murder_face, posted November 8, 2012

Just noticed this in my router logs:

DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.173], Wednesday, Nov 07,2012 05:34:49

I'm kind of confused as to how an outside machine can even get an IP on my router. I have MAC filtering on and static IP addresses for everything on my LAN. I do have port forwarding in use on my router: one port for SSH to one of my machines, and another for Nessus. I ran nmap as soon as I saw my log and the foreign IP wasn't on the network. I am wondering if this was just a drive-by on my router or a direct attack. If it is a direct attack, what would be the best way to dish out some karma?
newbi3, posted November 8, 2012

Just throwing this out there: do you have DHCP disabled, and how about WPS, is that disabled as well? It seems like it would have been a random attack on your router.
digip, posted November 8, 2012 (edited)

It's possible to send packets from the internet and forge the sender and return address. If 192.168.1.173 isn't in use by anything on your network though, you may need to do some more investigating. 192.168.1.173 is not an internet-routable IP address. It's a range reserved for the local LAN, but it's not impossible for someone to be on the same network as you if, say, you use business-class services with your ISP, which in effect usually puts you on the 10.x.x.x network local to them, unless you use a router to add NAT between you and them. When I first got on cable from Comcast I didn't use a router, and way back in the day, we're talking like 2002 or so, I could see the internal Comcast 10.x.x.x network from my modem due to a misconfiguration by them when setting me up; by not putting the modem in some particular mode, I could see their internal network. If your router had something on like, say, RIP, and it somehow exchanged routing tables with the ISP and they use a 192.168.1.x network, it could be possible to exchange routing tables with them and then see IPs not just from your LAN but theirs as well, but that shouldn't be the case with NAT and most setups these days. More than likely, either one of your machines on the network possibly got hit by something that caused your machine to attack the internal network, or someone actually got into your network. There was a talk at Defcon or Blackhat a few years ago, a guy gave, on how you could basically use XSS and CSRF attacks to make yourself look like a user on the inside network, to attack the user's router.
Few things I would do though:

1. Change your external IP (force a new lease from the ISP by either changing the router's MAC address via MAC address cloning and then rebooting the modem, or power off the modem for about 30 minutes after releasing the lease on the router side, then restart the modem and reacquire a new DHCP lease from the ISP).
2. Go through every configuration setting on the router. Make sure remote administration is disabled, as well as configuration over wifi. Only allow it to be configured over wired, and if possible, HTTPS only, disable HTTP, in the event someone did get on your network and tried a MITM to capture the login to the router.
3. Make sure services such as UPnP, SSDP and TFTP are disabled.
4. If you have to, reload the firmware on the router, and start fresh with a new config for everything, including new SSID, and passwords for local administration and WPA2 logins.

Forgot to mention, I think OpenDNS blocks DNS rebinding attacks, but don't quote me on that...

Edited November 8, 2012 by digip
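As an added example (not from the thread or any of its posters), here is the kind of triage a defender can run over the router log quoted above: parse Netgear-style "DoS attack" lines and flag events whose source address is in RFC 1918 space but is not one of the LAN's known static hosts, which is exactly the 192.168.1.173 case. The log lines and the host list are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in the format quoted in the thread (not real captures).
# The real log line starts with "[DoS attack: ..."; the first bracket was lost in the post,
# so the pattern below does not require it.
SAMPLE_LOG = """\
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.173], Wednesday, Nov 07,2012 05:34:49
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.10], Wednesday, Nov 07,2012 05:35:12
[DoS attack: SYN Flood] attack packets in last 20 sec from ip [203.0.113.5], Wednesday, Nov 07,2012 05:36:01
[DHCP IP: (192.168.1.10)] to MAC address 00:11:22:33:44:55, Wednesday, Nov 07,2012 05:30:00
"""

# Constructed list of hosts that are supposed to exist on the LAN (the poster says every
# host has a static address, so this list is the ground truth to compare against).
KNOWN_LAN_HOSTS = {"192.168.1.1", "192.168.1.10", "192.168.1.20"}

# RFC 1918 ranges: never legitimately sourced from the internet side of the router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"DoS attack: (?P<kind>[^\]]+)\] attack packets in last (?P<window>\d+) sec "
    r"from ip \[(?P<ip>[0-9.]+)\], (?P<ts>\w+, \w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)


def parse_dos_events(log_text):
    """Return one dict per 'DoS attack' line; other log lines (DHCP etc.) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%A, %b %d,%Y %H:%M:%S")
        events.append({"kind": m.group("kind"), "window_sec": int(m.group("window")),
                       "ip": ipaddress.ip_address(m.group("ip")), "time": ts})
    return events


def classify(event, known_hosts=KNOWN_LAN_HOSTS):
    """Private source + unknown host is the interesting case: spoofed or a rogue device."""
    ip = event["ip"]
    if any(ip in net for net in RFC1918):
        return "private-known-host" if str(ip) in known_hosts else "private-unknown-host"
    return "external-source"


def triage(log_text, known_hosts=KNOWN_LAN_HOSTS):
    """Map each classification to the list of source IPs seen, for a quick summary."""
    summary = {}
    for ev in parse_dos_events(log_text):
        summary.setdefault(classify(ev, known_hosts), []).append(str(ev["ip"]))
    return summary
```

A "private-known-host" hit points at a LAN machine that may itself be compromised, which is digip's second hypothesis; an "external-source" hit is the ordinary internet-side noise the router logs anyway.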
murder_face (author), posted November 8, 2012

So. I have refreshed my IP, and changed the MAC address of my router. I haven't gone as far as reloading firmware yet, but it looks like that is my next step. I have UPnP and remote management disabled (sadly there isn't a setting for wired config only). The strange thing is, when I ran a Nessus scan on the router it still shows UPnP and telnet ports. I also have another port open that I don't recognize: TCP 1780 dpkeyserv. The weird thing is Google says dpkeyserv "This server provides license to multiple users for using kana-kanji conversion server. jserver". Here is my Nessus report: http://www.geek-labs.com/
digip, posted November 8, 2012

If that port is open, try port forwarding it to a nonexistent IP on your LAN, and see if that stops traffic to it. I do this with TFTP as well for my router, but I would reload the firmware to be safe and see if the port goes away. Could also be a false positive, but I wouldn't take any chances. Is the router an all-in-one modem/router/wifi device? If so, some things you may have no control over, and the ISP will load whatever they want on the damn thing.