Denial of Service Attacks/Smurf Attacks from my home router?

The Backstory: I just returned Sunday night from my latest deployment. My laptop was offline (no internet connected to it) for six months, until last Thursday when I flew through Ramstein, Germany. As soon as I grabbed a local, safe WiFi signal, my Symantec would bleep up that a Denial of Service attack was underway, and that it would be blocked for 10 minutes. The “attacking site” was some random IP, but it appeared the same time several times over. I would essentially lose all connectivity, despite a solid signal, and would have to either reboot the machine for an additional 5 minutes of time before it happened again, or would just have to walk away from the laptop.

Fast Forward to Today: A lot of Symantec & Windows updates had installed themselves by this morning, and I’d run my battery of anti-virus and anti-malware tests without finding anything. Every time I opened FireFox, Symantec would bleep up that another DoS attack was underway, but this time it appeared it was coming from my host WiFi router in my home. Figuring all my updates had taken effect, I went out on a limb and downloaded and installed the newest FireFox.

So far, I haven’t seen Symantec pop up for a DoS notification. So . . .

Was FireFox found to have holes in it that updates couldn’t fix?

Having read up on things, I was going to adjust the firewall on the router to block the offending website, when I found out the IP was actually the router’s IP to begin with.

Was this a legitimate DoS attack, or am I missing something? Why would my own router try to continually ping my machine?

Oh the questions abound. . . but it’s late (compared to where I was). But I do have questions. I can’t imagine just changing to a new version of FireFox would do the trick. . .

Tripler
‘Bleep’ is a scientific term.

DISCLAIMER - I work for Symantec, but not in support or in product dev. I participate on this board only in a personal capacity, and cannot comment for Symantec in any official capacity, and any feedback I provide is as a concerned poster, not as a Symantec employee. Before you make any decisions based on anything I have to say, I recommend to contact Symantec support if possible. I will not make any product recommendations nor can I provide a batphone to support.

Mods, if you feel I should stay out of this thread since my company’s product is involved, please feel free to delete this post.
Ok, a few questions:

What version of Firefox did you update from/to?

While your laptop was offline, did you load any files or applications onto it manually, via CD/DVD, USB drive, or otherwise? If so, what kind?

Can you specify which Symantec product? Is it Norton Internet Security, Norton 360, Symantec Endpoint Security, or something else? Also, when was the last update performed to download definitions/signatures?

Have you gone through your security logs to look for more information on the alerts that the Symantec software bleeped? (You’re right, it does sound very scientific)

Did the alert/logs say that it was blocking an inbound, or an outbound connection?

Is this a personal or work laptop? If work, do you work in an industry where you might conceivably be a target for malicious hackers? i.e., do you work with valuable proprietary information or have high-level systems access at your employer, or are you a high-profile employee (executive, product manager, etc. - basically, do you do anything public on behalf of your company)?

Crown Prince, disclaimer noted and understood. For yourself and the mods, I post my answers not for corporate research, but maybe to help trigger some questions/answers for other Dopers here.

Ok, a few questions:

**What version of Firefox did you update from/to?** I went from FireFox 5.XX (with change) to 6.0.

**While your laptop was offline, did you load any files or applications onto it manually, via CD/DVD, USB drive, or otherwise? If so, what kind?** I did not. And I’m not hiding anything either. :smiley: My laptop was my ‘morale’ computer which I played music, games, did homework on while I was back at my hooch–I had no connectivity since February, and prior to that point in time, everything was running like a well oiled machine. My internet connection there was a hardline into my LAN port, connected to a commercial satellite system–not WiFi. I have not installed any new applications into it, simply because I didn’t have access to it. I did load Air Force-made products (Flash movies, PowerPoint slideshows and PDF reads) from a CD-ROM onto my computer, but no new applications were installed. They were just “watching movies” or reading files from that disk. I reckoned I could trust the Air Force to produce clean files. All other applications/files/games were either loaded before I lost connectivity, or were produced on that machine afterwards. I can get you specifics on the majority of the programs I use, if need be.

I will point out that as soon as my laptop discovered it had connectivity, Windows almost gasped for fresh air at the number of updates it wanted to download and install. No kidding, I must have downloaded five different packages (including SP1 for Win7) and rebooted the machine as many, if not more, times.

**Can you specify which Symantec product? Is it Norton Internet Security, Norton 360, Symantec Endpoint Security, or something else? Also, when was the last update performed to download definitions/signatures?** I’m running Symantec Endpoint Protection v11.0.6005.562, with updates downloaded 16 Aug 11. When I got back into connectivity on the 10th, I immediately downloaded the newest definitions and signatures. However, that was also the same time I started having DoS notifications. I do not remember if I had the DoS first and then downloaded the defs/sigs, but I remember trying to download the defs/sigs at first chance.

**Have you gone through your security logs to look for more information on the alerts that the Symantec software bleeped? (You’re right, it does sound very scientific)** I did try to go through all of my logs, but they were all strangely empty–I may not have been looking in the right places. I have not cleared any logs, so if you can walk me through where to look, I’ll take another gander. And yes, bleeps are very scientific.

**Did the alert/logs say that it was blocking an inbound, or an outbound connection?** This one I remember: it was blocking an inbound signal.

**Is this a personal or work laptop? If work, do you work in an industry where you might conceivably be a target for malicious hackers? i.e., do you work with valuable proprietary information or have high-level systems access at your employer, or are you a high-profile employee (executive, product manager, etc. - basically, do you do anything public on behalf of your company)?** This is a personal laptop, that I do mostly personal work on, with the occasional ‘jobby-job’ task I bring home. I am a military member, and do consider myself a target for malicious, Soviet Communist-type hackers. I have access to high-security level information, however, that is on a different network, and must be “air gapped” to other different security networks. Due to policies and restrictions, none of it is ever brought to an unclassified network. Secure information stays secure due to hardware restrictions–it cannot be transferred inadvertently. I am a high-profile employee, and can be found through Google searches. I have many leatherbound books, and my office smells of rich mahogany. In other words . . . I’m kind of a big deal.

Thanks for your help Prince. Wisecracks added at no extra charge. :smiley:

Tripler
You stay classy, San Diego.

Now that you’ve disclaimed my disclaimer, I think we should be pretty well covered.

This might be an interesting starting point - since Firefox went to an agile development cycle after FF 4 (a new full-numbered release every few months instead of every 12-18 months) I’ve been wondering if there might be any repercussions.
Followup question: How long had you been on FF 5.xx? I’m thinking probably right around the time you went offline, but please confirm.

That’s what they all say. :wink:

One would hope - however, it is possible for some malware to be transmitted via PPT and PDF. I’m not thinking that’s what happened here, especially if the CD were mass-produced by the USAF.

Followup question: Did the DoS alert start before, during, or after all these updates/reboots?

Coolio - that version is pretty robust, as it has tamper protection preventing most methods of disabling the security scanner, and also pretty good heuristic and behavioral detection for “unknown” attacks. Usually, if malware disables the detection engine, it will also block the connection to the definition update server too, so the fact that you have updated definitions is a good sign.

I’ve got SEP 12, which is a bit different - but in SEP 11, there should be a View Logs, or Event Viewer link of some sort from the SEP interface (double click the yellow shield in the systray to bring up the interface). If your SEP client is managed by the USAF (not uncommon when enterprise-class software like SEP is licensed for users’ personal systems), they may offload your logs to a central server and delete them locally, for enhanced security (this way, in case someone cracks into your system somehow, they cannot see IP addresses or names of sensitive USAF assets).

If your SEP client is not centrally managed, then missing logs might be a little concerning. If in doubt, contact your network administrator.

This is another good(ish) sign - if it were outbound, I’d be very concerned, but inbound is inconclusive.
Followup question: Do you remember if the DoS alert started after you’d opened Firefox, or before?

Well aren’t you special. :smiley:

Even if you don’t host sensitive files, hackers probably wouldn’t care. Determined hackers (the kind trying to crack into the DoD for instance) will try any possible angle to get into a network - as far as they’re concerned every system you use is a potential target. So it’s good you have an enterprise-class security software on your personal system - not saying my company’s product is superior to another’s (I’ve got my own opinions), but “enterprise-class” security software tends to be more robust than “consumer” product (think Norton), often with more security measures and a leaner interface, and can be centrally managed so that certain policies are applied dictating how aggressive detection should be, whether scanning can be turned off, update/scan schedules, etc.

But it seems to me (in my inexpert opinion) that this issue may have been due to the confluence of the updated virus/behavior definitions, and some artifact or behavior of the version of Firefox you migrated from, and that updating FF fixed the issue.

But I would still strongly recommend to have one of your network techs take a look. Since you’re using an enterprise-class client, most likely support will be routed through USAF IT, so you probably won’t be able to call up directly.

Cheers,
CPoI

**Followup question: How long had you been on FF 5.xx? I’m thinking probably right around the time you went offline, but please confirm.**

I’d been on FF 5.XX for some time prior to going offline–it had been at least a few months before I left in January that I downloaded & installed it. I may have upgraded it, but I was well into the 5-series for some time.

**Followup question: Did the DoS alert start before, during, or after all these updates/reboots?** I believe it started before, but I can’t be certain.

**Followup question: Do you remember if the DoS alert started after you’d opened Firefox, or before?**

I distinctly remember it beginning after I opened FF. I could use iTunes easily, until the entire connection was blocked by Symantec–it seemed that when Symantec bleeped, it blocked the connection. I verified this in the settings, that Symantec would wait for 600 seconds before unblocking the IP address. But, being that the IP was my router, it effectively cut off my signal/connection.

**Even if you don’t host sensitive files, hackers probably wouldn’t care. Determined hackers (the kind trying to crack into the DoD for instance) will try any possible angle to get into a network - as far as they’re concerned every system you use is a potential target. So it’s good you have an enterprise-class security software on your personal system - not saying my company’s product is superior to another’s (I’ve got my own opinions), but “enterprise-class” security software tends to be more robust than “consumer” product (think Norton), often with more security measures and a leaner interface, and can be centrally managed so that certain policies are applied dictating how aggressive detection should be, whether scanning can be turned off, update/scan schedules, etc.**

It was legally and ethically acquired from the Air Force in part of their licensing agreement. The AF understands that some of us take work home, so they make the enterprise-class license available to its employees. We’ve got a similar program with other software too.

**But it seems to me (in my inexpert opinion) that this issue may have been due to the confluence of the updated virus/behavior definitions, and some artifact or behavior of the version of Firefox you migrated from, and that updating FF fixed the issue.**

Just about a half hour ago, it popped up again–got another DoS warning. I’ll transcribe the text of it when it comes up so you can see exactly the warning it’s giving me.

I’d done some reading that it could be a “Smurf Attack” where some nefarious type is spoofing my IP to hit me. I wanted to get into my router settings to try to disable some of that echoing of pings, but I’m not sure where to go after that. I did an “ipconfig /refresh” which seemed to work for a little bit, but the upgrade to FF 6.00 seems to be working the best for the moment. More to follow. . .

**But I would still strongly recommend to have one of your network techs take a look. Since you’re using an enterprise-class client, most likely support will be routed through USAF IT, so you probably won’t be able to call up directly.**

Unfortunately, because it’s a personal laptop, I may be out of luck–the AF won’t look at a personal machine. But, I may ask around to see if someone would be willing to break with policy and give me a little ‘side consultation’ for a cup of coffee and six donuts. I am obliged for your help, though!

Tripler
The currency of favors: Tim Horton’s donuts.

I’d be very curious to see those logs, although please redact any sensitive IP or hostname info. Obviously, if your router is 192.168.1.1, don’t worry about it.

The real weird thing is that you first noticed the issue when connected to the wifi when traveling through Ramstein (you didn’t specify if you were flying through a civilian airport, or were at the air base). This would seem to preclude most types of targeted DoS attacks, since the issue carried over from there to when you connected at home. Unless by some unlikely circumstance, you were a target of separate DoS attacks at both Ramstein and at home.

Since the issue has recurred, I’d definitely recommend to try to cajole your IT guys to help you out - if for no other reason than that your personal system may have some forensic evidence of an attempt to attack USAF resources, especially if the first incident was while you were at Ramstein Air Base. And security guys love poring over event logs. :smiley:

I was actually on base, in billeting (their hotel) at the time. Darn weird indeed.

I think I will–I’ll mention it when I go back into work. In the meantime, I’ve turned off the DoS blocker, because my logs indicate the incoming packets are from MAC addresses in this house. I wonder if it’s just something with Win7 on my laptop taking random pings from whatever wireless I’m on as DoS attacks. That’s all I can think of.

Tripler
Much obliged for the help, though.
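The two questions the thread circles around (Tripler’s earlier “could this be a Smurf attack spoofing my IP?” and the later observation that the flagged packets come from the router and other MAC addresses inside the house) can be settled from the firewall log itself. The script below is an added example, not code from the thread, from Symantec or from SEP: it takes per-packet records in a constructed format, checks whether the flagged source is the gateway or another LAN address, and counts unsolicited ICMP echo replies, which is what a Smurf victim actually sees (the attacker sends echo requests with the victim’s spoofed source address to a directed-broadcast address, and every host on that network answers the victim). The 192.168.1.0/24 LAN, the 192.168.1.1 gateway (the only address the thread mentions) and all addresses in the sample records are assumptions.

```python
"""Triage an inbound "DoS" alert: local router/LAN chatter, or Smurf reflection?

Added example, not from the original thread. Network, addresses and log
records are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Assumed home network; the thread only mentions a router at 192.168.1.1.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = ipaddress.ip_address("192.168.1.1")

# Constructed records: (direction, src_ip, dst_ip, proto, icmp_type).
# icmp_type 8 = echo request, 0 = echo reply, None for non-ICMP rows.
# Case 1: what the later post describes - the router pinging the laptop.
ROUTER_CHATTER = [
    ("in",  "192.168.1.1",  "192.168.1.23", "icmp", 8),
    ("out", "192.168.1.23", "192.168.1.1",  "icmp", 0),
    ("in",  "192.168.1.1",  "192.168.1.23", "icmp", 8),
    ("out", "192.168.1.23", "192.168.1.1",  "icmp", 0),
    ("in",  "192.168.1.1",  "192.168.1.23", "udp",  None),
]

# Case 2: a Smurf burst - forty echo replies from an amplifier network
# (TEST-NET-3) that the laptop never pinged, plus one legitimate reply to a
# ping the laptop did send.
SMURF_BURST = [
    ("in", f"203.0.113.{i}", "192.168.1.23", "icmp", 0) for i in range(1, 41)
] + [
    ("out", "192.168.1.23", "198.51.100.7", "icmp", 8),
    ("in",  "198.51.100.7", "192.168.1.23", "icmp", 0),
]


def classify_source(src_ip: str) -> str:
    """'gateway', 'lan' or 'external' for the flagged source address."""
    ip = ipaddress.ip_address(src_ip)
    if ip == GATEWAY_IP:
        return "gateway"
    if ip in LOCAL_NET:
        return "lan"
    return "external"


def unsolicited_echo_replies(records) -> Counter:
    """Inbound echo replies from hosts we never sent an echo request to.

    Legitimate replies always follow one of our own requests; a Smurf victim
    receives replies to requests it never sent, from many distinct hosts.
    """
    asked = {dst for d, _, dst, proto, t in records
             if d == "out" and proto == "icmp" and t == 8}
    replies = Counter()
    for d, src, _, proto, t in records:
        if d == "in" and proto == "icmp" and t == 0 and src not in asked:
            replies[src] += 1
    return replies


def triage(records, smurf_threshold: int = 20) -> dict:
    """Return a verdict plus the evidence it rests on.

    Caveat: a source IP can be spoofed, including the gateway's own address,
    so 'local-only' means "check the router's logs and ARP table", not proof
    that nothing external was involved.
    """
    inbound = [r for r in records if r[0] == "in"]
    sources = Counter(classify_source(r[1]) for r in inbound)
    unsolicited = unsolicited_echo_replies(records)
    evidence = {"sources": dict(sources),
                "unsolicited_reply_hosts": len(unsolicited)}
    if len(unsolicited) >= smurf_threshold:
        return {"verdict": "smurf-like", **evidence}
    if inbound and set(sources) <= {"gateway", "lan"}:
        return {"verdict": "local-only", **evidence}
    return {"verdict": "inconclusive", **evidence}


if __name__ == "__main__":
    for name, recs in (("router chatter", ROUTER_CHATTER), ("smurf burst", SMURF_BURST)):
        print(f"{name}: {triage(recs)}")
```

The threshold of twenty distinct reply hosts is arbitrary; the signal that matters is replies you never asked for arriving from many different addresses. A blocker that treats a handful of echo requests from the gateway as a DoS and then blacklists the gateway for 600 seconds produces exactly the symptom in the thread, a healthy WiFi signal with no connectivity, so confirming that the flagged source is the router before trusting the alert is the first check worth doing.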