[Gllug] Router under attack: help/advice needed

T Menezes t.menezes at tm.uklinux.net
Mon Oct 5 07:59:06 UTC 2009


Hi,

Thanks everyone for their help.

I was scratching my head over this and realised that there is a relation
to Skype:

All the incoming ports on the router are blocked, but I have a
permissive outwards policy (which I know is not ideal). I am not running
any servers, not even on the intranet.

What bugs me is that the router (Netgear) security emails tell me that
the destination address is the IP address of my laptop, not that of the
router's external interface. Shouldn't the router be doing NAT and only
showing the IP address provided by my ISP?

I was puzzled, so I decided to change the details of the home intranet.
And lo and behold, the security emails from the router read the new
internal IP address of my laptop. The thing is that it only took like 1
minute for the attacker to pick up the internal IP address.

At the time I only had my laptop connected to the home network. I had a
think and Skype was the only programme that I had (knowingly) plugged into
the internet. So I turned it off, changed the details of the intranet
again and re-connected to the internet. Now, it took a good 8 hours to
start getting more security emails from the router. More interestingly,
the emails started as soon as my wife turned her laptop on (which
automatically starts Skype when Windows boots up and she logs in).

Any thoughts anyone?

Thanks
TM
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



