Internal Teardrop DOS Attack from Joey

SBD

SatelliteGuys Family
Original poster
Mar 18, 2005
57
1
My internet stopped working so I checked the logs and it shows the IP address for a wireless Joey and 1 regular Joey 2.0 attacking the internal IP address 192.168.0.255:10102. Both the internal IP addresses associated with the wireless Joey are also using port 10102 for the attack.

Any idea what could be going on here?

Sent from my SM-G930P using the SatelliteGuys app!
 
.255 would be the IP broadcast address for that class C network. Perhaps it is looking for any machine listening on that port for whatever reason.
 
What router do you have ? My money is on it being the problem... Lots of routers with poor security/firmware have been compromised. Are you using the default user/password on the router ?
 
I am using the Netgear Nighthawk AC1900 (C7000) and yes, I changed the default password.

Sent from my SM-G930P using the SatelliteGuys app!
 
.255 would be the IP broadcast address for that class C network. Perhaps it is looking for any machine listening on that port for whatever reason.

Definitely the broadcast unless his router is using a crazy subnet. Not sure what the joeys are trying to broadcast. Maybe use a program like Wireshark to inspect the packets would shed some light on what's going on.

Definitely update. I have the R7000... serious security flaw in the firmware recently.


Sent from my iPad using Tapatalk
 
I don't have the R7000, I have the C7000. No security for this one as it is updated only by ISP.

Sent from my SM-G930P using the SatelliteGuys app!
 
I downloaded Wireshark and it seems that the Hopper3 and all of the Joey's are sending data to that .255 address.

Sent from my SM-G930P using the SatelliteGuys app!
 
20170129_234731.jpeg


Sent from my SM-G930P using the SatelliteGuys app!
 
I'm no network expert, but this doesn't look like any DoS attack to me. I Google searched "teardrop DoS attack" and found that this is an old attack aimed at Windows 95/NT machines and OLD Linux kernels. It had to do with packet fragmentation.

When machines send broadcasts, they are generally looking for partners on the network. I believe the Joeys are just searching for new Hoppers (or some other device on the network). I'd bet that if you did a port scan on a Hopper, you'd find a process monitoring port 10102. When the Joey sends a broadcast to port 10102, every device on your local network will get it. The Hopper is the only thing listening, and it now knows there is a Joey out there willing to talk. Why it's doing it every two seconds escapes me. Perhaps it's the way Dish maintains synchronization between all of the devices (Hoppers/Joeys) on your home network.
 
I did a portscan and the only open port on the Hopper3 is 80 same goes for the Joey.

Sent from my SM-G930P using the SatelliteGuys app!
 
Did a Wireshark capture on my network, and my Hopper, Joey, and Joey4K are all doing exactly the same thing. Not sure why the port scan didn't show anything. Perhaps it is a true broadcast receive-only port that does not acknowledge a connection request? Too far over my head.

I'm still not feeling like it is any kind of attack. The vulnerability was fixed years ago.
 
According to Incapsula, this type of attack was again viable in both Vista and Win 7.

https://www.incapsula.com/ddos/attack-glossary/ip-fragmentation-attack-teardrop.html

However, Wireshark is showing that the protocol being used is UDP and not TCP.

UDP and ICMP fragmentation attacks - These attacks involve the transmission of fraudulent UDP or ICMP packets that are larger than the network's MTU, (usually ~1500 bytes). As these packets are fake, and are unable to be reassembled, the target server's resources are quickly consumed, resulting in server unavailability.

Sent from my SM-G930P using the SatelliteGuys app!
 
Also, these attacks only recently began to get logged, so it just started happening. Will check software on Hopper to see if it was updated recently.

Sent from my SM-G930P using the SatelliteGuys app!
 
Sure enough, whatever is happening, it was introduced with the U341 update that occurred on my system on January 29, 2017 @7:17 am.

The attack started logging immediately thereafter.

Sent from my SM-G930P using the SatelliteGuys app!
 
Is your internet still not working ? If it's fine now, how did you fix it ?

LAN traffic won't make your internet stop working. It could make your network busy or slow, but won't make it shut down.
Browser was hanging, but all lights on router display indicated all was normal so I logged into the router and that's when I noticed these new log entries.

Sent from my SM-G930P using the SatelliteGuys app!
 

Bill Paying History

VIP211z and Wally

Users Who Are Viewing This Thread (Total: 0, Members: 0, Guests: 0)

Who Read This Thread (Total Members: 1)