Internal Teardrop DOS Attack from Joey

SBD

Thread Starter
My internet stopped working so I checked the logs and it shows the IP address for a wireless Joey and 1 regular Joey 2.0 attacking the internal IP address 192.168.0.255:10102. Both the internal IP addresses associated with the wireless Joey are also using port 10102 for the attack.

Any idea what could be going on here?

Sent from my SM-G930P using the SatelliteGuys app!
 

jpmarto

.255 would be the IP broadcast address for that class C network. Perhaps it is looking for any machine listening on that port for whatever reason.
 

Hall

What router do you have? My money is on it being the problem... Lots of routers with poor security/firmware have been compromised. Are you using the default user/password on the router?
 

SBD

Thread Starter
I am using the Netgear Nighthawk AC1900 (C7000) and yes, I changed the default password.

 

dolfan3033

> .255 would be the IP broadcast address for that class C network. Perhaps it is looking for any machine listening on that port for whatever reason.

Definitely the broadcast unless his router is using a crazy subnet. Not sure what the Joeys are trying to broadcast. Maybe using a program like Wireshark to inspect the packets would shed some light on what's going on.

Definitely update. I have the R7000... serious security flaw in the firmware recently.


Sent from my iPad using Tapatalk
 

SBD

Thread Starter
I don't have the R7000, I have the C7000. No security for this one as it is updated only by ISP.

 

SBD

Thread Starter
I downloaded Wireshark and it seems that the Hopper3 and all of the Joeys are sending data to that .255 address.

 

SBD

Thread Starter
[Attached screenshot: 20170129_234731.jpeg]


 

rharkins

I'm no network expert, but this doesn't look like any DoS attack to me. I Google searched "teardrop DoS attack" and found that this is an old attack aimed at Windows 95/NT machines and OLD Linux kernels. It had to do with packet fragmentation.

When machines send broadcasts, they are generally looking for partners on the network. I believe the Joeys are just searching for new Hoppers (or some other device on the network). I'd bet that if you did a port scan on a Hopper, you'd find a process monitoring port 10102. When the Joey sends a broadcast to port 10102, every device on your local network will get it. The Hopper is the only thing listening, and it now knows there is a Joey out there willing to talk. Why it's doing it every two seconds escapes me. Perhaps it's the way Dish maintains synchronization between all of the devices (Hoppers/Joeys) on your home network.
 

SBD

Thread Starter
I did a port scan and the only open port on the Hopper3 is 80; same goes for the Joey.

 

rharkins

Did a Wireshark capture on my network, and my Hopper, Joey, and Joey4K are all doing exactly the same thing. Not sure why the port scan didn't show anything. Perhaps it is a true broadcast receive-only port that does not acknowledge a connection request? Too far over my head.

I'm still not feeling like it is any kind of attack. The vulnerability was fixed years ago.
 

SBD

Thread Starter
According to Incapsula, this type of attack was again viable in both Vista and Win 7.

https://www.incapsula.com/ddos/attack-glossary/ip-fragmentation-attack-teardrop.html

However, Wireshark is showing that the protocol being used is UDP and not TCP.

> UDP and ICMP fragmentation attacks - These attacks involve the transmission of fraudulent UDP or ICMP packets that are larger than the network's MTU (usually ~1500 bytes). As these packets are fake, and are unable to be reassembled, the target server's resources are quickly consumed, resulting in server unavailability.

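Added example, not from the thread or from Dish/Netgear: classification logic over constructed packet summaries that separates the pattern rharkins describes (unfragmented UDP to the .255 broadcast address on port 10102 at a steady interval) from the overlapping-fragment signature of the teardrop attack the Incapsula excerpt refers to. The Packet field names, the 192.168.0.0/24 network, the 0.5 s jitter tolerance and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:  # one captured IP packet, as read off a Wireshark export (field names assumed)
    ts: float                 # capture time in seconds
    src: str
    dst: str
    proto: str                # "UDP", "TCP" or "ICMP"
    dport: int
    ip_id: int = 0            # IP Identification, shared by all fragments of one datagram
    frag_off: int = 0         # fragment offset in bytes (header field * 8)
    payload_len: int = 0
    more_frags: bool = False  # IP "More Fragments" flag

def fragments_overlap(frags) -> bool:  # teardrop signature: a fragment starts before the previous one ends
    end = -1
    for f in sorted(frags, key=lambda p: p.frag_off):
        if f.frag_off < end:
            return True
        end = f.frag_off + f.payload_len
    return False

def classify(packets, network="192.168.0.0/24", discovery_port=10102):
    """Return (source, verdict) pairs: overlapping fragments vs. periodic discovery beacons."""
    bcast_addr = str(ipaddress.ip_network(network).broadcast_address)  # .255 for a /24
    findings, groups, beacons = [], defaultdict(list), defaultdict(list)
    for p in packets:
        if p.frag_off or p.more_frags:            # part of a fragmented datagram
            groups[(p.src, p.dst, p.ip_id)].append(p)
        elif p.proto == "UDP" and p.dport == discovery_port and p.dst == bcast_addr:
            beacons[p.src].append(p.ts)           # unfragmented UDP to the broadcast address
    for (src, _, _), frags in groups.items():
        if fragments_overlap(frags):
            findings.append((src, "teardrop-pattern: overlapping fragments"))
    for src, times in beacons.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and max(gaps) - min(gaps) < 0.5:  # steady interval = discovery beacon
            findings.append((src, f"periodic UDP broadcast to :{discovery_port} every "
                                  f"~{sum(gaps) / len(gaps):.0f}s: LAN discovery, not an attack"))
    return findings
# Constructed sample, not the thread's capture: Joey-like beacons every 2 s plus one datagram whose second fragment overlaps the first.
SAMPLE = [
    Packet(0.0, "192.168.0.20", "192.168.0.255", "UDP", 10102, payload_len=60),
    Packet(2.0, "192.168.0.20", "192.168.0.255", "UDP", 10102, payload_len=60),
    Packet(4.0, "192.168.0.20", "192.168.0.255", "UDP", 10102, payload_len=60),
    Packet(1.0, "192.168.0.77", "192.168.0.1", "UDP", 53, ip_id=9, payload_len=1480, more_frags=True),
    Packet(1.0, "192.168.0.77", "192.168.0.1", "UDP", 53, ip_id=9, frag_off=1000, payload_len=800),
]
```

Feeding `classify(SAMPLE)` the summaries above yields one "LAN discovery" verdict for the beaconing host and one "teardrop-pattern" verdict for the host sending overlapping fragments; a router that logs the first as a teardrop attack is matching on the destination or port, not on fragment overlap.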
 

SBD

Thread Starter
Also, these attacks only recently began to get logged, so it just started happening. Will check software on Hopper to see if it was updated recently.

 

SBD

Thread Starter
Sure enough, whatever is happening, it was introduced with the U341 update that occurred on my system on January 29, 2017 @7:17 am.

The attack started logging immediately thereafter.

 

SBD

Thread Starter
> Is your internet still not working? If it's fine now, how did you fix it?
>
> LAN traffic won't make your internet stop working. It could make your network busy or slow, but won't make it shut down.

Browser was hanging, but all lights on the router display indicated all was normal, so I logged into the router and that's when I noticed these new log entries.

 
