DoS - Attacken ohne Ende!

#1 Hey ,
ich habe einen hardware-Router Marke Longshine und ziehe
ab und an Musik mit Kazaa.For c.a. 2 Wochen hab ich eine File
geöffnet die sich laut Norten als"Trojan-dropper" entpuppte.
Ich hab dann 2-3* Antivirus drüberlaufen lassen, er fand ein paar Viren und ich dachte das Problem sei gegessen, ist es aber nicht.
Seit diesem Zeitpunkt benachrichtigt mich mein Router per E-mail alle 2 Stunden über eine DoS-Attacke.Ich hab schon Ad-aware ausprobiert,
das findet auch nix aber ich muss ja schließlich noch irgendwas auf dem Rechner haben, was dem Knödel der mich net in Ruhe lässt sobald ich ins
Netz gehe immer wieder meine WAN - IP zuschickt.Hier noch mal die letzten
e-mails vom Router:

Mon May 05 09:50:48 2003 - PPPoE session start - PPPoE
Mon May 05 09:59:37 2003 - syn flood attack - tcp
[wan,82.64.192.61,80.129.112.74:4662] - [discard]
Mon May 05 09:59:37 2003 - block attack - ids

Nach syn- floods Was sind das für Attacks, ich kenn mich gar nicht aus!)

Sat May 03 02:06:08 2003 - stop blocking - ids
Sat May 03 17:04:28 2003 - PPPoE session start - PPPoE
Sat May 03 17:16:13 2003 - icmp attack - icmp
[wan,195.227.227.216,217.82.37.156:0] - [discard]
Sun May 04 13:02:28 2003 - PPPoE session start - PPPoE
Sun May 04 13:05:02 2003 - login successful - http
[192.168.1.128:1054]
Sun May 04 13:34:19 2003 - icmp attack - icmp
[wan,62.134.76.160,217.225.200.117:0] - [discard]
Sun May 04 18:01:53 2003 - PPPoE session start - PPPoE
Sun May 04 19:29:44 2003 - syn flood attack - tcp
[wan,172.184.73.13,80.129.117.119:4662] - [discard]
Sun May 04 19:29:44 2003 - block attack - ids

und jetzt probiert ers über Port139, der bei mir auch zu ist.

Sun May 04 20:09:13 2003 - stop blocking - ids
Sun May 04 20:09:33 2003 - port 139 attack - tcp
[wan,219.101.136.178,80.129.117.119:139] - [discard]
Sun May 04 20:09:39 2003 - port 139 attack - tcp
[wan,219.101.136.178,80.129.117.119:139] - [discard]
Sun May 04 20:09:51 2003 - port 139 attack - tcp
[wan,219.101.136.178,80.129.117.119:139] - [discard]
Sun May 04 20:10:15 2003 - port 139 attack - tcp
[wan,219.101.136.178,80.129.117.119:139] - [discard]
Sun May 04 20:11:03 2003 - port 139 attack - tcp
[wan,219.101.136.178,80.129.117.119:139] - [discard]
Sun May 04 21:07:26 2003 - ip spoofing - any
[wan,192.168.1.38,80.129.117.119:0] - [forward]
Sun May 04 21:56:23 2003 - syn flood attack - tcp
[wan,80.56.201.81,80.129.117.119:4662] - [discard]
Sun May 04 21:56:23 2003 - block attack - ids

Soweit ich das von der zeitlichen Reihenfolge rekonstruieren kann
probiert er immer wieder neu wenn mein Router nach einer geblockten
Attacke wieder aufmacht, oder wenn ich länger als 2 Stunden nicht im Netz
war (Router ist so konf. das er nach 2 Stunden offline geht) sobald ich
mich neu einwähle.


Nach der Info die eigentliche Frage:

Wie krieg ich meinen Rechner ohne Neuinstallation wieder sauber?

Was heißt das forward bei ip - spoofing, ist er bei mir jetzt irgendwie reingekommen oder net.Das war bis jetzt das einzige forward,
ansonsten hat er immer discarded (Anfrage/Verbindung beendet, oder?)

danke schon mal im vorraus,

nIC

#2 A SYN-flood attack is a denial-of-service attack.
The attacker send a huge amount of please-start-a-connection packets and then nothing else.

When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages.
This connection technique applies to all TCP connections--telnet, Web, email, etc.

The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Here is a view of this message flow:

Client Server
------ ------
SYN-------------------->
<--------------------SYN-ACK
ACK-------------------->
Client and server can now
send service-specific data

The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is what we mean by half-open connection.
The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.
Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the
final ACK message will never be sent to the victim server system.

The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out.
Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the
victim system can expire the pending connections.
In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections.

Praktisch wird dein System mit Anfragen überflutet bis es keine neue Anfragen annehmen kann.
Die schlimmste Folge bei einer extremer Belastung kann ein Crash sein.

Nein er ist nicht drin

Ich würde sicherheitshalber mit einer Testversion von KAV(KasperskyAntivirus) das System scannen.
Die Erkennungsrate bei Trojaner ist viel besser als bei Norton.
Falls Du nicht winXP hast würde ich die Version 3.5http://download1.kav.ch/avpfiles/win32/a32f350.exe,
ansonsten die 4-er Version nehmen.(Virendefinitionen/update nicht vergessen)

Gruß
Ajax

#3

Zitat

Ajax postete
A SYN-flood attack is a denial-of-service attack.
The attacker send a huge amount of please-start-a-connection packets and then nothing else.

When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages.
This connection technique applies to all TCP connections--telnet, Web, email, etc.

The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Here is a view of this message flow:

Client Server
------ ------
SYN-------------------->
<--------------------SYN-ACK
ACK-------------------->
Client and server can now
send service-specific data

The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is what we mean by half-open connection.
The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.
Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the
final ACK message will never be sent to the victim server system.

The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out.
Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the
victim system can expire the pending connections.
In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections.

Praktisch wird dein System mit Anfragen überflutet bis es keine neue Anfragen annehmen kann.
Die schlimmste Folge bei einer extremer Belastung kann ein Crash sein.

Nein er ist nicht drin

Ich würde sicherheitshalber mit einer Testversion von KAV(KasperskyAntivirus) das System scannen.
Die Erkennungsrate bei Trojaner ist viel besser als bei Norton.
Falls Du nicht winXP hast würde ich die Version 3.5http://download1.kav.ch/avpfiles/win32/a32f350.exe,
ansonsten die 4-er Version nehmen.(Virendefinitionen/update nicht vergessen)

Gruß
Ajax

#4 ups...
Danke für die Antwort!

Greetz