View Full Version : Strange firewall/DoS report


aflowers001
23-02-2005, 22:47
I have a Belkin wireless router and recently I have been experiencing a lot of problems such as slow speed, inability to connect etc.

A portion of the router's firewall log is shown below.
I am aware that 10.14.32.1 is a private address that I cannot trace, but I'd like to know where it is coming from as my firewall log is packed with DoS reports about it.

There is also quite a number of DoS reports about the modem (192.168.100.1) which are very puzzling and annoying. Any ideas about why the modem would be doing this?


Wed Feb 23 20:33:50 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:36:02 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:36:02 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:36:02 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:36:02 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:38:13 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:38:17 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:38:25 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:38:41 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:39:29 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:39:32 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:39:40 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:39:55 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:41:12 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:22 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:32 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:42 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:52 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:42:02 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:42:12 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:42:22 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:42:32 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:42:42 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:42:52 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:43:02 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:43:12 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:43:22 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:43:32 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:43:48 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:43:52 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:43:59 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:44:15 2005 1 Blocked by DoS protection 10.14.32.1

rdhw
24-02-2005, 00:13
My guess is that 10.14.32.1 is your local cable head-end (CMTS, or UBR). And you know that 192.168.100.1 is your cable modem. I suspect that your Belkin is confused. If you can configure the Belkin to always allow traffic from these two IP addresses, then do so. If you can't configure it like that, then just disable the firewall component of the Belkin that is producing these blocks.

soccerguy
14-03-2005, 12:58
I have almost the same issue with my Belkin router - except the only DoS attack it is registering is from the 10.???.???.1 address. I can't seem to find on my router where to allow all traffic from this address. Help, PLEASE!

Thanks for your attention to this matter!

Paul
14-03-2005, 16:02
What model router do you have?

BBKing
14-03-2005, 16:04
10.14.32.1 is on UBR 1 in Stretford, Manchester. Nothing to worry about.

fragless
14-03-2005, 16:11
Hi,
I too have a Belkin Model: F5D7230-4.
I see them ....
Wed Feb 23 20:39:32 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:39:40 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:39:55 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:41:12 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:22 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:32 2005 1 Blocked by DoS protection 192.168.100.1

They're safe to ignore, it's any other IPs other than them.
Example


Firewall log:
Mon Mar 14 12:48:42 2005 1 Blocked by DoS protection 10.109.16.1 << safe
Mon Mar 14 13:34:18 2005 1 Blocked by DoS protection 10.109.16.1 << safe
Mon Mar 14 13:41:59 2005 1 Blocked by DoS protection 216.194.5.31 << not good
Mon Mar 14 13:45:11 2005 1 Blocked by DoS protection 12.235.239.45 << not good

Mon Mar 14 13:48:04 2005 1 Blocked by DoS protection 222.88.173.5 << not good

Mon Mar 14 14:09:06 2005 1 Blocked by DoS protection 204.254.251.167
Mon Mar 14 14:09:06 2005 1 Blocked by DoS protection 205.119.224.203
Mon Mar 14 14:17:21 2005 1 Blocked by DoS protection 61.129.115.57
Mon Mar 14 15:03:00 2005 1 Blocked by DoS protection 61.10.253.11
Mon Mar 14 15:07:09 2005 1 Blocked by DoS protection 196.44.33.90

aflowers001
14-03-2005, 16:20
I've been on to Belkin tech support & NTL support and the results of this are:

The 10.xxx addresses are the UBRs. It's likely that the traffic is broadcast DHCP messages. This can be checked out at Robin Walker's web site, http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html

The 192.168.100.1 address is the local modem doing something. I found that if I power down the modem AND router, then power up the modem, wait a minute then power up the router I no longer see any firewall log entries for 192.168.100.1. It looks like the router has to be started AFTER the modem in order to allow it to initialise its communications with it.

Both NTL and Belkin said there is nothing to worry about these 2 addresses appearing in the logs, but perhaps one day Belkin will improve their logs so that they start detailing WHY an entry is in there....

Zach
05-05-2007, 17:42
I just downloaded Comodo Firewall Pro and it's reading
Inbound Policy Violation (Access Denied IP = 10.14.32.1 port dhcp(68))

It is giving me constant on-the-fly reports on all the ingoing and outgoing stuff on my connection and I am getting that one a lot, like every 5 seconds.
It is saying the severity is medium but I don't know.

crowlord
05-05-2007, 19:21
Brilliant. Got loads of 10.X.X.1 IPs on my DoS log. Didn't know what they are and didn't need them as my router is my DHCP server. Time to allow it through :D

Blast, how do I do it on a Belkin 70something something? Bah, all the internal menus are the same anyway :D

Walshicus
05-06-2007, 22:55
Brilliant. Got loads of 10.X.X.1 IPs on my DoS log. Didn't know what they are and didn't need them as my router is my DHCP server. Time to allow it through :D

Blast, how do I do it on a Belkin 70something something? Bah, all the internal menus are the same anyway :D

I too am getting the same logs, and the same internet failures every 30 to 60 minutes. It's incredibly annoying. I have tried turning my firewall on and off. I've turned DMZ on and off. I've done all combinations I can think of; reset my modem before my router, my router before my modem...

There must be something wrong with these Belkin routers and VM.

hokkers999
06-06-2007, 11:16
Hi,
I too have a Belkin Model: F5D7230-4.
I see them ....

They're safe to ignore, it's any other IPs other than them.
Example

The only thing safe to ignore is the IP of the modem, ANYTHING else is suspect. Having a 10.x.x.x address simply means that it is local to your head end, it doesn't mean that it isn't an attack on you. Belkin isn't the best kit, if you can, switch to a Linksys (Cisco) and if you want total control then replace the firmware with DD-WRT(?).
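
Added example, not part of any post in the thread: a small Python triage script for the Belkin log format quoted above. It groups entries by source, labels each source as the modem, an RFC 1918 address, or a public address, and reports the gaps between entries; the function names and the `modem_ips` parameter are assumptions of this example, and the private-range label is a category, not a verdict that the traffic is benign, as the last reply points out.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the log excerpts posted in the thread.
SAMPLE_LOG = """\
Wed Feb 23 20:38:13 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:38:17 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:38:25 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:38:41 2005 1 Blocked by DoS protection 10.14.32.1
Wed Feb 23 20:41:12 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:22 2005 1 Blocked by DoS protection 192.168.100.1
Wed Feb 23 20:41:32 2005 1 Blocked by DoS protection 192.168.100.1
Mon Mar 14 13:41:59 2005 1 Blocked by DoS protection 216.194.5.31 << not good
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) +\d+ +"
    r"Blocked by DoS protection +(?P<ip>\S+)"
)

def classify(ip, modem_ips):
    """Label a source; modem_ips is supplied by the user (assumption)."""
    if ip in modem_ips:
        return "modem"
    if ipaddress.ip_address(ip).is_private:
        return "private-upstream"   # e.g. a head-end address; still review it
    return "public"

def summarise(log_text, modem_ips=("192.168.100.1",)):
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # skip blank lines and other text
        try:
            ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                 # skip masked or malformed addresses
        ts = " ".join(m["ts"].split())
        seen[m["ip"]].append(datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"))
    report = {}
    for ip, stamps in seen.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[ip] = {"class": classify(ip, modem_ips), "count": len(stamps),
                      "gaps_s": gaps,
                      "fixed_interval": len(gaps) >= 2 and len(set(gaps)) == 1}
    return report

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info)
```

On these lines the modem entries arrive at a fixed 10-second interval while the 10.14.32.1 entries arrive at widening gaps, which is the kind of detail the router's own log view does not surface.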