Networking & Wireless forum

Question

Not sure if TWC connection or security issue on network

by lalalynn / October 20, 2014 3:07 PM PDT

So I live in an apartment near campus shared with 3 other girls. Now I understand sometimes others might be hogging bandwidth with streaming and downloads potentially but lately (past few weeks) I see our speed throttled from 15mb down (what it should be and has been for the past few months pretty regularly) and it drops drastically during the speed test down to ~2-5mb download.

I felt this was ridiculous and I've contacted TWC about it a few times but I can't really tell if it's a combination of the latest modem issues/DNS servers dropping and the typical TWC speed declines during certain times of the day.

I checked out my logs on my Netgear router and I found something that seemed off. I noticed one computer on the network is constantly getting

[LAN access from remote] from 178.89.55.53:12561 to xxx.xxx.x.x:45712 Monday, Oct 20,2014 23:02:07

I see this every second/few seconds, SAME port. After some research I saw it could be related to the UPnP exploit so I disabled that. I also disabled this port for that IP address since I didn't see it occurring on any other device on the network.

I thought this might have fixed the issue but I can't tell at the moment because I watch downdetector.com and noticed there are some problems in this area as well.

I'm still experiencing download speed throttled to about 5mb.

Anyone have some input if this is the correct course of action or some other potential ideas?

I also see some other lines in the router logs that seem suspicious
[Service blocked: ICMP_echo_req] from source 27.9.76.124, Monday, Oct 20,2014 23:15:41
[DHCP IP: (xxx.xxx.x.xx)] to MAC address x, Monday, Oct 20,2014 23:15:05 (this is probably my doing after blocking that port)

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [23.7.52.50], Monday, Oct 20,2014 23:11:19 (this I don't see as often but I see it frequently enough to be concerned.)


I proceeded to tell all my roommates to download Malwarebytes and Spybot Search and Destroy and run some scans to see if they can clear up the worst of the mess.


Am I overreacting?


All Answers

Answer
Not at all.
by R. Proffitt Forum moderator / October 20, 2014 3:14 PM PDT
Collapse -
Looks good
by lalalynn / October 20, 2014 5:11 PM PDT
In reply to: Not at all.

I run this and see how it works. I ended up excluding that computer from the network and saw a pretty drastic improvement so this resolution seems like it holds up.

I'll let you know how it works.

Still happening
by lalalynn / October 27, 2014 5:54 AM PDT
In reply to: Looks good

So after monitoring this for a week and trying to get everyone to properly run and remove any threats from their devices I'm still getting one annoying thing in the logs quite frequently.

[Service blocked: ICMP_echo_req] from source 174.89.172.181, Monday, Oct 27,2014 15:03:20
[Service blocked: ICMP_echo_req] from source 174.89.172.181, Monday, Oct 27,2014 15:00:23
[Service blocked: ICMP_echo_req] from source 76.17.202.156, Monday, Oct 27,2014 15:00:13
[Service blocked: ICMP_echo_req] from source 174.89.172.181, Monday, Oct 27,2014 14:53:06
[Service blocked: ICMP_echo_req] from source 174.89.172.181, Monday, Oct 27,2014 14:50:22
[Service blocked: ICMP_echo_req] from source 76.17.202.156, Monday, Oct 27,2014 14:50:19

Sometimes it's spammed every 5-10 seconds, sometimes it goes away for a few minutes, even hours. I can't really seem to see what's going on. I changed my DNS settings on the router to use OpenDNS servers since Time Warner Cable has been having issues keeping their DNS servers up in this area lately. I also opted for their security and phishing protection that is offered just to try and keep the worst out. Is this something related to that and I'm just not familiar with the process? Or is some device on the network still acting up somehow?

I still get random internet spikes every now and then, but every time I do a tracert I usually get unusually high ping from Time Warner Cable as well and I just can't tell if it's a combination of their service spiking at certain times too.

Any information is helpful.

Sorry but as those are from the internet
by R. Proffitt Forum moderator / October 27, 2014 10:05 AM PDT
In reply to: Still happening

It doesn't look out of the normal things everyone sees. Folk scan the web looking for machines to exploit. Since your device blocked it, all good.

There is something worth noting. Some folk run a torrent and then explode over the denial of service attacks on their connection. Just saying.
Bob

No need to get sassy
by lalalynn / October 27, 2014 11:51 AM PDT

Well, this is the first time I've shared a network with roommates and not people I'm familiar with. I don't ever remember seeing anything as weird as this. I assumed the server being blocked was fine security-wise, but the fact that it was happening so often sketched me out and made me think it was affecting our bandwidth. I think Time Warner has also been having issues; that's why I wanted to figure out if it was just my apartment or the entire area. Looks like it's just Time Warner, or probably someone on the network is just hogging all the bandwidth, which I wouldn't be surprised by either.

Sorry if I'm skeptical when I see things like this Silly I take online classes and work from home mostly so yes a steady internet connection is pretty important. Especially when there are times where every time I advance a page it loses connection and I then have to refresh and start the section over.

Where was the sass?
by R. Proffitt Forum moderator / October 27, 2014 11:55 AM PDT
In reply to: No need to get sassy

I guess you are new to this area and to clear up a common DOS cause I wanted to be sure this wasn't another torrent user looking for help. I'm unsure why they ask.

-> The online course thing. Time to see if it's the other users. Try it with the internet all to yourself.
Bob
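
An added example, not part of the thread or any poster's code: a small Python parser for the router log format quoted in the posts above, separating entries where outside traffic reached a LAN host from entries the router dropped. It assumes that `[LAN access from remote]` means the packet was forwarded to the LAN address shown, while `[Service blocked]` and `[DoS attack]` were stopped at the router; the sample lines and all addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the thread; all addresses
# are documentation/private-range placeholders, not values from the posts.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.53:12561 to 192.168.1.5:45712 Monday, Oct 20,2014 23:02:07
[LAN access from remote] from 203.0.113.53:12561 to 192.168.1.5:45712 Monday, Oct 20,2014 23:02:05
[Service blocked: ICMP_echo_req] from source 198.51.100.124, Monday, Oct 20,2014 23:15:41
[DHCP IP: (192.168.1.12)] to MAC address 00:00:5E:00:53:01, Monday, Oct 20,2014 23:15:05
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [198.51.100.50], Monday, Oct 20,2014 23:11:19
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Line shape: "[event: detail] body[,] Weekday, Mon DD,YYYY HH:MM:SS"
LINE = re.compile(r"^\[([^\]:]+)(?::\s*([^\]]*))?\]\s*(.*?),?\s*\w+, \w{3} \d{1,2},\d{4} [\d:]{8}$")
FLOW = re.compile(rf"from ({IPV4}):(\d+) to ({IPV4}):(\d+)")

def summarize(log_text):
    """Count forwarded vs. dropped inbound events; DHCP and other local events are ignored."""
    passed = Counter()   # (lan_ip, lan_port, remote_ip) -> hits; assumed forwarded inward
    dropped = Counter()  # (event, remote_ip) -> hits; assumed stopped at the router
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unknown line shape: skip rather than guess
        event, _detail, body = m.groups()
        if event == "LAN access from remote":
            flow = FLOW.search(body)
            if flow:
                src, _sport, dst, dport = flow.groups()
                passed[(dst, int(dport), src)] += 1
        elif event in ("Service blocked", "DoS attack"):
            ip = re.search(IPV4, body)
            if ip:
                dropped[(event, ip.group())] += 1
    return passed, dropped

def hosts_to_check(log_text):
    """LAN hosts and ports that outside traffic is being forwarded to."""
    passed, _ = summarize(log_text)
    return sorted({(dst, port) for dst, port, _src in passed})

if __name__ == "__main__":
    passed, dropped = summarize(SAMPLE_LOG)
    for (dst, port, src), n in passed.items():
        print(f"FORWARDED to {dst}:{port} from {src}: {n} hits (review UPnP/port-forward rules)")
    for (event, src), n in dropped.items():
        print(f"dropped at router [{event}] from {src}: {n} hits")
```

Entries in the forwarded group point at a specific LAN device and port to look at first; the dropped group is traffic the router already refused.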
