Banda Ancha EU

User community for fibre, mobile and ADSL

Problem "UDP BOMB ATTACK"

    Hi everyone. At home we have Vodafone ADSL, and there are always between 4 and 8 devices connected to the router (Windows, Linux, phones, my Mac Mini and my MacBook). The problem always comes from the MacBook, which has the local IP 192.168.1.192 assigned, always fixed.

    The MacBook has the latest version of Snow Leopard installed with all updates and, as far as I know, no malware or anything like it (the Mac Mini has Lion).

    These messages appear continuously in the router's firewall log:

    Firewall log
    Nov 1 22:09:18 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:04 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:12 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:28 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:28 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:28 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:32:22 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:55:50 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:01 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:01 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:09 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:09 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 01:06:08 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 01:13:53 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 01:52:06 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 02:14:10 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 02:26:57 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:03 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:13 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:13 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:21 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 02:59:49 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 03:31:21 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 03:40:27 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
    Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:43 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:47 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:05:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:06:11 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:06:11 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:06:11 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
    Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.

    If I look up the destination IP with a WhoIs I get the following:

    NetRange: 224.0.0.0 - 239.255.255.255
    CIDR: 224.0.0.0/4
    OriginAS:
    NetName: MCAST-NET
    NetHandle: NET-224-0-0-0-1
    Parent:
    NetType: IANA Special Use
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 3171 for additional information.
    RegDate: 1991-05-22
    Updated: 2002-09-16
    Ref: whois.arin.net/rest/net/NET-224-0-0-0-1

    OrgName: Internet Assigned Numbers Authority
    OrgId: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US
    RegDate:
    Updated: 2004-02-24
    Ref: whois.arin.net/rest/org/IANA

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail:
    OrgTechRef: whois.arin.net/rest/poc/IANA-IP-ARIN

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail:
    OrgAbuseRef: whois.arin.net/rest/poc/IANA-IP-ARIN

    On the other hand, for the ones attacking my IP (which is static), this is what I get if I run a Whois:
    inetnum: 218.76.128.0 - 218.76.143.255
    netname: CHINANET-HN-LD
    country: CN
    descr: CHINANET-HN LouDi node network
    descr: hunan Telecom
    admin-c: CHL26-AP
    tech-c: CH636-AP
    status: ALLOCATED NON-PORTABLE
    changed: 20050914
    mnt-by: MAINT-CHINANET-HN
    mnt-lower: MAINT-CHINANET-HN-LD
    source: APNIC

    role: CHINANET HuNan LouDi
    address: No.26 ChangQing middle street Loudi,Hunanan 417000
    country: CN
    phone: +86 738 8228833
    fax-no: +86 738 8227079
    e-mail:
    trouble: send spam reports to
    trouble: and abuse reports to
    trouble: Please include detailed information and
    trouble: times in UTC
    admin-c: LD228-AP
    tech-c: LD228-AP
    nic-hdl: CHL26-AP
    mnt-by: MAINT-CHINANET-HN-LD
    changed: 20050818
    source: APNIC

    role: CHINANET HUNAN
    address: No.1 TuanJie road,ChangSha,Hunan 410005
    country: CN
    phone: +86 731 4792092
    fax-no: +86 731 4792007
    e-mail:
    trouble: send spam reports to
    trouble: and abuse reports to
    trouble: Please include detailed information and
    trouble: times in UTC
    admin-c: CH632-AP
    tech-c: CS499-AP
    nic-hdl: CH636-AP
    mnt-by: MAINT-CHINANET-HN
    changed: 20050816
    source: APNIC

    And I'm stuck; I can't get any further than this. A little help, please!

    • And what do you want to do? It doesn't have to be anything bad; you're probably using torrent or something similar and they're trying to connect to you... or they're hammering you directly, but anyway, there's nothing to be done.

    • BocaDePez

      You know how to run a WhoIs, but you don't know how to read the results. If it's a multicast IP, it isn't the IP of a machine on the Internet.

      You would have found more information by putting the IP straight into Google. The results that come up talk precisely about Macs. I don't know whether the log hides the port in question or whether you removed it when pasting it here on the forum, but if it's 5353, the process that is constantly hammering your network is Apple's Bonjour.

      (broken link) … /DTS40009974

      As for the Chinese machines, knowing which vulnerability they were looking for depends on the port (if they were looking for anything at all; there are also legitimate UDP connections such as eMule's Kademlia or uTorrent's DHT). But anyway, if the router does NAT for you, don't worry: it won't get past it.

      As I said, if you tell us which port it is, we can give you more information. Otherwise, no.
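      The triage the reply above does by hand (is the destination a multicast group or a real host, is the source inside the LAN or outside it) can be automated over the router's own `[fwlog]` lines. The following is an added example and not code from the thread or from the router vendor: it parses lines of the shape shown in the first post, treats anything in 224.0.0.0/4 as multicast and 224.0.0.251 specifically as the mDNS/Bonjour group (UDP 5353, which this log format does not show), and flags only public-source entries as unsolicited external traffic. The sample lines embedded in the block are copied from the post; the redacted `Mi IP` placeholder is handled as a non-parseable destination rather than failing.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a handful of the router's [fwlog] lines from the post above,
# including the redacted "Mi IP" destination, so both branches are exercised.
SAMPLE_LOG = """\
Nov 1 22:09:18 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:32:22 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
Nov 2 01:06:08 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=Mi IP.
Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
"""

# One fwlog record: "<Mon> <d> <hh:mm:ss> kernel: [fwlog] <event>, SRC=<a> DST=<b>."
FWLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) kernel: \[fwlog\] "
    r"(?P<event>.+?), SRC=(?P<src>\S+) DST=(?P<dst>.+?)\.?$"
)

MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")      # all IPv4 multicast
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")         # mDNS / Bonjour, UDP 5353


def parse_line(line):
    """Return the fields of one fwlog line as a dict, or None if it does not match."""
    m = FWLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(src, dst):
    """Label a (src, dst) pair the way a defender would triage it."""
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable-source"
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        dst_ip = None  # e.g. the redacted "Mi IP" placeholder in the post
    if dst_ip is not None and dst_ip in MULTICAST_NET:
        if src_ip.is_private:
            # A LAN host talking to the mDNS group is service discovery, not an attack.
            return "lan-host-mdns-bonjour" if dst_ip == MDNS_GROUP else "lan-host-multicast"
        return "external-multicast"  # multicast from a public source: unusual, worth a look
    if src_ip.is_private:
        return "lan-host-unicast"
    return "external-unsolicited"    # public source hitting the WAN side; NAT drops it


def triage(log_text):
    """Count fwlog records per (label, src, dst); unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(classify(rec["src"], rec["dst"]), rec["src"], rec["dst"])] += 1
    return counts


if __name__ == "__main__":
    for (label, src, dst), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:4d}  {label:24s} {src} -> {dst}")
```

      Running it on the full log from the first post groups the hundreds of identical 192.168.1.192 -> 224.0.0.251 entries under a single `lan-host-mdns-bonjour` line, which is the conclusion the reply reaches, and leaves the 218.76.138.156 entries as the only externally sourced ones to decide about.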

    • Solved; I had Bonjour account lookup enabled in iChat. Disabling Bonjour in iChat made the firewall stop logging the UDP BOMB ATTACK entries from the MacBook.

      The other ones I suppose are random external attacks, or whatever....

      Thanks, everyone.