Banda Ancha EU

User community for fibre, mobile and ADSL


"UDP BOMB ATTACK" problem

mgoreiro

Hi guys. At home we have Vodafone ADSL, and there are always between 4 and 8 devices connected to the router (Windows, Linux, phones, my MacMini and my MacBook). The problem always comes from the MacBook, which is assigned the local IP 192.168.1.192, always fixed.

The MacBook has the latest version of Snow Leopard installed with all updates and, as far as I know, no malware or anything of the sort (the MacMini has Lion).

These messages show up continuously in the router's firewall:

Firewall log
Nov 1 22:09:18 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:54 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:43:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:04 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:12 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:28 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:28 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:28 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:44:49 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:45:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:32:22 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:44 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:55:50 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:01 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:01 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:09 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:09 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:56:41 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:57:45 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 01:06:08 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 01:13:53 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 01:52:06 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 02:14:10 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 02:26:57 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:39:58 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:00 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:03 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:13 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:13 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:21 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:40:53 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:41:57 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 02:59:49 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 03:31:21 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 03:40:27 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:37 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:38 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:43 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:47 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:05:55 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:06:11 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:06:11 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:06:11 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:06:31 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 08:07:35 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.

If I look up the destination IP with a WhoIs, I get the following:

NetRange: 224.0.0.0 - 239.255.255.255
CIDR: 224.0.0.0/4
OriginAS:
NetName: MCAST-NET
NetHandle: NET-224-0-0-0-1
Parent:
NetType: IANA Special Use
Comment: This block is reserved for special purposes.
Comment: Please see RFC 3171 for additional information.
RegDate: 1991-05-22
Updated: 2002-09-16
Ref: whois.arin.net/rest/net/NET-224-0-0-0-1

OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
RegDate:
Updated: 2004-02-24
Ref: whois.arin.net/rest/org/IANA

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail:
OrgTechRef: whois.arin.net/rest/poc/IANA-IP-ARIN

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail:
OrgAbuseRef: whois.arin.net/rest/poc/IANA-IP-ARIN

Whereas for the ones attacking my IP (which is static), this is what I get if I do a Whois:
inetnum: 218.76.128.0 - 218.76.143.255
netname: CHINANET-HN-LD
country: CN
descr: CHINANET-HN LouDi node network
descr: hunan Telecom
admin-c: CHL26-AP
tech-c: CH636-AP
status: ALLOCATED NON-PORTABLE
changed: 20050914
mnt-by: MAINT-CHINANET-HN
mnt-lower: MAINT-CHINANET-HN-LD
source: APNIC

role: CHINANET HuNan LouDi
address: No.26 ChangQing middle street Loudi,Hunanan 417000
country: CN
phone: +86 738 8228833
fax-no: +86 738 8227079
e-mail:
trouble: send spam reports to
trouble: and abuse reports to
trouble: Please include detailed information and
trouble: times in UTC
admin-c: LD228-AP
tech-c: LD228-AP
nic-hdl: CHL26-AP
mnt-by: MAINT-CHINANET-HN-LD
changed: 20050818
source: APNIC

role: CHINANET HUNAN
address: No.1 TuanJie road,ChangSha,Hunan 410005
country: CN
phone: +86 731 4792092
fax-no: +86 731 4792007
e-mail:
trouble: send spam reports to
trouble: and abuse reports to
trouble: Please include detailed information and
trouble: times in UTC
admin-c: CH632-AP
tech-c: CS499-AP
nic-hdl: CH636-AP
mnt-by: MAINT-CHINANET-HN
changed: 20050816
source: APNIC

And I'm stuck; I can't get any further than this. A little help, please!
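Added example, not part of the thread: the router only logs SRC and DST, so everything a reader can do with these lines is classify the two addresses. The script below parses lines in the exact "[fwlog] Udp bomb attack" format quoted above, buckets each address (224.0.0.251 is the mDNS/Bonjour multicast group, the rest of 224.0.0.0/4 is other multicast, RFC 1918 space is the LAN, anything else is the public Internet), aggregates per SRC/DST pair and reports how many hits land in the same second, which is what a rate-based "bomb" heuristic trips on. The sample lines are constructed in the log's format; "My IP" is the poster's own redaction of the WAN address and is kept as a non-address.

```python
"""Triage the router's "[fwlog] Udp bomb attack" lines by who is talking to whom.

Added example, not from the thread. Classification is purely by address class,
because the router does not log ports.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the same format as the router log quoted in the post.
# "My IP" is the poster's redaction of the WAN address, kept verbatim.
SAMPLE_LOG = """\
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:22 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 1 22:10:27 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.192 DST=224.0.0.251.
Nov 2 00:32:22 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
Nov 2 01:06:08 kernel: [fwlog] Udp bomb attack, SRC=218.76.138.156 DST=My IP.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d) kernel: \[fwlog\] "
    r"(?P<msg>[^,]+), SRC=(?P<src>\S+) DST=(?P<dst>.+?)\.?$"
)
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")


def classify(addr: str) -> str:
    """Bucket an address; non-addresses (the poster's "My IP") are 'redacted'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "redacted"
    if ip == MDNS_GROUP:
        return "mdns-multicast"      # mDNS / Bonjour group, UDP 5353
    if ip.is_multicast:
        return "multicast"           # rest of 224.0.0.0/4 (MCAST-NET in whois)
    if ip.is_private:
        return "lan"                 # RFC 1918
    return "internet"


def parse(text: str) -> list:
    """Return one dict (ts, msg, src, dst) per recognised fwlog line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def verdict(src_class: str, dst_class: str) -> str:
    if src_class == "lan" and dst_class == "mdns-multicast":
        # A LAN host querying or announcing over mDNS; a burst of multicast
        # is exactly what a rate-based "bomb" heuristic misreads as an attack.
        return "lan-host-mdns"
    if src_class == "internet" and dst_class in ("redacted", "internet"):
        # Unsolicited traffic at the WAN side: background scans or P2P strays.
        # With NAT and no port forwards the router drops it at the edge.
        return "inbound-unsolicited"
    return "review"


def triage(text: str) -> dict:
    """Aggregate by (SRC, DST): count, first/last seen, peak per second, verdict."""
    total = Counter()
    per_second = Counter()
    first, last = {}, {}
    for ev in parse(text):
        key = (ev["src"], ev["dst"])
        total[key] += 1
        per_second[(key, ev["ts"])] += 1
        first.setdefault(key, ev["ts"])
        last[key] = ev["ts"]
    report = {}
    for key, n in total.items():
        s, d = classify(key[0]), classify(key[1])
        report[key] = {
            "count": n,
            "first": first[key],
            "last": last[key],
            "max_per_second": max(c for (k, _), c in per_second.items() if k == key),
            "src_class": s,
            "dst_class": d,
            "verdict": verdict(s, d),
        }
    return report


if __name__ == "__main__":
    for (src, dst), r in triage(SAMPLE_LOG).items():
        print(f"{src:>16} -> {dst:<14} {r['count']:>3} hits, "
              f"peak {r['max_per_second']}/s, {r['verdict']}")
```

Run against the full log above, the MacBook's lines all collapse into one "lan-host-mdns" bucket with bursts of five in a single second, and the 218.76.138.156 lines into one "inbound-unsolicited" bucket with a few hits per hour, which is the whole story the whois lookups could not tell.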

333

And what do you want to do? It doesn't have to be anything bad; you're surely using Torrent or something similar and they're trying to connect to you... or they're hammering you directly, but anyway, there's nothing to be done about it.

BocaDePez

You know how to do a WhoIs, but you don't know how to read the results. If it's a Multicast IP, it isn't the IP of a machine on the Internet.

You would have found more information by putting the IP straight into Google. The results that come up talk precisely about Macs. I don't know whether the log hides the port in question, or whether you removed it when pasting it here on the forum, but if it's 5353, the process that's constantly hammering your network is Apple's Bonjour.

(broken link) … /DTS40009974

As for the Chinese machines, it depends on the port to know what vulnerability they were looking for (if they were looking for anything at all; there are also legitimate UDP connections such as eMule's Kademlia or uTorrent's DHT). But anyway, if the router is doing NAT for you, don't worry, it goes no further than that.

As I said, if you tell us which port it is, we'll be able to give you more information. Otherwise, no.

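Added example, not from the thread or from Apple: the reply above says the traffic is Bonjour on UDP 5353 if the port matches, so this is what one of those datagrams looks like on the wire, built and decoded with nothing but the standard library. `build_mdns_query` produces a one-question PTR query of the kind a Bonjour browser sends to 224.0.0.251:5353, `parse_mdns` decodes the header and question section (including RFC 1035 compression pointers, which mDNS responses use heavily), and `looks_like_bonjour` is the check a capture script would apply to each UDP datagram before deciding the router's "attack" is service discovery. The service type `_presence._tcp.local` is used here as the one iChat advertised over Bonjour; the posts never name it, so treat it as an assumption.

```python
"""Build and decode the kind of datagram behind the log lines: an mDNS
(Bonjour) query sent to 224.0.0.251 on UDP 5353.

Added example, not from the thread or from Apple. "_presence._tcp.local"
is assumed to be iChat's Bonjour service type; the thread never names it.
"""
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
QTYPE_PTR = 12      # PTR queries are how Bonjour browses for a service type
QCLASS_IN = 1
QU_BIT = 0x8000     # mDNS "unicast response requested" flag, top bit of QCLASS


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_mdns_query(service: str, unicast_response: bool = False) -> bytes:
    """One-question mDNS query: ID 0 and flags 0, as RFC 6762 prescribes."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = QCLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", QTYPE_PTR, qclass)


def decode_name(data: bytes, offset: int, depth: int = 0):
    """Return (name, next_offset); follows RFC 1035 compression pointers."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            ptr = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            tail, _ = decode_name(data, ptr, depth + 1)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        if length & 0xC0:                               # 01/10xxxxxx: reserved
            raise ValueError("reserved label type")
        labels.append(data[offset + 1:offset + 1 + length].decode("utf-8"))
        offset += 1 + length


def parse_mdns(payload: bytes) -> dict:
    """Decode the header and question section of an mDNS/DNS datagram."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack_from(
        "!HHHHHH", payload, 0)
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        qtype, qclass = struct.unpack_from("!HH", payload, offset)
        offset += 4
        questions.append({
            "name": name,
            "qtype": qtype,
            "qclass": qclass & 0x7FFF,
            "unicast_response": bool(qclass & QU_BIT),
        })
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),
        "qdcount": qdcount,
        "ancount": ancount,
        "questions": questions,
    }


def looks_like_bonjour(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """True for what the router is flagging: a DNS-shaped UDP payload sent to
    224.0.0.251:5353. Other ports or malformed data are not mDNS."""
    if dst_ip != MDNS_GROUP or dst_port != MDNS_PORT:
        return False
    try:
        parse_mdns(payload)
    except (ValueError, IndexError, struct.error):
        return False
    return True


if __name__ == "__main__":
    pkt = build_mdns_query("_presence._tcp.local")
    print(pkt.hex())
    print(parse_mdns(pkt))
    print(looks_like_bonjour(MDNS_GROUP, MDNS_PORT, pkt))
```

When capturing on the MacBook itself, the equivalent Wireshark display filter is `udp.port == 5353 && ip.dst == 224.0.0.251`, and for tcpdump the capture filter `udp port 5353`; the question names in those packets tell you which application is doing the browsing.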
BocaDePez

BandaAncha's parser doesn't understand the link to Apple's website. I've shortened it for you here: developer.apple.com/library/archive

mgoreiro

The router's firewall doesn't tell me the port, but I'm going to install Wireshark and trace the packets to see if I can get the port; and disabling Bonjour would solve it...

mgoreiro

Solved; I had Bonjour account discovery enabled in iChat. As soon as I disabled Bonjour in iChat, the firewall stopped logging the UDP BOMB ATTACK entries from the MacBook.

The other stuff I suppose will be random external attacks, or whatever....

Thanks, guys.