# DoS Attack?



## JHY-IC (Oct 5, 2005)

I use ZoneAlarm Professional v7.x.x and I have been noticing the little green and yellow bars that appear in the system tray, and a little red flashing icon is also appearing. When I look at the logs, there is nothing there. When I check my Belkin router security log, I have a BUNCH of the following entries:

Mon Nov 12 10:16:18 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:18 2007 1 Blocked by DoS protection 68.87.68.163
Mon Nov 12 10:16:19 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:16:19 2007 1 Blocked by DoS protection 68.87.68.165
Mon Nov 12 10:16:20 2007 1 Blocked by DoS protection 68.87.74.164
Mon Nov 12 10:16:23 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:31 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:36 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:39 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:44 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:46 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:47 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:50 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:59 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:16:59 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:02 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:07 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:11 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:17 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:32 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:32 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:34 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:38 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:38 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:40 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:41 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:44 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:45 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:45 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:46 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:47 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:17:50 2007 1 Blocked by DoS protection 73.238.234.1 

Here are a few more recent with a new IP:

Mon Nov 12 10:35:46 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.68.164
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:35:49 2007 1 Blocked by DoS protection 68.87.68.164
Mon Nov 12 10:35:53 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:35:53 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:35:53 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:35:54 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:35:54 2007 1 Blocked by DoS protection 73.238.234.1 

This has been going on since yesterday. I have not noticed a decrease in internet performance. I am concerned that this could be an attack.

Is there any way to further investigate this?

Joseph


----------



## Sgt_Grim_Reaper (Nov 11, 2004)

I'm thinking maybe 73.238.234.1 is the attacker's IP maybe? Anyone else know?


----------



## JHY-IC (Oct 5, 2005)

I did a WhoIs on the IP and it appears to be my Internet provider.


----------



## JHY-IC (Oct 5, 2005)

And they continue...

Mon Nov 12 11:55:15 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:17 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:20 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:21 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:29 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:38 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:39 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:44 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:45 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:47 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:50 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:50 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:52 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:54 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:56 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:55:58 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:05 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:14 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:17 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:17 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:22 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:24 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:32 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:35 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:35 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:37 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:37 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:38 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:39 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:45 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:46 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 11:56:46 2007 1 Blocked by DoS protection 73.238.234.1

I forgot to mention that the ZoneAlarm firewall is not showing any alerts in its logs. The security logs are coming from my Belkin router.


----------



## JHY-IC (Oct 5, 2005)

Here are a few lines from my ZoneAlarm Pro "Firewall" log:

Packet sent from 192.168.2.1 (TCP Port 3086) to 192.168.2.2 (TCP Port 2869) was blocked
Packet sent from 192.168.2.1 (TCP Port 3085) to 192.168.2.2 (TCP Port 2869) was blocked
Packet sent from 192.168.2.1 (TCP Port 3084) to 192.168.2.2 (TCP Port 2869) was blocked
Packet sent from 192.168.2.1 (TCP Port 3083) to 192.168.2.2 (TCP Port 2869) was blocked
Packet sent from 192.168.2.1 (TCP Port 3079) to 192.168.2.2 (TCP Port 2869) was blocked


----------



## Sgt_Grim_Reaper (Nov 11, 2004)

It's blocking a DoS attack from your own provider?


----------



## kinbard (Jul 1, 2006)

DoS blocks are pretty common events. Just to be safe, pull yourself from the internet and do some security scans. It's possible you are the one sending out the DoS.


----------
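Added example, not part of any post in this thread: one way to follow up on the "further investigate" question is to tally the router's DoS-protection entries per source address and the firewall's blocked packets per flow. The sample lines are copied from the logs quoted above; the function names and summary fields are illustrative choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address

# Sample lines copied from the Belkin router log quoted in the thread.
ROUTER_LOG = """\
Mon Nov 12 10:35:46 2007 1 Blocked by DoS protection 73.238.234.1
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.68.164
Mon Nov 12 10:35:48 2007 1 Blocked by DoS protection 68.87.74.165
Mon Nov 12 10:35:53 2007 1 Blocked by DoS protection 73.238.234.1
"""
# Sample lines copied from the ZoneAlarm firewall log quoted in the thread.
FIREWALL_LOG = """\
Packet sent from 192.168.2.1 (TCP Port 3086) to 192.168.2.2 (TCP Port 2869) was blocked
Packet sent from 192.168.2.1 (TCP Port 3085) to 192.168.2.2 (TCP Port 2869) was blocked
"""
ROUTER_RE = re.compile(
    r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \d+ Blocked by DoS protection (\S+)\s*$")
FIREWALL_RE = re.compile(
    r"^Packet sent from (\S+) \((\w+) Port \d+\) to (\S+) \(\w+ Port (\d+)\) was blocked\s*$")

def summarize_router(text):
    """Per source: hit count, first/last time, busiest minute, private-range flag."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        try:
            src = ip_address(m.group(2)) if m else None
        except ValueError:
            src = None  # malformed address field: skip the line
        if src is not None:
            hits[src].append(datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"))
    return {str(src): {"count": len(t), "first": min(t), "last": max(t),
                       "peak_per_minute": max(Counter(x.replace(second=0) for x in t).values()),
                       "private": src.is_private}
            for src, t in hits.items()}

def summarize_firewall(text):
    """Count blocked packets per (source, destination, protocol, destination port)."""
    flows = Counter()
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m:  # source ports change per attempt, so they are left out of the key
            flows[(m.group(1), m.group(3), m.group(2), int(m.group(4)))] += 1
    return flows

if __name__ == "__main__":
    print(summarize_router(ROUTER_LOG), dict(summarize_firewall(FIREWALL_LOG)), sep="\n")
```

Feeding the full router log through `summarize_router` gives the short list of public sources worth a WhoIs lookup, as was done for 73.238.234.1 earlier in the thread.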

