kcj83

Invalid source IP address


Hi

 

Having some serious problems with my ADSL connection.

 

I have been receiving 100+ messages an hour from my firewall saying the following

 

"Intrusion: Invalid Source IP Address

Intruder: 255.255.255.255

Risk Level: Low

Source IP address: 255.255.255.255.This IP address is invalid.

Destination IP address:

Protocol: ICMP.

 

Click on the address to trace the attacker

You can get detailed information about this attack at Symantec Security Response"

 

I have tried the latest versions of the following:

 

Ad-aware, Spybot, McAfee version 8 Enterprise, Trend house scan, Norton Antivirus, Microsoft Anti Spyware, Panda online virus scan.

 

I have also tried blocking all ICMP traffic on my firewall but this still hasn't worked.

 

I have tried HijackThis and have not noticed anything unusual either.

 

I also play an online RPG and I am not sure if this is connected in some way, as the online servers had DoS/DDoS attacks recently.

 

I have also called my ISP who were unable to help me!

 

Can anyone shed some light on the situation?

 

 

Thank you

Edited by kcj83


I'm seeing the IP address 255.255.255.255 in my reject log

http://secinf.net/firewalls_and_VPN/FAQ_Fi...eeing_.html#3.2

 

This is happening a lot these days as more and more people use DSL or cable-modem connections. The reason is that unlike point-to-point connections (like T-1, frame relay, etc.), these new high-speed technologies drop you onto an ATM VLAN, which is a single broadcast domain. In fact, many cable-modem users are seeing multiple megabytes of traffic per day simply from such broadcasts.

 

You must remember that such packets MUST be local. Routers (generally) refuse to forward packets with the IP address of 255.255.255.255. This address is known as a "local broadcast" for this reason: it never travels past the local segment (or these days, the local "virtual" segment).

 

What are these packets for?

 

Check the list of ports at the top of this document. If it is not listed there, then the only way to figure this out is to capture them with a sniffer and view their contents.

 

For example, a common service that runs with a random port number is CORBA IIOP packets. Many services run at port 535, but it is frequently reconfigured to broadcast on other ports. If you look at the hex dump in the sniffer, you will see the letters "IIOP" somewhere in the contents.

 

In any case, this is rarely something to be concerned about. In fact, it advertises something about the person sending the traffic that can be used to hack them. Hackers rarely attack their own neighborhoods (because it is easy to detect), so it probably is accidental, not malicious.

 

It should be noted that with today's ATM networks, the source of the broadcast may not even be in the same state as you are; they may be hundreds of miles away. The word "local" means in terms of the network topology, not distance.
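A sketch of the "capture them with a sniffer and view their contents" step from the post above, added here as an example and not part of the original thread: it parses raw IPv4 packets, flags the 255.255.255.255 cases, and looks for the "IIOP" string. The function names `triage` and `build_ipv4` and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4(src, dst, proto, payload):
    """Build a sample IPv4 packet (checksum left at 0; constructed test data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def triage(packet, markers=(b"IIOP",)):
    """Parse one raw IPv4 packet and note why a firewall may have logged it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    payload = packet[ihl:max(ihl, min(total_len, len(packet)))]
    notes = []
    if src == LIMITED_BROADCAST:
        notes.append("source is 255.255.255.255, which is invalid as a source")
    if dst == LIMITED_BROADCAST:
        notes.append("local broadcast: sender is on the same (virtual) segment")
    for marker in markers:  # "IIOP" is the string the post says to look for
        if marker in payload:
            notes.append("payload contains " + marker.decode("ascii"))
    return {"src": str(src), "dst": str(dst),
            "proto": PROTOCOLS.get(packet[9], str(packet[9])), "notes": notes}


# Constructed samples (documentation addresses), not captured traffic.
UDP_DATA = b"\x00\x00IIOP\x00\x00"
SAMPLES = [
    build_ipv4("255.255.255.255", "192.0.2.10", 1, b"\x08\x00\xf7\xff\x00\x00\x00\x00"),
    build_ipv4("192.0.2.77", "255.255.255.255", 17,
               struct.pack("!HHHH", 1024, 1024, 8 + len(UDP_DATA), 0) + UDP_DATA),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(triage(pkt))
```

The first sample mirrors the alert in the opening post (ICMP with a 255.255.255.255 source); the second is a broadcast destination carrying the marker string.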


Any idea how I could stop this?

 

I also noticed this is coming up on intrusion logs rather than reject?

Edited by kcj83


Any idea how I could stop this?

I don't know if you can. I think that's how DSL works.

Maybe someone with DSL experience can tell you for sure.


It only started yesterday and since then I can't log into the MMORPG that I'm very addicted to. Besides that, all I notice is my bandwidth is very slow; it took an hour to download Ad-aware!

 

Do you think it should be my ISP that deals with this?


It only started yesterday and since then I can't log into the MMORPG that I'm very addicted to. Besides that, all I notice is my bandwidth is very slow; it took an hour to download Ad-aware!

 

Do you think it should be my ISP that deals with this?

I would say yes, contact your ISP. However, the techs that you call on the phone are not really trained to handle this type of issue; that's probably why they couldn't help you earlier. Try emailing your ISP abuse department and include your firewall logs.


Thanks for that, I'll give it a go and probably give them another call on Monday

Try emailing their abuse department before calling them. If you are not sure of their email address, let me know who your ISP is and I'll find out.


I have been advised to try and use ZoneAlarm instead of Norton Firewall 2003 and this is giving me IP addresses of intrusion attempts.

In the last hour I have had 600+ attempts but what do I do now to prevent this?

 

My bandwidth is still being reduced and the attacks are endless!


Your connection is probably slow because Norton is using up all your CPU and disk to log the "attack" that really isn't an attack.

 

IMO, if you have XP SP2 you are protected as well as you need to be from any inbound intrusion attempt, especially if you already have a hardware firewall.

 

For outbound threats, ZoneAlarm may help but you can cause similar problems to Norton if you play with the settings. Don't think that you need to log everything. Logging takes CPU time and disk space.


The speed of my PC is not being greatly affected, and I did turn off Norton to see if things got better but they remained the same.

The bandwidth has been reduced dramatically. Although it's enough to surf the web, I just cannot log on to the MMORPG as it needs a decent amount of bandwidth. I know there is not a problem with their servers as many of my friends have not had any problems, and I can sometimes log on for a bit only to get timed out.

In just a couple of hours there have been 4500+ intrusion attempts; 126 were considered serious.

Unlike Norton, ZoneAlarm is giving me IP addresses and some DNS names but I don't understand what action I can take next.

I have rung my ISP countless times but without success.

So what should I do now?

I've been considering formatting my disk but there's like 10 hours of updates for the game and I don't even know if this will solve the problem!

Edited by kcj83


It is totally normal to have hundreds of "intrusion attempts" per hour on a cable or DSL line. They are nothing to worry about. Software firewalls generally should not post scary warnings about inbound attempts because they are so common. If you keep your system up to date with patches the attempts won't do anything.

 

Have you run a set of full tests at PC Pitstop? If you post your results maybe we'll see something unusual.

 

Did you say you have a hardware firewall? What model? If so I would suspect that whatever these packets are they are coming from INSIDE your own network, not from the DSL line.


No h/w firewall. The number of attempts just seemed unusually high, but maybe this is just a coincidence.

 

Which tests should I run?


I have tried another HDD with a fresh install but I'm still being hit by these attempts.

 

I ran some connection tests on both HDDs and the connection is not as bad as I first thought.

 

But I am still unable to log into the game, and this only started happening on Friday when these attempted attacks started.

 

I have talked to the customer service people of the game and they just can't give me an answer.

 

I've also asked a few friends if they've had any trouble but they seem to be able to log in just fine.

 

Any suggestions?

 

I might try a 56k connection today and see if I still have a problem logging in.

 

<edit> I tried a new ADSL modem last night for a change of MAC address and still no change, I am now really confused!

Edited by kcj83

