While troubleshooting a flaky Comcast/Xfinity Internet connection, I noticed lots of firewall log entries indicating a sustained ICMP Flooding attack from two IPs over at least a couple days.
It turned out these were a VoIPspear false alarm.
VoIPspear charts were showing what are probably spurious results: consistent 50%-60% packet loss (and thus an MOS of just 1.5), every hour, for days, while the connection was regularly testing at 50Mbps or so via speedtest.net. Today I'm getting much better results: mostly ~10% packet loss.
My initial guess/interpretation was that the router or something was blocking what it thought was an ICMP flood attack. But the better results occur even though the router continues to log DDoS attacks. Mysterious.
Router log entries were like this:
2016/4/20 10:19:28 Notice Firewall[248]: DoS Attack - ICMP Flooding IN=erouter0 OUT= MAC=munged SRC=162.243.146.179 DST=munged LEN=84 TOS=00 PREC=0x20 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=xxxx SEQ=11
I post VoIP Spear / VoIPspear's probe IPs here so the next time someone googles any of these IPs, having found them in their logs, they'll probably be able to figure out what's up.
IP Address
North America: Central 209.20.73.234
North America: East 97.107.131.83
North America: West 74.207.244.81
San Francisco 162.243.146.179
New York 162.243.87.191
Chicago 158.255.213.177
Vancouver, Canada 162.223.226.128
Miami 104.207.145.85
Europe
Amsterdam 146.185.165.80
London 37.235.54.150
Moscow 213.183.56.206
Paris 151.236.21.218
Frankfurt 151.236.15.38
Asia Pacific
Hong Kong 158.255.208.62
Chennai, India 103.6.87.82
Singapore 128.199.249.72
Japan 106.185.39.118
South America
Viña del Mar, Chile 37.235.52.133
São Paulo, Brazil 54.207.66.238
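An added example, not part of the original post: a small Python triage that reads router log lines in the format quoted above and separates "ICMP Flooding" alerts whose source is one of the listed VoIPspear probes from alerts with any other source. The function name and the sample log lines (apart from the first, which is the entry quoted in the post) are constructed for illustration.

```python
import re
from collections import Counter

# Probe addresses copied from the list in this post (region labels omitted).
VOIPSPEAR_PROBES = frozenset("""
209.20.73.234 97.107.131.83 74.207.244.81 162.243.146.179 162.243.87.191
158.255.213.177 162.223.226.128 104.207.145.85 146.185.165.80 37.235.54.150
213.183.56.206 151.236.21.218 151.236.15.38 158.255.208.62 103.6.87.82
128.199.249.72 106.185.39.118 37.235.52.133 54.207.66.238
""".split())

# Matches the router's "DoS Attack - ICMP Flooding" entries and captures
# the source address and the ICMP type.
ENTRY = re.compile(
    r"DoS Attack - ICMP Flooding\b.*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
    r".*?\bPROTO=ICMP TYPE=(?P<type>\d+)\b"
)

def triage(lines):
    """Count ICMP-flood alerts per source: (known probes, everything else)."""
    probes, unknown = Counter(), Counter()
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # not an ICMP-flood alert
        # Only echo requests (TYPE=8) from a listed address count as probe pings.
        is_probe = m["src"] in VOIPSPEAR_PROBES and m["type"] == "8"
        (probes if is_probe else unknown)[m["src"]] += 1
    return probes, unknown

# Constructed sample. Line 1 is the entry quoted in the post; the others are
# invented, and 203.0.113.7 is a documentation-range address.
FLOOD = "Notice Firewall[248]: DoS Attack - ICMP Flooding IN=erouter0 OUT= MAC=munged "
TAIL = " DST=munged LEN=84 TOS=00 PREC=0x20 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=xxxx SEQ="
SAMPLE_LOG = [
    "2016/4/20 10:19:28 " + FLOOD + "SRC=162.243.146.179" + TAIL + "11",
    "2016/4/20 10:19:29 " + FLOOD + "SRC=162.243.146.179" + TAIL + "12",
    "2016/4/20 10:19:30 " + FLOOD + "SRC=162.243.87.191" + TAIL + "3",
    "2016/4/20 10:19:31 " + FLOOD + "SRC=203.0.113.7" + TAIL + "1",
    "2016/4/20 10:20:01 Notice DHCP[101]: lease renewed",
]

if __name__ == "__main__":
    known, other = triage(SAMPLE_LOG)
    print("VoIPspear probes:", dict(known))
    print("Other sources:   ", dict(other))
```

A match only means the source address is on the list as posted here; the list may have changed since, and anything in the second counter still needs a look.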