What's the purpose of DOS attack fin scan?
I've been having some weird issues with a home network, and it seems to me like I have some vulnerability I don't know about. To be honest, though, I'm not a big network/security guy and I kind of feel out of my depth. I'm hoping someone else can help me figure out what's going on.
For at least the last two months I have been seeing weird entries in my router logs. Basically, at least every few days, I see some entry in my router logs that says "Dos Attack" and "FIN Scan"/"Ack Scan" or "Smurf". Sometimes the remote IPs labeled as the attack source show up in whois as owned by Google, or an ad company called OpenX.
At first I thought, well, if my router only records the entries, then it must be blocking them, so it's fine. But I'm not so sure now. Take a look at a recent series of log entries for example:
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.6], 15:56:22
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:33:00
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:32:49
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.212], 10:45:25
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.143], 10:45:25
[DHCP IP: (192.168.1.6)] to MAC address 22:22:22:222, 09:11:05
What concerns me about a log entry like this is that the "attack packets" change IP address -- not just to one in my internal network, but to the computer I had used earlier that night (I was asleep when the attack packets were logged, and my computer was supposedly asleep). That makes me think the "attack packets" somehow allowed someone access to my system or my network. What is even stranger to me is, while this has been happening for a while now, the most recent entries showing this kind of remote-to-local IP switch were for a Mac machine, whereas the previous ones were related to a physically different Windows machine.
Before this last entry I took some steps to protect my network just in case. On top of upgrading my router, all of the other machines on the network have been DBAN'd and had Windows reinstalled fresh, I upgraded my modem to its newer version, I disabled wireless radio entirely on my router so there is no wireless network and no guest wireless network at all, and I also changed my external/public IP with my service provider.
Has anyone seen something like this before? Am I digging into a problem that doesn't exist, or is it possible I'm the target of some bot or attack?
Regarding the DOS attack fin scan - Disconnect the "192.168.1.6" IP address from your router. If your router gateway is "192.168.1.1" then the DoS attack log from 192.168.1.6 is another computer connected to your router. If you don't know how to disable it in the router settings, configure a rule in your firewall to block traffic from 192.168.1.6. If you are in fact experiencing a DoS attack, which I think is highly unlikely, there is very little that can be done at your end to prevent it - to put it bluntly, if a hacker wanted to render your connection unusable, there's no way you can stop him - you're going down - it does not matter what router you use, you will be taken down. The question is why would he want to waste valuable resources targeting you - what's the motive, where's the benefit?
In years gone by, DoS attacks could be done very simply, but equipment manufacturers have patched their code and closed all of the simpler, less resource intensive attacks, so that for a DoS attack now to be successful, it requires a botnet, an army of compromised systems, which takes time to build, and which no hacker is going to risk exposure on a consumer.
ACK scans & FIN scans as DoS attacks are historic exploits, incapable of shutting a modern router down - the CPU should not be responding to them, they should be discarded by the NAT process, unless they occur on ports that you have forwarded. (EDIT) A typical DoS detection process will not respond to a single ‘attack’, it is normal for a router to have a threshold set e.g. 20 per second, but this does not tell you exactly what rate they are arriving. I would say that if the router is able to process the message and drop it, and if the logs show ‘DoS attack’ messages minutes apart then the router should not be stressed in any way simply by traffic volume as that level of traffic is quite insignificant.
If the router is reacting badly to something e.g. a malformed message then perhaps this could impact on router performance, but that’s just an assumption on my part. If I were to ask the question of engineering I would expect the answer to be along the lines of ‘not that we know of’. They would need quite detailed information to be able to investigate. If the DoS attacks are quite regular you could perhaps capture the traffic using a Packet Capture utility e.g. Microsoft Network Monitor or Wireshark. Connect a computer directly to the modem and capture traffic over the period of time that you would expect the DoS attacks to appear. You should also try to keep your WAN MAC address consistent so that you are not allocated a different IP address when connected to the modem; this is done in the router WAN Settings by selecting the option ‘Use Computer MAC Address’. One thing I’m not entirely sure of is if the computer OS might drop malformed packets before the Packet Capture tool can see it. By the way, changing the MAC address in this way with a cable service (the opposite of what I am suggesting here) will often result in the DoS Attacks disappearing, at least temporarily.
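The two points the answer makes about the quoted log (a 192.168.x.x "source" is a device behind the router rather than the Internet, and entries minutes apart are not a traffic-volume problem) can be checked mechanically. The following Python script is an added example, not code from the question, the answer or any router vendor: it parses lines in the format quoted in the question, separates RFC 1918 (LAN-side) sources from Internet sources, and measures how closely the entries are spaced. The sample log is constructed from the question's entries plus one made-up ACK Scan line; the field names and functions are my own.

```python
"""Triage helper for consumer-router "[DoS attack: ...]" log lines.

Added example (not from the question or the answer): parses log lines of
the shape quoted in the question, flags sources that are LAN addresses
(another device behind the same router, as the answer notes for
192.168.1.6), and measures how closely entries are spaced, since the answer
argues that entries minutes apart cannot stress the router by volume.
"""
import ipaddress
import re

# Constructed sample in the same format as the router entries quoted in the
# question; the 198.51.100.7 "ACK Scan" line is made up to show that type.
SAMPLE_LOG = """\
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.6], 15:56:22
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:33:00
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:32:49
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.212], 10:45:25
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.143], 10:45:25
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [198.51.100.7], 10:41:30
[DHCP IP: (192.168.1.6)] to MAC address 22:22:22:222, 09:11:05
"""

DOS_LINE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last "
    r"(?P<window>\d+) sec from ip \[(?P<ip>[^\]]+)\], (?P<hms>\d\d:\d\d:\d\d)$"
)

# RFC 1918 ranges: a "source" in one of these is a host behind the router,
# not something on the Internet.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def to_seconds(hms):
    """HH:MM:SS -> seconds since midnight (the log carries no date)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_dos_events(log_text):
    """Return the DoS entries as dicts, oldest first (the router prints newest first)."""
    events = []
    for line in log_text.splitlines():
        m = DOS_LINE.match(line.strip())
        if not m:
            continue  # DHCP lines and anything else are not DoS entries
        events.append({
            "kind": m["kind"],
            "ip": m["ip"],
            "lan_source": is_lan_address(m["ip"]),
            "window": int(m["window"]),   # the router already aggregates over this many seconds
            "time": m["hms"],
            "seconds": to_seconds(m["hms"]),
        })
    events.sort(key=lambda e: e["seconds"])
    return events


def lan_sources(events):
    """Addresses to look at first: LAN hosts the router itself flagged."""
    return sorted({e["ip"] for e in events if e["lan_source"]})


def spacing(events):
    """Smallest gap (seconds) between consecutive entries and the largest number of
    entries inside any 60 s span. Big gaps back the answer's point that volume is not the issue."""
    if len(events) < 2:
        return {"min_gap": None, "max_per_minute": len(events)}
    times = [e["seconds"] for e in events]
    min_gap = min(b - a for a, b in zip(times, times[1:]))
    max_per_minute = max(sum(1 for t in times if start <= t < start + 60) for start in times)
    return {"min_gap": min_gap, "max_per_minute": max_per_minute}


def triage(log_text):
    """One summary dict for a whole log dump."""
    events = parse_dos_events(log_text)
    report = spacing(events)
    report["events"] = len(events)
    report["lan_sources"] = lan_sources(events)
    report["kinds"] = sorted({e["kind"] for e in events})
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the report lists 192.168.1.6 as the only LAN-side source (the host to check or block, as the answer says), shows the two FIN Scan entries landing in the same second (a minimum gap of 0 and at most two entries per minute), and otherwise hours between entries. The regex is written for the exact line format in the question; a different firmware will need its own pattern, and the seconds-of-day arithmetic ignores entries that straddle midnight.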