Chosen Solution
Okay, I really need lots of help with this. Recently our broadband has been cutting out and we lose phone and internet to our computers on our network. We still get access to our router but nothing loads or connects. We use AT&T Uverse for our ISP and we have a 3801HGV router. The problem happens randomly and until recently, I didn’t know why it was happening. I have been on the line with the AT&T tech support and I have had 2 technicians come to our house. In the past 3 months I have had 2 routers replaced. The internet will cut out randomly and we won’t be able to get it back for anywhere from 5 minutes to 4 hours. I connected to my router and accessed the logs only to find out that every time it goes out there are thousands of unknown inbound sessions stopped. They are all from the same group of IP addresses each time. It looks like this:

INF 2012-11-10T21:24:29-06:00 fw,fwmon src=37.221.160.59 dst=(our home ip) ipprot=17 sport=36245 dport=2294 Unknown inbound session stopped

It does that 1000s of times every second. I then looked up this IP and found that this one is coming from Romania, and the other ones come out of Singapore and Russia. I then proceeded to find that the reason we lose broadband connection is our router firewall disconnecting us in an attempt to stop the connections. This has been happening for about 1 1/2 weeks and during that time members of our wireless network have had fraudulent charges to their credit cards as well as stolen information, such as phone and email addresses. I really want to stop this from happening. We have disconnected our router and all our computers from the internet but, as a result, we cannot use our phone line, as well as several other functions that we need. I have to type this on my iPhone. I really need this to stop. It is not only us, I checked a few of my neighbors’ router logs and they all have the same IP addresses doing the same thing, even if they have Comcast. This is driving me crazy.
Any help I can get I will take, this is a serious issue.
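An added example, not part of the original post: a short Python script that tallies "Unknown inbound session stopped" entries per source address, with the peak rate per second and the number of distinct destination ports, which is the summary an ISP abuse desk will ask for. The log format follows the line quoted in the question; the sample lines are constructed and use documentation-range addresses, and the name `summarize` is hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the log line quoted in the question.
# Source addresses are documentation ranges; dst is redacted as in the post.
SAMPLE_LOG = """\
INF 2012-11-10T21:24:29-06:00 fw,fwmon src=198.51.100.7 dst=(our home ip) ipprot=17 sport=36245 dport=2294 Unknown inbound session stopped
INF 2012-11-10T21:24:29-06:00 fw,fwmon src=198.51.100.7 dst=(our home ip) ipprot=17 sport=36245 dport=2295 Unknown inbound session stopped
INF 2012-11-10T21:24:29-06:00 fw,fwmon src=203.0.113.20 dst=(our home ip) ipprot=17 sport=51000 dport=2294 Unknown inbound session stopped
INF 2012-11-10T21:24:30-06:00 fw,fwmon src=198.51.100.7 dst=(our home ip) ipprot=17 sport=36245 dport=2296 Unknown inbound session stopped
INF 2012-11-10T21:24:31-06:00 sys,info Configuration page viewed
"""

LINE_RE = re.compile(r"^\w+ (\S+) fw,fwmon (.*) Unknown inbound session stopped$")
FIELD_RE = re.compile(r"(\w+)=(\([^)]*\)|\S+)")  # value may be "(redacted text)"
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}   # IANA protocol numbers

def summarize(log_text):
    """Per-source summary of 'Unknown inbound session stopped' events."""
    hits = Counter()
    per_second = defaultdict(Counter)   # src -> timestamp (1 s resolution) -> count
    ports = defaultdict(set)            # src -> distinct destination ports
    protos = defaultdict(set)           # src -> protocol names seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other firewall or system messages
        ts, rest = m.groups()
        f = dict(FIELD_RE.findall(rest))
        if "src" not in f:
            continue  # malformed entry, nothing to attribute
        src = f["src"]
        p = f.get("ipprot", "?")
        hits[src] += 1
        per_second[src][ts] += 1
        ports[src].add(f.get("dport", "?"))
        protos[src].add(PROTO.get(p, p))
    return [
        {"src": s, "events": n, "peak_per_second": max(per_second[s].values()),
         "dports": len(ports[s]), "protocols": sorted(protos[s])}
        for s, n in hits.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A source that hits many destination ports at a high per-second rate over UDP (`ipprot=17`) points to scanning or flooding of the WAN address rather than traffic any host on the LAN asked for.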
Sounds like someone is trolling fixed IP addresses looking for a weak firewall (router). Not much you can do here as they’re attacking something that is exposed from the internet side (static IP address). Make sure to use a complex password on the Router and reset it weekly for the time being (with a new password as well). While limiting your exposure within your network or WiFi APs is a good idea, it won’t help you here. One possible cause here could have been someone internally hitting an internet site that monitored the IP address, and that is how your IP address was found as static. It’s best not to allow users internally to use this static address for outbound sessions so it is less likely to be discovered. As you also need user access to the internet, you could try setting up a second Router which does not have an assigned address (DHCP assigned from your ISP), letting your users access it outward, and limit the inbound connections to a single host internally and control what is on this exposed bastion host. For now I would see if you can get a new IP address, make sure you don’t have a DNS record for it, and host as much as you can on a service provider web server rather than trying to do it yourself.
One other thing you can do is use a white list to block an IP address or a range of IP addresses. Here’s an example from one router’s manual: White listing
Sounds like you need to take these steps. Reset your router to default settings, then set the password to a new one from the default. Make sure your wireless is encrypted to let only those who know the password on. If you have a set number of computers on the wireless network, set up MAC filtering.
To understand your problem, some more information would be helpful:
- do you use a static or a dynamic IP address?
- how do you point to your IP (which DNS service are you using)?
- which services are running behind your router (Domain server, Mail server, hosting services,…)?

Edit: I just did a quick checkup on the 2Wire thing you call router…. never heard of this piece of electronics before but Google is my friend. My advice: get that thing OFFLINE and continue using it as an AP for something you don’t really need or just scrap it. This “thing” is absolutely insufficient to act as a stand-alone router; it would rather drop packages than reject connections. For this and 100 other reasons automated attackers are able to punch holes into the firewall from time to time and just won’t stop trying all over again and again because they never get fully blocked.

Recommendation: If your company or let’s say your network is VERY small, you should at least invest 50-80 bucks for hardware which:
- supports a semi-basic but efficient firewall
- can handle a routing table large enough to manage your traffic
- suits your personal needs and desires

Typically for similar solutions I personally prefer to use devices running embedded LINUX and run them on custom firmware like DD-WRT. You can check out their website; they also have a huge router database which can help you with your hardware decision. For some devices you might prefer the genuine firmware, but if they are listed there you can be sure that they will deliver the performance you need.
Did you ever find an answer? It’s happening to me and no one can help me. I mean no one.