Thread: Problems with network, lost speed considerably

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    228

    Problems with network, lost speed considerably

    Hi guys

    I live in a large house (ex hotel) and we have a wireless network, which has suddenly gone wrong. The network is encrypted although not much else was done for its protection as there is no constant admin on the site. In the last couple of weeks the speed has dropped considerably, and we can not understand what has happened.

    I suspect it might be the fault of a couple of tenants.

    I did reset the router and all of its settings as a precaution, but the connection is still SLOOOW.

    I looked through a firewall log, and there seems to be an awful lot of UDP floods going to these machines, which means their machines might be infected with something.

    Any chance anyone could look through a chunk of the firewall log and tell me if my suspicions are true?

    04/17/2009 01:43:33 **UDP Flood Stop** (from ATM1 Inbound)
    04/17/2009 01:43:33 **UDP flood** 69.132.55.98, 26310->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:32 **UDP flood** 94.52.190.38, 11642->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:32 **UDP flood** 69.11.112.62, 21239->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:32 **UDP flood** 192.168.2.32, 1948->> 212.58.250.112, 443 (from ATM1 Outbound)
    04/17/2009 01:43:31 **UDP flood** 201.222.214.80, 17540->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:31 **UDP flood** 189.107.69.205, 21822->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:31 **UDP flood** 66.110.150.29, 28212->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:30 **UDP flood** 221.7.196.90, 62040->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:30 **UDP flood** 124.244.139.107, 11973->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:30 **UDP flood** 74.177.79.73, 16729->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:30 **UDP flood** 68.0.112.240, 51709->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:30 **UDP flood** 70.116.23.9, 59620->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:30 **UDP flood** 80.180.117.13, 25266->> 80.235.193.227, 56484 (from ATM1 Inbound)
    04/17/2009 01:43:29 **UDP flood** 125.24.152.190, 11351->> 80.235.193.227, 64541 (from ATM1 Inbound)
    04/17/2009 01:43:29 **UDP flood** 90.230.204.11, 61037->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:29 **UDP flood** 86.101.96.96, 21734->> 80.235.193.227, 56505 (from ATM1 Inbound)
    04/17/2009 01:43:28 **UDP flood** 67.186.211.211, 57942->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:28 **UDP flood** 85.193.220.3, 9403->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:28 **UDP flood** 24.65.66.188, 63368->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:27 **UDP flood** 75.43.207.44, 65102->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:27 **UDP flood** 58.55.74.108, 42142->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:27 **UDP flood** 119.71.181.19, 31128->> 80.235.193.227, 64541 (from ATM1 Inbound)
    04/17/2009 01:43:26 **UDP flood** 72.22.7.8, 15841->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:26 **UDP flood** 86.220.141.123, 56133->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:26 **UDP flood** 190.27.163.168, 10024->> 80.235.193.227, 64541 (from ATM1 Inbound)
    04/17/2009 01:43:25 **UDP flood** 118.105.248.47, 13785->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:24 **UDP flood** 68.12.27.131, 11087->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:24 **UDP flood** 125.25.49.120, 17306->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:23 **UDP flood** 121.31.195.228, 2285->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:23 **UDP flood** 99.184.134.27, 61551->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:23 **UDP flood** 86.97.12.182, 15240->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:23 **UDP flood** 78.1.140.150, 50804->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:23 **UDP flood** 60.53.251.2, 27668->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:22 **UDP flood** 201.1.212.34, 15624->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:22 **UDP flood** 60.210.211.105, 20291->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:22 **UDP flood** 87.220.18.108, 40558->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:22 **UDP flood** 202.9.6.62, 37245->> 80.235.193.227, 64541 (from ATM1 Inbound)
    04/17/2009 01:43:21 **UDP flood** 71.138.183.227, 60442->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:21 **UDP flood** 82.225.65.3, 7420->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:21 **UDP flood** 68.214.196.13, 55370->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:21 **UDP flood** 85.228.241.21, 11830->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:21 **UDP flood** 90.240.115.45, 21866->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:20 **UDP flood** 212.150.7.124, 20526->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:20 **UDP flood** 121.116.29.236, 15003->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:20 **UDP flood** 114.47.99.176, 11711->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:20 **UDP flood** 91.11.211.94, 21745->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:20 **UDP flood** 85.228.241.21, 11830->> 80.235.193.227, 56429 (from ATM1 Inbound)
    04/17/2009 01:43:19 **UDP flood** 84.166.114.245, 15332->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:18 **UDP flood** 85.175.63.188, 40638->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:18 **UDP flood** 84.126.91.29, 55569->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:18 **UDP flood** 118.167.45.194, 13054->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:18 **UDP flood** 90.200.15.55, 7790->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:18 **UDP flood** 89.241.146.156, 54372->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:18 **UDP flood** 89.230.120.105, 63532->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:18 **UDP flood** 65.27.128.230, 50933->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:17 **UDP flood** 70.177.200.29, 62371->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:17 **UDP flood** 62.87.146.163, 25723->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:17 **UDP flood** 90.154.129.230, 13462->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:16 **UDP flood** 89.161.86.127, 20904->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:15 **UDP flood** 88.242.64.241, 9508->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:14 **UDP flood** 87.97.193.251, 13722->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:14 **UDP flood** 192.168.2.32, 1948->> 212.58.250.112, 443 (from ATM1 Outbound)
    04/17/2009 01:43:14 **UDP flood** 84.25.155.217, 38158->> 192.168.2.41, 64119 (from ATM1 Inbound)
    04/17/2009 01:43:14 **UDP flood** 98.196.90.168, 57614->> 80.235.193.227, 64541 (from ATM1 Inbound)
    04/17/2009 01:43:14 **UDP flood** 190.191.85.111, 21350->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:14 **UDP flood** 192.168.2.73, 46996->> 92.41.255.143, 33925 (from ATM1 Outbound)
    04/17/2009 01:43:13 **UDP flood** 71.34.174.5, 52579->> 80.235.193.227, 56503 (from ATM1 Inbound)
    04/17/2009 01:43:13 **UDP flood** 116.25.214.143, 29229->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:13 **UDP flood** 192.168.2.41, 64119->> 213.16.83.39, 16793 (from ATM1 Outbound)
    04/17/2009 01:43:13 **UDP flood** 118.166.120.177, 10333->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:13 **UDP flood** 210.185.184.229, 54146->> 80.235.193.227, 58347 (from ATM1 Inbound)
    04/17/2009 01:43:12 **UDP flood** 90.198.52.131, 58151->> 192.168.2.40, 56316 (from ATM1 Inbound)
    04/17/2009 01:43:12 **UDP flood** 83.166.220.224, 6886->> 80.235.193.227, 56429 (from ATM1 Inbound)
    04/17/2009 01:43:12 **UDP flood** 192.168.2.40, 58564->> 122.99.88.154, 2238 (from ATM1 Outbound)
    Don't post if you've got nothing constructive to say. Flooding is annoying

  2. #2
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    suggest you run a sniffer (e.g. wireshark) to see exactly what is going on. I suspect the traffic is to some *unix box(es). Services (e.g. xinetd) on *unix boxes typically dynamically allocate ports above 10000.

    post the sniffer log here and let's take a closer look.

    csr
    In God We Trust....Everything else we backup.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I would guess someone is running some sort of P2P
    Last edited by SirDice; April 17th, 2009 at 02:16 PM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Yeap...I think sir dice is right.

    I see huge UDP traffic in my logs when people torrent.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Yup what ^ and ^^ said.

    IPs belong to Turkish, Russian, US and other ISPs; someone is file sharing or infected with Conficker.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    You might try disabling UPnP if it's enabled in the router. File sharing typically
    slows to a trickle if UPnP's disabled and no ports are forwarded to the offending
    machines (192.168.2.40 and 192.168.2.41 from the looks of it).

    Is that a Belkin router you're running? A lot of routers come with UPnP enabled
    by default as it's a convenient way of dealing with webapps like games (including
    Xboxes). If you disable UPnP, you can always re-enable it.

    It might not be a bad idea to see exactly what you have on the network, assuming
    you have admin rights. Nmap's great for exploring networks, as long as they belong
    to you. With everything going "IP" these days, it's good to have a handle on exactly
    what's on your network. Wireshark, as CSR suggests, is even better for pinpointing
    problems.

    http://nmap.org/download.html
    “Everybody is ignorant, only on different subjects.” — Will Rogers
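    Added example (not code from any poster in this thread): a small Python triage script for the firewall log format shown in post #1. It parses each `**UDP flood**` line, uses the firewall's own `Inbound`/`Outbound` field to decide which side is the local endpoint, and then counts, per local `ip:port`, how many distinct remote hosts are involved. That count is what separates the two patterns the thread discusses: many different remote peers all talking to one fixed high port on a private address is the shape of file sharing / P2P (what #3, #4 and #6 point at, and why #6 singles out 192.168.2.40 and 192.168.2.41), whereas a genuine flood from one or two sources would show few peers and many events. The sample input is a handful of lines copied from the log excerpt above; the `min_peers=3` threshold is an assumption chosen to fit that short excerpt and should be raised for a full log.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: a few lines copied from the log excerpt in post #1,
# plus the "UDP Flood Stop" marker line that the parser must skip.
SAMPLE_LOG = """\
04/17/2009 01:43:33 **UDP Flood Stop** (from ATM1 Inbound)
04/17/2009 01:43:33 **UDP flood** 69.132.55.98, 26310->> 192.168.2.41, 64119 (from ATM1 Inbound)
04/17/2009 01:43:32 **UDP flood** 94.52.190.38, 11642->> 192.168.2.40, 56316 (from ATM1 Inbound)
04/17/2009 01:43:32 **UDP flood** 69.11.112.62, 21239->> 192.168.2.40, 56316 (from ATM1 Inbound)
04/17/2009 01:43:32 **UDP flood** 192.168.2.32, 1948->> 212.58.250.112, 443 (from ATM1 Outbound)
04/17/2009 01:43:31 **UDP flood** 201.222.214.80, 17540->> 192.168.2.41, 64119 (from ATM1 Inbound)
04/17/2009 01:43:30 **UDP flood** 124.244.139.107, 11973->> 192.168.2.40, 56316 (from ATM1 Inbound)
04/17/2009 01:43:30 **UDP flood** 80.180.117.13, 25266->> 80.235.193.227, 56484 (from ATM1 Inbound)
04/17/2009 01:43:29 **UDP flood** 125.24.152.190, 11351->> 80.235.193.227, 64541 (from ATM1 Inbound)
04/17/2009 01:43:13 **UDP flood** 192.168.2.41, 64119->> 213.16.83.39, 16793 (from ATM1 Outbound)
04/17/2009 01:43:12 **UDP flood** 192.168.2.40, 58564->> 122.99.88.154, 2238 (from ATM1 Outbound)
"""

# One "**UDP flood**" event line; "UDP Flood Stop" (capital F) deliberately does not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*UDP flood\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>\S+) (?P<dir>Inbound|Outbound)\)$"
)


def parse_line(line):
    """Return a record dict for a '**UDP flood**' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # The firewall's direction field tells us which side is local:
    # Inbound -> the destination is local, Outbound -> the source is local.
    if d["dir"] == "Inbound":
        local, remote = (d["dst"], d["dport"]), d["src"]
    else:
        local, remote = (d["src"], d["sport"]), d["dst"]
    return {
        "ts": d["ts"],
        "dir": d["dir"],
        "local": local,
        "remote": remote,
        # RFC 1918 check: a public "local" address (e.g. the router's WAN side) is reported separately
        "local_is_private": ipaddress.ip_address(local[0]).is_private,
    }


def summarize(text):
    """Aggregate per local (ip, port): event count, in/out split, and the set of distinct remote hosts."""
    summary = defaultdict(lambda: {"events": 0, "inbound": 0, "outbound": 0,
                                   "peers": set(), "private": False})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["local"]]
        s["events"] += 1
        s[rec["dir"].lower()] += 1
        s["peers"].add(rec["remote"])
        s["private"] = rec["local_is_private"]
    return dict(summary)


def suspect_endpoints(summary, min_peers=3):
    """Private local endpoints whose single port is in contact with at least min_peers distinct remote hosts.

    min_peers=3 is an assumed threshold sized for the short sample; raise it for a full log.
    """
    return sorted(ep for ep, s in summary.items()
                  if s["private"] and len(s["peers"]) >= min_peers)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (ip, port), s in sorted(summary.items(), key=lambda kv: -len(kv[1]["peers"])):
        print(f"{ip}:{port:<6} events={s['events']:<3} in={s['inbound']:<3} "
              f"out={s['outbound']:<3} distinct_peers={len(s['peers'])}")
    print("many-peer private endpoints:", suspect_endpoints(summary))
```

Run it against a full export of the router log instead of `SAMPLE_LOG` and the endpoints with the largest `distinct_peers` value are the ones to look at first; the per-endpoint `in`/`out` split also shows whether the local host is answering those peers (as 192.168.2.41:64119 does in the excerpt), which is what you would expect from a P2P client rather than from a host merely being flooded. The parser stops at the firewall's own summary lines, so the step after this is the packet capture #2 and #6 recommend, taken on the suspect hosts' ports.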
