
Deny attacker access to my router

I was experiencing very low connectivity on my wireless, so I checked the router logs.
Here’s what I saw:

Jul 09 11:07:24 Per-source ACK Flood Attack Detect (ip=74.125.130.129) Packet Dropped
Jul 09 11:07:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 11:06:24 Per-source ACK Flood Attack Detect (ip=74.125.200.189) Packet Dropped
Jul 09 11:06:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 11:05:24 Port Scan Attack Detect (ip=74.125.200.113) Packet Dropped
Jul 09 11:05:24 Per-source ACK Flood Attack Detect (ip=74.125.200.113) Packet Dropped
Jul 09 11:05:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 11:04:24 Per-source ACK Flood Attack Detect (ip=74.125.200.113) Packet Dropped
Jul 09 11:04:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 11:03:24 Per-source ACK Flood Attack Detect (ip=74.125.200.189) Packet Dropped

....


Jul 09 10:40:24 Per-source UDP Flood Attack Detect (ip=74.125.68.189) Packet Dropped
Jul 09 10:40:24 Per-source ACK Flood Attack Detect (ip=74.125.68.189) Packet Dropped
Jul 09 10:40:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 10:40:24 Whole System UDP Flood Attack from WAN Rule:Default deny
Jul 09 10:39:24 Per-source ACK Flood Attack Detect (ip=74.125.200.95) Packet Dropped
Jul 09 10:39:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 10:38:24 Per-source UDP Flood Attack Detect (ip=74.125.68.189) Packet Dropped
Jul 09 10:38:24 Per-source ACK Flood Attack Detect (ip=74.125.130.81) Packet Dropped
Jul 09 10:38:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 10:38:24 Whole System UDP Flood Attack from WAN Rule:Default deny

This is a partial log. As can be seen, the IP address logged as the attacker keeps changing. I suspect this ACK Flood Attack is killing my Internet connectivity; am I correct?

I tried blocking these addresses, but the router administration page only allows blocking IPs that fall in the same subnet. How do I block this attack?
Also, does this flood attack count in my Internet bandwidth usage?

What actions need to be taken for:

  1. Securing my router from such connections (it’s already dropping those packets, so I suppose it’s secure, but it’s still denying me external connectivity, which is what I want to get secured against too).
  2. In case the bandwidth is counted against my usage, as seen by my ISP, which is billable to me, I don’t want to pay for it.

Note: I checked some of these IPs, and they seem to belong to the company I work for. That makes me rethink: is that the reason for the low connectivity?
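One way to triage a log like the one in the post is to count detections per source address and per covering prefix, which shows whether the changing addresses cluster in a few ranges that a subnet-based block or allow rule could cover. This is an added example, not part of the original post; the regular expression is inferred from the log lines shown above, and `summarize` and `prefix_len` are names chosen here.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Lines copied from the log in the post above (a subset).
SAMPLE_LOG = """\
Jul 09 11:07:24 Per-source ACK Flood Attack Detect (ip=74.125.130.129) Packet Dropped
Jul 09 11:07:24 Whole System ACK Flood Attack from WAN Rule:Default deny
Jul 09 11:06:24 Per-source ACK Flood Attack Detect (ip=74.125.200.189) Packet Dropped
Jul 09 11:05:24 Port Scan Attack Detect (ip=74.125.200.113) Packet Dropped
Jul 09 11:05:24 Per-source ACK Flood Attack Detect (ip=74.125.200.113) Packet Dropped
Jul 09 10:40:24 Per-source UDP Flood Attack Detect (ip=74.125.68.189) Packet Dropped
Jul 09 10:40:24 Per-source ACK Flood Attack Detect (ip=74.125.68.189) Packet Dropped
Jul 09 10:38:24 Per-source ACK Flood Attack Detect (ip=74.125.130.81) Packet Dropped
"""

# Matches only detections that name a source; "Whole System" lines carry no address.
DETECT = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:Per-source )?(?P<kind>.+?) Attack Detect "
    r"\(ip=(?P<ip>[\d.]+)\) Packet Dropped$"
)

def summarize(log_text, prefix_len=24):
    """Count detections per source IP, per covering prefix and per attack kind."""
    by_ip, by_net, by_kind = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = DETECT.match(line.strip())
        if not m:
            continue  # system-wide or unrelated line
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address in the log line
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        by_ip[str(ip)] += 1
        by_net[str(net)] += 1
        by_kind[m["kind"]] += 1
    return by_ip, by_net, by_kind

if __name__ == "__main__":
    ips, nets, kinds = summarize(SAMPLE_LOG)
    print(f"{len(ips)} sources in {len(nets)} /24 prefixes")
    for net, n in nets.most_common():
        print(f"{net:18} {n}")
    for kind, n in kinds.most_common():
        print(f"{kind:18} {n}")
```

Running it over the full router log instead of the subset, and with a shorter `prefix_len` such as 16, shows how few ranges the logged sources actually fall into.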

