Hi Everyone,
I've got a Netgear router doing some logging and it's reporting tons of
stuff like this:
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [66.75.159.89], Friday, 08 Feb 2008 13:01:00
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [77.73.32.120], Friday, 08 Feb 2008 13:00:37
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [69.28.145.39], Friday, 08 Feb 2008 13:00:29
[DOS attack: ACK Scan] attack packets in last 20 sec from ip [66.75.159.110], Friday, 08 Feb 2008 13:00:15
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [63.215.202.17], Friday, 08 Feb 2008 12:59:35
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [69.28.145.39], Friday, 08 Feb 2008 12:59:27
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [63.215.202.17], Friday, 08 Feb 2008 12:59:27
A couple of weeks ago I looked up some of these IP addresses, and they
were all from Akamai Technologies. I sent emails to the abuse address
asking what's going on, and was informed that Akamai Technologies
provides duplicate servers (sorry if the lingo is incorrect) for
customers with high-volume websites, and that this activity is most
likely due to someone browsing one of these websites. However, no one
was doing any such browsing at the time.
My question is, why would results from a browser request look like a DOS
attack to a Netgear router? And could these packets be generated by the
server even if the user just left the browser sitting on a website?
They don't seem to be affecting response time too much, but I would like
to know what's going on.
Peter Dow
Dow Software Services, Inc.
909 793-9050
pdow@xxxxxxxxxxxxxxx
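
For triaging entries like the ones quoted in the message above, here is an added example (not part of the original post, and not Netgear code) that parses this log format and tallies alerts per source IP and per /24, so repeat sources and neighbouring addresses stand out before any whois lookup. The function names are hypothetical, the /24 grouping is an assumption made for illustration, and the sample input is the seven lines from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Log lines copied from the post above (the router's own output format).
SAMPLE_LOG = """\
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [66.75.159.89], Friday, 08 Feb 2008 13:01:00
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [77.73.32.120], Friday, 08 Feb 2008 13:00:37
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [69.28.145.39], Friday, 08 Feb 2008 13:00:29
[DOS attack: ACK Scan] attack packets in last 20 sec from ip [66.75.159.110], Friday, 08 Feb 2008 13:00:15
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [63.215.202.17], Friday, 08 Feb 2008 12:59:35
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [69.28.145.39], Friday, 08 Feb 2008 12:59:27
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [63.215.202.17], Friday, 08 Feb 2008 12:59:27
"""

LINE_RE = re.compile(
    r"^\[DOS attack: (?P<kind>[^\]]+)\] attack packets in last (?P<window>\d+) sec "
    r"from ip \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\], "
    r"\w+, (?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_log(text):
    """Return (events, rejected); lines that do not match are kept for review."""
    events, rejected = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        when = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S")
        events.append({"kind": m["kind"], "ip": m["ip"], "time": when})
    return events, rejected

def summarize(events):
    """Count alerts per source IP and per /24, and record scan kinds per IP."""
    per_ip = Counter(e["ip"] for e in events)
    per_net = Counter(e["ip"].rsplit(".", 1)[0] + ".0/24" for e in events)
    kinds = defaultdict(set)
    for e in events:
        kinds[e["ip"]].add(e["kind"])
    return per_ip, per_net, dict(kinds)

if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG)
    per_ip, per_net, kinds = summarize(events)
    for ip, n in per_ip.most_common():
        print(f"{ip:<16} {n:>3}  {', '.join(sorted(kinds[ip]))}")
    for net, n in per_net.most_common():
        print(f"{net:<18} {n:>3}")
    print(f"unparsed lines: {len(rejected)}")
```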