What's The Purpose Of DOS Attack Fin Scan?
I've been having some weird issues with a home network, and it seems to me like I have some vulnerability I don't know about. To be honest, though, I'm not a big network/security guy and I kind of feel out of my depth. I'm hoping someone else can help me figure out what's going on.
For at least the last two months I have been seeing weird entries in my router logs. Basically, at least every few days, I see some entry in my router logs that says "Dos Attack" and "FIN Scan"/"Ack Scan" or "Smurf". Sometimes the remote IPs labelled as the attack source show up in whois as owned by Google, or an ad company called OpenX.
At first I thought, well, if my router only records the entries, then it must be blocking them, so it's fine. But I'm not so sure now. Take a look at a recent series of log entries for example:
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.6], 15:56:22
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:33:00
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:32:49
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.212], 10:45:25
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.143], 10:45:25
[DHCP IP: (192.168.1.6)] to MAC address 22:22:22:222, 09:11:05
What concerns me about a log entry like this is that the "attack packets" change IP address -- not just to one in my internal network, but to the computer I had used earlier that night (I was asleep when the attack packets were logged, and my computer was supposedly asleep). That makes me think the "attack packets" somehow allowed someone access to my system or my network. What is even stranger to me is, while this has been happening for a while now, the most recent entries showing this kind of remote-to-local IP switch were for a Mac machine, whereas the previous ones were related to a physically different Windows machine.
Before this last entry I took some steps to protect my network just in case. On top of upgrading my router, all of the other machines on the network have been DBANd and had Windows reinstalled fresh, I upgraded my modem to its newer version, I disabled wireless radio entirely on my router so there is no wireless network and no guest wireless network at all, and I also changed my external/public IP with my service provider.
Has anyone seen something like this before? Am I digging into a problem that doesn't exist, or is it possible I'm the target of some bot or attack?
A DoS attack FIN scan stands for “denial of service,” which means that it is intended to shut down an entire machine or network so that it becomes inaccessible to users. DoS attacks do this by flooding a router with traffic or sending so much information that it crashes. The DoS attack ACK can deprive users of functionality, which can be frustrating at the least and debilitating at the worst.
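An added example, not part of the original post or answer: a Python triage of the router log excerpt quoted in the question. It separates flagged entries whose source address is in a private range (LAN side) from those with public sources, and ties a LAN source to the DHCP lease recorded in the same log. The function names and the newest-first log ordering are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Log lines copied from the excerpt in the question (assumed newest first).
ROUTER_LOG = """\
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.6], 15:56:22
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:33:00
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:32:49
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.212], 10:45:25
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.143], 10:45:25
[DHCP IP: (192.168.1.6)] to MAC address 22:22:22:222, 09:11:05
"""

DOS_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last \d+ sec "
    r"from ip \[(?P<ip>[^\]]+)\], (?P<time>\d\d:\d\d:\d\d)")
DHCP_RE = re.compile(
    r"\[DHCP IP: \((?P<ip>[^)]+)\)\] to MAC address (?P<mac>\S+), "
    r"(?P<time>\d\d:\d\d:\d\d)")


def triage(log_text):
    """Return one dict per DoS entry: time, kind, source, scope, leased MAC."""
    leases = {}
    for line in log_text.splitlines():
        m = DHCP_RE.match(line.strip())
        if m:
            # Newest-first log: keep the first (most recent) lease per IP.
            leases.setdefault(m["ip"], m["mac"])
    findings = []
    for line in log_text.splitlines():
        m = DOS_RE.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field: skip rather than guess
        scope = "lan" if addr.is_private else "wan"
        findings.append({"time": m["time"], "kind": m["kind"], "ip": m["ip"],
                         "scope": scope, "leased_mac": leases.get(m["ip"])})
    return findings


def counts_by_scope(findings):
    """Count entries per (scope, kind) to see what is internal vs external."""
    return Counter((f["scope"], f["kind"]) for f in findings)
```

On the quoted excerpt this reports the Smurf entry as a LAN source holding the 192.168.1.6 lease and the two FIN Scan entries as separate WAN sources with no lease.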