router: **Smurf** from google

Recently I noticed some "Smurfs" on the security log from my router every time I open (any) internet browser.

It looks like Google (owner of IP 216.58.208.0) is trying to connect to my machines (I have tried using different PCs running Windows). Do you have any idea why this is happening?

On the PC from which I am writing this post I did a "clean" install of Firefox and disabled all add-ons (including the Google search bar) but the problem continues...

Norton Power Eraser does not detect anything on the machine...

Can you please support?

Thanks,

Alex.


2014-12-06  08:33:59 **Smurf** 216.58.208.0, 80->> 192.168.2.102, 51684 (from WAN Inbound)
2014-12-06  08:33:57 **Smurf** 216.58.208.0, 80->> 192.168.2.102, 51686 (from WAN Inbound)
2014-12-06  08:33:56 **Smurf** 216.58.208.0, 80->> 192.168.2.102, 51684 (from WAN Inbound)
2014-12-06  08:33:55 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51680 (from WAN Inbound)
2014-12-06  08:33:53 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51680 (from WAN Inbound)
2014-12-06  08:33:52 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51636 (from WAN Inbound)
2014-12-06  08:33:51 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51643 (from WAN Inbound)
2014-12-06  08:33:49 **Smurf** 216.58.208.0, 80->> 192.168.2.102, 51678 (from WAN Inbound)
2014-12-06  08:33:48 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51676 (from WAN Inbound)
2014-12-06  08:33:47 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51668 (from WAN Inbound)
2014-12-06  08:33:46 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51672 (from WAN Inbound)
2014-12-06  08:33:45 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51653 (from WAN Inbound)
2014-12-06  08:33:43 **Smurf** 216.58.208.0, 80->> 192.168.2.102, 51648 (from WAN Inbound)
2014-12-06  08:33:42 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51675 (from WAN Inbound)
2014-12-06  08:33:41 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51643 (from WAN Inbound)
2014-12-06  08:33:39 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51672 (from WAN Inbound)
2014-12-06  08:33:38 **Smurf** 216.58.208.0, 80->> 192.168.2.102, 51631 (from WAN Inbound)
2014-12-06  08:33:37 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51645 (from WAN Inbound)
2014-12-06  08:33:36 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51653 (from WAN Inbound)
2014-12-06  08:33:35 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51641 (from WAN Inbound)
2014-12-06  08:33:34 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51643 (from WAN Inbound)
2014-12-06  08:33:33 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51639 (from WAN Inbound)
2014-12-06  08:33:31 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 51627 (from WAN Inbound)
2014-12-06  08:33:30 **Smurf** 216.58.208.0, 80->> 192.168.2.102, 51631 (from WAN Inbound)

Replies

Kudos0

Re: router: **Smurf** from google

Yup, having the same thing happening to me and I just don't know what it is.

Kudos0

Re: router: **Smurf** from google

viralcodex:

Yup, having the same thing happening to me and I just don't know what it is.

 http://www.symantec.com/connect/articles/demystifying-denial-service-att...

Kudos0

Re: router: **Smurf** from google

Apostolos: perhaps I am misinterpreting the information discussed in the link you referenced ... but if the OP was being hit with a DOS then wouldn't the log show various IP addresses from the range 216.58.208.xx rather than just the single IP address 216.58.208.0?
Kudos0

Re: router: **Smurf** from google

geek47:
Apostolos: perhaps I am misinterpreting the information discussed in the link you referenced ... but if the OP was being hit with a DOS then wouldn't the log show various IP addresses from the range 216.58.208.xx rather than just the single IP address 216.58.208.0?

216.58.208.0, 80->> 192.168.2.102, 51684 (from WAN Inbound)
216.58.208.0, 443->> 192.168.2.102, 51680 (from WAN Inbound)

XXXXX and so on...

Kudos0

Re: router: **Smurf** from google

80, 443 are different ports but from same IP address (216.58.208.0). If the DOS was initiated by sending an ICMP to network's broadcast address, then wouldn't the OP see responses from more than just multiple ports on a single IP address? Wouldn't the OP see responses from multiple IP addresses (and perhaps multiple ports on those multiple IP addresses)?
Kudos1 Stats

Re: router: **Smurf** from google

80 is http, 443 is https but there are also Dynamic ports.

I do not know if the OP's router has ICMP disabled, or ip proxy-arp, or ip redirects or ip unreachables disabled as well.

First thing should be to run the netstat -ano command and see status of active connections, ports, IP's etc.

If router is properly configured there is no worry.

Kudos0

Re: router: **Smurf** from google

Thanks!
Kudos0

Re: router: **Smurf** from google

I am still a bit confused. My understanding of a "smurf" attack is that someone sends a spoofed ICMP to a router's broadcast address (in this case presumably 216.58.208.255). The originating IP address in the spoofed ICMP has been set to the victim's address. The router broadcasts the spoofed ICMP to all addresses in its network ... and then the victim receives ICMP replies from all addresses in the router's broadcast range ... thus becoming victim of DOS. Yet in this case, the OP is only receiving packets from one IP address. What am I missing?
Kudos0

Re: router: **Smurf** from google

geek47:
I am still a bit confused. My understanding of a "smurf" attack is that someone sends a spoofed ICMP to a router's broadcast address (in this case presumably 216.58.208.255). The originating IP address in the spoofed ICMP has been set to the victim's address. The router broadcasts the spoofed ICMP to all addresses in its network ... and then the victim receives ICMP replies from all addresses in the router's broadcast range ... thus becoming victim of DOS. Yet in this case, the OP is only receiving packets from one IP address. What am I missing?

By default, router does not forward layer 2 broadcasts...

Kudos0

Re: router: **Smurf** from google

Sorry for my being so dense ... are you saying that the Google router is properly configured and not broadcasting the spoofed ICMP it receives to the rest of its network?
Kudos0

Re: router: **Smurf** from google

When I do a "netstat -anb" I get (extract):
  TCP    192.168.2.102:49171    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49172    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49175    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49183    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49184    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49186    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49187    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49188    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49189    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49190    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49191    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49192    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49193    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49194    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49199    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49200    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49204    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49205    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49206    216.58.208.0:443       SYN_SENT
[firefox.exe]

And at the same time on the router I have:
2014-12-06  18:01:11 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49206 (from WAN Inbound)
2014-12-06  18:01:10 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49195 (from WAN Inbound)
2014-12-06  18:01:06 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49206 (from WAN Inbound)
2014-12-06  18:01:04 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49206 (from WAN Inbound)

Why would the internet browser (same happens with Internet Explorer) communicate with 216.58.208.0? On the other hand, N360 security history does not show anything related to Firefox...

The strangest thing is that the "**Smurf** 216.58.208.0 ..." is more frequent when I go to Google. But if I go to norton.com the router does not show any problem...

Alex.

Kudos0
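Added example (not part of the thread): one way to triage the post above is to check whether each flagged "WAN Inbound" packet mirrors a connection the PC itself opened, and how many distinct sources appear. The function names are made up for this sketch; the sample input is copied from the log and netstat lines in that post, with the netstat extract shortened.

```python
import re
from collections import Counter

# Sample input: lines copied from the post above (netstat extract shortened).
ROUTER_LOG = """\
2014-12-06  18:01:11 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49206 (from WAN Inbound)
2014-12-06  18:01:10 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49195 (from WAN Inbound)
2014-12-06  18:01:06 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49206 (from WAN Inbound)
2014-12-06  18:01:04 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 49206 (from WAN Inbound)
"""
NETSTAT = """\
  TCP    192.168.2.102:49205    192.168.2.1:80         TIME_WAIT
  TCP    192.168.2.102:49206    216.58.208.0:443       SYN_SENT
"""

# Port-based alert lines only; the ICMP "Type:8, Code:0" variant is not matched.
ALERT_RE = re.compile(
    r"\*\*Smurf\*\* (?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+)")
CONN_RE = re.compile(
    r"TCP\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\w+)")

def parse_alerts(text):
    """Return (src, sport, dst, dport) for each port-based **Smurf** alert."""
    return [(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            for m in ALERT_RE.finditer(text)]

def parse_netstat(text):
    """Map (local_ip, local_port, remote_ip, remote_port) -> TCP state."""
    return {(m["lip"], int(m["lport"]), m["rip"], int(m["rport"])): m["state"]
            for m in CONN_RE.finditer(text)}

def triage(log_text, netstat_text):
    """Split alerts into return traffic for local connections and the rest."""
    alerts = parse_alerts(log_text)
    conns = parse_netstat(netstat_text)
    matched, unexplained = [], []
    for src, sport, dst, dport in alerts:
        # Return traffic has the reversed 4-tuple of a connection the host opened.
        state = conns.get((dst, dport, src, sport))
        bucket = matched if state else unexplained
        bucket.append((src, sport, dst, dport, state))
    return {
        "distinct_sources": len({a[0] for a in alerts}),
        "source_ports": Counter(a[1] for a in alerts),
        "return_traffic": matched,
        "unexplained": unexplained,
    }

if __name__ == "__main__":
    for key, value in triage(ROUTER_LOG, NETSTAT).items():
        print(key, value)
```

On the posted lines, three of the four alerts mirror the connection that netstat shows in SYN_SENT, and all four come from a single source address; the alert for port 49195 has no counterpart in the shortened extract.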

Re: router: **Smurf** from google

When I do a "netstat -anb" I get (extract):

Hi,

It's netstat -ano not netstat -and

And SYN_SEND indicates active open.

Kudos0

Re: router: **Smurf** from google

Do you use Google with country redirects or Google ncr (no country redirect??)  http://www.google.com/ncr

Kudos0

Re: router: **Smurf** from google

I have tried on the second computer (also running win7) and after opening FireFox (the home page is a blank page and I did not open any website) I get:

2014-12-06  18:59:17 **Smurf** 216.58.208.0, 443->> 192.168.2.100, 49173 (from WAN Inbound)
2014-12-06  18:59:15 **Smurf** 216.58.208.0, 443->> 192.168.2.100, 49173 (from WAN Inbound)
2014-12-06  18:59:11 **Smurf** 216.58.208.0, 443->> 192.168.2.100, 49173 (from WAN Inbound)
2014-12-06  18:59:08 **Smurf** 216.58.208.0, 443->> 192.168.2.100, 49173 (from WAN Inbound)
2014-12-06  18:54:51 sending ACK to 192.168.2.100

The difference between Firefox and Internet Explorer is that on IE if I go to www.norton.com I get:

2014-12-06  19:04:30 **Smurf** 216.58.208.0, 80->> 192.168.2.100, 49327 (from WAN Inbound)
2014-12-06  19:04:28 **Smurf** 216.58.208.0, 80->> 192.168.2.100, 49321 (from WAN Inbound)
 

The google that I use is "https://www.google.co.uk/intl/en/".

I even added to the etc\hosts file:

127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 www.google-analytics.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 google.com

I am not sure if it is related but youtube is not working, and on router I get a lot of:

2014-12-06  19:20:09 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 50391 (from WAN Inbound)
2014-12-06  19:20:07 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 50391 (from WAN Inbound)
2014-12-06  19:20:03 **Smurf** 216.58.208.0, 443->> 192.168.2.102, 50388 (from WAN Inbound)

Doing a ping:

C:\>ping youtube.com

Pinging youtube.com [216.58.208.0] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.58.208.0:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

But on the router I get something new:

2014-12-06  19:20:50 **Smurf** 192.168.2.102->> 216.58.208.0, Type:8, Code:0 (from WLAN_g Inbound)
2014-12-06  19:20:45 **Smurf** 192.168.2.102->> 216.58.208.0, Type:8, Code:0 (from WLAN_g Inbound)
2014-12-06  19:20:40 **Smurf** 192.168.2.102->> 216.58.208.0, Type:8, Code:0 (from WLAN_g Inbound)

Alex.

Kudos0

Re: router: **Smurf** from google

Apostolos:

It's netstat -ano not netstat -and

I used netstat -anb because if I used the option "o" then I would get the process PID number instead of the process name (as with option "b"). However, the downside of running the option "b" is that one needs to open the command line as an administrator...

Alex.

Kudos0

Re: router: **Smurf** from google

Hi Alex,

Type 8 is an Echo Request because you ran the ping command; the Echo Request ICMP will have a Type field of 8 and a Code field of 0. Echo Replies have a Type field of 0 and a Code field of 0.

Can you try, as a test, to disable ICMP in your router and check again?

Do you have the same results??

Kudos0

Re: router: **Smurf** from google

Can you try, as a test, to disable ICMP in your router and check again?

At the moment, the router's firewall has the following settings enabled:

  • Intrusion Detection Feature

SPI and Anti-DoS firewall protection     
RIP defect     
Discard Ping To WAN Interface     

  • Stateful Packet Inspection

Packet Fragmentation     
TCP Connection     
UDP Session     
FTP Service     
TFTP  Service

The router is a "little" old but that does not explain why I only started to have this problem recently...

Alex.

Kudos0

Re: router: **Smurf** from google

If you have a home router it's not possible to apply a Reflexive ACL, but most home routers support simple ACL's.

Try to apply an ACL, ( inbound traffic), for ICMP.

Alternatively, if the router supports it, try to disable UPnP, and enable UDP Flood filtering, TCP SYN Flood Attacks filtering & ICMP Flood Attack filtering. (Set a small value of packets or none). Basically set your router to ignore/drop ping packets from WAN. (I think it's already set from what you have described).

Do you run any torrent client sw?

Kudos0

Re: router: **Smurf** from google

Apostolos:

Do you run any torrent client sw?

No, I do not have any client running...

The current (overview) of the settings are:

Home Network (LAN)
IP Address      192.168.2.1
Subnet Mask     255.255.255.0
DHCP Server     Enabled
Firewall        Enabled
UPnP            Disabled
Wireless        Enabled

Alex

Kudos0

Re: router: **Smurf** from google

Today I tried with a different router (TL-WR1043ND).

With the new router I do not have any problem accessing YouTube and the router security log does not show any activity. I have attached the current settings of both routers.

On the TP-Link, there is a note saying "FLOOD Filtering will take effect only when the Traffic Statistics in System Tools is enabled". Thus, I have enabled the Statistics on the System Tools but I do not see any difference...

Am I doing something wrong?

Alex.

Kudos0

Re: router: **Smurf** from google

Hi Alex

Since yesterday morning I believe I have the same problem  as you do (SMC router):

12/07/2014  11:58:05 **Smurf** 216.58.208.0, 80->> 192.168.1.20, 50547 (from WAN Inbound)
12/07/2014  11:58:01 **Smurf** 216.58.208.0, 80->> 192.168.1.20, 50543 (from WAN Inbound)
12/07/2014  11:58:00 **Smurf** 216.58.208.0, 80->> 192.168.1.104, 56600 (from WAN Inbound)
12/07/2014  11:57:59 **Smurf** 216.58.208.0, 80->> 192.168.1.20, 50539 (from WAN Inbound)
12/07/2014  11:57:58 **Smurf** 216.58.208.0, 80->> 192.168.1.104, 56600 (from WAN Inbound)
12/07/2014  11:57:57 **Smurf** 216.58.208.0, 80->> 192.168.1.20, 50547 (from WAN Inbound)
 

Is this still happening? I can't access Google Drive, Maps, YouTube, Translator, etc. because all of them translate to the 216.58.208.0 address.

Sorry for posting this question here but by now, this is the only post I can find about this subject.

Carlos

Kudos0

Re: router: **Smurf** from google

I stopped having the problem after I changed the router (but I am not sure if I am using the correct security settings). Maybe the ISP has changed something because this situation is recent (I only noticed the problem a few days ago).

Alex.

Kudos0

Re: router: **Smurf** from google

Funny thing is that I'm also having the same logs, and can't access anything from Google, YouTube etc.

So from what you said I think the problem is with the router perhaps, will try to maybe change it and see if something happens.

Kudos0

Re: router: **Smurf** from google

I changed the router to a very old wireless US Robotics and the problem stopped. Net speed is normal and I can connect to all Google's sites.

Still trying to understand the strange router/216.58.208.0 IP behaviour.

Thank you.

Carlos

Kudos0

Re: router: **Smurf** from google

Hello

I have the same problem, the IP is the same (the IP is from Google) and I cannot get into Google's sites.

I already did so many things: DNS cache wipe, deleted the hosts file in Windows, scanned for viruses and malware, used DNS from Google, I reset the router, but nothing works. I have 4 computers and all are the same.

I then used my smartphone and while using the Wi-Fi it is the same, but then I used the internet of the smartphone operator, Vodafone, and I can go to YouTube and all the sites that were blocked.

I then used a proxy on the computer and to my surprise I can go to all Google's sites.

It's very strange, it's like Google is blocking my internet provider IP... and I am from Portugal, so I don't have problems with that sort of thing...

Kudos0

Re: router: **Smurf** from google

I'm also from Portugal and having the exact same problem as you do xD, what's your internet provider?

Kudos0

Re: router: **Smurf** from google

I am also from Portugal... Cabovisao.

Kudos0

Re: router: **Smurf** from google

MEO, maybe it is something with Portuguese IP

Kudos0

Re: router: **Smurf** from google

I am not sure if it is a problem with the ISP because I just did a direct connection to the cable modem (i.e. bypassed the router) and I did not have any problem connecting to www.youtube.com. Meanwhile, N360 security history did not detect anything out of the normal. Thus, the problem should be located within the router.

On the other hand, some years ago I had to change from my syslink router to the SMC router because I did not have access to the internet. I remember that the ISP told me that that was due to some kind of an update on the service... but nevertheless, it is very strange to only be having problems with Google services (216.58.208.0).

Alex.

Kudos0

Re: router: **Smurf** from google

Well, I don't have a modem to try it, I only have the router, but like I said before, using a proxy and using the router the connection works.

It's very strange. My router is old, SMC (SMC7904BRA2), but I never had any trouble, and it's only Google sites...

I am writing in the forum of my provider (MEO) and there are others that have problems as well.

Kudos0

Re: router: **Smurf** from google

Oops, I forgot a W in my router, it is SMC7904WBRA2...

Kudos0

Re: router: **Smurf** from google

My router is of that brand and model.

Maybe it became technically outdated.
