igirl1

Q: Router logs = DoS attack: STORM coming from my Mac!!!!

I recently switched to a new router and have found these in my logs all over the place -

+[DoS attack: STORM] attack packets in last 20 sec from ip [myMAC'sIP], Sunday, Aug 01,2010 06:08:56+

Originating from my Mac, I'm now doing detective work to find the source to determine whether it's harmless or not. In any case, I would like to know what's causing these.

I'm not running much - if anything but they still show up. Suspects include -
Dropbox, Yahoo Messenger, Google Notifier, Dashboard Client, MainMenu, GrowlHelperApp

I'm using Little Snitch, but can't determine where it's coming from.

2009 MacMini, 2010 MacBook, Apple TV 3.0.1 160GB, Power Mac 8500, Mac OS X (10.6.4), Dell 2408WFP monitor, 8TB external

Posted on Aug 1, 2010 7:40 AM


  • by Holi Macaroni,

    Aug 1, 2010 7:56 AM in response to igirl1
    Hi Karyn,

    Maybe this thread can shed some light: http://discussions.apple.com/thread.jspa?threadID=1889712&tstart=0.
  • by igirl1,

    Aug 1, 2010 8:25 AM in response to Holi Macaroni
    Thank you - that's sort of a dead end conversation though lots of linked resources...

    I guess the simple question is - since these appear to now be originating from MY MAC now - how do I find the source, and/or stop them?

    It's only a very few every so often - I haven't seen even one for over an hour and a half now... so it's not like it's choking out my bandwidth - just annoying to know they are there at this point.
  • by William Kucharski (Solved answer),

    Aug 3, 2010 3:27 AM in response to igirl1
    You very likely don't - I suspect you have a Netgear router, and the problem is related to this one:

    http://discussions.apple.com/thread.jspa?messageID=11382733&#11382733
  • by igirl1,

    Aug 3, 2010 9:06 AM in response to William Kucharski
    William Kucharski wrote:
    You very likely don't - I suspect you have a Netgear router, and the problem is related to this one:

    http://discussions.apple.com/thread.jspa?messageID=11382733&#11382733


    Interesting you mention Netgear routers (though the doc you point to does not) - I have a new Netgear N300 - WNR2000v2 - which works well, but I'm watching the logs to make sure we are secure.

    Today, I've now been able to shut down every single attached device except the desktop Mac. If it persists - next step is to shut the desktop down and access the logs via laptop running the exact same OS and Browser. If it's still there then I have to think the doc above may be right and it's something to do with the router itself.

    Assuming this is the case - there is no "Maximum incomplete TCP/UDP sessions number from same host" and turning off the firewall isn't a great solution IMHO. It's only a few days old so I can return it and buy something else.

    Recommendations for WLAN-N routers without these issues (on the inexpensive side)?
  • by William Kucharski,

    Aug 3, 2010 7:41 PM in response to igirl1
    Netgear routers are one of the few brands that spew the "DoS attack: STORM" messages but are not the only ones with over-sensitive SPI firewalls.

    Unfortunately, it also appears that Netgear does not allow you to modify the parameter in question.

    Personally, I think Apple's AirPort routers (Express, Extreme Base Station and Time Capsule) are some of the best available in terms of reliability and adherence to the appropriate networking standards, but unfortunately all brands have their quirks.
  • by igirl1,

    Aug 4, 2010 7:42 AM in response to William Kucharski
    William Kucharski wrote:
    Netgear routers are one of the few brands that spew the "DoS attack: STORM" messages but are not the only ones with over-sensitive SPI firewalls.


    Wish there were a list of those that have these issues - or some way of knowing which ones allow adjusting for more connections.

    Unfortunately, it also appears that Netgear does not allow you to modify the parameter in question.


    The router is new and will be returned.

    Personally, I think Apple's AirPort routers (Express, Extreme Base Station and Time Capsule) are some of the best available in terms of reliability and adherence to the appropriate networking standards, but unfortunately all brands have their quirks.


    Thanks. I do have to be a little sensitive as I have a PC user on this network and likely need UPnP. As much as I like Apple products, the hardware features are also very slight compared with everything else on the market at their price points. That said, until recently we were getting by just fine using a G router and one band - even for streaming Video_TS, w/Apple TV and a ROKU box for Netflix streaming. An "Express" might do the job. Time to go shopping and do more research.

    Thanks again - this was very tricky to track down the source of these issues.
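
Not part of the thread: an added example that parses router log lines in the format quoted in the first post and groups the alerts by source address, so a few LAN-sourced entries per hour can be told apart from entries sourced outside the LAN. The sample lines, the 192.168.1.0/24 LAN range and the function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format quoted in the first post.
SAMPLE_LOG = """\
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.5], Sunday, Aug 01,2010 06:08:56
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.5], Sunday, Aug 01,2010 06:41:10
[DoS attack: STORM] attack packets in last 20 sec from ip [203.0.113.9], Sunday, Aug 01,2010 07:02:33
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.5], Sunday, Aug 01,2010 08:08:56
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last \d+ sec "
    r"from ip \[(?P<ip>[^\]]+)\], \w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)

def parse_line(line):
    """Return (kind, ip, timestamp), or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # e.g. a redacted placeholder instead of an address
    return m["kind"], ip, datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")

def summarize(log_text):
    """Per source IP: alert count, LAN origin, alerts/hour over the observed span."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            seen[str(parsed[1])].append(parsed[2])
    report = {}
    for ip, stamps in seen.items():
        span_h = (max(stamps) - min(stamps)).total_seconds() / 3600
        report[ip] = {
            "count": len(stamps),
            "lan": ipaddress.ip_address(ip) in LAN,
            "per_hour": round(len(stamps) / span_h, 2) if span_h else None,
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```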