AIProtect "external attack" from internal IP after M$ update?


kab

Occasional Visitor
Last night, AIProtect caught a bunch of "RPC Novell NetWare NFS Portmapper RPC Module Stack Overflow" attacks coming from my Win10 PC during or immediately after M$ update. I hit the "update and shutdown" option ~10m earlier, went off to read and didn't notice anything until this morning, so I don't know if it happened during or after the update. Don't find anything being generally reported about similar problems -- but searching for any part of the Security Alert string turns up a gajillion irrelevant topics, none relevant.

[attachment: RPC_Capture.PNG]


The blanked out address is the LAN (non-routable) IP for the Win10 host. My concern is that the attack claims to originate from that machine - but nothing shows up for any virus scan &c.

Any guesses? Found some older articles about DDoS using UDP packets w/ forged IP; recent Memcrashed attack at GitHub. No idea if related.

OzarkEdge

Part of the Furniture

Are you saying a PC with an internal IP address is externally attacking the WAN port (IP 255.255.255.255) of your router?

OE
 

kab

Occasional Visitor
Well, it *looks* like a valid internal IP address. If you read about UDP DDoS attacks, you'll see that one of the (several) issues is that UDP can trivially spoof IP addrs. Since this was on my "generic" IPv4 network while getting the M$ update, it's no surprise that the internal NAT'd IP could be found. Lots of "ifs" there, and I don't know yet that this even was some form of UDP attack. The Win10 machine thinks it's clean after a scan, and the router itself seems OK. I do have several hosts using NFS and other UDP services, so it's worth combing through them to close off UDP ports, just in case.
 
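Added example, not code from the thread and not ASUS or Trend Micro code: a small Python triage script for an alert like the one kab describes. It takes the source and destination addresses from the log plus the flagged UDP payload and does the two checks the discussion above turns on. First, address scope: 255.255.255.255 is the limited-broadcast address, which routers do not forward (RFC 919, RFC 1812), so whichever router interface logged the packet, the sender was on that interface's own link; a packet with a LAN host's RFC 1918 address as source and a broadcast destination therefore did not arrive through the Internet, spoofed source or not. Second, it decodes the payload as a SunRPC call (RFC 5531) so you can see whether the Win10 host was merely doing a portmapper GETPORT lookup for NFS on UDP/111 (RFC 1833) or sending something malformed, such as a credential length above the 400-byte maximum the RPC spec allows. The LAN address 192.168.1.50, both packets and the log field layout are assumptions constructed for this example; the thread blanks the real address and only posts a screenshot.

```python
"""Triage an IPS alert that claims an "attack" from a LAN IP.

Added example, not from the thread.  Constructed inputs throughout: the
LAN address, the packets and the (src, dst, dport, payload) log layout are
all assumptions, since the thread only shows a redacted screenshot.
"""
import ipaddress
import struct

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# SunRPC constants (RFC 5531, RFC 1833)
MSG_CALL = 0
PORTMAPPER = 100000
PMAP_GETPORT = 3
MAX_AUTH_BYTES = 400      # RFC 5531 section 8.2: an opaque_auth body is at most 400 bytes
PMAP_PROCS = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"}
PROG_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
              100021: "nlockmgr", 100024: "status"}
IPPROTO_NAMES = {6: "tcp", 17: "udp"}


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def classify_scope(src, dst):
    """Say where a flow with these addresses can physically have come from."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == LIMITED_BROADCAST:
        # Routers never forward 255.255.255.255, so the sender sits on the
        # same link as the router interface that logged the packet.
        return "lan-broadcast" if is_rfc1918(s) else "broadcast-other-source"
    if is_rfc1918(s) and is_rfc1918(d):
        return "lan-internal"
    if is_rfc1918(s):
        return "lan-to-wan"   # NAT'd outbound traffic, or a forged private source
    return "external"


def decode_rpc_call(payload):
    """Decode a SunRPC CALL header and, for portmapper GETPORT, its arguments.

    Never raises: problems are collected in the "malformed" list so the
    caller can treat an oversized auth field as a finding, not a crash.
    """
    info = {"malformed": []}
    if len(payload) < 40:               # 24-byte header + two empty opaque_auth
        info["malformed"].append("header truncated (need at least 40 bytes)")
        return info
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    info.update(xid=xid, rpc_version=rpcvers,
                program=PROG_NAMES.get(prog, prog), version=vers,
                procedure=PMAP_PROCS.get(proc, proc) if prog == PORTMAPPER else proc)
    if msg_type != MSG_CALL:
        info["malformed"].append("not a CALL message (msg_type=%d)" % msg_type)
        return info
    off = 24
    for name in ("cred", "verf"):       # opaque_auth: flavor, length, body padded to 4
        if off + 8 > len(payload):
            info["malformed"].append(f"{name}: truncated")
            return info
        flavor, length = struct.unpack(">II", payload[off:off + 8])
        if length > MAX_AUTH_BYTES:
            info["malformed"].append(
                f"{name}: body length {length} exceeds MAX_AUTH_BYTES ({MAX_AUTH_BYTES})")
            return info
        off += 8 + ((length + 3) & ~3)
    if prog == PORTMAPPER and proc == PMAP_GETPORT and off + 16 <= len(payload):
        lprog, lvers, lproto, lport = struct.unpack(">4I", payload[off:off + 16])
        info["lookup"] = {"program": PROG_NAMES.get(lprog, lprog), "version": lvers,
                          "protocol": IPPROTO_NAMES.get(lproto, lproto), "port": lport}
    return info


def triage(src, dst, dport, payload):
    """Combine the scope verdict with an RPC decode when the port is portmapper."""
    verdict = {"scope": classify_scope(src, dst), "dport": dport}
    if dport == 111:
        verdict["rpc"] = decode_rpc_call(payload)
    return verdict


def build_getport(xid, prog, vers, proto):
    """Construct a well-formed portmapper GETPORT call with AUTH_NULL cred/verf."""
    return struct.pack(">14I", xid, MSG_CALL, 2, PORTMAPPER, 2, PMAP_GETPORT,
                       0, 0,            # cred: AUTH_NULL, empty body
                       0, 0,            # verf: AUTH_NULL, empty body
                       prog, vers, proto, 0)


def corrupt_cred_length(pkt, length):
    """Overwrite the credential length field (bytes 28..32) - constructed bad input."""
    return pkt[:28] + struct.pack(">I", length) + pkt[32:]


if __name__ == "__main__":
    good = build_getport(0x1234, 100003, 3, 17)          # "where is NFS v3 over UDP?"
    bad = corrupt_cred_length(good, 0x7FFFFFFF)           # absurd auth length
    print(triage("192.168.1.50", "255.255.255.255", 111, good))
    print(triage("192.168.1.50", "255.255.255.255", 111, bad))
```

A "lan-broadcast" verdict with a clean GETPORT decode means the router's LAN interface saw the Win10 host asking the whole segment where an NFS service lives; that is worth confirming by capturing on the host, but it is not traffic that came in from the WAN. A decode with a "malformed" entry is the case to keep investigating.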

ShaunMD

New Around Here
Did you end up finding the source of these?

I have exactly the same thing happening on my RT-AC88U
 

Beherit

Regular Contributor
I just installed an evaluation version of Windows Server to play around with, and noticed the same problem right away. It's installed from an official ISO and has all Windows updates and an antivirus installed.

I'll try disabling the NFS plugin and report back if that works.
 