AIProtect "external attack" from internal IP after M$ update?


kab

Occasional Visitor
Last night, AIProtect caught a bunch of "RPC Novell NetWare NFS Portmapper RPC Module Stack Overflow" attacks coming from my Win10 PC during or immediately after M$ update. I hit the "update and shutdown" option ~10m earlier, went off to read and didn't notice anything until this morning, so I don't know if it happened during or after the update. Don't find anything being generally reported about similar problems -- but searching for any part of the Security Alert string turns up a gajillion irrelevant topics, none relevant.

[Attached screenshot: RPC_Capture.PNG]

The blanked out address is the LAN (non-routable) IP for the Win10 host. My concern is that the attack claims to originate from that machine - but nothing shows up for any virus scan &c.

Any guesses? Found some older articles about DDOS using UDP packets w/ forged IP; recent Memcrashed attack at github. No idea if related.
 

Are you saying a PC with an internal IP address is externally attacking the WAN port (IP 255.255.255.255) of your router?

OE
 
Well, it *looks* like a valid internal IP address. If you read about UDP DDOS attacks, you'll see that one of the (several) issues is that UDP can trivially spoof IP addrs. Since this was on my "generic" IPv4 network while getting the M$ update, it's no surprise that the internal NAT'd IP could be found. Lots of "if's" there, and I don't know yet that this even was some form of UDP attack. The Win10 machine thinks it's clean after a scan, and the router itself seems OK. I do have several hosts using NFS and other UDP services, so it's worth combing through them to close off UDP ports, just in case.
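The point made above (a UDP packet can carry any source address it likes, so an alert naming a LAN IP does not prove the LAN host sent it) comes down to one question: on which interface did the router see the packet enter? Below is an added triage helper, written for this thread and not code from SNBForums or from ASUS AiProtect. It assumes a hypothetical alert record with an `iface` field saying whether the packet entered via the WAN or the LAN side; if the router's alert log does not record that, the same check can be run against the firewall log or a packet capture on the WAN interface. The sample records, the LAN subnet and the RFC 1918 list are constructed for the example.

```python
"""Triage of "internal IP attacking the WAN side" alerts.

Added example for the thread, not part of the original post or of AiProtect.
The Alert layout is hypothetical; a real router log needs its own parser.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed LAN definition for the example; replace with your own subnet.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# RFC 1918 ranges listed explicitly: Python's is_private also covers TEST-NET
# and other special ranges, which is not what "internal" means here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    iface: str       # "wan" or "lan": interface the packet entered on (assumed field)
    proto: str       # "udp" / "tcp"
    src: str         # source address as reported by the alert
    dst: str         # destination address as reported by the alert
    signature: str   # IPS signature text


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """True if the address belongs to the LAN or any RFC 1918 range."""
    return ip in LAN_NET or any(ip in net for net in RFC1918)


def classify(alert: Alert) -> str:
    """Decide whether the named LAN host can actually be the origin."""
    src = ipaddress.ip_address(alert.src)
    if is_internal(src):
        if alert.iface == "wan":
            # A LAN/RFC 1918 source cannot legitimately arrive on the WAN side:
            # the source field is forged (trivial with UDP). Ingress filtering
            # (BCP 38) says drop it; there is nothing to hunt on the LAN host.
            return "spoofed-source"
        # Seen on the LAN interface: the host really sent it, so scan it and
        # find which service (rpcbind/NFS, an updater, ...) emits the traffic.
        return "lan-host-origin"
    # Ordinary Internet traffic against the WAN port.
    return "external-origin"


ACTIONS = {
    "spoofed-source": "forged source; ingress-filter on WAN, ignore the named LAN host",
    "lan-host-origin": "really sent by that host; scan it and audit its UDP/RPC services",
    "external-origin": "Internet noise against the WAN port; confirm the port is closed",
}


def triage(alerts):
    """Group alerts by classification."""
    buckets = {}
    for a in alerts:
        buckets.setdefault(classify(a), []).append(a)
    return buckets


def summarize(alerts):
    """Count alerts per (classification, source, signature) for a quick overview."""
    return Counter((classify(a), a.src, a.signature) for a in alerts)


# Constructed sample records, not real AiProtect output.
SIG = "RPC Novell NetWare NFS Portmapper RPC Module Stack Overflow"
SAMPLE = [
    Alert("wan", "udp", "192.168.1.23", "255.255.255.255", SIG),   # LAN IP on WAN side
    Alert("wan", "udp", "192.168.1.23", "255.255.255.255", SIG),
    Alert("lan", "udp", "192.168.1.23", "192.168.1.1", SIG),       # genuinely from the PC
    Alert("wan", "udp", "198.51.100.7", "192.168.1.1", SIG),       # outside source
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(f"{category}: {len(items)} alert(s) -> {ACTIONS[category]}")
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

The split matters for the clean-up work: only the `lan-host-origin` bucket justifies time on the Windows host itself, while `spoofed-source` entries are a reason to check that the router drops WAN-side packets with internal source addresses rather than a reason to reinstall anything.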
 
Did you end up finding the source of these?

I have exactly the same thing happening on my RT-AC88U
 
I just installed an evaluation version of Windows Server to play around with, and noticed the same problem right away. It's installed from an official ISO and has all Windows updates and an antivirus installed.

I'll try disabling the NFS plugin and report back if that works.
 