DoS attack on a required port

Discussion in 'other security issues & news' started by StoneCold, Aug 27, 2004.

Thread Status:
Not open for further replies.
  1. StoneCold

    StoneCold Registered Member

    Joined:
    Aug 27, 2004
    Posts:
    3
    Hey everybody, I'm new to the forum and I've been looking through google.com for some place that can help me deal with a Denial of Service attack that I am experiencing. :doubt:

    I'm a typical home user with a Netgear DG834 ADSL Router/Firewall. I often play DirectX "7" games across the internet - and one of the ports required is 2300.

    My router has SPI capabilities, I'm sure most of you know what that is - and the DoS attacks are not started until I actually begin playing (using port 2300) - which adds to the frustration, because once I start playing, my router technically thinks that packets coming through 2300 are legitimate traffic - obviously, it's not. :mad: But at the same time, some of the traffic (the gaming traffic) is legitimate o_O

    The source ports were random but from a specific IP, the IP changed on different days, but remained the same during the attack. Spoofed IP obviously. DoS was targeted at my.ip ; 2300

    I tried blocking the source IP by adding a profile to tell the router not to respond to traffic from that IP, but the packets still came through.

    This never used to happen before - it only started becoming a problem recently (a couple of weeks ago). Do I have some kind of virus or infection that is creating this vulnerability? Or does someone in the gaming world not want me to play? :'(

    Any suggestions, solutions, advice or information is greatly appreciated
    Thanks very much in advance, and thanks for reading.

    Jason :D
     
    Last edited: Aug 27, 2004
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Jason,

    Welcome to Wilders.
    I don't think I can solve your problem, but until someone more knowledgeable comes along...
    Are you sure that it is not legitimate game traffic?
    You connect to a server that lists all active games (one IP).
    Then you choose an active game to play and connect to that server (another IP that is different depending on the game server you choose).
    Is it possible that your firewall is treating the game like a DOS attack?
    It only happens when you play. I would think that if someone picked up your IP, they would attack you at other times, not only while you play.
    Unless my idea about a compromised game server is correct.
     
  3. StoneCold

    StoneCold Registered Member

    Joined:
    Aug 27, 2004
    Posts:
    3
    Thanks for the reply

    The gaming environment is different - it's basically like a lobby/chat room where players gather and join a room, and then a host will launch the game from there.

    I assume that anyone with the right hacking tools can obtain your IP whilst you are in the lobby. However, the lobby does not use port 2300, only the game (Direct X 7 "DirectPlay") uses it. Hence, when the host has launched and port 2300 receives traffic from other players to connect, the DoS attack is initiated, the game becomes very laggy - not frame lag, internet lag (it's a driving game), and often means I have to quit so as not to ruin the game for others - or sometimes, if the DoS is intense enough, I am not even able to join when the host launches. I know it's not legitimate gaming traffic, because even after I quit, the flood of bogus packets continues.

    It is possible that the servers are causing this problem - your theory on corrupted game servers seems likely. Although the attack does seem very deliberate, I plan to give my system a full clean and re-install the game, and hope for the best.

    If anyone has better suggestions, please let me know, because I'm totally out of ideas o_O

    Jason
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    For how long after you leave the game do you continue receiving packets?
    The Game Server may still send out packets because it is so busy processing the other players. Since it is a port that the game is using it may be legitimate.
    It may be that your firewall is treating the game traffic as a DOS attack. People have a lot of problems configuring their firewall to work with one game or another.
     
  5. StoneCold

    StoneCold Registered Member

    Joined:
    Aug 27, 2004
    Posts:
    3
    It varies. Sometimes 10 minutes, sometimes more, sometimes it does not stop at all, even after I leave the game AND the lobby. I still believe it is a deliberate DoS attack, because, in the past, the same router configuration never delivered any problems whatsoever :doubt:

    It is certainly possible that my router is treating the traffic as a DoS - but the fact it never used to happen before on the same configuration is what makes me doubtful.

    Thanks again for taking the time to assist me with this problem :D

    Jason
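
The check this thread keeps returning to (does traffic to port 2300 stop soon after quitting, and does it come from one address with random source ports), as an added example that is not part of any post: a Python sketch run over a constructed packet log. The log format, the addresses (documentation ranges), the 60-second grace period and the 10-port threshold are all assumptions, not the DG834's real log output.

```python
from collections import defaultdict

GAME_PORT = 2300     # DirectPlay port named in the thread
GRACE_SECONDS = 60   # assumption: allowance for a busy host's late packets
MIN_PORTS = 10       # assumption: a peer reuses few source ports, a flood many

def parse_line(line):
    """Parse 'epoch src_ip src_port dst_port'; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], int(parts[2]), int(parts[3])
    except ValueError:
        return None

def classify(lines, quit_time, grace=GRACE_SECONDS, min_ports=MIN_PORTS):
    """Label each source that sent to GAME_PORT, relative to when the game was quit."""
    stats = defaultdict(lambda: {"ports": set(), "late": 0})
    for ts, src, sport, dport in filter(None, map(parse_line, lines)):
        if dport != GAME_PORT:
            continue                      # unrelated traffic is ignored
        stats[src]["ports"].add(sport)
        if ts > quit_time + grace:
            stats[src]["late"] += 1       # still arriving well after quitting
    verdicts = {}
    for src, s in stats.items():
        if s["late"] == 0:
            verdicts[src] = "game-like"   # stopped within the grace period
        elif len(s["ports"]) >= min_ports:
            verdicts[src] = "flood-like"  # keeps coming, random source ports
        else:
            verdicts[src] = "lingering"   # keeps coming, stable source port
    return verdicts

def sample_log(quit_time=1600):
    """Constructed sample data: two peers, one flood source, plus noise."""
    log = [f"{t} 198.51.100.7 2300 2300" for t in range(1000, quit_time + 30, 10)]
    log += [f"{t} 198.51.100.8 2301 2300" for t in range(1000, quit_time + 200, 20)]
    log += [f"{t} 203.0.113.50 {1024 + (t * 7919) % 60000} 2300"
            for t in range(1010, quit_time + 600, 5)]
    log += ["garbage line", f"{quit_time + 300} 192.0.2.9 53 4000"]
    return log

if __name__ == "__main__":
    for src, verdict in sorted(classify(sample_log(), quit_time=1600).items()):
        print(src, verdict)
```

A "lingering" source is the case Devinco raises (a busy host still sending); only the combination of late arrival and many source ports matches what StoneCold describes.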
     