Forum Discussion

SpookyWatcher
New Contributor

Pretty bad SYN ACK coming from 212.133.164.*** and follows to any IP in 68.111.***.*** that I get assigned

Every now and again, I like to connect my computer directly to the modem via a live boot of Kali Linux with custom IPTABLES and Wireshark to sniff out what's going on.

For at least 8 days now (could be much longer) I have logged massive SYN-ACKs from Turkey with the IP range of 212.133.164.***. They are using about 45 different IPs in that range. So I leased a new IP from Cox by using 5 different computers connected straight to the modem with different live boot Linux ISOs, and instantly it followed each time. So I grabbed a new ISO of Linux and live booted it (of course after verifying the download and signature) and then downloaded different ISOs of Manjaro, Ubuntu, Arch, Kali, etc.

All live boot ISOs connected directly to the modem and IP hopping (by switching to 5 different computers) still showed the same attack from that Turkey IP range.

So last I tethered it to an LTE device to see if it was an infection on my end and there was nothing. Nice and quiet. (Granted, that's IPv6.)

But that makes me think that I'm pretty sure my end is not infected, but I'm wondering if anyone else in the Cox 68.111.***.*** range was getting the same hammering from Turkey with the range coming from 212.133.164.***

Just trying to eliminate that it's not an infection on my end or at the modem level (modem haunt etc.)

Thx. P.S. There are no Windows installs connected to my network. Only Linux and Apple on main, and all other IoTs are on separate VLANs. And again, it followed when my network was not connected and it was just straight to the modem with 5 different computers using 5 different distros.
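One way to check the "is it my end?" question from the capture itself, as an added example that is not part of the original post: it separates inbound SYN-ACKs that answer a SYN the capture host sent from ones with no matching outbound SYN, tallied per source /24. The `tcpdump -nn` text lines, the addresses (RFC 5737 documentation ranges) and the function name are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -nn text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

# Constructed sample capture; 203.0.113.7 stands in for the modem-assigned address.
SAMPLE = """\
10:00:00.100000 IP 203.0.113.7.40000 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0
10:00:00.130000 IP 192.0.2.80.443 > 203.0.113.7.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
10:00:01.000000 IP 198.51.100.11.80 > 203.0.113.7.51001: Flags [S.], seq 5, ack 7, win 8192, length 0
10:00:01.200000 IP 198.51.100.42.80 > 203.0.113.7.51002: Flags [S.], seq 6, ack 8, win 8192, length 0
10:00:01.400000 IP 198.51.100.11.80 > 203.0.113.7.51003: Flags [S.], seq 7, ack 9, win 8192, length 0
""".splitlines()


def classify_synacks(lines, local_ip):
    """Return (solicited, unsolicited) Counters of inbound SYN-ACKs per source /24."""
    sent = set()  # (local_port, remote_ip, remote_port) of every SYN we sent
    solicited, unsolicited = Counter(), Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and src == local_ip:
            sent.add((sport, dst, dport))
        elif flags == "S." and dst == local_ip:
            net = str(ipaddress.ip_network(f"{src}/24", strict=False))
            # Keys are kept after a match so retransmitted SYN-ACKs
            # for the same handshake still count as solicited.
            if (dport, src, sport) in sent:
                solicited[net] += 1
            else:
                unsolicited[net] += 1
    return solicited, unsolicited


if __name__ == "__main__":
    ok, bad = classify_synacks(SAMPLE, "203.0.113.7")
    print("solicited:", dict(ok))
    print("unsolicited:", dict(bad))
```

A /24 that appears only in the unsolicited tally is not replying to connections the capture host opened, so a fresh live-boot machine seeing it immediately is expected rather than a sign of local compromise.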

2 Replies

  • Bruce
    Honored Contributor III

    Cox apparently doesn't sniff at their edge routers.

    • SpookyWatcher
      New Contributor

      Not too long after creating this thread, the intense and relentless hammering from 212.133.164.*** finally stopped. It lasted at least 9 days. I hadn't looked before that time for a while, so it could have been longer. But now it's just the normal occasional drive-by.