Network Attack

[cchow]

Since November of 2016, I have set up 2 computers in my office, both of them are Dell Precision M6800 with identical configurations; both machines are on Windows 10 OS. Comcast is my ISP provider and to connect to the Internet, both machines are using an Ethernet cable and connected to the same Xfinity router (WAN) port on the router. Both have Kaspersky Internet Security installed. These 2 machines are also network together for file sharing purposes etc. For the purpose of this discussion, I will refer to the above office set up as Office 1. 3 days out of a week, I will take the same two machines and set them up in my satellite office which I will call Office 2. Except that at Office 2, I use CenturyLink DSL as my ISP provider.

About 3 months ago, only I of the 2 machines (and it is always the same one) began getting alert/pop-up from the Kaspersky program. The message is always the same:

The network attack has been blocked.
Protocol: ICMP
Attacking computer IP: 133.0.36.65
The attacking computer has not been blocked: its address is possibly spoofed.
Time and Date (on average 5 to 7 times a day and at different time of the day)

This occurs only when I am working from Office 1, but never at Office 2.

I contacted Kaspersky support to find out if this is something that I should be concerned of and all they said was the Network Attack Block Network Attack Blocker component is to block network attacks including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and services working with the network. Basically they told me the feature is doing what it’s designed to do and there is nothing else I need to do. Frankly, they weren’t very helpful at all.

There is a way for me to turn off the pop up alert message but I am a bit worried about the number of these incidents occurring on a daily basis. I am curious as to why only one of the two machine is getting the Network Attack alert, and what might be the cause for this? Also, why only at one office and not the other. I would love to know if there are any steps that should do to stop these apparent ‘Network Attacks’?

Thank you in advance for any advice anyone can offer.

CK

 

[Trouble]

No idea. That's a real stumper.
IF it happened in both locations then I would suspect some malware or such, but.....
Since it only happens on the one computer in only the one location, then the issue would appear geographical.
Have you tested the problem machine in other environments, home, neighbors, coffeeshop, library, etc., ??
Does the problem location have any additional network nodes not present in the other location, something other than the Century Link router that is??

You mentioned that both the computers are identical (which is pretty rare).....
Is there a chance that the problem machine may have had a piece of software installed on it that was not installed on the other machine?
Perhaps something to do with Century Link

The IP address identified in one in a block of IPs held by Asia Pacific Network Information Centre (APNIC)
https://who.is/whois-ip/ip-address/133.0.36.65
OR
Perhaps more accurately Japan Tokyo Japan Network Information Center
http://whois.domaintools.com/133.0.36.65

 

[Regedit32]

I'd guess your Network has somehow got caught up in an ARP Spoofing Attack.

These send modified packets from a trusted computer on the network, to another computer on the network targeting the computers MAC address. That is unique on all computers, which would explain why only one computer is getting the alert from your Security software.

In a nutshell, a host machine not on your Network spoofs an actual computer on your network, sending packets to the target machine (the one you get those alerts on), using false packets that pretend to be from the Office 2 computer when in fact they are from the Host of the attack.

I'm not overly familiar with Kaspersky Internet Security, but if calling them again, perhaps they can instruct you on what third party packet filtering applications you can use along side Kaspersky that would not interrupt your Security. You can use such tools to filter packets and block any using the ARP tactic, as well as IP spoofing tactics.

 

[cchow]

No idea. That's a real stumper.
IF it happened in both locations then I would suspect some malware or such, but.....
Since it only happens on the one computer in only the one location, then the issue would appear geographical.
Have you tested the problem machine in other environments, home, neighbors, coffeeshop, library, etc., ?? Yes, I have. When I am working from Office 2 it is 60 miles away from Office 1.

Does the problem location have any additional network nodes not present in the other location, something other than the Century Link router that is?? No. At Office 1 both machines are wired connected to the Comcast Xfinity Gateway Router. At Office 2, both machines are 'WiFI' connected to the CenturyLink DSL router. One thing I haven't try is when I am at Office 1, to WiFi connect to the Comcast Xfinity router instead to see if the same machine gets the Network Attack alert. Will give this a shot and see. Also, at Office 1, I have 2 printers wired connected to the Comcast Xfinity Router. Whereas at Office 2, the 2 printers are WiFi connected to the CenturyLink DSL.

You mentioned that both the computers are identical (which is pretty rare).....When I ordered the 2 machines, they were built with the same exact specifications with one difference- one has a bigger processor than the other,

Is there a chance that the problem machine may have had a piece of software installed on it that was not installed on the other machine? Yes these are the 2 software programs that are on the problem machine and are on the other: Ekahau HeatMapper (a Wireless Site Survey Application), the other is MAGIX Photostory (a photo editing program)
Perhaps something to do with Century Link

The IP address identified in one in a block of IPs held by Asia Pacific Network Information Centre (APNIC)
https://who.is/whois-ip/ip-address/133.0.36.65
OR
Perhaps more accurately Japan Tokyo Japan Network Information Center
http://whois.domaintools.com/133.0.36.65

Thank you very much for your reply. Please note my response in red.

 

[cchow]

I'd guess your Network has somehow got caught up in an ARP Spoofing Attack.

These send modified packets from a trusted computer on the network, to another computer on the network targeting the computers MAC address. That is unique on all computers, which would explain why only one computer is getting the alert from your Security software.

In a nutshell, a host machine not on your Network spoofs an actual computer on your network, sending packets to the target machine (the one you get those alerts on), using false packets that pretend to be from the Office 2 computer when in fact they are from the Host of the attack.

I'm not overly familiar with Kaspersky Internet Security, but if calling them again, perhaps they can instruct you on what third party packet filtering applications you can use along side Kaspersky that would not interrupt your Security. You can use such tools to filter packets and block any using the ARP tactic, as well as IP spoofing tactics.

Thank you very much for your reply. Both of my machines are using Intuit QuickBooks Enterprise Solutions and both machines work off the same company files. One of the 2 machine is the 'host' computer, the other (which is the one that is getting the Network Attack' alerts is the 'client' computer. As such, I assume there are packets of data going back and forth constantly between the 2 machines. I am not sure if this is similar to what you've described or could this has anything to do with my issue?