
Ask Slashdot: Mitigating DoS Attacks On Home Network?

First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."
  • Go to your ISP (Score:5, Informative)

    by ERJ ( 600451 ) on Saturday October 12, 2013 @01:21PM (#45109241)
    The nature of a DOS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.
  • Not on your end (Score:4, Informative)

    by Lorens ( 597774 ) on Saturday October 12, 2013 @01:25PM (#45109269) Journal

    If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).

  • by Freshly Exhumed ( 105597 ) on Saturday October 12, 2013 @01:29PM (#45109305) Homepage

    Also please post some speed tests from these sites:

    http://www.speakeasy.net/speedtest/ [speakeasy.net]

    http://www.speedtest.net/ [speedtest.net]

    Don't forget to run more than one test on each to get a better sample.

  • by Anonymous Coward on Saturday October 12, 2013 @01:31PM (#45109325)

    This would seem like an obvious case here.

    If your IP changes, how would the attackers be able to guess the new ip so fast?

  • by Anonymous Coward on Saturday October 12, 2013 @01:35PM (#45109361)

    This.

    It is far more likely that he has a compromised internal network and his dsl is being overwhelmed by outbound spam, not an inbound DoS, especially since 'they' find him within minutes of an IP switch. Invest in a good virus scanner dude, and seriously consider a wipe and reload of every system.

  • Smells of rootkit (Score:5, Informative)

    by SpaceLifeForm ( 228190 ) on Saturday October 12, 2013 @01:43PM (#45109409)
    Something is calling home to give away your IP quickly. What computers and OSes are you using? What antivirus? A lot of antivirus programs suck. Shut down everything. Force a new WAN IP on the router. See if the problem occurs with no devices behind the router. If it does, maybe it is the router that is running malware. If still quiet, bring up one machine at a time behind the router and wait a while before doing the next machine. Any wireless devices? Is your wifi *really* secured?
  • by RobertLTux ( 260313 ) <(gro.nitramecnerual) (ta) (trebor)> on Saturday October 12, 2013 @01:57PM (#45109489)

    1 unplug your gateway device (DSL modem) and your router
    2 on a known clean system download and create a Windows Defender Offline flash key/DVD (you will need either or both of the 32 and 64 bit versions)
    3 shut down ALL of your computers
    4 make and have %meal% (don't forget the dishes)
    5 run WDO on one computer (make sure it completes successfully)
    6 plug in your DSL modem and wait for the blinky lights to settle
    7 plug in your router and wait for its blinky lights to settle
    8 plug in the computer that was scanned (and only that one)
    9 see if the problem shows back up

    10A IF NO: then FOR EACH IN ListOfComputers do 5, 8 and 9 with the next computer; IF RemainingComputers = 0 then GOTO 11
    10B IF YES: then dial tel:8002255324 and explain the situation
    11 Spend some of your Profit! on a better AV solution

  • by RedLeg ( 22564 ) on Saturday October 12, 2013 @02:06PM (#45109549) Journal
    You more than likely have something "phoning home" that the bad guys are tracing back to you.

    SO, to track that down, do this in exactly this order:

    1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.

    2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that is connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiguring your router. If necessary, borrow a device from someone you trust.

    3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.

    4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.

    It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.

    If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.....

    Hope this helps.

    -Red

  • by Gavrielkay ( 1819320 ) on Saturday October 12, 2013 @03:16PM (#45109905)
    I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16) and I can't browse the web or watch anything on Netflix. I'm not saying I'm absolutely certain that my Netgear router isn't over-reporting, but there is something going on. And now, rather than being only when we're gaming online and getting threatened by folks, it's constant. I can't figure out what we're being tracked by though. What is there besides MAC address and IP address to latch on to? Something maybe that Windows does that we've been "signed up" for? I just don't know. I'm a software geek, not a network guru sadly.
  • by Anonymous Coward on Saturday October 12, 2013 @03:54PM (#45110099)

    Most of the dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender; this - 63.228.223.103 - is "steamcommunity.com", and the one with a different port, "205.188.155.221:995", is indeed a mail server as specified by the port.

    It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.

  • The advice about recording transmissions sounds like good advice, and I've heard WireShark praised before for that kind of diagnosis.

    If you do that, then you can identify what signals are coming from where. If it's a DDOS, of course, there will be a wide variety of different TCP addresses, but THAT is informative, too. Not directly helpful, but good evidence as to what is going on.

    Don't be too sure that your anti-virus and anti-malware tools actually catch all viruses/malware. They are generally obsolete at the time they are released. They catch the ones known about at the time.

    If the attacks are quite frequent, try booting off a live CD/DVD, say a recent KNOPPIX. (I think that has diagnostic tools. They don't all, so you may need a specialized distro.) That way you can be sure that nothing in the local software is causing the problem. And THEN record the results onto a USB stick.

    P.S.: This is from theory. I've never actually experienced your problem.

    P.P.S.: Did you release your TCP connection? I don't know how to do that under MSWind, which I'm guessing you are using, because you talk about being a gamer. But replacing your router won't automatically do that. It's probably done somewhere in network configuration.

  • Unlikely (Score:5, Informative)

    by Wrexs0ul ( 515885 ) <[moc.eninkcar] [ta] [reiemm]> on Saturday October 12, 2013 @04:52PM (#45110365) Homepage

    Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.

    Most folks that'd DDOS you aren't that sophisticated, and if they are there's really nothing you can do until someone decides to focus their malice elsewhere.

    The best bet for the poster is mitigation. Talk to the ISP, let them know the situation, and start feeding them a list of IPs to block at their head-end. While you as a client only have X bandwidth before it overwhelms your DSL, they have X^n and are usually amenable to blocking malicious traffic before it screws-up all the clients in an area.

    But, to repeat what's already been said. If the attack's following you to new IPs your only bet is:
    - Factory reset the router, then plug it (and only it) in.
    - Have it get a fresh IP
    - Wait 30 minutes and see if an attack starts
    - Plug-in a known safe device to check the router. Fixed devices like an iPhone or Android phone should work (unlikely that's what's compromised).
    - Use the device to check the router and see what kind of traffic is happening
    - Slowly start reconnecting your devices, one at a time, waiting a safe amount of time in between each.

    If the router starts getting hammered without anything connected you could have a compromised router. Just last year thousands of routers were compromised that had too simple a password and remote access enabled.

    If it starts after a certain device is plugged in, time to track down the culprit or (better) format the compromised machine. You're probably safe 90% of the time, but once a machine is rooted it's a good policy to never trust it.

    If the router is getting traffic and you know it's safe, then you might be seeing an attack on your network segment. Only your ISP can help.

    -Matt

  • by LodCrappo ( 705968 ) on Saturday October 12, 2013 @05:49PM (#45110663)

    Point 1: The fact that you mention mac addresses and dos in the same question shows that you do not know enough about networking to assess this situation properly.

    Point 2: Home internet connections don't get DOSed. There is no profit in it to justify the effort or risk. Anyone with the skill and capability to attack a network most certainly has better things to do.

    Point 3: All of your symptoms fit perfectly with a local problem. None of them match a DOS very well.

    You very likely have a compromised PC or a PC running something like torrents/other P2P software that isn't properly configured. Use up all your outbound bandwidth either way and you will have exactly the situation described.

    obligatory: wtf is this doing on slashdot? It's a basic home user networking issue.

  • So what? (Score:4, Informative)

    by sillivalley ( 411349 ) <<sillivalley> <at> <comcast.net>> on Saturday October 12, 2013 @08:54PM (#45111477)
    Executive summary: Welcome to the real world. Everybody with an "always on" connection is getting this kind of crap, it's just that most people don't realize it.

    Discussion: We have a cable modem for internet service. I run a SSH honeypot (Kippo) to collect information on folks knocking on our door.

    Friday morning, my Kippo honeypot recorded a dictionary attack run of 291 SSH login attempts (against root) in 12 minutes (from 178.141.148.236, look it up if you want). I don't even bother to record the crap coming against port 80.

    This isn't unusual, not even for an IP address in a residential cable block! And the more you look for this kind of activity, like running a honeypot, or even reviewing your router logs, the more bewildered you'll become, particularly about how "normal" people's computers survive under these continuous attacks.

    The answer, of course, is that so many do not, their home computers rooted within minutes of being connected to the net, or when a child in the household (using a Windows account with admin privileges) clicks on some enticing link in IE... Their computer gets added to one or more botnets, and eventually they toss it out because it's too slow.

    Suggestions: Make sure your network is as secure as you can make it, then ask for help to make it better. Help those you care about do the same. Friends don't let friends use IE (or Windows) is a good start.
  • by Anonymous Coward on Saturday October 12, 2013 @10:38PM (#45111963)

    This intensity is NOT a DoS. You'd get a flood of messages every second, not singular attempts once an hour.

    This is likely just usual - bots and script-kiddies scanning networks for vulnerabilities. I get a dozen or two of those scans every day as well.

    Nothing to worry about, but it reminds you how the Internet is not a friendly place and how you'd better be updated and not showing out more ports than necessary.

    Shitty connection is probably just that - a shitty connection, and your DSL's tech support would be more useful here. Call them when you're experiencing those slowdowns and try to troubleshoot it.
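The distinction the comment above draws (a flood of log entries every second versus isolated attempts once an hour) can be checked against the router's own "DoS attack from..." log instead of guessed at. The following is an added example, not code from the thread or from any router vendor: it assumes a Netgear-like log line format (constructed here; real formats vary, so adjust the regex), groups entries by source address, and reports the peak number of events any one source produced inside a one-minute window. Sample lines are constructed.

```python
"""Classify router 'DoS attack' log entries as a flood or as background noise.

Added example; the log line format below is an assumption, not a vendor's
documented format, and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape (constructed):
#   [DoS attack: <type>] from source: <ip>, port <port>, <YYYY-MM-DD HH:MM:SS>
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
    r"port (?P<port>\d+), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def parse_events(lines):
    """Return a list of dicts (kind, ip, port, ts) for lines that match; others are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line (admin login, DHCP lease, ...)
        events.append({
            "kind": m["kind"],
            "ip": m["ip"],
            "port": int(m["port"]),
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        })
    return events


def summarize(events, window=timedelta(minutes=1)):
    """Per source IP: total count, span in seconds, and peak events inside any window.

    The peak is found with a sliding window over the sorted timestamps, so a
    source that logs two entries per second stands out from one that logs
    a single entry every hour even if their totals were similar.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    stats = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, lo = 0, 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        span = (stamps[-1] - stamps[0]).total_seconds()
        stats[ip] = {"count": len(stamps), "span_s": span, "peak_per_window": peak}
    return stats


def classify(stats, flood_threshold=60):
    """A source whose peak reaches flood_threshold events per window is a flood;
    anything slower is ordinary scanning noise that every public IP receives."""
    return {
        ip: ("flood" if s["peak_per_window"] >= flood_threshold else "background")
        for ip, s in stats.items()
    }


def constructed_sample():
    """Constructed log: one source at 2 events/s for a minute, one source once an hour."""
    base = datetime(2013, 10, 12, 13, 21, 0)
    lines = []
    for i in range(120):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"[DoS attack: SYN flood] from source: 203.0.113.7, port 27015, {ts:%Y-%m-%d %H:%M:%S}")
    for h in range(3):
        ts = base + timedelta(hours=h, minutes=7)
        lines.append(f"[DoS attack: port scan] from source: 198.51.100.23, port 22, {ts:%Y-%m-%d %H:%M:%S}")
    lines.append("[Admin login] from source 192.168.1.5")  # unrelated entry, must be ignored
    return lines


if __name__ == "__main__":
    stats = summarize(parse_events(constructed_sample()))
    for ip, verdict in classify(stats).items():
        print(f"{ip}: {verdict} ({stats[ip]['count']} events, peak {stats[ip]['peak_per_window']}/min)")
```

Feed it the router's exported log instead of `constructed_sample()` and the output separates the two cases the thread argues about: a handful of sources each logging dozens of events per minute is a flood worth reporting to the ISP, while a long tail of single hits from many addresses is the normal background every always-on connection sees.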

  • by Anonymous Coward on Sunday October 13, 2013 @05:51AM (#45113071)

    Better yet, put a managed switch which allows port mirroring (or a hub if you are old school) in front of your router and run Wireshark on the mirrored port going into the router. That way you will capture any packet going to and from the router, even packets stopped by and sent from the router.
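With a capture from that mirrored port in hand, the question the whole thread turns on (an inbound flood from outside, or outbound traffic from a compromised or misconfigured local machine?) comes down to counting bytes per direction and finding which LAN host is sending them. The following is an added example, not code from the thread: it assumes the capture was exported with tshark as `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len` (tab-separated) and that the home LAN is 192.168.1.0/24; both are assumptions, and the embedded sample is constructed.

```python
"""Tally a packet-capture export by direction to locate the saturating side.

Added example, not from the thread. Input is assumed to be tab-separated
lines of: epoch time, source IP, destination IP, frame length, as produced
by tshark -T fields. The LAN range and the sample rows are assumptions.
"""
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range


def parse_tsv(text):
    """Return (ts, src, dst, length) tuples; malformed rows (e.g. non-IP frames) are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[1] or not parts[2]:
            continue
        ts, src, dst, length = parts
        rows.append((float(ts), src, dst, int(length)))
    return rows


def direction(src, dst):
    """Classify a packet relative to the WAN link: inbound, outbound, or local."""
    s_in = ipaddress.ip_address(src) in LAN
    d_in = ipaddress.ip_address(dst) in LAN
    if s_in and not d_in:
        return "outbound"
    if d_in and not s_in:
        return "inbound"
    return "local"  # LAN-to-LAN traffic never touches the DSL line


def tally(rows):
    """Bytes per direction, bytes per external peer per direction, and bytes sent by each LAN host."""
    bytes_by_dir = Counter()
    peers = {"inbound": Counter(), "outbound": Counter()}
    lan_talkers = Counter()
    for _ts, src, dst, length in rows:
        d = direction(src, dst)
        bytes_by_dir[d] += length
        if d == "inbound":
            peers["inbound"][src] += length
        elif d == "outbound":
            peers["outbound"][dst] += length
            lan_talkers[src] += length  # which inside host is pushing upstream
    return bytes_by_dir, peers, lan_talkers


def verdict(bytes_by_dir, ratio=3.0):
    """One direction dominating by `ratio` or more points at where to look next."""
    inb, outb = bytes_by_dir["inbound"], bytes_by_dir["outbound"]
    if outb >= ratio * max(inb, 1):
        return "outbound-dominated: look for a local source (malware, P2P, backup job)"
    if inb >= ratio * max(outb, 1):
        return "inbound-dominated: traffic arrives from outside, involve the ISP"
    return "balanced: no clear saturation direction"


def constructed_capture():
    """Constructed sample: host .5 pushing 1400-byte frames to 50 peers, tiny inbound replies."""
    t = 1381598460.0
    lines = []
    for i in range(200):
        lines.append(f"{t + i * 0.01:.3f}\t192.168.1.5\t203.0.113.{i % 50 + 1}\t1400")
    for i in range(20):
        lines.append(f"{t + i * 0.1:.3f}\t203.0.113.{i + 1}\t192.168.1.5\t60")
    lines.append(f"{t:.3f}\t192.168.1.5\t192.168.1.1\t74")  # LAN-local, excluded from the verdict
    return "\n".join(lines)


if __name__ == "__main__":
    by_dir, peers, talkers = tally(parse_tsv(constructed_capture()))
    print(dict(by_dir))
    print("top LAN senders:", talkers.most_common(3))
    print("distinct outbound peers:", len(peers["outbound"]))
    print(verdict(by_dir))
```

Run against the real export (`tally(parse_tsv(open("capture.tsv").read()))`) during one of the slowdowns. If `lan_talkers` names a single host and the outbound peer count is large, that host is the one to pull off the network first in the power-up-one-at-a-time procedure described earlier in the thread; if inbound bytes dominate and come from many sources, that is the case only the ISP can filter.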
