
Ask Slashdot: Mitigating DoS Attacks On Home Network?

First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."
  • by Leroy Brown ( 71070 ) on Saturday October 12, 2013 @01:26PM (#45109273) Homepage

    Ditto.

    My next question is: is his machine compromised and part of a botnet. I.e. is he the one doing the DoSing, and his router is falling over as a result.

  • Cloud providers... (Score:5, Interesting)

    by ayjay29 ( 144994 ) on Saturday October 12, 2013 @01:31PM (#45109323)

    Hi,

    >> I've noticed the IPs trace back to Microsoft or Amazon domains

    This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

  • by next_ghost ( 1868792 ) on Saturday October 12, 2013 @02:01PM (#45109509)
    The DSL router itself could be compromised as well. I'd start by booting up a Linux live CD, disconnecting everything else from the network and changing the external IP address again. Then I'd wait to see if they find you again. If they don't, start plugging everything back one device at a time, again checking if they find you after plugging the last device in.
  • by istartedi ( 132515 ) on Saturday October 12, 2013 @02:21PM (#45109641) Journal

    I'm not a gamer either, but I suspect most games are controlled by server connections with no p2p connectivity.

    If I were building the kind of games you see depicted on Big Bang Theory, the gameplay would be through the server; but the chit-chat with the headphones would be p2p. There's no point routing all that chit-chat through the server. I guess you could play the game without the headphones; but it would be difficult to coordinate attacks with your partners.

    When I thought about this a bit more, it occurred to me that the person being DoS'd should contact the game company. Now it gets interesting.

    The game company has two aspects of its reputation to defend. 1. It doesn't want players being DoS'd. 2. It doesn't want to LART players based on spurious accusations.

    That means it would have to make sure the suspect is guilty. They could have the user switch IP several times, and only display the new IP to the suspect. If displaying the new IP to the suspect resulted in the DoS being redirected, but displaying the new IP to other users didn't, then that seems like a smoking gun to me.

    Now we get into the whole cost/benefit analysis for the game company to do something like that. It's probably easier just to log complaints against users, and pull the plug on people after N complaints. If say, 8 users from different walks of life have complained that X is DoS'ing them because he got pissed off, then there's a pretty good chance X is guilty. The best thing about this approach is that it works for all kinds of bad behavior, not just DoS'ing. You're going to have to handle complaints about users anyway, so there you have my answer for now:

    Complain to the game company, but not until you've checked to make sure that something else isn't compromising your system.

  • by dills ( 102733 ) on Saturday October 12, 2013 @03:52PM (#45110091) Homepage

    This is not a DoS attack. Look at how infrequent the packets are...it's essentially background noise that every IP address will see.

    This feels like 2002 all over again, when people had host-based firewalls and would freak out any time they got hit with a port scan, not really understanding what they were looking at.

  • by killkillkill ( 884238 ) on Saturday October 12, 2013 @03:58PM (#45110117)
    Yeah, seems more likely to me he's got a zombie machine on his network participating in DDoS of another target that actually is worth targeting.
  • by Anonymous Coward on Saturday October 12, 2013 @04:08PM (#45110163)

    You may have a long log file with those messages, but look at the time stamps... Getting hit once every minute, sometimes every 5 or 10 minutes? That's not a DoS. You would need to see a lot of those per second for it to impact your connection. I would say that is likely just normal Internet chatter/scanning.

  • by Anonymous Coward on Saturday October 12, 2013 @04:09PM (#45110171)

    Not everyone is as smart as you are. Rather than being a snarky fuck, can you either provide more detailed advice for OP or just not post at all? I never understand why people like yourself insist on letting the world know how fucking brilliant you are, and how everything else is beneath you and a waste of your time. Fucking narcissist.

  • by SpaceLifeForm ( 228190 ) on Saturday October 12, 2013 @04:23PM (#45110245)
    You are fine. That is normal background noise. Not really a DoS, just normal probes, which are not frequent enough to be considered a DoS. Ignore the terminology that Netgear is using. The slowness you encounter at times likely is upstream from you. You should expect it in the evening.
  • Not a DoS (Score:4, Interesting)

    by BlackHawk-666 ( 560896 ) on Saturday October 12, 2013 @05:17PM (#45110509)

    Given the log you posted, you are most definitely not being hit with a DoS attack. You are barely taking any traffic at all, with only a few hits / minute

    [DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49

    I mean look at that...there's 21 minutes worth of time passing in just 3 log entries, that's just plain old net noise.

    It's more likely that your ISP is suffering backhaul congestion, or you are running a torrent client, or someone is DLing ultra pr0n at some insane rate or you left your wi-fi open and someone is hijacking it.

    Go to http://www.speedtest.net/ and run a bandwidth check on your network.
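A small triage script in the spirit of the post above, added here as an example (it is not code from the post or from any router vendor): it parses lines in the quoted "[DoS attack: ...]" format, works out the alert rate and the most frequent sources, and applies an assumed rule of thumb of 600 alerts per minute to separate ordinary background scanning from a flood that could actually saturate a DSL line.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same "[DoS attack: ...]" format as the router log
# quoted in the post above (values copied from the post, not captured here).
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
"""

LINE_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<when>\w+, \w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_log(text):
    """Return (timestamp, kind, source_ip, source_port) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # skip lines that are not in the alert format
            continue
        when = datetime.strptime(m["when"], "%A, %B %d,%Y %H:%M:%S")
        events.append((when, m["kind"], m["ip"], int(m["port"])))
    return sorted(events)

def events_per_minute(events):
    """Average alert rate over the span of time the log covers."""
    if len(events) < 2:
        return 0.0
    span_min = (events[-1][0] - events[0][0]).total_seconds() / 60
    return len(events) / span_min if span_min > 0 else float("inf")

def top_sources(events, n=5):
    """Most frequent source IPs: one persistent sender vs. scattered probes."""
    return Counter(ip for _, _, ip, _ in events).most_common(n)

def classify(events, flood_threshold=600.0):
    """Verdict for the log. The threshold (10 alerts/second) is an assumed
    rule of thumb; a flood that saturates a DSL line produces far more."""
    rate = events_per_minute(events)
    if len(events) < 2:
        return rate, "insufficient data"
    return rate, "flood" if rate >= flood_threshold else "background noise"
```

For the three quoted lines this reports roughly 0.14 alerts per minute from two sources, which is the "net noise" verdict the post reaches by eye.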

  • by muridae ( 966931 ) on Sunday October 13, 2013 @02:37AM (#45112659)

    The problem with one device running wireshark and other devices all connected to a router is that, by virtue of IP, the wireshark running box won't see the traffic sent to the other PCs. You need to either set up a good Knoppix or Kali Linux boot disc device to act as a pass through, or get a cheap hub, or learn about ARP poisoning to get the traffic to first go to the monitoring box, then get passed along to the target device.

    Ideally, your network would be a very simple DSL modem, not a modem+router. Just a modem or your router reconfigured to bridge mode. Then a hub, yeah, the dumb collision prone boxes are very useful still. Uplink of the hub goes to the modem, and your sniffing box and a good NAT+firewall router get connected to it. Then, behind that NAT and firewall goes your computer. Again, ideally, the sniffing computer will not have requested an IP address, will not even have put its ethernet port into anything but a passive state. Then you can start up wireshark. After that, start up your machine you think is attracting the attacks. You can sort wireshark traffic by incoming and outbound. And if changing the externally visible IP hasn't helped, you want to look at outbound to see what you are sending to whom to get yourself noticed.

    I have done exactly this, and it isn't fun or easy, but it did help pass a few Cisco network tests later. Once you get into packet sniffing, and ARP poisoning switches, and packet manipulation of those ARP poisoned packets, you can do all kinds of interesting things. Upsidedownternet doesn't have to be a proxy, it can be done with any switched network if done right. And then, after you graduate from wired networks to sniffing on wireless (and collecting large logs to break keys, or doing deauth attacks on your own gear to see how your modem+router and PC stand up) then you can start in on a whole world of fun and crazy bit-level cleverness.

    disclaimer: I've cracked WEP back in the PCMCIA days of having a high speed 802.11b card (custom firmware to go into monitor mode) but it was on my own network or with permission (parents wanted to know how long it would take for a neighbor to borrow their wifi, I remember leaving the linux box running about an hour and a half, but sibling had lots of traffic going). WPA deauth attacks are the same way, don't screw with other people without permission. But once you have permission, go wild; showing my younger sibling their AIM chats when they thought 'the network is encrypted, you can't see me' was a hilarious way to spend my first summer home from college.
