Ask Slashdot: Mitigating DoS Attacks On Home Network?
First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."
What evidence do you have that you're being DoSed? (Score:5, Insightful)
Everyone is being scanned at every second by bots, do you have any real evidence you're being DoSed? It could be a crappy connection. Seeing a modem light flashing a lot does not mean you're being packeted.
Re: (Score:2, Insightful)
Exactly. Let's see some logs, please, and let's have some detailed descriptions of your gear so that we can make more than just guesses.
Re:What evidence do you have that you're being DoS (Score:5, Informative)
Also please post some speed tests from these sites:
http://www.speakeasy.net/speedtest/ [speakeasy.net]
http://www.speedtest.net/ [speedtest.net]
Don't forget to run more than one test on each to get a better sample.
Re:What evidence do you have that you're being DoS (Score:4, Informative)
Re:What evidence do you have that you're being DoS (Score:5, Insightful)
Software geek?
Put ONE machine on your router.
Load up Wireshark.
Put DMZ options on the router to send all unsolicited traffic to that one PC's IP.
Watch what's being used and where it's coming from and where it's going.
To be honest, out of all the people who've ever come to me with a similar problem it's either a) a crap router, b) a crap ISP, c) Something on the machine/network talking OUT that's killing the connection (nothing external at all, e.g. P2P apps etc.), d) wireless connections being affected.
If you are genuinely changing your EXTERNAL IP (your internals mean nothing, your MAC means nothing), and it follows you that quickly, then YOU are broadcasting your location (or it's something internal to the network and nothing to do with packets from the Internet at all).
I know if I refresh my TF2 server list too often, my router can sometimes crap out.
Do some proper diagnosis. That means rather than guessing at something and trying things that have NO correlation (MAC addresses), that you follow Sherlock Holmes - when you have eliminated the possible, whatever remains must be the truth. Go through things and eliminate one at a time.
Put ONE device on the router. Change the router. Change the way you connect to the router. Look what's going out and coming in rather than guessing that you're being DDOS'd (I have yet to witness an actual DDOS in 15 years of network management). Or just talk to your damn ISP (who, almost certainly, will tell you there's nothing DDOS'ing you at all).
If you're getting a flood of recorded packets, you can see what they are, where they come from, and what prompts them and even how they have "found" you again. If you're just stabbing at solutions in the dark, then you're no better off at all.
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
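The capture-and-look procedure above, carried one step further as an added example that is not part of any post in this thread: once the single-PC DMZ capture exists, the question that separates case (c) from a real external flood is whether the busiest second is inbound or outbound, and whether either direction comes near the DSL line's capacity. The script assumes the capture was exported with `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len`; the public address 203.0.113.10, the 16 Mbit/s down / 1 Mbit/s up line rates, the 80% threshold and the sample packets are all assumptions made for the example (the sample's inbound sources are the four addresses quoted from the router log later in the thread).

```python
"""Per-second link load, split inbound/outbound, from a packet capture export.

Assumes the DMZ/Wireshark capture described above was exported with
  tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len
(one packet per line, tab-separated). Everything else here is an assumption
for the example: 203.0.113.10 as the router's public address and a 16 Mbit/s
down / 1 Mbit/s up DSL line.
"""
from collections import defaultdict

LOCAL_IP = "203.0.113.10"   # assumed public (WAN-side) address seen in the capture
DOWN_BPS = 16_000_000       # assumed DSL sync rates, bits per second
UP_BPS = 1_000_000


def parse_tshark_fields(text):
    """Turn 'epoch<TAB>src<TAB>dst<TAB>len' lines into (time, src, dst, length)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, length = line.split("\t")
        records.append((float(t), src, dst, int(length)))
    return records


def bytes_per_second(records, local_ip=LOCAL_IP):
    """Bucket bytes into wall-clock seconds, keyed by direction relative to local_ip."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for t, src, dst, length in records:
        sec = int(t)
        if dst == local_ip:
            inbound[sec] += length
        elif src == local_ip:
            outbound[sec] += length
    return inbound, outbound


def top_talkers(records, local_ip=LOCAL_IP, n=3):
    """Remote hosts ranked by bytes: who is sending to us, and who we are sending to."""
    senders, receivers = defaultdict(int), defaultdict(int)
    for _, src, dst, length in records:
        if dst == local_ip:
            senders[src] += length
        elif src == local_ip:
            receivers[dst] += length
    rank = lambda d: sorted(d.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return rank(senders), rank(receivers)


def verdict(records, local_ip=LOCAL_IP, down_bps=DOWN_BPS, up_bps=UP_BPS):
    """Compare the busiest second in each direction against the link's capacity.

    A flood from the Internet shows up as inbound bytes near the downstream
    rate; an infected or chatty machine inside the house shows up as outbound
    bytes near the (much smaller) upstream rate. The 80% line is an assumed
    threshold, not a standard."""
    inbound, outbound = bytes_per_second(records, local_ip)
    peak_in = 8 * max(inbound.values(), default=0)
    peak_out = 8 * max(outbound.values(), default=0)
    in_util, out_util = peak_in / down_bps, peak_out / up_bps
    if out_util >= 0.8 and out_util >= in_util:
        label = "outbound saturation: a host inside the network is the sender"
    elif in_util >= 0.8:
        label = "inbound saturation: external flood, filter upstream via the ISP"
    else:
        label = "no saturation: link load does not explain the slowdown"
    return {"peak_in_bps": peak_in, "peak_out_bps": peak_out,
            "in_util": in_util, "out_util": out_util, "label": label}


def build_sample():
    """Constructed capture export: four small inbound packets spread over a
    minute (the sources are the ones quoted from the router log later in this
    thread), then 100 full-size frames leaving the local host inside one second."""
    base = 1381579564.0
    lines = []
    for i, ip in enumerate(["2.39.202.191", "54.208.162.210", "54.246.147.204", "54.249.0.5"]):
        lines.append(f"{base + 20 * i:.3f}\t{ip}\t{LOCAL_IP}\t60")
    for i in range(100):
        lines.append(f"{base + 1 + i / 100:.3f}\t{LOCAL_IP}\t198.51.100.7\t1500")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_tshark_fields(build_sample())
    print(verdict(recs))
    print(top_talkers(recs))
```

On the constructed sample the four "scan" packets amount to a few hundred bits per second while the one-second outbound burst exceeds the assumed 1 Mbit/s upstream, so the verdict points inside the house, which is exactly the case the post above says it usually turns out to be. On a real export, a verdict of inbound saturation with dozens of distinct senders is the evidence an ISP needs before it will filter anything upstream.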
Re:What evidence do you have that you're being DoS (Score:4, Insightful)
Exactly, it doesn't even have to be sophisticated, set up Dynamic DNS on router/internal PC and it'll play follow the leader for years. "looks like http://imaspawncamper.noobstoddos.dynamicdns.moc/ [dynamicdns.moc] is back up on another MAC and IP lulz"
Re: (Score:2)
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
Not wasting my time. As a result of the question, I'm reading some very interesting and useful comments here, including yours. Thanks.
Re:What evidence do you have that you're being DoS (Score:4, Insightful)
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
Pray tell, good sir. If your time is so precious, what are you doing on Slashdot?
Re: (Score:2)
You are perfectly right.
That guy has no clue what he was asking, he has no idea what a MAC address actually is and what it is used for, likely the same for IP addresses.
If that guy was under a DOS or DDOS attack on a DSL line he would likely not get a single bit downloaded (yeah, exaggerating).
Re: (Score:3)
The modem side won't have an IP or MAC, it's a layer 1 device, but since it's a DSL router (layer 3 is for routers, you know, IP layer?) it will have both. You know, so the computer can chat with the router at x.x.x.1 or be routed to the other devices in the network by IP? If you have a combined device, and don't have enough access to its controls to change its MAC, then get it into a simple Modem mode (sometimes called bridge mode) and hook up a single router that you do control as the first step in the
Re: (Score:3)
Better yet, put a managed switch which allows port mirroring (or a hub if you are old school) in front of your router and run wireshark on the mirrored port going into the router. That way you will capture any packet going to and from the router. Even packets stopped by and sent from the router.
This is so right, I wish I had mod points. If it really is a DoS attack, and you need to find out how they get your IP, then this is the only way. It could be a trojan checking in on IRC, or it could just be some dodgy "cloud service" from a bogus company. If someone has your gmail password they could even look at the IP log of where it was accessed from (this works the other way too)
I keep a hub around for exactly this purpose. If you don't have a hub or a managed switch, there is the option of a PC with t
Re: (Score:2)
Are you sure that it isn't malware on one of your computers that causes the whole problem?
Re:What evidence do you have that you're being DoS (Score:4, Interesting)
Re: (Score:2)
Re:What evidence do you have that you're being DoS (Score:4, Informative)
The advice about recording transmissions sounds like good advice, and I've heard WireShark praised before for that kind of diagnosis.
If you do that, then you can identify what signals are coming from where. If it's a DDOS, of course, there will be a wide variety of different TCP addresses, but THAT is informative, too. Not directly helpful, but good evidence as to what is going on.
Don't be too sure that your anti-virus and anti-malware tools actually catch all viruses/malware. They are generally obsolete at the time they are released. They catch the ones known about at the time.
If the attacks are quite frequent, try booting off a live CD/DVD, say a recent KNOPPIX. (I think that has diagnostic tools. They don't all, so you may need a specialized distro.) That way you can be sure that nothing in the local software is causing the problem. And THEN record the results onto a USB stick.
P.S.: This is from theory. I've never actually experienced your problem.
P.P.S.: Did you release your TCP connection? I don't know how to do that under MSWind, which I'm guessing you are using, because you talk about being a gamer. But replacing your router won't automatically do that. It's probably done somewhere in network configuration.
Re:What evidence do you have that you're being DoS (Score:4, Interesting)
The problem with one device running wireshark and other devices all connected to a router is that, by virtue of IP, the wireshark running box won't see the traffic sent to the other PCs. You need to either set up a good Knoppix or Kali Linux boot disc device to act as a pass through, or get a cheap hub, or learn about ARP poisoning to get the traffic to first go to the monitoring box, then get passed along to the target device.
Ideally, your network would be a very simple DSL modem, not a modem+router. Just a modem or your router reconfigured to bridge mode. Then a hub, yeah, the dumb collision prone boxes are very useful still. Uplink of the hub goes to the modem, and your sniffing box and a good NAT+firewall router get connected to it. Then, behind that NAT and firewall goes your computer. Again, ideally, the sniffing computer will not have requested an IP address, will not even have put its ethernet port into anything but a passive state. Then you can start up wireshark. After that, start up your machine you think is attracting the attacks. You can sort wireshark traffic by incoming and outbound. And if changing the externally visible IP hasn't helped, you want to look at outbound to see what you are sending to who to get yourself noticed.
I have done exactly this, and it isn't fun or easy, but it did help pass a few Cisco network tests later. Once you get into packet sniffing, and ARP poisoning switches, and packet manipulation of those ARP poisoned packets, you can do all kinds of interesting things. Upsidedownternet doesn't have to be a proxy, it can be done with any switched network if done right. And then, after you graduate from wired networks to sniffing on wireless (and collecting large logs to break keys, or doing deauth attacks on your own gear to see how your modem+router and PC stand up) then you can start in on a whole world of fun and crazy bit-level cleverness.
disclaimer: I've cracked WEP back in the PCMCIA days of having a high speed 802.11b card (custom firmware to go into monitor mode) but it was on my own network or with permission (parents wanted to know how long it would take for a neighbor to borrow their wifi, I remember leaving the linux box running about an hour and a half, but sibling had lots of traffic going). WPA deauth attacks are the same way, don't screw with other people without permission. But once you have permission, go wild; showing my younger sibling their AIM chats when they thought 'the network is encrypted, you can't see me' was a hilarious way to spend my first summer home from college.
Re: (Score:2)
I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 mbps (should be around 16)
Your tiny DSL would be overwhelmed by even the smallest DoS attack imaginable. You would not be getting 1 or 2 Mbps - you would be getting absolutely nothing through at all.
It is more likely that your DSL is having trouble delivering the usual 16 Mbps due to electrical interference. Your ISP may be able to fix it by lowering your speed, which sucks, but it might be more stable. Or there might be nothing that can be done unless you can locate the source of the noise. Trouble is that the source might not anyw
Re: (Score:3)
The ISP's speed test should be fine for judging the connection between him and the ISP. If he's actually being DDOSed, then that should slow down the connection to his ISP (during the attack). OTOH, if it's the ISP that has the problem, then you're right, that might well not reveal it. So both tests are useful, for showing different information.
Re: (Score:2)
Windows 7 Ultimate and Home Premium
Vonage VOIP modem
DirecTV network hookup
NetGear D6200 DSL modem/router
NetGear WN2000RPTv2 wifi extender
We game on Steam but we've tried being logged off and getting a new IP address and still the "attacks" come. We're running bitdefender and malwarebytes. We've got PnP turned off and the firewall configured to allow only what we need for gaming a
Re: (Score:3)
You guys clearly are not even remotely familiar with the landscape of online gaming today.
DoS and DDoS attacks are so common in gaming today that it's nigh-unbelievable. Minecraft especially, there are groups of skids with booters, who purchase subscriptions to "stresser services" (EXTREMELY common), and even some I've seen who have their own botnets.
I'm talking about 12-16 year olds I might add.
In most online gaming my personal experience is 3-5% of them have a stresser service they've bought or booter. Ou
Re: (Score:3, Informative)
This intensity is NOT a DoS. You'd get a flood of messages every second, not singular attempts once an hour.
This is likely just usual - bots and script-kiddies scanning networks for vulnerabilities. I get a dozen or two of those scans every day as well.
Nothing to worry about, but reminds you how Internet is not a friendly place and how you'd better be updated and not showing out more ports than necessary.
Shitty connection is probably just that - a shitty connection, and your DSL's tech support would be mor
Re:What evidence do you have that you're being DoS (Score:5, Interesting)
Ditto.
My next question is: is his machine compromised and part of a botnet? I.e. is he the one doing the DoSing, and his router is falling over as a result?
Re: (Score:2, Informative)
This would seem like an obvious case here.
If your IP changes, how would the attackers be able to guess the new ip so fast?
Unlikely (Score:5, Informative)
Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.
Most folks that'd DDOS you aren't that sophisticated, and if they are there's really nothing you can do until someone decides to focus their malice elsewhere.
The best bet for the poster is mitigation. Talk to the ISP, let them know the situation, and start feeding them a list of IPs to block at their head-end. While you as a client only have X bandwidth before it overwhelms your DSL, they have X^n and are usually amenable to blocking malicious traffic before it screws-up all the clients in an area.
But, to repeat what's already been said. If the attack's following you to new IPs your only bet is:
- Factory reset the router, then plug it (and only it) in.
- Have it get a fresh IP
- Wait 30 minutes and see if an attack starts
- Plug-in a known safe device to check the router. Fixed devices like an iPhone or Android phone should work (unlikely that's what's compromised).
- Use the device to check the router and see what kind of traffic is happening
- Slowly start reconnecting your devices, one at a time, waiting a safe amount of time in between each.
If the router starts getting hammered without anything connected you could have a compromised router. Just last year thousands of routers were compromised that had too simple a password and remote access enabled.
If it starts after a certain device is plugged-in, time to track-down the culprit or (better) format the compromised machine. You're probably safe 90% of the time, but once a machine is rooted it's a good policy to never trust it.
If the router is getting traffic and you know it's safe, then you might be seeing an attack on your network segment. Only your ISP can help.
-Matt
Re: (Score:2, Informative)
This.
It is far more likely that he has a compromised internal network and his dsl is being overwhelmed by outbound spam, not an inbound DoS, especially since 'they' find him within minutes of an IP switch. Invest in a good virus scanner dude, and seriously consider a wipe and reload of every system.
Re: (Score:2)
This seems relevant (Score:3)
Can you spot any pattern in the IPs and times they appear?
Also, this is a long shot, but are you hosting any web pages? Big companies unleashing irresponsible crawlers can effectively DOS you without meaning to.
Further, and I know this isn't a comfortable question, but is it possible that someone in the house is logging on to certain gaming servers, and this is bringing about the attacks? If so, is there a way to get them to log
Comment removed (Score:4, Informative)
Re:What evidence do you have that you're being DoS (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
It's also possible, though maybe less likely that if the game they are playing creates P2P connections between the players for say chat, then they could be revealing their IP that way. Like Freshly Exhumed said above though, it all just guesses without some evidence.
But what do I know, I'm a packet who got lost on his way to 127.0.0.1
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
1) your router is owned and/or sucks.
2) you are being port scanned constantly, and your router is not behaving well (
Re: (Score:2)
Re: (Score:2)
Do you have Steam auto starting at powerup, and do you know how many games are attempting to synchronise their cloud backup data at startup?
My router has fits and sometimes reboots after powering up my win7 PC. Trying to eliminate what could be flooding it, and so far Steam appears to be the only likely candidate.
Re: (Score:2)
More likely explanations:
1) Someone in the family downloaded something that installed an open BitTorrent client/tracker, and your network is being used to host pirate files, porn, and/or documents from a terrorist cell. Most likely just Miley Cyrus MP3s though.
2) You have uPnP open to the internet or one of your uPnP devices opened itself the internet.
3) Your kid publicized your minecraft server's IP address on YouTube.
4) You're being probed by random botnets.
The only way you'd be getting DDoS'ed is if some
Re: (Score:2)
Re: (Score:2)
[DoS attack: ACK Scan] from source: 2.39.202.191:80 Saturday, October 12,2013 12:06:04
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 12:05:13
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 12:04:52
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
Re: (Score:2)
The trouble is that this might not be really an attack, just a scan. Also a lot of routers have some firewall settings that mitigate DoS attacks, but without any real possibility to tune this, or even a good description if the thing in the log is anything important.
The fact that some log says there is a DoS attack does not mean there really is an attack. It only says there is a log.....
Showing the log is not enough, you have to add some explanation.
Re:What evidence do you have that you're being DoS (Score:5, Interesting)
This is not a DoS attack. Look at how infrequent the packets are...it's essentially background noise that every IP address will see.
This feels like 2002 all over again, when people had host-based firewalls and would freak out any time they got hit with a port scan, not really understanding what they were looking at.
Re:What evidence do you have that you're being DoS (Score:5, Informative)
Most of dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender, this - 63.228.223.103 - is "steamcommunity.com", and one with different port "205.188.155.221:995" is indeed a mail server as specified by port.
It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.
Re: (Score:2)
Wish I could mod you up - OP read the parent of this post!
Re: (Score:3)
If you have an old PC lying around or can borrow one, try putting up a real firewall, like pfsense. This will let you see more of what is entering and exiting your network. It doesn't have to be a permanent installation.
Re: What evidence do you have that you're being Do (Score:2, Interesting)
You may have a long log file with those messages, but look at the time stamps... Getting hit once every minute, sometimes every 5 or 10 minutes? That's not a DoS. You would need to see a lot of those per second for it to impact your connection. I would say that is likely just normal Internet chatter/scanning.
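The timestamp argument made in this post and a few above it, as an added example (not code from any poster): parse the router's "[DoS attack: ...]" lines in the exact format quoted in this thread, and let the numbers say whether the log describes background scanning or a flood. The four quoted entries span 93 seconds, so they work out to under three per minute with never more than one in the same second; a link-saturating flood would stamp hundreds of entries with the same second. The script also histograms the source port, because every quoted entry comes from port 80, which is what a web server's reply packets look like whether they are ordinary answers to something in the house (the BitDefender and Steam resolutions given above) or reflected packets as suggested further down; the histogram does not decide between those, it just makes the pattern visible. The flood cut-off of 50 per second and the 300-line sample flood are assumptions constructed for the example.

```python
"""Rate check over the router's 'DoS attack' log lines.

Parses lines in the NETGEAR format quoted in this thread, e.g.
  [DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 12:06:04
and reports events per minute, the largest number of entries stamped with the
same second, and a histogram of source ports. The flood cut-off is an assumed
number, not something the router or the thread specifies.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"\w+, (?P<date>[A-Za-z]+ \d{1,2},\d{4}) (?P<time>\d{2}:\d{2}:\d{2})"
)

# The four entries the poster quoted, verbatim.
THREAD_LINES = """\
[DoS attack: ACK Scan] from source: 2.39.202.191:80 Saturday, October 12,2013 12:06:04
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 12:05:13
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 12:04:52
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
"""


def parse_log(text):
    """Return (timestamp, kind, source_ip, source_port) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log lines are skipped, not guessed at
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%B %d,%Y %H:%M:%S")
        events.append((ts, m["kind"], m["ip"], int(m["port"])))
    return events


def summarize(events, flood_threshold=50):
    """Average rate, worst single second, source ports, and a verdict.

    A few entries per minute is the background scanning every public address
    gets; a link-saturating flood would pile hundreds of entries onto the same
    second. flood_threshold is the assumed dividing line."""
    if not events:
        return {"count": 0, "per_minute": 0.0, "peak_per_second": 0,
                "ports": Counter(), "label": "no events"}
    per_second = Counter(ts for ts, _, _, _ in events)
    span = max((max(per_second) - min(per_second)).total_seconds(), 1.0)
    peak = max(per_second.values())
    return {
        "count": len(events),
        "per_minute": round(len(events) * 60 / span, 2),
        "peak_per_second": peak,
        "ports": Counter(port for _, _, _, port in events),
        "label": "flood" if peak >= flood_threshold else "background noise",
    }


def build_flood():
    """Constructed log: 300 entries stamped with the same second from addresses
    in 198.51.100.0/24 (a documentation range), the shape a real flood has."""
    stamp = "Saturday, October 12,2013 12:30:00"
    return "\n".join(
        f"[DoS attack: ACK Scan] from source: 198.51.100.{i % 250 + 1}:80 {stamp}"
        for i in range(300)
    )


if __name__ == "__main__":
    for name, text in (("quoted log", THREAD_LINES), ("constructed flood", build_flood())):
        s = summarize(parse_log(text))
        print(name, s["count"], "entries,", s["per_minute"], "/min, peak",
              s["peak_per_second"], "/s, ports", dict(s["ports"]), "->", s["label"])
```

Feed it the whole exported log rather than four lines: a long file can still come out as "background noise" if the entries are spread thinly, and that is the point of this post. Lines that do not match the pattern are skipped rather than parsed loosely, so a firmware that words its entries differently will simply produce a count of zero and tell you the regex needs adjusting.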
Re:What evidence do you have that you're being DoS (Score:4, Interesting)
Go to your ISP (Score:5, Informative)
Re: (Score:2)
Their ISP sent them to the Feds. So, no help forthcoming from them.
Re: (Score:3, Insightful)
The thing about DoS attacks is that the attacker doesn't need, or want, any return packets, so they're free to spoof whatever "from" IP address they like.
Bouncing packets "back where they came from" is a recipe for disrupting even more innocent parties.
Re: (Score:2)
Sounds like the DDoS version of "backscatter spam".
Re: (Score:2)
Re: Go to your ISP (Score:3)
Have you tried... (Score:2, Insightful)
changing your ISP?
Re:Have you tried... (Score:4, Funny)
changing your ISP?
They said it didn't matter if they changed the IP address or MAC of the router. This means the attacker can track them across domains. They should try NOT playing the online games after changing the IP address and see if the DoS persists. Also if they are being DoS'ed then a Distributed Reflective DoS DRDoS is probably what's causing up to 5 spoofed SYN-ACK packets to be sent per single attacker's packet (SYN Amazon, spoofed target return IP, Amazon tries to complete the TCP handshake with the target). They didn't sign them up for anything, that's the nature of a reflective attack.
Coincidentally, the surefire way to protect against DRDoS is to simply use DR-DOS, [wikipedia.org] to play games that have far less chance of exposing you to assholes.
Re: (Score:2)
Not on your end (Score:4, Informative)
If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).
SubjectsInCommentsAreStupid (Score:3)
No idea of how the detection works but this sounds like a false positive to me.
And wouldn't your ISP notice first too?
Cloud providers... (Score:5, Interesting)
Hi,
>> I've noticed the IPs trace back to Microsoft or Amazon domains
This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.
Re: (Score:2)
Hi,
>> I've noticed the IPs trace back to Microsoft or Amazon domains
This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.
At least in Azure, you have to go out of your way to do so -- both the out-of-the-box Linux VMs and Windows VMs create your primary user account for you, and they do some reasonable password strength checks on it.
They know your IP address? (Score:2)
Zombie (Score:2)
Check your system *thoroughly* for malware - you might be a part of the zombie network i.e. your system is compromised and picking up orders from a master controller - then sending out spam, kiddie pr0n, and plans for 3d printed parts.
A good backdoor shouldn't overwhelm your network, but it's still worth checking.
Assuming That You Really Are Being DoSed (Score:2, Insightful)
My bet is that you are participating in some sort of P2P network, file sharing, Spotify... I don't think you are being targeted due to gaming.
And how do they find us with a new MAC address and IP within minutes?
Assuming that this is indeed a malicious DoS attack, there is something inside your network that is tipping them off. P2P gaming software, chat software, malicious local software. There is no way for them to simply find you with a new external IP.
As others have already stated, the only way to mitigate a saturated pipe DoS is to filter upstream, your ISP or their ISP.
To answer part of your question (Score:5, Insightful)
We seem to have attracted the attention of some less than savory types in online gaming
Followed by:
And how do they find us with a new MAC address and IP within minutes?
This is pretty obvious. The game is telling them. Not much of a gamer myself; but I'm willing to wager you can see the IP address from which a particular user is logged on. Maybe the game will let you cloak that. If it won't they can always find you again...
Re: (Score:2)
That used to happen in Quake all the time -- to gain an advantage, people would pound competitors' machines to slow their "ping" as it was the equivalent to making their reaction times drunk.
Re: (Score:3)
If it's not the game itself, it could be other software.
Skype in particular (on your PC, or on your smartphone on your wifi...)
Any number of other chat programs, p2p software, etc are suspect.
Rootkit/malware/backdoor is possible.
And that's all assuming it's real, which, I don't know your level of sophistication. For all we know you just have an infected unit that's flooding your network, and you are mis-reading the overly "dangerous" sounding warnings crappy security constantly throws up to justify its existe
Re: (Score:2)
Re:To answer part of your question (Score:4, Interesting)
I'm not a gamer either, but i suspect most games are controlled by server connections with no p2p connectivity.
If I were building the kind of games you see depicted on Big Bang Theory, the gameplay would be through the server; but the chit-chat with the headphones would be p2p. There's no point routing all that chit-chat through the server. I guess you could play the game without the headphones; but it would be difficult to coordinate attacks with your partners.
When I thought about this a bit more, it occurred to me that the person being DoS'd should contact the game company. Now it gets interesting.
The game company has two aspects of its reputation to defend. 1. It doesn't want players being DoS'd. 2. It doesn't want to LART players based on spurious accusations.
That means it would have to make sure the suspect is guilty. They could have the user switch IP several times, and only display the new IP to the suspect. If displaying the new IP to the suspect resulted in the DoS being redirected, but displaying the new IP to other users didn't, then that seems like a smoking gun to me.
Now we get into the whole cost/benefit analysis for the game company to do something like that. It's probably easier just to log complaints against users, and pull the plug on people after N complaints. If say, 8 users from different walks of life have complained that X is DoS'ing them because he got pissed off, then there's a pretty good chance X is guilty. The best thing about this approach is that it works for all kinds of bad behavior, not just DoS'ing. You're going to have to handle complaints about users anyway, so there you have my answer for now:
Complain to the game company, but not until you've checked to make sure that something else isn't compromising your system..
easy way out (Score:2)
If you managed to piss someone off that is now DoS'ing you like this chances are you're screwed and the attacks are only going to stop when your ISP gets fed up with it and pulls the plug on you.
Smells of rootkit (Score:5, Informative)
Re: (Score:2)
This. Antivirus programs don't stop/fix rootkits. You likely have a compromised computer that is a zombie. TDSSKiller is a good start, Combofix if you need to. I'd go to bleepincomputer.com's forum and ask around there. If you're reluctant to do so, then at the very least run malwarebytes' Anti-Malware on all your PCs ASAP.
Re: (Score:2)
Re: (Score:2)
Some simple suggestions (Score:2)
If you are not actually _hosting_ the game (in which case you are f-ed, because you simply need to examine all the packets by yourself, but from the fact you were not talking about any server I somehow suppose that you are just connecting), carrier-grade or similar NAT perfectly solves this problem. Your ISP should be able to hide you in an inner network in no time this way.
a suggestion for you that might help (Score:2, Informative)
1 unplug your gateway device (dsl modem) and your router
2 on a known clean system download and create a Windows Defender Offline flashkey/dvd (you will need either or both of the 32 and 64 bit versions)
3 shut down ALL of your computers
4 make and have %meal% (don't forget the dishes)
5 run WDO on one computer (make sure it completes successfully)
6 plug in your dsl modem and wait for the blinky lights to settle
7 plugin your router and wait for its blinky lights to settle
8 plugin the computer that was scanned (a
Change order of step 1 and 2 (Score:2)
Go to the cops (Score:2)
Document what's happening as thoroughly as you can, and the whole history of the thing, and then go to the state police in your state. They may refer you to the FBI, and I'm guessing will not be all that eager to deal with the issue, but its a crime being committed against you and you should have the benefit of law enforcement to whatever degree they can feasibly help you. At the very least you will have documented what is happening and they'll know about it so that if the situation evolves they will have a
Practical Advice, step by step (Score:4, Informative)
SO, to track that down, do this in exactly this order:
1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.
2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that it connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiging your router. If necessary, borrow a device from someone you trust.
3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.
4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.
It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.
If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.....
Hope this helps.
-Red
Easily found back? (Score:3)
Unless you have some external name for your home connection (i.e. using dyndns or similar if your IP is dynamic), it is probably something you have in your network, like being part of a botnet node, having a misconfigured p2p client, or something that from inside announces itself to be accessed by others. Disable all the services that you know access the outside by themselves (i.e. checking for software updates), and try to track all those you don't know about that access the outside by themselves when the IP changes.
They could also find you because you have an easy-to-detect service that is exploitable. Knowing where they access and connect could be useful; even having an IP camera accessible from outside with a fixed admin password could be enough to cause that kind of behaviour. Considering that scanning the entire internet takes less than an hour [slashdot.org], a lot of people could be doing so all the time, so anything exposed you have could be easily detected.
Having antivirus is no guarantee of safety; some malware could be active for years [arstechnica.com] before it is even hinted by AV companies that something could be there (and probably US-based security products will be hardcoded not to report anything that could look like an NSA backdoor or malware). While it is not a guarantee of not catching malware, using Linux or even Mac OS X lowers the odds of it a lot.
Are they on your segment? (Score:2)
What's your router's MAC address got to do with it?
Re: (Score:2)
He's likely on an Internet connection that uses a bridged modem and DHCP to assign IP addresses. He would have to change the MAC of the router to appear to be a new device connecting on his ISP's network if he wanted a new public IP address.
Re: (Score:2)
Okay. Sure. Hadn't thought of that. I also understand that buying a DDoS is easy these days: even schoolkids do it.
I'd try this... (Score:2)
Deal with trolls just like you deal with ghosts (Score:2)
1) Infestation
2) Oppression
3) Possession
...I think you're experiencing 1 and 2. Time to call in an expert.
The simple answer (Score:2)
It's you.
If you went out and got a new IP and within minutes they "found" you again, really? C'mon. If that's the case, you seem to have pissed off the world's greatest hacker. It's either that or there is a sustained attack on that block of IPs that your ISP is using for DHCP or static assignments, AND if THAT's the case, then your ISP is being DOS'ed.
But really, download a LiveCD and disconnect everything in your network except the box you use with the LiveCD and see if the issue disappears. Then plug i
So.. I doubt you're actually,really getting DOS'd. (Score:2)
I can envision two scenarios. First, the less likely one.
First Scenario: Trojan Horse
One or more machines on your network have been infected/trojaned/compromised somehow. Every time you switch your external IP address, the infected machine dutifully contacts its nefarious overlords with the news. There's a good chance that one of your compromised machines may actually be part of a botnet. One important question is, "what conditions, specifically, trigger my router's 'DOS attack from xxx' in its logs?" Th
Re: (Score:2)
So, I read your initial question a bit closer and realized you'd identified the IPs as microsoft and amazon services. In fact, I suspect they're IPs related to content distribution servers. I'm quite certain your router's DOS warnings are false positives.
Your problem is most certainly not the result of a DOS.
A few possible points (Score:2)
Rather than paying gigabucks for a hardware router/firewall, take an ancient machine, add a second ethernet card to it and install OpenBSD [openbsd.org] onto it. OpenBSD will do you as well as anything hardware based, in terms of protecting your network --
Not a DoS (Score:4, Interesting)
Given the log you posted, you are most definitely not being hit with a DoS attack. You are barely taking any traffic at all, with only a few hits / minute
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
I mean, look at that... there's 21 minutes' worth of time passing in just 3 log entries; that's just plain old net noise.
It's more likely that your ISP is suffering backhaul congestion, or you are running a torrent client, or someone is DLing ultra pr0n at some insane rate or you left your wi-fi open and someone is hijacking it.
Go to http://www.speedtest.net/ [speedtest.net] and run a bandwidth check on your network.
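To make the "3 entries in 21 minutes is noise" judgement repeatable, here is an added example (not from the post above or from any router vendor) that parses the router log format quoted in this post, computes the event rate and the top sources, and classifies the result. The three quoted lines are used as-is; the flood sample is constructed (hypothetical address 203.0.113.7 from the TEST-NET-3 range) to show what a sustained stream would look like in the same format. The per-minute thresholds are assumptions chosen for illustration; note that one log entry is not one packet, since a consumer router summarises and rate-limits these messages, so the entry rate is a lower bound on the traffic the rule actually saw.

```python
import re
from collections import Counter
from datetime import datetime

# The three entries quoted in the post above, verbatim.
PAGE_LOG = """\
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
"""

# Constructed sample (not real traffic): 600 entries inside one minute from a
# single hypothetical source, 203.0.113.7 (TEST-NET-3, reserved for documentation).
FLOOD_LOG = "\n".join(
    f"[DoS attack: SYN Flood] from source: 203.0.113.7:{40000 + i} "
    f"Saturday, October 12,2013 12:10:{i % 60:02d}"
    for i in range(600)
)

# Matches the router's "[DoS attack: <kind>] from source: <ip>:<port> <weekday>, <Month> <day>,<year> <hh:mm:ss>" line.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+):(?P<port>\d+) "
    r"(?P<dow>[A-Za-z]+), (?P<month>[A-Za-z]+) (?P<day>\d{1,2}),(?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2})"
)


def parse_log(text):
    """Turn router log text into a list of events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats rather than guessing
        ts = datetime.strptime(
            f"{m['month']} {m['day']},{m['year']} {m['time']}", "%B %d,%Y %H:%M:%S"
        )
        events.append({"kind": m["kind"], "ip": m["ip"], "port": int(m["port"]), "ts": ts})
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events):
    """Count, time span, entries per minute, peak entries per second, top sources."""
    if not events:
        return {"count": 0, "span_seconds": 0, "per_minute": 0.0,
                "peak_per_second": 0, "top_sources": [], "web_reply_acks": 0}
    span = int((events[-1]["ts"] - events[0]["ts"]).total_seconds())
    per_second = Counter(e["ts"] for e in events)  # timestamps have 1 s resolution
    # ACK entries with source port 80/443 are consistent with late replies from web
    # servers arriving after the router's NAT state expired, i.e. false positives.
    web_reply_acks = sum(
        1 for e in events if e["kind"] == "ACK Scan" and e["port"] in (80, 443)
    )
    return {
        "count": len(events),
        "span_seconds": span,
        "per_minute": len(events) / max(span, 1) * 60,
        "peak_per_second": max(per_second.values()),
        "top_sources": Counter(e["ip"] for e in events).most_common(3),
        "web_reply_acks": web_reply_acks,
    }


def classify(summary, flood_per_minute=60.0, elevated_per_minute=6.0):
    """Assumed thresholds: a DoS is sustained, so well under one entry per
    second over the whole window is background scanning, not an attack."""
    if summary["count"] == 0:
        return "no events"
    if summary["per_minute"] >= flood_per_minute:
        return "sustained flood"
    if summary["per_minute"] >= elevated_per_minute:
        return "elevated"
    return "background noise"


if __name__ == "__main__":
    for name, text in (("page log", PAGE_LOG), ("constructed flood", FLOOD_LOG)):
        s = summarize(parse_log(text))
        print(f"{name}: {s['count']} entries over {s['span_seconds']} s, "
              f"{s['per_minute']:.2f}/min, peak {s['peak_per_second']}/s, "
              f"top {s['top_sources']} -> {classify(s)}")
```

On the quoted log this yields 3 entries over 1242 seconds (about 0.14 per minute), one of them an ACK from source port 80, which classifies as background noise; the constructed flood yields 600 entries in under a minute and classifies as a sustained flood. Feeding the full router log in, rather than three lines, is what turns the "are we really being DoSed?" question into a number.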
You're probably not getting DDOS'd (Score:3)
You are probably either the victim of a malware infection, or you're torrenting too much. If a machine on your network has been properly pwned (and this is a lot more likely than you being the target of a DDOS) then running AV on top of the OS most likely won't find the malware...
Download and burn the Kaspersky Rescue CD, boot off that (a known-good OS) and scan your machines. Report back how much malware it found that everything else missed.
If you're participating in a DDOS (or otherwise maxing out your upstream bandwidth - eg torrents) then uploading at the maximum throughput will have the side effect of dropping your download speed to the same as your upload speed.
This is not a DOS attack. (Score:4, Informative)
Point 1: The fact that you mention MAC addresses and DoS in the same question shows that you do not know enough about networking to assess this situation properly.
Point 2: Home internet connections don't get DOSed. There is no profit in it to justify the effort or risk. Anyone with the skill and capability to attack a network most certainly has better things to do.
Point 3: All of your symptoms fit perfectly with a local problem. None of them match a DOS very well.
You very likely have a compromised PC or a PC running something like torrents/other P2P software that isn't properly configured. Use up all your outbound bandwidth either way and you will have exactly the situation described.
Obligatory: wtf is this doing on Slashdot? It's a basic home user networking issue.
The modem (Score:2)
If I had to guess, the modem is holding onto the same IP address regardless of what you do with your router. Take a weekend trip and unplug your modem in hopes that it will pull a new address when you return. You could go upstream to your ISP with the issue and suggest the tech release your IP and assign you a new one.
If the attack continues, then you have something inside your network leaking information to the attacker. And you will have to clean that up before you can resolve the problem.
So what? (Score:4, Informative)
Discussion: We have a cable modem for internet service. I run a SSH honeypot (Kippo) to collect information on folks knocking on our door.
Friday morning, my Kippo honeypot recorded a dictionary attack run of 291 SSH login attempts (against root) in 12 minutes (from 178.141.148.236, look it up if you want). I don't even bother to record the crap coming against port 80.
This isn't unusual, not even for an IP address in a residential cable block! And the more you look for this kind of activity, like running a honeypot, or even reviewing your router logs, the more bewildered you'll become, particularly about how "normal" people's computers survive under these continuous attacks.
The answer, of course, is that so many do not, their home computers rooted within minutes of being connected to the net, or when a child in the household (using a Windows account with admin privileges) clicks on some enticing link in IE... Their computer gets added to one or more botnets, and eventually they toss it out because it's too slow.
Suggestions: Make sure your network is as secure as you can make it, then ask for help to make it better. Help those you care about do the same. Friends don't let friends use IE (or windows) is a good start.
Re: (Score:2)
A few blinks every few seconds is not a DoS. Being DoSed = continuous blinking like a fast continuous data transfer.
Re:Are you really being DoSed? (Score:4)
The logs you posted are not evidence of DoS, they show a random packet here and there.
A DoS would be characterized by, at a minimum, thousands of packets per second.
Re: (Score:2)
Also SmoothWall, but of the three I'm happiest with pfSense.
http://www.pfsense.org/ [pfsense.org] (BSD)
http://www.smoothwall.org/ [smoothwall.org] (Linux)
http://m0n0.ch/wall/ [m0n0.ch] (BSD)
Re: (Score:2)
Because that's a good way to 'force' your ISP to re-allocate you a new IP immediately. Not that I agree with the practice as it's clearly not working in this case.
-Jar
Re: (Score:2)
Apparently the only thing that was required is for a bunch of idiots to decide the only way my husband could be beating them at the game is by cheating. Or possibly they don't even care that he doesn't cheat and just want to win by breaking competitors connections.
Anyway, I'm more concerned with how we're being found even when we're not gaming, and so far the best suggestions seem to be to reinstall everything and keep good virus/anti malw