
Ask Slashdot: Mitigating DoS Attacks On Home Network?

Posted by timothy
from the send-them-to-your-dial-up-line-instead dept.
First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us from web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."
  • by Anonymous Coward on Saturday October 12, 2013 @01:16PM (#45109217)

    Everyone is being scanned at every second by bots, do you have any real evidence you're being DoSed? It could be a crappy connection. Seeing a modem light flashing a lot does not mean you're being packeted.

    • Re: (Score:2, Insightful)

      Exactly. Let's see some logs, please, and let's have some detailed descriptions of your gear so that we can make more than just guesses.

      • by Freshly Exhumed (105597) on Saturday October 12, 2013 @01:29PM (#45109305) Homepage

        Also please post some speed tests from these sites:

        http://www.speakeasy.net/speedtest/ [speakeasy.net]

        http://www.speedtest.net/ [speedtest.net]

        Don't forget to run more than one test on each to get a better sample.

        • by Gavrielkay (1819320) on Saturday October 12, 2013 @03:16PM (#45109905)
          I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16) and I can't browse the web or watch anything on Netflix. I'm not saying I'm absolutely certain that my Netgear router isn't over-reporting, but there is something going on. And now, rather than being only when we're gaming online and getting threatened by folks, it's constant. I can't figure out what we're being tracked by though. What is there besides MAC address and IP address to latch on to? Something maybe that Windows does that we've been "signed up" for? I just don't know. I'm a software geek, not a network guru sadly.
          • by ledow (319597) on Saturday October 12, 2013 @03:28PM (#45109983) Homepage

            Software geek?

            Put ONE machine on your router.

            Load up Wireshark.

            Put DMZ options on the router to send all unsolicited traffic to that one PC's IP.

            Watch what's being used and where it's coming from and where it's going.

            To be honest, out of all the people who've ever come to me with a similar problem it's either a) a crap router, b) a crap ISP, c) Something on the machine/network talking OUT that's killing the connection (nothing external at all, e.g. P2P apps etc.), d) wireless connections being affected.

            If you are genuinely changing your EXTERNAL IP (your internals mean nothing, your MAC means nothing), and it follows you that quickly, then YOU are broadcasting your location (or it's something internal to the network and nothing to do with packets from the Internet at all).

            I know if I refresh my TF2 server list too often, my router can sometimes crap out.

            Do some proper diagnosis. That means rather than guessing at something and trying things that have NO correlation (MAC addresses), that you follow Sherlock Holmes - when you have eliminated the possible, whatever remains must be the truth. Go through things and eliminate one at a time.

            Put ONE device on the router. Change the router. Change the way you connect to the router. Look what's going out and coming in rather than guessing that you're being DDOS'd (I have yet to witness an actual DDOS in 15 years of network management). Or just talk to your damn ISP (who, almost certainly, will tell you there's nothing DDOS'ing you at all).

            If you're getting a flood of recorded packets, you can see what they are, where they come from, and what prompts them and even how they have "found" you again. If you're just stabbing at solutions in the dark, then you're no better off at all.

            And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

            • and it follows you that quickly, then YOU are broadcasting your location

              Exactly, it doesn't even have to be sophisticated, setup Dynamic DNS on router/internal PC and it'll play follow the leader for years. "looks like http://imaspawncamper.noobstoddos.dynamicdns.moc/ [dynamicdns.moc] is back up on nother MAC and IP lulz"

            • And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

              Not wasting my time. As a result of the question, I'm reading some very interesting and useful comments here, including yours. Thanks.

            • by dutchd00d (823703) on Saturday October 12, 2013 @05:14PM (#45110499) Homepage

              And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

              Pray tell, good sir. If your time is so precious, what are you doing on Slashdot?

            • You are perfectly right.
              That guy has no clue what he was asking; he has no idea what a MAC address actually is and what it is used for, likely the same for IP addresses.
              If that guy was under a DoS or DDoS attack on a DSL line he would likely not get a single bit downloaded (yeah, exaggerating).

          • by Z00L00K (682162)

            Are you sure that it isn't a malware on any of your computers that causes the whole problem?

            • by killkillkill (884238) on Saturday October 12, 2013 @03:58PM (#45110117)
              Yeah, seems more likely to me he's got a zombie machine on his network participating in DDoS of another target that actually is worth targeting.
            • I am sure to a reasonable degree and working on getting more sure. We've got anti-virus (BitDefender) and anti malware (malwarebytes) running. I'm going to re-test turning all machines off and rebooting the router to see what happens. Do you know if there is some kind of windows phone home or amazon cloud account nonsense (we don't actually have an amazon cloud acct) that would keep identifying us to those services and attract attention, but not be scan-able by malware detection?
              • by HiThere (15173) <charleshixsn@earthlin k . n et> on Saturday October 12, 2013 @04:36PM (#45110305)

                The advice about recording transmissions sounds like good advice, and I've heard WireShark praised before for that kind of diagnosis.

                If you do that, then you can identify what signals are coming from where. If it's a DDOS, of course, there will be a wide variety of different TCP addresses, but THAT is informative, too. Not directly helpful, but good evidence as to what is going on.

                Don't be too sure that your anti-virus and anti-malware tools actually catch all viruses/malware. They are generally obsolete at the time they are released. They catch the ones known about at the time.

                If the attacks are quite frequent, try booting off a live CD/DVD, say a recent KNOPPIX. (I think that has diagnostic tools. They don't all, so you may need a specialized distro.) That way you can be sure that nothing in the local software is causing the problem. And THEN record the results onto a USB stick.

                P.S.: This is from theory. I've never actually experienced your problem.

                P.P.S.: Did you release your TCP connection? I don't know how to do that under MSWind, which I'm guessing you are using, because you talk about being a gamer. But replacing your router won't automatically do that. It's probably done somewhere in network configuration.

                • by muridae (966931) on Sunday October 13, 2013 @02:37AM (#45112659)

                  The problem with one device running wireshark and other devices all connected to a router is that, by virtue of IP, the wireshark running box won't see the traffic sent to the other PCs. You need to either set up a good Knoppix or Kali Linux boot disc device to act as a pass through, or get a cheap hub, or learn about ARP poisoning to get the traffic to first go to the monitoring box, then get passed along to the target device.

                  Ideally, your network would be a very simple DSL modem, not a modem+router. Just a modem, or your router reconfigured to bridge mode. Then a hub; yeah, the dumb collision-prone boxes are very useful still. Uplink of the hub goes to the modem, and your sniffing box and a good NAT+firewall router get connected to it. Then, behind that NAT and firewall, goes your computer. Again, ideally, the sniffing computer will not have requested an IP address, will not even have put its ethernet port into anything but a passive state. Then you can start up wireshark. After that, start up the machine you think is attracting the attacks. You can sort wireshark traffic by incoming and outbound. And if changing the externally visible IP hasn't helped, you want to look at outbound to see what you are sending to whom to get yourself noticed.

                  I have done exactly this, and it isn't fun or easy, but it did help pass a few Cisco network tests later. Once you get into packet sniffing, and ARP poisoning switches, and packet manipulation of those ARP poisoned packets, you can do all kinds of interesting things. Upsidedownternet doesn't have to be a proxy, it can be done with any switched network if done right. And then, after you graduate from wired networks to sniffing on wireless (and collecting large logs to break keys, or doing deauth attacks on your own gear to see how your modem+router and PC stand up) then you can start in on a whole world of fun and crazy bit-level cleverness.

                  disclaimer: I've cracked WEP back in the PCMCIA days of having a high speed 802.11b card (custom firmware to go into monitor mode) but it was on my own network or with permission (parents wanted to know how long it would take for a neighbor to borrow their wifi, I remember leaving the linux box running about an hour and a half, but sibling had lots of traffic going). WPA deauth attacks are the same way, don't screw with other people without permission. But once you have permission, go wild; showing my younger sibling their AIM chats when they thought 'the network is encrypted, you can't see me' was a hilarious way to spend my first summer home from college.

          • by bbn (172659)

            I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 mbps (should be around 16)

            Your tiny DSL would be overwhelmed by even the smallest DoS attack imaginable. You would not be getting 1 or 2 Mbps - you would be getting absolutely nothing through at all.

            It is more likely that your DSL is having trouble delivering the usual 16 Mbps due to electrical interference. Your ISP may be able to fix it by lowering your speed, which sucks, but it might be more stable. Or there might be nothing that can be done unless you can locate the source of the noise. Trouble is that the source might not anyw

      • I posted one of the logs in another post, my router doesn't provide proper packet logging, or I can't find it. My setup:
        Windows 7 Ultimate and Home Premium
        Vonage VOIP modem
        DirecTV network hookup
        NetGear D6200 DSL modem/router
        NetGear WN2000RPTv2 wifi extender

        We game on Steam but we've tried being logged off and getting a new IP address and still the "attacks" come. We're running bitdefender and malwarebytes. We've got PnP turned off and the firewall configured to allow only what we need for gaming a
    • by Leroy Brown (71070) <leroy@yoyoyo.net> on Saturday October 12, 2013 @01:26PM (#45109273) Homepage

      Ditto.

      My next question is: is his machine compromised and part of a botnet. I.e. is he the one doing the DoSing, and his router is falling over as a result.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        This would seem like an obvious case here.

        If your IP changes, how would the attackers be able to guess the new ip so fast?

      • Re: (Score:2, Informative)

        by Anonymous Coward

        This.

        It is far more likely that he has a compromised internal network and his dsl is being overwhelmed by outbound spam, not an inbound DoS, especially since 'they' find him within minutes of an IP switch. Invest in a good virus scanner dude, and seriously consider a wipe and reload of every system.

        • We use BitDefender and I did recently reinstall windows. I can ask my husband to do the same, but we've scanned our computers and found nothing. More telling, we see the "attacks" in the logs even when the computers are off. Unless there's a way to infect a Vonage VOIP modem or DirecTV internet thingy (it uses it for on-demand stuff) then I don't think it's us.
          • More telling, we see the "attacks" in the logs even when the computers are off.

            Can you spot any pattern in the IPs and times they appear?

            Also, this is a long shot, but are you hosting any web pages? Big companies unleashing irresponsible crawlers can effectively DOS you without meaning to.

            Further, and I know this isn't a comfortable question, but is it possible that someone in the house is logging on to certain gaming servers, and this is bringing about the attacks? If so, is there a way to get them to log

      • by benjfowler (239527) on Saturday October 12, 2013 @02:00PM (#45109507)

        Agreed. OP should check the traffic on his own network before jumping to conclusions. As far as congestion goes, if there's a bot on his network pumping out huge amounts of outbound traffic, then that'll stuff his connection just as surely as if some script kiddie was DDoSing him.

      • by next_ghost (1868792) on Saturday October 12, 2013 @02:01PM (#45109509)
        The DSL router itself could be compromised as well. I'd start by booting up a Linux live CD, disconnecting everything else from the network and changing the external IP address again. Then I'd wait to see if they find you again. If they don't, start plugging everything back one device at a time, again checking if they find you after plugging the last device in.
        • I can try that. We have tried rebooting with everything turned off and still seen entries in the logs, but I'm also not sure what criteria my router uses to determine what's an attack and whether normal sniffing by the ISP to see who's actually connected might also trigger it.
      • It's also possible, though maybe less likely that if the game they are playing creates P2P connections between the players for say chat, then they could be revealing their IP that way. Like Freshly Exhumed said above though, it all just guesses without some evidence.

        But what do I know, I'm a packet who got lost on his way to 127.0.0.1

      • It happens even when our computers are turned off. I recently reinstalled Windows which had no effect. We both run BitDefender and malwarebytes software. I've got the firewalls rules in the router turned up to only allow certain ports. What else can I check to see if it's us as opposed to outside traffic?
          You have to make sure everything is off, and *then* get a new WAN IP. Once any of the machines behind the router are up, your WAN IP will likely be exposed immediately, and turning off the computers *after* that is like closing the barn door after the horses have left. If it still occurs with everything off, and keeping them off after restarting the router with a new WAN IP, then two things:

          1) your router is owned and/or sucks.
          2) you are being port scanned constantly, and your router is not behaving well (

          • We did try turning everything off and then rebooting the router, but I'm going to do that test again. I reinstalled windows last weekend, but my husband hasn't yet. We'll do that too. I've never been certain that the router isn't over-reporting, but it does often coincide with noticeable network slowdowns, so something is going on. We have actually been threatened with DoS and virus and such by idiots on Steam, so when you add it all up, it does seem like something is happening. I'll do more internal c
            • by LesFerg (452838)

              Do you have Steam auto starting at powerup, and do you know how many games are attempting to synchronise their cloud backup data at startup?
              My router has fits and sometimes reboots after powering up my win7 PC. Trying to eliminate what could be flooding it, and so far Steam appears to be the only likely candidate.

      • by bwcbwc (601780)

        More likely explanations:
        1) Someone in the family downloaded something that installed an open BitTorrent client/tracker, and your network is being used to host pirate files, porn, and/or documents from a terrorist cell. Most likely just Miley Cyrus MP3s though.
        2) You have uPnP open to the internet or one of your uPnP devices opened itself the internet.
        3) Your kid publicized your minecraft server's IP address on YouTube.
        4) You're being probed by random botnets.

        The only way you'd be getting DDoS'ed is if some

    • by mjwalshe (1680392)
      From experience not every second - doesn't sound like the normal background radiation of scans - scanners will be looking for /wp-admin/ /phpmyadmin and popular packages to exploit.
    • I have endless lists like this in the logs:
      [DoS attack: ACK Scan] from source: 216.39.55.12:80 Saturday, October 12,2013 12:08:28
      [DoS attack: ACK Scan] from source: 2.39.202.191:80 Saturday, October 12,2013 12:06:04
      [DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 12:05:13
      [DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 12:04:52
      [DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
      • by leuk_he (194174)

        The trouble is that this might not really be an attack, just a scan. Also a lot of routers have some firewall settings that mitigate DoS attacks, but without any real possibility to tune this, or even a good description of whether the thing in the log is anything important.

        The fact that some log says there is a DoS attack does not mean there really is an attack. It only says there is a log.....

        Showing the log is not enough, you have to add some explanation.

      • by dills (102733) on Saturday October 12, 2013 @03:52PM (#45110091) Homepage

        This is not a DoS attack. Look at how infrequent the packets are...it's essentially background noise that every IP address will see.

        This feels like 2002 all over again, when people had host-based firewalls and would freak out any time they got hit with a port scan, not really understanding what they were looking at.

      • by Anonymous Coward on Saturday October 12, 2013 @03:54PM (#45110099)

        Most of the dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender; this one - 63.228.223.103 - is "steamcommunity.com", and the one with a different port, "205.188.155.221:995", is indeed a mail server, as the port indicates.

        It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.

        • by tdelaney (458893)

          Wish I could mod you up - OP read the parent of this post!

      • by Anonymous Coward

        You may have a long log file with those messages, but look at the time stamps... Getting hit once every minute, sometimes every 5 or 10 minutes? That's not a DoS. You would need to see a lot of those per second for it to impact your connection. I would say that is likely just normal Internet chatter/scanning.

      • by SpaceLifeForm (228190) on Saturday October 12, 2013 @04:23PM (#45110245)
        You are fine. That is normal background noise. Not really a DoS, just normal probes, which are not frequent enough to be considered a DoS. Ignore the terminology that netgear is using. The slowness you encounter at times is likely upstream from you. You should expect it in the evening.
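The five "[DoS attack: ACK Scan]" lines quoted further up in this thread, and the replies pointing out how sparse they are, can be checked mechanically. The following is an added example, not code from any poster here or from Netgear: it parses that log format and reports the rate per second and per minute, with the flood threshold being my own assumption.

```python
"""Rate check for Netgear '[DoS attack: ...]' log lines, written as an added
example for this thread (it is not code from the poster or from Netgear).
It parses lines in the format quoted above, buckets them per second and per
minute, and says whether the rate is anywhere near a bandwidth-exhausting
flood; the threshold is an assumption, explained in summarize()."""
import re
from collections import Counter
from datetime import datetime

# Log format quoted in the thread. The day name and the missing space in
# "12,2013" are matched exactly as the router prints them.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"[A-Za-z]+, (?P<stamp>[A-Za-z]+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)

# Sample input: a constructed copy of the five lines the poster quoted.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source: 216.39.55.12:80 Saturday, October 12,2013 12:08:28
[DoS attack: ACK Scan] from source: 2.39.202.191:80 Saturday, October 12,2013 12:06:04
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 12:05:13
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 12:04:52
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
"""


def parse_line(line):
    """Parse one router log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "kind": m["kind"],
        "ip": m["ip"],
        "port": int(m["port"]),
        "ts": datetime.strptime(m["stamp"], "%B %d,%Y %H:%M:%S"),
    }


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def summarize(events, flood_pps=50):
    """Rate statistics plus a verdict.

    flood_pps is an assumed threshold, not a Netgear value: even a 16 Mbit/s
    DSL line takes thousands of packets per second before it saturates, so a
    handful of entries per minute cannot be what slows the connection down,
    whatever label the router puts on them.
    """
    if not events:
        return {"count": 0, "verdict": "no matching entries"}
    events = sorted(events, key=lambda e: e["ts"])
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    per_second = Counter(e["ts"] for e in events)
    per_minute = Counter(e["ts"].replace(second=0) for e in events)
    ports = Counter(e["port"] for e in events)
    peak_pps = max(per_second.values())
    if peak_pps >= flood_pps:
        verdict = "flood: rate high enough to matter, take it to the ISP"
    elif all(p < 1024 for p in ports):
        # Sparse packets whose *source* port is a service port are the classic
        # look of late or stray replies from servers (web, mail) that a host
        # behind the router talked to, or of reflected backscatter; either way
        # the volume here is nowhere near a denial of service.
        verdict = "background noise: sparse packets from service ports"
    else:
        verdict = "background noise: sparse scans"
    return {
        "count": len(events),
        "span_seconds": span,
        "peak_per_second": peak_pps,
        "peak_per_minute": max(per_minute.values()),
        "avg_per_minute": len(events) / (span / 60) if span else float(len(events)),
        "source_ports": dict(ports),
        "kinds": dict(Counter(e["kind"] for e in events)),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feed it the router's full log export instead of SAMPLE_LOG; the verdict only flips to "flood" when some single second carries dozens of entries.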
  • Go to your ISP (Score:5, Informative)

    by ERJ (600451) on Saturday October 12, 2013 @01:21PM (#45109241)
    The nature of a DOS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.
    • Their ISP sent them to the Feds. So, no help forthcoming from them.

  • Have you tried... (Score:2, Insightful)

    by Endloser (1170279)

    changing your ISP?

    • by VortexCortex (1117377) <VortexCortexNO@S ... t-retrograde.com> on Saturday October 12, 2013 @03:31PM (#45109993) Homepage

      changing your ISP?

      They said it didn't matter if they changed the IP address or MAC of the router. This means the attacker can track them across domains. They should try NOT playing the online games after changing the IP address and see if the DoS persists. Also if they are being DoS'ed then a Distributed Reflective DoS (DRDoS) is probably what's causing up to 5 spoofed SYN-ACK packets to be sent per single attacker's packet (SYN Amazon, spoofed target return IP, Amazon tries to complete the TCP handshake with the target). They didn't sign them up for anything, that's the nature of a reflective attack.

      Coincidentally, the surefire way to protect against DRDoS is to simply use DR-DOS, [wikipedia.org] to play games that have far less chance of exposing you to assholes.
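The reflection mechanism described in this post can be recognised from the victim's side: every reflected SYN-ACK answers a SYN the victim never sent. The following is an added example, not code from the commenter, running a small connection tracker over a constructed packet trace (documentation IP ranges stand in for real addresses).

```python
"""Detecting reflected SYN-ACKs (DRDoS backscatter) on the victim side, as an
added example for this thread; it is not code from the commenter, and the
packet trace below is constructed. In the attack described above the
attacker sends SYNs to third-party servers with the victim's address forged
as source, so the servers send SYN-ACKs (and retransmit them) to the victim.
From the victim's side each such SYN-ACK answers a SYN the victim never sent,
which is exactly what a small connection tracker can check."""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")
OUR_IP = "203.0.113.10"  # documentation address standing in for the home WAN IP


def classify_synacks(packets):
    """Split inbound SYN-ACKs into solicited and unsolicited ones.

    A SYN-ACK is solicited if an earlier outbound SYN went to the same
    (server ip, server port) from the same local port. Retransmitted
    SYN-ACKs for a connection we did open still count as solicited.
    """
    pending = set()  # (remote ip, remote port, local port) of SYNs we sent
    solicited, unsolicited = [], []
    for p in packets:
        if p.direction == "out" and p.flags == "S":
            pending.add((p.dst, p.dport, p.sport))
        elif p.direction == "in" and p.flags == "SA":
            if (p.src, p.sport, p.dport) in pending:
                solicited.append(p)
            else:
                unsolicited.append(p)
    return solicited, unsolicited


def reflector_profile(unsolicited):
    """Count unsolicited SYN-ACKs per (source ip, source port).

    Many distinct sources, all on well-known service ports, with repeats per
    source from retransmission, is the shape of reflection; a single source
    walking through our ports would be a scan instead.
    """
    return dict(Counter((p.src, p.sport) for p in unsolicited))


# Constructed trace: one real handshake with a web server (its SYN-ACK arrives
# twice, a retransmit), then SYN-ACKs from servers we never contacted.
TRACE = [
    Packet("out", OUR_IP, 50001, "198.51.100.5", 443, "S"),
    Packet("in", "198.51.100.5", 443, OUR_IP, 50001, "SA"),
    Packet("in", "198.51.100.5", 443, OUR_IP, 50001, "SA"),
    Packet("out", OUR_IP, 50001, "198.51.100.5", 443, "A"),
    Packet("in", "192.0.2.20", 80, OUR_IP, 50002, "SA"),
    Packet("in", "192.0.2.21", 80, OUR_IP, 50002, "SA"),
    Packet("in", "192.0.2.22", 80, OUR_IP, 50002, "SA"),
    Packet("in", "192.0.2.20", 80, OUR_IP, 50002, "SA"),
]

if __name__ == "__main__":
    ok, bad = classify_synacks(TRACE)
    print(f"solicited SYN-ACKs: {len(ok)}, unsolicited: {len(bad)}")
    print("reflectors:", reflector_profile(bad))
```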

    • Not many options in the rural area we live. It's DSL, Satellite or cell data. Blech. Sometimes I do miss big city conveniences.
  • Not on your end (Score:4, Informative)

    by Lorens (597774) on Saturday October 12, 2013 @01:25PM (#45109269) Journal

    If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).

  • by lesincompetent (2836253) on Saturday October 12, 2013 @01:27PM (#45109293)
    I've seen some SOHO routers' firmware sporting this alleged "DoS protection". I think it's just a marketing point.
    No idea of how the detection works but this sounds like a false positive to me.
    And wouldn't your ISP notice first too?
  • Cloud providers... (Score:5, Interesting)

    by ayjay29 (144994) on Saturday October 12, 2013 @01:31PM (#45109323)

    Hi,

    >> I've noticed the IPs trace back to Microsoft or Amazon domains

    This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

    • by tgd (2822)

      Hi,

      >> I've noticed the IPs trace back to Microsoft or Amazon domains

      This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

      At least in Azure, you have to go out of your way to do so -- both the out-of-the-box Linux VMs and Windows VMs create your primary user account for you, and they do some reasonable password strength checks on it.

  • Most gaming services don't show other users your IP address, as things like a DoS could happen. Unless they are the admins of the game or you are using a third party service that they have access to, such as a Teamspeak/Ventrilo server, guild/forum web server, etc. Be careful of what you visit. Also, even the best router is not going to stop your internet pipe from getting flooded with incoming packets.
  • Check your system *thoroughly* for malware - you might be a part of the zombie network i.e. your system is compromised and picking up orders from a master controller - then sending out spam, kiddie pr0n, and plans for 3d printed parts.

    A good backdoor shouldn't overwhelm your network, but it's still worth checking.

  • by Anonymous Coward

    My bet is that you are participating in some sort of P2P network, file sharing, Spotify... I don't think you are being targeted due to gaming.

    And how do they find us with a new MAC address and IP within minutes?

    Assuming that this is indeed a malicious DoS attack, there is something inside your network that is tipping them off. P2P gaming software, chat software, malicious local software. There is no way for them to simply find you with a new external IP.

    As others have already stated, the only way to mitigate a saturated pipe DoS is to filter upstream, your ISP or their ISP.

  • by istartedi (132515) on Saturday October 12, 2013 @01:34PM (#45109353) Journal

    We seem to have attracted the attention of some less than savory types in online gaming

    Followed by:

    And how do they find us with a new MAC address and IP within minutes?

    This is pretty obvious. The game is telling them. Not much of a gamer myself; but I'm willing to wager you can see the IP address from which a particular user is logged on. Maybe the game will let you cloak that. If it won't they can always find you again...

    • That used to happen in Quake all the time -- to gain an advantage, people would pound competitors' machines to slow their "ping" as it was the equivalent to making their reaction times drunk.

    • by vux984 (928602)

      If it's not the game itself, it could be other software.
      Skype in particular (on your PC, or on your smartphone on your wifi...)

      Any number of other chat programs, p2p software, etc are suspect.

      Rootkit/malware/backdoor is possible.

      And that's all assuming it's real, which, I don't know your level of sophistication. For all we know you just have an infected unit that's flooding your network, and you are mis-reading the overly "dangerous" sounding warnings crappy security constantly throws up to justify its existe

    • It happens even when we're not logged in to the game and reboot the router to get a new IP address.
  • If you managed to piss someone off that is now DoS'ing you like this chances are you're screwed and the attacks are only going to stop when your ISP gets fed up with it and pulls the plug on you.

  • Smells of rootkit (Score:5, Informative)

    by SpaceLifeForm (228190) on Saturday October 12, 2013 @01:43PM (#45109409)
    Something is calling home to give away your IP quickly. What computers and OSes are you using? What antivirus? A lot of antivirus programs suck. Shut down everything. Force a new WAN IP on the router. See if the problem occurs with no devices on behind the router. If it does, maybe it is the router that is running malware. If still quiet, bring up one machine at a time behind the router and wait a while before doing the next machine. Any wireless devices? Is your wifi *really* secured?
    • by toygeek (473120)

      This. Antivirus programs don't stop/fix rootkits. You likely have a compromised computer that is a zombie. TDSSKiller is a good start, Combofix if you need to. I'd go to bleepingcomputer.com's forum and ask around there. If you're reluctant to do so, then at the very least run malwarebytes' Anti-Malware on all your PCs ASAP.

      • I'll try TDSSKiller. We use BitDefender and malwarebytes already. Nothing found by either. I reinstalled Windows, but my husband hasn't yet.
        • What exactly do you use your PCs for that you need "BitDefender" and "malwarebytes" to be installed on them? What kind of users are there on your network?
  • If you are not actually _hosting_ the game (in which case you are f-ed, because you simply need to examine all the packets by yourself, but from the fact you were not talking about any server I somehow suppose that you are just connecting), carrier-grade or similar NAT perfectly solves this problem. Your ISP should be able to hide you in an inner network in no time this way.

  • 1. Unplug your gateway device (DSL modem) and your router
    2. On a known clean system download and create a Windows Defender Offline flash key/DVD (you will need either or both of the 32 and 64 bit versions)
    3. Shut down ALL of your computers
    4. Make and have %meal% (don't forget the dishes)
    5. Run WDO on one computer (make sure it completes successfully)
    6. Plug in your DSL modem and wait for the blinky lights to settle
    7. Plug in your router and wait for its blinky lights to settle
    8. Plug in the computer that was scanned (a

  • Document what's happening as thoroughly as you can, and the whole history of the thing, and then go to the state police in your state. They may refer you to the FBI, and I'm guessing will not be all that eager to deal with the issue, but it's a crime being committed against you and you should have the benefit of law enforcement to whatever degree they can feasibly help you. At the very least you will have documented what is happening and they'll know about it so that if the situation evolves they will have a

  • by RedLeg (22564) on Saturday October 12, 2013 @02:06PM (#45109549) Journal
    You more than likely have something "phoning home" that the bad guys are tracing back to you.

    SO, to track that down, do this in exactly this order:

    1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.

    2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that is connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiging your router. If necessary, borrow a device from someone you trust.

    3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.

    4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.

    It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.

    If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.....

    Hope this helps.

    -Red

  • by gmuslera (3436) on Saturday October 12, 2013 @02:11PM (#45109575) Homepage Journal

    Unless you have some external name for your home connection (i.e. using dyndns or similar if your IP is dynamic), it is probably something you have in your network, like being part of a botnet node, having a misconfigured p2p client, or something that from inside announces itself to be accessed by others. Disable all the services that you know access the outside by themselves (i.e. checking for software updates), and try to track all that you don't know about that access the outside by themselves when the IP changes.

    They could find you also because you have an easy to detect service that is exploitable. Knowing where they access and connect could be useful; even having an IP camera accessible from outside with a fixed admin password could be enough to cause that kind of behaviour. Considering that scanning the entire internet takes less than an hour [slashdot.org], a lot could be doing so all the time, so anything exposed you have could be easily detected.

    Having antivirus is no guarantee of safety; some malware could be active for years [arstechnica.com] before it is even hinted by AV companies that something could be there (and probably US based security products will be hardcoded not to report anything that could look like an NSA backdoor or malware). While it is not a guarantee of not catching malware, using Linux or even Mac OS X lowers the odds of it a lot.

  • What's your router's MAC address got to do with it?

    • by SeaFox (739806)

      He's likely on an Internet connection that uses a bridged modem and DHCP to assign IP addresses. He would have to change the MAC of the router to appear to be a new device connecting on his ISP's network if he wanted a new public IP address.

      • by bytesex (112972)

        Okay. Sure. Hadn't thought of that. I also understand that buying a DDoS is easy these days: even schoolkids do it.

  • Sounds more like an internal compromised machine. Use a live Linux CD, shut down all other devices on your network except one PC. This includes phones, tablets, PCs etc. Reboot that remaining PC with the Linux CD. Reset the MAC address on your router to get a new IP. At that point you can be 100% sure that you don't have a compromised machine. If the flooding stops a machine is compromised, dimes to donuts that's the cause.
  • If those three stages of demonic possession are true:
    1) Infestation
    2) Oppression
    3) Possession
    ...I think you're experiencing 1 and 2. Time to call in an expert.
  • by Anonymous Coward

    It's you.

    If you went out and got a new IP and within minutes they "found" you again, really? C'mon. If that's the case, you seem to have pissed off the world's greatest hacker. It's either that or there is a sustained attack on that block of IPs that your ISP is using for DHCP or static assignments, AND if THAT's the case, then your ISP is being DOS'ed.

    But really, download a LiveCD and disconnect everything in your network except the box you use with the LiveCD and see if the issue disappears. Then plug i

  • I can envision two scenarios. First, the less likely one.

    First Scenario: Trojan Horse
    One or more machines on your network have been infected/trojaned/compromised somehow. Every time you switch your external IP address, the infected machine dutifully contacts its nefarious overlords with the news. There's a good chance that one of your compromised machines may actually be part of a botnet. One important question is, "what conditions, specifically, trigger my router's 'DOS attack from xxx' in its logs." Th

    • by megabeck42 (45659)

      So, I read your initial question a bit closer and realized you'd identified the IPs as Microsoft and Amazon services. In fact, I suspect they're IPs related to content distribution servers. I'm quite certain your router's DOS warnings are false positives.

      Your problem is most certainly not the result of a DOS.

  • If they're getting to you within minutes, then they're getting help from inside. It may be as simple as your router being configured for Dynamic DNS, or one or more of your machines is compromised... or -- as others said, they may be getting info from your game server.

    Rather than paying gigabucks for a hardware router/firewall, take an ancient machine, add a second ethernet card to it and install OpenBSD [openbsd.org] onto it. OpenBSD will do you as well as anything hardware based, in terms of protecting your network --

  • Not a DoS (Score:4, Interesting)

    by BlackHawk-666 (560896) <ivan.hawkes@gmail.com> on Saturday October 12, 2013 @05:17PM (#45110509) Homepage

    Given the log you posted, you are most definitely not being hit with a DoS attack. You are barely taking any traffic at all, with only a few hits / minute

    [DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49

    I mean look at that...there's 21 minutes worth of time passing in just 3 log entries, that's just plain old net noise.

    It's more likely that your ISP is suffering backhaul congestion, or you are running a torrent client, or someone is DLing ultra pr0n at some insane rate or you left your wi-fi open and someone is hijacking it.

    Go to http://www.speedtest.net/ [speedtest.net] and run a bandwidth check on your network.
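    As an added example (not code from the post or its author), a small Python parser for the router log format quoted above that measures what the post eyeballs: how many "DoS attack" entries land per minute over the span they cover, and which sources dominate. The "flood" threshold and the second, generated sample from a documentation-range address are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Router log format as quoted in the post:
# "[DoS attack: <kind>] from source: <ip>:<port> <Weekday>, <Month> <day>,<year> <hh:mm:ss>"
LINE_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+):(?P<port>\d+) "
    r"\w+, (?P<stamp>\w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)

# The three lines quoted in the post above (copied, not constructed).
POSTED_LOG = """\
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
"""

def parse_router_log(text):
    """Return one dict per parsable line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"kind": m["kind"], "ip": m["ip"], "port": int(m["port"]),
                       "ts": datetime.strptime(m["stamp"], "%B %d,%Y %H:%M:%S")})
    return events

def assess(events, flood_per_minute=30.0):
    """Events per minute over the covered span. The threshold is an assumed rough heuristic:
    a handful of entries spread over many minutes is background scanning, not a flood."""
    top = Counter(e["ip"] for e in events).most_common(3)
    if len(events) < 2:  # one entry gives no span to measure a rate over
        return {"count": len(events), "span_minutes": 0.0, "rate_per_minute": 0.0,
                "verdict": "insufficient data", "top_sources": top}
    stamps = [e["ts"] for e in events]
    span_min = (max(stamps) - min(stamps)).total_seconds() / 60.0
    rate = len(events) / span_min if span_min > 0 else float("inf")  # all in one second: a burst
    verdict = "flood" if rate >= flood_per_minute else "noise"
    return {"count": len(events), "span_minutes": span_min, "rate_per_minute": rate,
            "verdict": verdict, "top_sources": top}

def make_flood_sample(n=120):
    """Constructed sample: n lines one second apart from 192.0.2.10 (documentation range)."""
    base = datetime(2013, 10, 12, 12, 0, 0)
    return "\n".join(
        "[DoS attack: ACK Scan] from source: 192.0.2.10:80 Saturday, "
        + (base + timedelta(seconds=i)).strftime("%B %d,%Y %H:%M:%S") for i in range(n))
```

    Run against the posted lines it reports three entries over roughly 20.7 minutes, well under one per minute, matching the post's "plain old net noise" reading.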

  • You are probably either the victim of a malware infection, or you're torrenting too much. If a machine on your network has been properly pwned (and this is a lot more likely than you being the target of a DDOS) then running AV on top of the OS most likely won't find the malware...
    Download and burn the Kaspersky Rescue CD, boot off that (a known-good OS) and scan your machines. Report back how much malware it found that everything else missed.
    If you're participating in a DDOS (or otherwise maxing out your upstream bandwidth - eg torrents) then uploading at the maximum throughput will have the side effect of dropping your download speed to the same as your upload speed.

  • by LodCrappo (705968) on Saturday October 12, 2013 @05:49PM (#45110663) Homepage

    Point 1: The fact that you mention MAC addresses and DoS in the same question shows that you do not know enough about networking to assess this situation properly.

    Point 2: Home internet connections don't get DOSed. There is no profit in it to justify the effort or risk. Anyone with the skill and capability to attack a network most certainly has better things to do.

    Point 3: All of your symptoms fit perfectly with a local problem. None of them match a DOS very well.

    You very likely have a compromised PC or a PC running something like torrents/other P2P software that isn't properly configured. Use up all your outbound bandwidth either way and you will have exactly the situation described.

    obligatory: wtf is this doing on slashdot? It's a basic home user networking issue.

  • If I had to guess, the modem is holding onto the same IP address regardless of what you do with your router. Take a weekend trip and unplug your modem in hopes that it will pull a new address when you return. You could go upstream to your ISP with the issue and suggest the tech release your IP and assign you a new one.

    If the attack continues, then you have something inside your network leaking information to the attacker. And you will have to clean that up before you can resolve the problem.

  • So what? (Score:4, Informative)

    by sillivalley (411349) <[ten.tsacmoc] [ta] [yellavillis]> on Saturday October 12, 2013 @08:54PM (#45111477)
    Executive summary: Welcome to the real world. Everybody with an "always on" connection is getting this kind of crap, it's just that most people don't realize it.

    Discussion: We have a cable modem for internet service. I run a SSH honeypot (Kippo) to collect information on folks knocking on our door.

    Friday morning, my Kippo honeypot recorded a dictionary attack run of 291 SSH login attempts (against root) in 12 minutes (from 178.141.148.236, look it up if you want). I don't even bother to record the crap coming against port 80.

    This isn't unusual, not even for an IP address in a residential cable block! And the more you look for this kind of activity, like running a honeypot, or even reviewing your router logs, the more bewildered you'll become, particularly about how "normal" people's computers survive under these continuous attacks.

    The answer, of course, is that so many do not, their home computers rooted within minutes of being connected to the net, or when a child in the household (using a Windows account with admin privileges) clicks on some enticing link in IE... Their computer gets added to one or more botnets, and eventually they toss it out because it's too slow.

    Suggestions: Make sure your network is as secure as you can make it, then ask for help to make it better. Help those you care about do the same. Friends don't let friends use IE (or Windows) is a good start.
