Ask Slashdot: Mitigating DoS Attacks On Home Network?
First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."
Everyone is being scanned at every second by bots, do you have any real evidence you're being DoSed? It could be a crappy connection. Seeing a modem light flashing a lot does not mean you're being packeted.
Exactly. Let's see some logs, please, and let's have some detailed descriptions of your gear so that we can make more than just guesses.
The nature of a DOS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.
changing your ISP?
I'm no expert. Could it be coming from your ISP? I suppose the method being used could give you an idea of whether the attacker is outside of your service provider (i.e. UDP).
If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).
Ditto.
My next question is: is his machine compromised and part of a botnet. I.e. is he the one doing the DoSing, and his router is falling over as a result.
RTFA!
I've seen some SOHO routers' firmware sporting this alleged "DoS protection". I think it's just a marketing point.
No idea of how the detection works but this sounds like a false positive to me.
And wouldn't your ISP notice first too?
If they can find you even after you change your IP address, it's possible you have malware in at least one of your computers. Either that, or the game servers you connect to are controlled by the botnet masters.
If they're finding you so quickly, I'd guess there's something compromised inside your network.
Also please post some speed tests from these sites:
http://www.speakeasy.net/speedtest/
http://www.speedtest.net/
Don't forget to run more than one test on each to get a better sample.
A device on your home network may be compromised (PC, network printer, Tivo, DVR, ...) or your email account or some other service that you log into may be compromised (For example, you can determine what IP address an email was sent from if you have access to the mail account).
But are you really being DoSed?
1) Check to see if other devices that aren't yours are using your router. Maybe your neighbour is using your WiFi.
2) If nobody else is using your WiFi, turn off/disconnect all your devices except the router. Does the network activity light still flash a lot?
If the network activity still flashes a lot then yes you might be being DoSed. If it doesn't then you are not being DoSed, at least not from the outside.
If you now figure you are not being DoSed try connecting directly to your router via a network cable (assuming it has a network port), if the connection is very stable then what you are experiencing is problems with your WiFi connection and not DoS.
If you are being DoSed from outside, turn off any dynamic DNS stuff and then try getting your router to reconnect to change your IP. You should no longer be DoSed at this point unless something strange is going on.
pfSense + snort.
From experience not every second - doesn't sound like the normal background radiation of scans - scanners will be looking for /wp-admin/ /phpmyadmin and popular packages to exploit.
Hi,
>> I've noticed the IPs trace back to Microsoft or Amazon domains
This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.
This would seem like an obvious case here.
If your IP changes, how would the attackers be able to guess the new ip so fast?
> But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains
Obviously they're using Azure and AWS machines to launch attacks...
I was thinking of being obnoxious in an online game, but now that I know there are consequences, I don't think I will.
Most gaming services don't show other users your IP address as things like a DoS could happen. Unless they are the admins of the game or you are using a third party service that they have access to such as a Teamspeak/Ventrilo server, guild/forum web server, etc. Be careful of what you visit. Also, even the best router is not going to stop your internet pipe from getting flooded with incoming packets.
Check your system *thoroughly* for malware - you might be a part of the zombie network i.e. your system is compromised and picking up orders from a master controller - then sending out spam, kiddie pr0n, and plans for 3d printed parts.
A good backdoor shouldn't overwhelm your network, but it's still worth checking.
My bet is that you are participating in some sort of P2P network, file sharing, Spotify... I don't think you are being targeted due to gaming.
And how do they find us with a new MAC address and IP within minutes?
Assuming that this is indeed a malicious DoS attack, there is something inside your network that is tipping them off. P2P gaming software, chat software, malicious local software. There is no way for them to simply find you with a new external IP.
As others have already stated, the only way to mitigate a saturated pipe DoS is to filter upstream, your ISP or their ISP.
We seem to have attracted the attention of some less than savory types in online gaming
Followed by:
And how do they find us with a new MAC address and IP within minutes?
This is pretty obvious. The game is telling them. Not much of a gamer myself; but I'm willing to wager you can see the IP address from which a particular user is logged on. Maybe the game will let you cloak that. If it won't they can always find you again...
If I were an online gamer, I'd be more inclined to blame the platform/service than someone Dos'ing little 'ole me.
This.
It is far more likely that he has a compromised internal network and his dsl is being overwhelmed by outbound spam, not an inbound DoS, especially since 'they' find him within minutes of an IP switch. Invest in a good virus scanner dude, and seriously consider a wipe and reload of every system.
Assuming that it is a DoS and not just a terrible connection;
Are you sure that they don't have a virus on your home machine or your router firmware. Possible they're using that to track your MAC and IP.
If I were in your position I would start by:
1) Low level formatting on all of your boxes
2) Either replace, or factory reset the router
3) Change your ISP, technically speaking they should be able to detect and block such an attack from their core routers. So why can't they help you? Clearly they're either technically incompetent or just don't care. Either way I'd switch.
If those three steps don't work, you might have no choice but to enlist help from the Government (whenever it comes back online itself :) )
Good luck with it, hopefully you can sort this out.
and ET is phoning home. You should get some EFFECTIVE firewall and antivirus and get a pro to clean your system properly first.
If you managed to piss someone off that is now DoS'ing you like this chances are you're screwed and the attacks are only going to stop when your ISP gets fed up with it and pulls the plug on you.
I personally know a lot of guys using Azure and AWS to seed torrents. It may just be normal torrent behavior (i.e. peer exchange, port punching) having connections being initiated from outside and making your router think they're attacks.
Unless you have very special relations with your ISP, DoS mitigation for home network is not possible. Try to make sure that you do not attract the attack to your own IP address by using VPN to an external provider that will handle it for you. It may present some issues for games sensitive to connection latency, but is still better than dealing with DoS. If you are technically savvy, bringing up micro instance in the closest Amazon datacenter and tunneling to it from DD-WRT router via OpenVPN is cheap and good ( though not necessarily easy to configure ) .
And how do they find us with a new MAC address and IP within minutes?
You're changing your MAC address? wut? and why? But anyway...
Assuming it's really a DOS attack (as above,) and assuming you're really being targeted somehow (dubious, but OK,) and assuming that it's actually *you* and not your ISP's IP ranges being targeted, and assuming you're actually getting a different IP address and they're still finding you....
Then QED, you've got either some connection running that your adversary is reading (can't think of what that would be - but something like cloud storage and they're able to read the access logs???), or far more likely you have one or more compromised computers or devices which is broadcasting your location to whatever botnet is on you. Have you looked at your hosts files on your machines, and have you checked to see what DNS services you're using?
But I'm really with others above: Why haven't you talked to your ISP about this?
Something is calling home to give away your IP quickly. What computers and OSes are you using? What antivirus? A lot of antivirus programs suck. Shut down everything. Force a new WAN IP on the router. See if the problem occurs with no devices behind the router. If it does, maybe it is the router that is running malware. If still quiet, bring up one machine at a time behind the router and wait a while before doing the next machine. Any wireless devices? Is your wifi *really* secured?
Right now I am using Zentyal (IDS module) and CSF (ConfigServer Security and Firewall). I really like CSF, especially the ability to easily block whole countries. In the past I have used Untangle and pfSense.
Small game server operator here. I used to get DDOSed and DOSed regularly (once a month) on my 50/5 megabit cable line.
What I did was deploy pfsense with snort (with all the emerging threats rules enabled). It will log attacks and it will be plain as day when you are ddosed or dosed.
The next step is to provide those logs along with a plea to the abuse addresses for the hosts from which the attacks originate. I have had responses ranging from complete empathy to complete ridicule.
What would be cool is detection and reputation ranking for compromised nodes, so each router on the internet can decide whether or not they want to route traffic from the assholes who are part of the botnet.
Since this will never happen, I resorted to learning the basics of amassing a simple botnet and pointing it at the origin of the compromised hosts which were attacking me. This is done either in whole or in part and is very simple with some simple IRC tricks.
I should mention that the game I host is an open source indie game that is totally free to play.
The key is going to be determining how they are locating your new address, and then resolving that issue. Both Amazon and Microsoft have free hosting offers that could be used to generate attacks on a low bandwidth site such as that on the average DSL circuit.
If you are not actually _hosting_ the game (in which case you are f-ed, because you simply need to examine all the packets by yourself, but from the fact you were not talking about any server I somehow suppose that you are just connecting), carrier-grade or similar NAT perfectly solves this problem. Your ISP should be able to hide you in an inner network in no time this way.
1 unplug your gateway device (dsl modem) and your router
2 on a known clean system download and create a Windows Defender Offline flash key/DVD (you will need either or both of the 32 and 64 bit versions)
3 shut down ALL of your computers
4 make and have %meal% (don't forget the dishes)
5 run WDO on one computer (make sure it completes successfully)
6 plug in your dsl modem and wait for the blinky lights to settle
7 plug in your router and wait for its blinky lights to settle
8 plug in the computer that was scanned (and only that one)
9 see if the problem shows back up
10A IF NO: then FOR EACH IN ListOfComputers do 5 ,8 and 9 with the next computer IF RemainingComputers = 0 then GOTO 11
10B THEN dial tel:8002255324 and explain the situation
11 Spend some of your Profit! on a better AV solution
Since you haven't shared any logs it's hard to say if it is you doing this to yourself with an infected box or if you are actually being DOS'd. A simple test would be to download Knoppix, or some other LiveCD, and boot into it and see if your problems disappear. For this to work you obviously need everything else on your network offline while you try this, that includes cell phones, refrigerators or whatever. If you are being DOS'd you will need your ISP's help; if they can't do it, or are unwilling, change ISPs.
The ways I can think that they are finding your IP so quickly are 1) You have your own domain or 2) You have a program calling home.
HTH
Agreed. OP should check the traffic on his own network before jumping to conclusions. As far as congestion goes, if there's a bot on his network pumping out huge amounts of outbound traffic, then that'll stuff his connection just as surely as if some script kiddie was DDoSing him.
The DSL router itself could be compromised as well. I'd start by booting up a Linux live CD, disconnecting everything else from the network and changing the external IP address again. Then I'd wait to see if they find you again. If they don't, start plugging everything back one device at a time, again checking if they find you after plugging the last device in.
It depends on what you're playing, MMOs you can easily keep your IP a secret since you're all playing together through the game server, but if it's a FPS where one player hosts the game then you'd need to play through a proxy. It will cause some additional latency going through the proxy however so it may not be a viable option. I know most of the streamers on Twitch use Skype through a proxy and that's good enough for them.
It seems strange that, a) people could be that bothered to DoS you b) that they find your IP address over and over. Have you considered that maybe something inside your network is the cause? Like people have mentioned, you need to quantify whether this is an actual DoS attack, simple port scanning or botnet connection attempts or a malware/virus infection.
If you have a reasonable packet filtering firewall on the router this should be sufficient to prevent most attacks, check the internal machines for any strange connections, the netstat command is available on all OSs afaik.
If everything is ok on your side and this is a genuine attack (god knows how you pissed someone off that much) then contact your ISP for some help.
Good luck, hope you get some resolution.
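The post above suggests running netstat on each internal machine and looking for strange connections. The following is an added example, not code from the thread: it parses a constructed `netstat -ano` snapshot in the Windows 7 output format (the OP's OS), keeps only established TCP connections to non-local peers, groups them by process ID, and flags processes that talk to ports outside an expected set or fan out to several hosts on such a port. The sample addresses, PIDs and the expected-port set (80, 443 and 27015 as a typical game-server port) are assumptions for illustration; a real run would feed it the output of `netstat -ano` and then map the flagged PIDs to process names with `tasklist`.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `netstat -ano` on Windows 7. Addresses, ports
# and PIDs are invented; the 203.0.113.x and 198.51.100.x peers are documentation
# ranges standing in for public hosts.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    192.168.1.10:49711     54.246.143.169:80      ESTABLISHED     2044
  TCP    192.168.1.10:49712     54.246.143.169:443     ESTABLISHED     2044
  TCP    192.168.1.10:49800     203.0.113.7:6667       ESTABLISHED     3312
  TCP    192.168.1.10:49801     203.0.113.8:6667       ESTABLISHED     3312
  TCP    192.168.1.10:49802     203.0.113.9:6667       ESTABLISHED     3312
  TCP    192.168.1.10:49803     198.51.100.20:27015    ESTABLISHED     1500
  TCP    192.168.1.10:49810     127.0.0.1:49811        ESTABLISHED     900
  TCP    192.168.1.10:49900     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:3702           *:*                                    880
"""

# Assumption: what this household expects its machines to reach on the internet
# (web, plus one game-server port). Anything else is worth a look.
EXPECTED_REMOTE_PORTS = {80, 443, 27015}

# Peers in these ranges are the LAN or the machine itself, not the internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(text):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None); strips IPv6 brackets."""
    host, port = text.rsplit(":", 1)
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        laddr, lport = split_endpoint(local)
        raddr, rport = split_endpoint(foreign)
        conns.append({"proto": proto, "laddr": laddr, "lport": lport,
                      "raddr": raddr, "rport": rport, "state": state, "pid": int(pid)})
    return conns


def is_local(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # '*' or similar: not an external peer
        return True
    return any(addr in net for net in LOCAL_NETS)


def external_connections(conns):
    """Established TCP connections whose peer is outside the LAN."""
    return [c for c in conns
            if c["proto"] == "TCP" and c["state"] == "ESTABLISHED" and not is_local(c["raddr"])]


def suspicious_processes(conns, expected_ports=EXPECTED_REMOTE_PORTS, fanout=3):
    """Map PID -> list of reasons for processes with unexpected outbound activity."""
    per_pid = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for c in external_connections(conns):
        per_pid[c["pid"]]["hosts"].add(c["raddr"])
        per_pid[c["pid"]]["ports"].add(c["rport"])
    findings = {}
    for pid, info in per_pid.items():
        reasons = []
        odd_ports = sorted(info["ports"] - expected_ports)
        if odd_ports:
            reasons.append("unexpected remote port(s): %s" % odd_ports)
            if len(info["hosts"]) >= fanout:
                # several peers on the same odd port is the shape of a C2 fan-out
                reasons.append("fans out to %d external hosts" % len(info["hosts"]))
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_processes(parse_netstat(SAMPLE_NETSTAT)).items():
        print("PID %d: %s" % (pid, "; ".join(reasons)))
```

The snapshot only shows what is connected at that instant; a bot that beacons every few minutes can be missed, so run it several times (or right after forcing a new WAN address, when a "phone home" is most likely) and compare the flagged PIDs across runs.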
Document what's happening as thoroughly as you can, and the whole history of the thing, and then go to the state police in your state. They may refer you to the FBI, and I'm guessing will not be all that eager to deal with the issue, but it's a crime being committed against you and you should have the benefit of law enforcement to whatever degree they can feasibly help you. At the very least you will have documented what is happening and they'll know about it so that if the situation evolves they will have a clear understanding of what's going on. DOS by itself probably isn't really too alarming to them, but I've seen these things evolve into threats, vandalism, etc, and they'll take that sort of thing more seriously.
I also have to concur with other posters. SOMETHING has to be allowing them to discover your IP/MAC addresses even when they change. I'd assume you have some sort of malware on some system on your network that is the culprit. It's possible they could have compromised your ISP or in theory there could be other ways to obtain that information, but the simple explanation is your PC is telling them where it is. Burn it down to a bare drive and reinstall from scratch, then run some good AV/IPS software, and consider packet logging all outgoing traffic to see if you can spot something.
SO, to track that down, do this in exactly this order:
1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.
2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that it connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiging your router. If necessary, borrow a device from someone you trust.
3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.
4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.
It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.
If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.....
Hope this helps.
-Red
Actually, he probably needs to go to some other location to be able to download tools in a timely manner.
Unless you have some external name for your home connection (i.e. using dyndns or similar if your IP is dynamic), it is probably something you have in your network, like being part of a botnet node, having a misconfigured p2p client, or something that from inside announces itself to be accessed by others. Disable all the services that you know that access by itself outside (i.e. checking for software updates), and try to track all that you don't know that access outside by itself when the ip changes.
They could find you also because you have an easy to detect service that is exploitable. Knowing where they access and connect could be useful, even having a ip camera accessible from outside with a fixed admin password could be enough to cause that kind of behaviour. Considering that scanning the entire internet takes less than an hour, a lot could be doing so all the time so anything exposed you have could be easily detected.
Having antivirus is no guarantee of safety; some malware could be active for years before AV companies even hint that something could be there (and probably US based security products will be hardcoded to not report anything that could look like an NSA backdoor or malware). While it is not a guarantee of not catching malware, using Linux or even Mac OS X lowers the odds of it a lot.
What's your router's MAC address got to do with it?
The OP doesn't have the slightest idea of what he is talking about. WTF with MAC and spoofing.
Also you don't mitigate a DoS, you either absorb it and wait till it stops, or you disappear and use another IP address thus effectively null routing your old connection.
In any case if the attacker has a bigger pipe than you then you're doomed.
BAM!
First, look around your house, can you find something to make a rudimentary lathe?
Sounds very much like you have the Pando Media Booster problem. This is a P2P client that gets installed automatically with certain games, and basically whores your internet connection for other gamers to download the game client from. It is not commercially defined as malware, but its stealthy nature and bandwidth saturation certainly make it seem like it. It is basically a BitTorrent client you don't control, so that could easily explain why you see connections coming in from random places and low bandwidth. You do not need this software to play your games, and I believe it can be uninstalled quite easily and separately from your game clients. http://www.lo-ping.org/2011/07/29/the-pando-pandemic-why-you-might-already-be-infected/ I had bandwidth issues and this turned out to be the cause. In my case my wife had it on her machine after downloading some random MMO (Star Trek or Aion or something).
Sounds more like an internal compromised machine. Use a live Linux CD, shut down all other devices on your network except one PC. This includes phones, tablets, PCs etc. Reboot that remaining PC with the Linux CD. Reset the MAC address on your router to get a new IP. At that point you can be 100% sure that you don't have a compromised machine. If the flooding stops a machine is compromised, dimes to donuts that's the cause.
If those three stages of demonic possession are true:
1) Infestation
2) Oppression
3) Possession
...i think you're experiencing 1 and 2. Time to call in an expert.
It's you.
If you went out and got a new IP and within minutes they "found" you again, really? C'mon. If that's the case, you seem to have pissed off the world's greatest hacker. It's either that or there is a sustained attack on that block of IPs that your ISP is using for DHCP or static assignments, AND if THAT's the case, then your ISP is being DOS'ed.
But really, download a LiveCD and disconnect everything in your network except the box you use with the LiveCD and see if the issue disappears. Then plug in each device one at a time and see when you are "found" again. But wait, there's more! Say you plug it all back in and everything is working as it should, then you remove said LiveCD and reboot the test box back into zombie fest, er, the original OS and you are "found" again. So you know, that would be the infected box. Backup important files and reinstall the whole system.
Good Luck Space Ranger!
I can envision two scenarios. First, the less likely one.
First Scenario: Trojan Horse
One or more machines on your network have been infected/trojaned/compromised somehow. Every time you switch your external IP address, the infected machine dutifully contacts its nefarious overlords with the news. There's a good chance that one of your compromised machines may actually be part of a botnet. One important question is, "what conditions, specifically, trigger my router's 'DOS attack from xxx' in its logs." These warnings could well be simply legitimate traffic.
Second Scenario: Operator Error.
Does anyone in your house use BitTorrent? If so, you're probably overflowing your upstream channel and, lo and behold, TCP acks start dropping like flies in a pool of DDT. Netflix doesn't really require a lot of bandwidth to stream its content and it can manage with even moderate TCP congestion control. If your internet suddenly stops working, I'd suggest checking if your DSL modem has an internal diagnostic webpage. There's a convention, especially common to cable modems, where the cable/DSL modem will accept traffic to 192.168.100.1 as itself. So, simply browse to http://192.168.100.1 and check if you have any signal quality issues. Basically, the situation needs to be more closely analyzed. Check your bandwidth usage on your router; if you find that your upload traffic is at or near the limit of your bandwidth, get the roommate torrenting to cap his upload to something reasonable, like half of your upload limit.
Your router is fine. No greater, bigger, or fancier of a router will improve your situation if you really, truly are getting DOS'd. If the amount of packets being spewed at your IP address consumes the entirety of your subscribed bandwidth, then that's that. A fancier car won't get you through a traffic jam any faster than my honda, though, I imagine the fancier car's AC might actually work... which would be novel.
Bear in mind that there are different types of DOS attacks. Ping floods or UDP floods/smurf attacks. Making as many concurrent TCP connections to a server as possible to consume the server's kernel connection bookkeeping structures as well as to monopolize file descriptors in the actual server application. Botnets may even DOS by making as many concurrent requests as possible (you try to go for the CPU intensive ones, like doing a directory lookup for *) to consume the server's resources and, effectively, deny service to legitimate users. Oh, and if they get really fancy, they'll use a reverse tarpit wherein the client intentionally drags its feet receiving the reply (a few bytes here, a few bytes 20 seconds later), leaving the server's outbound buffers and application contexts bloated.
The above is why I genuinely doubt the veracity of your router's "DOS ATTACK FROM XXY" log message. Also because designing a computer program for identifying what traffic constitutes a DOS and what is legitimate are really quite non trivial.
Oh, hey, my backups are done and it's time to take these tapes to the vault; therefore, I shall conclude my post.
Do some more diagnosis and good luck!
Some players playing FFXIV are having their router "fall over" by merely trying to play the game. I wouldn't put it past the game the OP is playing doing the same. This is because the firewall, or TOE/LSO, is broken in either the router or the network card of the device connected to it, and for whatever goddamn reason the router thinks it's being attacked and reboots.
(Specifically the routers in question were Linux routers, e.g. ASUS models)
So, I read your initial question a bit closer and realized you'd identified the IPs as microsoft and amazon services. In fact, I suspect they're IPs related to content distribution servers. I'm quite certain your router's DOS warnings are false positives.
Your problem is most certainly not the result of a DOS.
Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.
It's also possible, though maybe less likely that if the game they are playing creates P2P connections between the players for say chat, then they could be revealing their IP that way. Like Freshly Exhumed said above though, it all just guesses without some evidence.
I don't think you can call dictionary attacks on phpmyadmin and its possible installation paths a "scan". Well, you can if you want but in what I would call a scan one is scanning available ports for interesting services to attack. ydmv and fairly pointless comment on my part anyway so have a good day.
Next, can you send us your IP address?
I have endless lists like this in the logs: [DoS attack: ACK Scan] from source: 216.39.55.12:80 Saturday, October 12,2013 12:08:28
[DoS attack: ACK Scan] from source: 2.39.202.191:80 Saturday, October 12,2013 12:06:04
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 12:05:13
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 12:04:52
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
[DoS attack: ACK Scan] from source: 54.246.143.169:80 Saturday, October 12,2013 11:38:43
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Saturday, October 12,2013 11:38:14
[DoS attack: ACK Scan] from source: 54.246.143.169:80 Saturday, October 12,2013 11:37:54
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 11:31:17
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 11:03:12
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 11:01:33
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 11:01:12
[DoS attack: ACK Scan] from source: 54.246.145.162:80 Saturday, October 12,2013 11:00:25
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Saturday, October 12,2013 11:00:01
[DoS attack: ACK Scan] from source: 176.221.80.2:80 Saturday, October 12,2013 10:59:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 10:45:17
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 10:25:43
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 08:43:58
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 08:21:40
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 07:47:41
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 07:37:42
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 07:13:09
[DoS attack: ACK Scan] from source: 46.4.126.76:80 Saturday, October 12,2013 06:14:39
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 06:13:26
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 04:18:08
[DoS attack: ACK Scan] from source: 58.64.205.166:80 Saturday, October 12,2013 03:23:24
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 02:18:01
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 01:56:16
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Saturday, October 12,2013 01:55:55
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Saturday, October 12,2013 01:55:33
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:46:54
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:45:59
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:45:26
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 01:45:05
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Saturday, October 12,2013 01:30:23
[DoS attack: ACK Scan] from source: 46.51.207.184:80 Saturday, October 12,2013 01:30:02
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:24:44
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Saturday, October 12,2013 01:22:53
I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16) and I can't browse the web or watch anything on Netflix. I'm not saying I'm absolutely certain that my Netgear router isn't over-reporting, but there is something going on. And now, rather than being only when we're gaming online and getting threatened by folks, it's constant. I can't figure out what we're being tracked by though. What is there besides MAC address and IP address to latch on to? Something maybe that Windows does that we've been "signed up" for? I just don't know. I'm a software geek, not a network guru sadly.
Saw this a while back. Use the script, Luke.
http://www.linuxjournal.com/content/back-dead-simple-bash-complex-ddos
I posted one of the logs in another post, my router doesn't provide proper packet logging, or I can't find it. My setup:
Windows 7 Ultimate and Home Premium
Vonage VOIP modem
DirecTV network hookup
NetGear D6200 DSL modem/router
NetGear WN2000RPTv2 wifi extender
We game on Steam but we've tried being logged off and getting a new IP address and still the "attacks" come. We're running bitdefender and malwarebytes. We've got PnP turned off and the firewall configured to allow only what we need for gaming and browsing etc.
It happens even when our computers are turned off. I recently reinstalled Windows which had no effect. We both run BitDefender and malwarebytes software. I've got the firewalls rules in the router turned up to only allow certain ports. What else can I check to see if it's us as opposed to outside traffic?
Rather than paying gigabucks for a hardware router/firewall, take an ancient machine, add a second ethernet card to it and install OpenBSD onto it. OpenBSD will do you as well as anything hardware based, in terms of protecting your network -- even if it is a bit more work to get properly configured. You can also then install stuff like Snort and Wireshark to REALLY watch what your system is doing.
It won't take much in terms of hardware -- even a sub 1 GHz machine will be more than sufficient for a 20 megabit feed.
It happens all through the night when neither of us in online too though.
Software geek?
Put ONE machine on your router.
Load up Wireshark.
Put DMZ options on the router to send all unsolicited traffic to that one PC's IP.
Watch what's being used and where it's coming from and where it's going.
To be honest, out of all the people who've ever come to me with a similar problem it's either a) a crap router, b) a crap ISP, c) Something on the machine/network talking OUT that's killing the connection (nothing external at all, e.g. P2P apps etc.), d) wireless connections being affected.
If you are genuinely changing your EXTERNAL IP (your internals mean nothing, your MAC means nothing), and it follows you that quickly, then YOU are broadcasting your location (or it's something internal to the network and nothing to do with packets from the Internet at all).
I know if I refresh my TF2 server list too often, my router can sometimes crap out.
Do some proper diagnosis. That means rather than guessing at something and trying things that have NO correlation (MAC addresses), that you follow Sherlock Holmes - when you have eliminated the possible, whatever remains must be the truth. Go through things and eliminate one at a time.
Put ONE device on the router. Change the router. Change the way you connect to the router. Look what's going out and coming in rather than guessing that you're being DDOS'd (I have yet to witness an actual DDOS in 15 years of network management). Or just talk to your damn ISP (who, almost certainly, will tell you there's nothing DDOS'ing you at all).
If you're getting a flood of recorded packets, you can see what they are, where they come from, and what prompts them and even how they have "found" you again. If you're just stabbing at solutions in the dark, then you're no better off at all.
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
I can try that. We have tried rebooting with everything turned off and still seen entries in the logs, but I'm also not sure what criteria my router uses to determine what's an attack and whether normal sniffing by the ISP to see who's actually connected might also trigger it.
We use BitDefender and I did recently reinstall Windows. I can ask my husband to do the same, but we've scanned our computers and found nothing. More telling, we see the "attacks" in the logs even when the computers are off. Unless there's a way to infect a Vonage VOIP modem or DirecTV internet thingy (it uses it for on-demand stuff) then I don't think it's us.
Most likely you don't know what you are saying is true. Without monitoring the number of packets, simply seeing a log entry is worthless. I would bet more than anything that 'your poor little router' is a 'poor little piece of garbage' and/or it is not set up correctly, and/or needs a firmware update, and/or your ISP SUCKS before DOS on your home network.
The trouble is that this might not really be an attack, just a scan. Also a lot of routers have some firewall settings that mitigate DoS attacks, but without any real possibility to tune this, or even a good description of whether the thing in the log is anything important.
The fact that some log says there is a DoS attack does not mean there really is an attack. It only says there is a log.....
Showing the log is not enough, you have to add some explanation.
Uh Huh. People often go out of their way to be assholes online.
Apparently the only thing that was required is for a bunch of idiots to decide the only way my husband could be beating them at the game is by cheating. Or possibly they don't even care that he doesn't cheat and just want to win by breaking competitors connections.
Anyway, I'm more concerned with how we're being found even when we're not gaming, and so far the best suggestions seem to be to reinstall everything and keep good virus/anti malware software running.
Exactly, it doesn't even have to be sophisticated, setup Dynamic DNS on router/internal PC and it'll play follow the leader for years. "looks like http://imaspawncamper.noobstoddos.dynamicdns.moc/ is back up on nother MAC and IP lulz"
Right... because someone can't buy/hack an AWS/Azure server and send a few hundred KB/s of UDP packets down the line.
It would be worthwhile to check the packets flowing down the line with Wireshark and then see if the packets are HTTP/streaming media based. Chances are it would require the temporary removal of the router
Are you sure that it isn't malware on one of your computers that causes the whole problem?
This is not a DoS attack. Look at how infrequent the packets are...it's essentially background noise that every IP address will see.
This feels like 2002 all over again, when people had host-based firewalls and would freak out any time they got hit with a port scan, not really understanding what they were looking at.
Most of dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender, this - 63.228.223.103 - is "steamcommunity.com", and one with different port "205.188.155.221:995" is indeed a mail server as specified by port.
It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.
Yeah, seems more likely to me he's got a zombie machine on his network participating in DDoS of another target that actually is worth targeting.
1) your router is owned and/or sucks.
2) you are being port scanned constantly, and your router is not behaving well (responding with ICMP unreachable for example), exposing the fact that you are there.
Have you tried to reset your router to factory defaults and start over? If you reset router, and do not open *ANY* ports, and reject ident requests, etc, that is, only allow NAT, does the problem still occur?
It may be your VOIP box, it may be your DirecTV box. You need to turn *everything* off in order to find the box that is leading to the problem.
If everything is off, and you restart the router, with no ports open, get a new WAN ip, and leave everything off behind the router, and the problem starts up again, then router is suspect, or your ISP has issues.
I see you have a combo DSL modem/router. I prefer separate modem from router, but it should work. That does not mean that it has not been hacked.
One final thing. Find someone else that is local to you on the same ISP, and see if they notice the same problems.
(P.S. Apologies for assuming your sex incorrectly)
You are being MICROattacked, from various angles, in a SOFT manner.
You may have a long log file with those messages, but look at the time stamps... Getting hit once every minute, sometimes every 5 or 10 minutes? That's not a DoS. You would need to see a lot of those per second for it to impact your connection. I would say that is likely just normal Internet chatter/scanning.
Not everyone is as smart as you are. Rather than being a snarky fuck, can you either provide more detailed advice for OP or just not post at all? I never understand why people like yourself insist on letting the world know how fucking brilliant you are, and how everything else is beneath you and a waste of your time. Fucking narcissist.
I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 mbps (should be around 16)
Your tiny DSL would be overwhelmed by even the smallest DoS attack imaginable. You would not be getting 1 or 2 Mbps - you would be getting absolutely nothing through at all.
It is more likely that your DSL is having trouble delivering the usual 16 Mbps due to electrical interference. Your ISP may be able to fix it by lowering your speed, which sucks, but it might be more stable. Or there might be nothing that can be done unless you can locate the source of the noise. Trouble is that the source might not be anywhere near your home.
Everyone here would expect to be DOS'ed as well if they did what you did. I would be ashamed of myself. You are a real jerk. Get off the internet, and don't come back!
We did try turning everything off and then rebooting the router, but I'm going to do that test again. I reinstalled windows last weekend, but my husband hasn't yet. We'll do that too. I've never been certain that the router isn't over-reporting, but it does often coincide with noticeable network slowdowns, so something is going on. We have actually been threatened with DoS and virus and such by idiots on Steam, so when you add it all up, it does seem like something is happening. I'll do more internal checks to be sure we're not our own worst enemies in this. However, I will say, neither BitDefender nor malwarebytes has found anything so far. I'm going to try TDSSKiller and Windows Defender Offline too, just to see. The router is new and seems to handle this mess a lot better than our old one, which would never recover and require rebooting.
Oh sure. plenty of people are assholes online. But it's usually in ways that require near zero effort.
People are LAZY.
Starting up a DoS attack isn't in the zero effort category. They took the time to get ahold of your IP and then start it up...
Consuming botnet resources usually used for something that makes money.
That requires some greater motivation than just to be an asshole.
Don't rely on your own ISP's speed test. Use one of the ones above and select an endpoint that is more like the Internet at large.
I am sure to a reasonable degree and working on getting more sure. We've got anti-virus (BitDefender) and anti malware (malwarebytes) running. I'm going to re-test turning all machines off and rebooting the router to see what happens. Do you know if there is some kind of windows phone home or amazon cloud account nonsense (we don't actually have an amazon cloud acct) that would keep identifying us to those services and attract attention, but not be scan-able by malware detection?
You are fine. That is normal background noise. Not really a DoS, just normal probes, which are not frequent enough to be considered a DoS. Ignore the terminology that Netgear is using. The slowness you encounter at times is likely upstream from you. You should expect it in the evening.
turn off all devices
turn on one pc and modem
insert your "AM I BEING DoS'ed LINUX BOOT DISC"
Read the results.
disc doesn't exist? wtf linux is useless then.
Is your Windows 7 Ultimate legitimate? Because I work on over 500 machines a year and have yet to find a PC with a legit copy of 7 Ultimate installed. If it doesn't have a COA it probably isn't, which means that the copy that is installed probably is compromised. YMMV, I am not your tech, etc.
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
Not wasting my time. As a result of the question, I'm reading some very interesting and useful comments here, including yours. Thanks.
The advice about recording transmissions sounds like good advice, and I've heard WireShark praised before for that kind of diagnosis.
If you do that, then you can identify what signals are coming from where. If it's a DDOS, of course, there will be a wide variety of different TCP addresses, but THAT is informative, too. Not directly helpful, but good evidence as to what is going on.
Don't be too sure that your anti-virus and anti-malware tools actually catch all viruses/malware. They are generally obsolete at the time they are released. They catch the ones known about at the time.
If the attacks are quite frequent, try booting off a live CD/DVD, say a recent KNOPPIX. (I think that has diagnostic tools. They don't all, so you may need a specialized distro.) That way you can be sure that nothing in the local software is causing the problem. And THEN record the results onto a USB stick.
P.S.: This is from theory. I've never actually experienced your problem.
P.P.S.: Did you release your TCP connection? I don't know how to do that under MSWind, which I'm guessing you are using, because you talk about being a gamer. But replacing your router won't automatically do that. It's probably done somewhere in network configuration.
More likely explanations:
1) Someone in the family downloaded something that installed an open BitTorrent client/tracker, and your network is being used to host pirate files, porn, and/or documents from a terrorist cell. Most likely just Miley Cyrus MP3s though.
2) You have uPnP open to the internet or one of your uPnP devices opened itself the internet.
3) Your kid publicized your minecraft server's IP address on YouTube.
4) You're being probed by random botnets.
The only way you'd be getting DDoS'ed is if someone paid a botnet. If you haven't pissed anyone that shady off lately, that's not it. Meanwhile, run Wireshark as described above.
I recently discovered that all my networking woes were not a result of crappy hardware or bad bandwidth or even unreliable coders. For over a year, my independent game company would be taken offline several times a day for a few minutes at a time. I tried Optimum Online Ultra 100/30 and FIOS 300/65. I tried static and non-static IPs. I tried DD-WRT on many flavors of Samsung, Dlink, Netgear, Asus, Linksys and more. I finally replaced everything from scratch and separated out processes to separate servers and bulletproofed my network as much as I could. I had figured out a way to measure the attacks and even solicited the #ddos channel in IRC so I could verify it was indeed DDOS attacks taking me out. I found it very interesting that I could go into a channel on IRC and request that someone send an attack to my IP. They were friendly for the most part. Some accused me of being FBI. Others said "here comes one for 30 seconds". They were happy to do it. I even told them how much I could measure. So then I did my research and found that there is NO DDOS mitigation on Cablevision's network (Optimum Online) and Verizon doesn't care much either. Verizon simply doesn't allow any customer interaction with their network group.
So I moved my servers to www.staminus.net and I didn't think they could do it. I was real skeptical but I am really satisfied with them. They give you real time DDOS mitigation and show it to you in real time. My servers are 100% up and no issues now. It's expensive but well worth it.
Here are some stats on what they were able to do.
Server ID  Destination   Start                     End                       Size         Rate
5357       72.20.56.151  Oct 12 10:20:54 PDT 2013  Oct 12 10:41:25 PDT 2013  2.51 Gbps    277,291 pps
5357       72.20.56.151  Oct 10 16:12:58 PDT 2013  Oct 10 16:28:03 PDT 2013  3.70 Gbps    361,590 pps
5357       72.20.56.151  Oct 10 15:24:14 PDT 2013  Oct 10 15:57:42 PDT 2013  5.90 Gbps    688,358 pps
5357       72.20.56.151  Oct 10 14:42:04 PDT 2013  Oct 10 15:23:19 PDT 2013  6.42 Gbps    907,457 pps
5357       72.20.56.151  Oct 10 11:51:50 PDT 2013  Oct 10 12:16:52 PDT 2013  2.21 Gbps    570,604 pps
5357       72.20.56.151  Oct 10 09:39:04 PDT 2013  Oct 10 09:59:23 PDT 2013  419.48 Mbps  459,619 pps
5357       72.20.56.151  Oct 9 16:14:04 PDT 2013   Oct 9 16:34:26 PDT 2013   368.30 Mbps  429,826 pps
5357       72.20.56.151  Oct 9 15:42:00 PDT 2013   Oct 9 16:05:31 PDT 2013   1.49 Gbps    562,022 pps
5357       72.20.56.151  Oct 8 07:48:53 PDT 2013   Oct 8 08:08:50 PDT 2013   4.27 Gbps    408,713 pps
5357       72.20.56.151  Oct 8 06:26:41 PDT 2013   Oct 8 07:02:15 PDT 2013   3.79 Gbps    927,643 pps
5357       72.20.56.151  Oct 7 21:37:04 PDT 2013   Oct 7 22:00:26 PDT 2013   9.54 Gbps    1,264,929 pps
Now I'm sure that I can still be taken offline but so far up to 10 Gbps has been shrugged off. That is just crazy!
For those of you who are curious, the gaming company is very cottage. www.t4c.com
Maybe he's got an insecure wireless access point? WEP can be broken rather quickly. Maybe someone's jumping on and using up all his bandwidth.
Swamping the upload will kill an Internet connection. Someone on my home network would run BitTorrent without any throttles. The 5 Mbps upload was hosed and making HTTP requests nigh-impossible. Fortunately, the router had some QoS features and they were limited to 100 KB/s up from then on.
My router also gives warnings like this all the time. It doesn't mean that someone is trying to attack you.
Physically disconnect all computers and my suspicion is that the messages will disappear. If that's the case just keep reconnecting computers and starting services until they come back again.
The ISP's speed test should be fine for judging the connection between him and the ISP. If he's actually being DDOSed, then that should slow down the connection to his ISP (during the attack). OTOH, if it's the ISP that has the problem, then you're right, that might well not reveal it. So both tests are useful, for showing different information.
Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.
Most folks that'd DDOS you aren't that sophisticated, and if they are there's really nothing you can do until someone decides to focus their malice elsewhere.
The best bet for the poster is mitigation. Talk to the ISP, let them know the situation, and start feeding them a list of IPs to block at their head-end. While you as a client only have X bandwidth before it overwhelms your DSL, they have X^n and are usually amenable to blocking malicious traffic before it screws-up all the clients in an area.
But, to repeat what's already been said. If the attack's following you to new IPs your only bet is:
- Factory reset the router, then plug it (and only it) in.
- Have it get a fresh IP
- Wait 30 minutes and see if an attack starts
- Plug-in a known safe device to check the router. Fixed devices like an iPhone or Android phone should work (unlikely that's what's compromised).
- Use the device to check the router and see what kind of traffic is happening
- Slowly start reconnecting your devices, one at a time, waiting a safe amount of time in between each.
If the router starts getting hammered without anything connected you could have a compromised router. Just last year thousands of routers were compromised that had too simple a password and remote access enabled.
If it starts after a certain device is plugged-in, time to track-down the culprit or (better) format the compromised machine. You're probably safe 90% of the time, but once a machine is rooted it's a good policy to never trust it.
If the router is getting traffic and you know it's safe, then you might be seeing an attack on your network segment. Only your ISP can help.
-Matt
No way they can trace you back in minutes after changing IP. You might have a trojan and the antivirus software is not picking it up; they are not 100% foolproof. Format and reinstall every computer, turn your mobile Wi-Fi off, don't let them connect to your home network and see how it goes.
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
Pray tell, good sir. If your time is so precious, what are you doing on Slashdot?
If a machine on your network has been properly pwned (and this is a lot more likely than you being the target of a DDOS) then running AV on top of the OS most likely won't find the malware...
Download and burn the Kaspersky Rescue CD, boot off that (a known-good OS) and scan your machines. Report back how much malware it found that everything else missed.
If you're participating in a DDOS (or otherwise maxing out your upstream bandwidth - torrents?) then uploading at the maximum throughput will have the side effect of dropping your download speed to the same as your upload speed.
Given the log you posted, you are most definitely not being hit with a DoS attack. You are barely taking any traffic at all, with only a few hits / minute
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
I mean look at that...there's 21 minutes worth of time passing in just 3 log entries, that's just plain old net noise.
It's more likely that your ISP is suffering backhaul congestion, or you are running a torrent client, or someone is DLing ultra pr0n at some insane rate or you left your wi-fi open and someone is hijacking it.
Go to http://www.speedtest.net/ and run a bandwidth check on your network.
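The timestamp argument made in this post (a few log entries spread over twenty minutes is scanning noise, not a flood) can be checked mechanically. The following Python is an added example, not code from the thread or from Netgear: it parses the router log format quoted above, measures the busiest one-minute window and the average gap between entries, and tallies source addresses and source ports. The sample entries are copied from the log posted earlier in the thread; the flood threshold of 60 entries per minute and the synthetic "flood" sample (host 203.0.113.7, a documentation address) are assumptions for illustration only.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: entries copied from the Netgear log posted earlier in this thread.
NETGEAR_LOG = """\
[DoS attack: ACK Scan] from source: 54.246.143.169:80 Saturday, October 12,2013 11:37:54
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 11:31:17
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 11:03:12
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 11:01:33
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 11:01:12
[DoS attack: ACK Scan] from source: 54.246.145.162:80 Saturday, October 12,2013 11:00:25
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Saturday, October 12,2013 11:00:01
[DoS attack: ACK Scan] from source: 176.221.80.2:80 Saturday, October 12,2013 10:59:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 10:45:17
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 10:25:43
"""

# Matches the Netgear line shape "[DoS attack: <kind>] from source: <ip>:<port> <weekday>, <month> <day>,<year> <hh:mm:ss>".
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+):(?P<port>\d+) "
    r"(?P<when>\w+, \w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)
TIME_FMT = "%A, %B %d,%Y %H:%M:%S"  # note: no space after the comma before the year


def parse_log(text):
    """Return (timestamp, ip, port, kind) tuples sorted oldest-first; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.strptime(m["when"], TIME_FMT), m["ip"], int(m["port"]), m["kind"]))
    events.sort()
    return events


def peak_per_window(events, window_seconds=60):
    """Largest number of entries whose timestamps fall inside any span shorter than window_seconds."""
    times = [e[0] for e in events]
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() < window_seconds:
            j += 1
        best = max(best, j - i)
    return best


def summarize(text, window_seconds=60, flood_threshold=60):
    """Rate statistics plus a verdict. flood_threshold (entries per window) is an illustrative assumption:
    a flood that actually saturates a DSL line would be thousands of packets per second, so a log that
    never reaches even one entry per second at its busiest cannot be the cause of a slowdown."""
    events = parse_log(text)
    if len(events) < 2:
        return {"entries": len(events), "verdict": "too few entries to judge"}
    span = (events[-1][0] - events[0][0]).total_seconds()
    peak = peak_per_window(events, window_seconds)
    verdict = ("flood-like: confirm with a packet capture, then involve the ISP"
               if peak >= flood_threshold
               else "background scan noise: far too sparse to be a DoS")
    return {
        "entries": len(events),
        "span_minutes": round(span / 60, 1),
        "mean_gap_seconds": round(span / (len(events) - 1), 1),
        "peak_per_window": peak,
        "sources": Counter(e[1] for e in events),
        # Source port 80/443 on an "ACK Scan" entry is consistent with late packets from a web server
        # whose connection the NAT has already forgotten, not with a deliberate attack.
        "source_ports": Counter(e[2] for e in events),
        "verdict": verdict,
    }


def make_flood_sample(n=120, per_second=2):
    """Constructed (not real) log: n entries from one host at per_second entries per second."""
    return "\n".join(
        "[DoS attack: ACK Scan] from source: 203.0.113.7:80 "
        f"Saturday, October 12,2013 12:00:{i // per_second:02d}"
        for i in range(n)
    )


if __name__ == "__main__":
    for label, text in (("posted log", NETGEAR_LOG), ("constructed flood", make_flood_sample())):
        s = summarize(text)
        print(f"{label}: {s['entries']} entries, peak {s['peak_per_window']}/min -> {s['verdict']}")
```

Feed the whole router log into summarize() rather than the ten lines embedded here; the verdict only becomes meaningful once peak_per_window is compared against what the line can physically carry, and a consumer router may also rate-limit its own log, so the packet capture suggested elsewhere in the thread remains the authoritative check.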
You are probably either the victim of a malware infection, or you're torrenting too much. If a machine on your network has been properly pwned (and this is a lot more likely than you being the target of a DDOS) then running AV on top of the OS most likely won't find the malware...
Download and burn the Kaspersky Rescue CD, boot off that (a known-good OS) and scan your machines. Report back how much malware it found that everything else missed.
If you're participating in a DDOS (or otherwise maxing out your upstream bandwidth - eg torrents) then uploading at the maximum throughput will have the side effect of dropping your download speed to the same as your upload speed.
So how does it feel to be a Sob of a Bitch?
Wish I could mod you up - OP read the parent of this post!
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
This is haughty and harsh. A lot of us are going to learn a lot from this. Yes, people with special expertise have to protect themselves, but we also have to raise the next generation -- a job that is failing us, as our chances for survival as a technically advanced civilization fade into the west.
Do you have Steam auto starting at powerup, and do you know how many games are attempting to synchronise their cloud backup data at startup?
My router has fits and sometimes reboots after powering up my win7 PC. Trying to eliminate what could be flooding it, and so far Steam appears to be the only likely candidate.
Point 1: The fact that you mention mac addresses and dos in the same question shows that you do not know enough about networking to assess this situation properly.
Point 2: Home internet connections don't get DOSed. There is no profit in it to justify the the effort or risk. Anyone with the skill and capability to attack a network most certainly has better things to do.
Point 3: All of your symptoms fit perfectly with a local problem. None of them match a DOS very well.
You very likely have a compromised PC or a PC running something like torrents/other P2P software that isn't properly configured. Use up all your outbound bandwidth either way and you will have exactly the situation described.
obligatory: wtf is this doing on Slashdot? It's a basic home user networking issue.
-Lod
If I had to guess, the modem is holding onto the same IP address regardless of what you do with your router. Take a weekend trip and unplug your modem in hopes that it will pull a new address when you return. You could go upstream to your ISP with the issue and suggest the tech release your IP and assign you a new one.
If the attack continues, then you have something inside your network leaking information to the attacker. And you will have to clean that up before you can resolve the problem.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
Unless the problem is internal (the source is something on your network), there's not much you can do short of contacting your ISP and having them null route the IPs. When you are being flooded with packets, even if you tell your router to drop all these garbage packets, they still have to travel along the wires to your router before your router knows to drop them. The problem is that your lines are saturated with this garbage data; you need to route these packets somewhere else that is not your network, which is how DDOS protection services work, but you can only do this with help from your ISP.
You are perfectly right.
That guy has no clue what he was asking; he has no idea what a MAC address actually is and what it is used for, likely the same for IP addresses.
If that guy was under a DOS or DDOS attack on a DSL line he would likely not get a single bit downloaded (yeah, exaggerating).
Can you spot any pattern in the IPs and times they appear?
Also, this is a long shot, but are you hosting any web pages? Big companies unleashing irresponsible crawlers can effectively DOS you without meaning to.
Further, and I know this isn't a comfortable question, but is it possible that someone in the house is logging on to certain gaming servers, and this is bringing about the attacks? If so, is there a way to get them to log in from other places?
Finally, where the hell is the NSA? Surely they're reading this thread. ;)
The problem with nerd-dom is that it's about mastery of the machine. The dirty secret is that the machine masters you. You judge yourself by how well you use it. That's a problem in itself.
However, that attitude results in an underlying nastiness in geek culture. Someone asks a question, and the first response most of you have is to attack the person for (basically) not being elite enough.
That's the attitude of a slave strapped to his machine, not someone who has mastered both machine and environment.
You alienate users this way, many of whom are smarter than you, and have transcended the need to be fascinated by flashing lights and silicon.
And more importantly, the so called "ddos mitigation" and other complicated firewall rules the router is doing will actually just be increasing the cpu load on the router and thus degrading the speed of your connection.
These routers are generally not very powerful, they might be fast enough to route traffic at line speed but once you force them to do extra processing on all the traffic they start to choke.
For the record: logs from a consumer router imitation mean jack shit.
They stuff all these sophisticated "attack detections" into these crappy devices that constantly bark at pure background noise so the customer feels he bought a good product because it's "constantly fending off the bad guys".
It's all fucking bullshit. You can't defend from a DoS at the edge device that's being hit because the packets already saturated your line when they hit it and there's nothing you can do about it.
My guess about the "article": Clueless armchair admin sees his suckass router barking at him and is making up some elaborate attack scenario because he knows shit.
Bit defender is probably half your problem. Having worked support and QA for a company that white labels it under another name at retail I'd say format the box and never install it again.
Try something other than bit defender. I've seen it cause all sorts of networking issues ranging from completely blocking all traffic internal and external to just slowing things down really badly. Extremely common issue with it and the other renamed versions of it on the market.
Bingo. Just as well try ditching BitDefender and at least getting rid of the extra white noise from their shifty software communicating back home. Considering it tends to miss a lot of infections, fail to remove said infections and bring computers to an absolute crawl, all the more reason to try something else. Honestly I'd just say use Microsoft Security Essentials - at least I've never seen it cause issues of its own yet.
If your IP changes, how would the attackers be able to guess the new ip so fast?
That's easy. Join my peer to peer game (say BattleNet) and I have your IP address.
DynDNS
Not trolling here, but how can you read the logs with everything turned off?
Are you using wireless or wired? Wireless congestion in your area can saturate the frequency such that you start getting huge packet loss. You might even start connecting a single computer via wire at a time and see if you see the issue with each machine or not.
OP should turn off his Bittorrent client and the problem will go away.
The real "Libtards" are the Libertarians!
I am not sure about DSL networks but there is another possibility I have seen on other types of networks. Is it possible there is a broken/infected computer/hardware on the same subnet at the ISP?
The user changes the MAC address and gets a new DHCP assignment from the ISP, which changes the IP address each time but is in the same subnet because it is in the same local geographical area. Whenever the router wakes up it finds out that everything on the subnet is getting slammed. The ISP should be able to figure this out.
Wireshark also should help but I would be tempted to do a live boot from CD to a machine that is only connected to the DSL modem then run it from there. Get everything else you know off the system.
Lots of DSL modems now have wireless access built in. If that is being abused by a neighbor that could also be the problem. Check that out and clamp it down if there is wireless there.
It could also just be a bad modem.
It happens even when our computers are turned off. I recently reinstalled Windows which had no effect. We both run BitDefender and Malwarebytes software. I've got the firewall rules in the router turned up to only allow certain ports. What else can I check to see if it's us as opposed to outside traffic?
The router. Bypass it.
Executive summary: Welcome to the real world. Everybody with an "always on" connection is getting this kind of crap, it's just that most people don't realize it.
Discussion: We have a cable modem for internet service. I run a SSH honeypot (Kippo) to collect information on folks knocking on our door.
Friday morning, my Kippo honeypot recorded a dictionary attack run of 291 SSH login attempts (against root) in 12 minutes (from 178.141.148.236, look it up if you want). I don't even bother to record the crap coming against port 80.
This isn't unusual, not even for an IP address in a residential cable block! And the more you look for this kind of activity, like running a honeypot, or even reviewing your router logs, the more bewildered you'll become, particularly about how "normal" people's computers survive under these continuous attacks.
The answer, of course, is that so many do not, their home computers rooted within minutes of being connected to the net, or when a child in the household (using a Windows account with admin privileges) clicks on some enticing link in IE... Their computer gets added to one or more botnets, and eventually they toss it out because it's too slow.
Suggestions: Make sure your network is as secure as you can make it, then ask for help to make it better. Help those you care about do the same. Friends don't let friends use IE (or windows) is a good start.
Seriously how did they find you?
Your computer has been compromised.
"If any question why we died, Tell them because our fathers lied."
Right, but have you gone into the game after changing IPs? Do you have a static/semi-static IP? Or dynamic?
Doesn't much matter *when* you are online --I'm saying as soon as you do go online it could be possible that if some component of the game, or even game/store client (I don't know if Steam or Origin do this) creates P2P connections. After changing IPs, as soon as that game/game client creates a new P2P connection, it's possible the attacker then knows your new IP.
Again, all depends on the game/client and I don't know which ones use P2P style networking to connect users.
PocketPermissions Android Permission Guide
Many ISPs will give you the same DHCP address if it sees the same MAC address. Often times the only way to get a different IP is to change your MAC.
However, if you are going through a home router, you have to change the MAC that the router advertises on the Internet side. Hopefully that's what he's doing. Some routers will also have the option of cloning your PC's MAC address for the Internet side.
Vonage VOIP Modem - Possible cause of problem. May be trying to phone home and overloading (check its IP on the local network). If it's the cause, you need to adjust the router to improve priority (QoS) for that device.
DirectTV - Another possible cause. Poor programming can cause the unit to send multiple attempts and not honor time-out/wait states
WiFi Extender - compromised/hacked/PoS unit
Last - to completely change your IP address, you need to shutdown the modem for 5-10 mins. A simple reboot doesn't work. Also do you have a static IP?
Finally, get rid of BitDefender and install MS Security Essentials. If that won't install, you either have an invalid license unless you homebuilt and bought Ultimate - Check here Links to MS DigitalRiver Win7 ISO images
http://forums.mydigitallife.info/threads/14709-Windows-7-Digital-River-direct-links-Multiple-Languages-X86-amp-X64/page72
Mod me up/Mod me down: I wont frown as I've no crown
Clueless armchair admin sees his suckass router barking at him and is making up some elaborate attack scenario because he knows shit.
How is it that someone who knows shit is dumb, but someone that knows his shit is smart? How does the ownership of the shit make one smart or dumb?
Learn to love Alaska
If the Windows computer is behind the NAT and no DMZ or port redirection configured (which is a case for a freshly reset modem router in router mode, not in a bridge mode) no [expletive] SYN should ever reach it without some program that opens the NAT for itself. And I strongly believe that it's the router that should protect your computer. So your post is basically irrelevant, you shall be assimilated.
you don't know how to use netsh /?
get the fuck out.
Your shit can give you a great insight into your general health, knowing it well would allow you to be more familiar with changes that could signal health issues. On the other hand, who wants to look at other people's shit?
Plenty of people are as smart as he is.
The issue is that there are plenty of stupid fucks, and we don't like them.
OK, I repeated the test of having everything turned off and rebooting the modem/router. This is what I got before any computer or other device was hooked in:
[DoS attack: ACK Scan] from source: 37.59.29.220:80 Saturday, October 12,2013 18:11:26
[DoS attack: ACK Scan] from source: 200.201.161.106:80 Saturday, October 12,2013 17:47:40
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 16:55:40
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 16:49:13
[DoS attack: ACK Scan] from source: 108.162.198.170:80 Saturday, October 12,2013 16:32:00
[DoS attack: ACK Scan] from source: 123.30.139.68:80 Saturday, October 12,2013 16:23:01
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 16:21:04
[Time synchronized with NTP server time-g.netgear.com] Saturday, October 12,2013 16:13:42
[Internet connected] IP address: Saturday, October 12,2013 16:10:17
[DSL: Up] Saturday, October 12,2013 16:10:13
[Initialized, firmware version: V1.1.00.07_1.00.07NA ] Saturday, October 12,2013 16:09:02
(P.S. Apologies for assuming your sex incorrectly)
This is Slashdot. In the future it's quick and safe to assume "None".
Wow, you figured that out fast. Need a tissue?
I had to dig a bit below level 5; but it looks like some other people are really on to your problem. It looks like maybe the router is just telling you something wrong, and slowing things down. A KISS router config might be all you need.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
And while something on your network being owned is a likely problem, that is not the only possible problem. You could have a bad nic that is spitting out bad packets. This is why we use managed switches on big networks.
If you have an old PC lying around or can borrow one, try putting up a real firewall, like pfsense. This will let you see more of what is entering and exiting your network. It doesn't have to be a permanent installation.
Cheap storage VM.
This intensity is NOT a DoS. You'd get a flood of messages every second, not singular attempts once an hour.
This is likely just usual - bots and script-kiddies scanning networks for vulnerabilities. I get a dozen or two of those scans every day as well.
Nothing to worry about, but it reminds you how the Internet is not a friendly place and how you'd better be updated and not showing out more ports than necessary.
Shitty connection is probably just that - a shitty connection, and your DSL's tech support would be more useful here. Call them when you're experiencing those slowdowns and try to troubleshoot it.
Go to Gibson Research Corporation ShieldsUP! website ( https://www.grc.com/x/ne.dll?bh0bkyd2 ) and scan your connection. Plug all the holes so that you have a full stealth on all ports.
And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.
I'll apologize for him. It is truly sad that there are people in this world who were not born knowing everything.
The really sad part is that you have to put up with the mortals.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
You have a lot of stuff on your DSL. Using Wireshark, you'll be getting a lot of local info. I'm just about certain your problem is local, and one of your devices is causing it.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
There are so many source ips here, that this is almost certainly an attack.
I agree.
The problem is NOT that someone is DDOSing you.
The problem is that you have "diagnosed" an occasionally slow internet connection as a DDOS attack without any expertise in the area to make such a determination.
This is akin to so many of my clients telling me that they have a virus because their computer is running slow (when it almost inevitably turns out to be something else).
At any rate what you need to know is that you will NEVER be able to properly diagnose the issue on a venue like /. The medium just does not lend itself to that.
What you need to do is hire a good consultant with networking experience to go over your system and correctly diagnose what the problem is. Yes it will cost you a couple hundred dollars to do that. Or you could live with the problem if it isn't worth that much money to you. Those are really your only sensible choices.
----- In Your Cubicle No One Can Hear You Scream...
Right now there are some large DNS amplification attacks going on. Set up a PC as a DMZ and run ethereal as others suggested, and see if it is excessive UDP traffic on port 53. If it is, it is probably botnets attempting to leverage a DNS server or forwarder on your network to flood their target. Of course, the botnets do not care whether or not you are actually running a public DNS; since it costs the operators nothing to fuck with your connection they are indiscriminate, and ISPs seem to not care about the issue.
DNS amplification: https://www.us-cert.gov/ncas/alerts/TA13-088A
The problem is while you can mitigate it somewhat by not serving up root DNS requests, DNS servers will still send a 16-byte NXDOMAIN response, not completely ignore the requests. To add to the problem you can't really block the requests (short of capturing the packets and reading them yourself) since the packets are spoofed; what appears to be the source is the client IP, which is actually their target. You can use either iptables or DNS rate limiting to limit the traffic you are sending out to their clients, but the incoming requests will still be coming in and there is no real way to stop that (they'll still be hitting either your router or DNS server). Here is a list of the iptables rules to drop the packets for these attacks:
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
The list is updated regularly but again the packets will keep hitting your IP; the best you can do is implement those rules to not compound the problem.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
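The comment above describes the two levers a home resolver actually has against amplification abuse (refuse recursion for non-local clients, and rate-limit the responses you send per apparent source) and the one it does not have (the spoofed queries still arrive). The following is an added simulation of exactly that, not code from the comment's author or from the linked rule list; the packet sizes, the documentation-range addresses 203.0.113.5 and 192.168.1.10, and the 100-queries-per-second traffic pattern are all constructed assumptions.

```python
from collections import defaultdict

# Illustrative sizes (constructed estimates, not measurements).
QUERY_BYTES = 64                        # a small spoofed query
ANSWER_BYTES = {"ANY": 3000, "A": 100}  # a large answer vs. an ordinary one
REFUSED_BYTES = 64                      # a bare REFUSED/NXDOMAIN-sized reply

def simulate(queries, is_local, limit_per_second=None):
    """Replay (time, source_ip, qtype) queries against a resolver policy.

    is_local(ip)     -> True for clients the resolver recurses for; every
                        other source only gets a minimal REFUSED reply.
    limit_per_second -> per-source cap on responses in any one-second
                        window (None = unlimited); the excess is dropped.
    Incoming bytes are counted regardless: the resolver cannot stop them."""
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0,
                                 "answered": 0, "refused": 0, "dropped": 0})
    window_counts = defaultdict(int)  # (src, whole second) -> responses sent
    for t, src, qtype in sorted(queries):
        s = stats[src]
        s["in_bytes"] += QUERY_BYTES
        key = (src, int(t))
        if limit_per_second is not None and window_counts[key] >= limit_per_second:
            s["dropped"] += 1
            continue
        window_counts[key] += 1
        if is_local(src):
            s["answered"] += 1
            s["out_bytes"] += ANSWER_BYTES[qtype]
        else:
            s["refused"] += 1
            s["out_bytes"] += REFUSED_BYTES
    return dict(stats)

def amplification(stat):
    """Bytes the resolver sent per byte it received from that source."""
    return stat["out_bytes"] / stat["in_bytes"]

# Constructed traffic: the spoofed "source" 203.0.113.5 (really the target)
# sends 100 ANY queries per second for two seconds, while a LAN host makes
# five ordinary lookups, one per second.
VICTIM = "203.0.113.5"
LAN_HOST = "192.168.1.10"
QUERIES = [(i / 100, VICTIM, "ANY") for i in range(200)] + \
          [(0.5 + i, LAN_HOST, "A") for i in range(5)]

def is_lan(ip):
    return ip.startswith("192.168.")

if __name__ == "__main__":
    open_resolver = simulate(QUERIES, is_local=lambda ip: True)
    hardened = simulate(QUERIES, is_local=is_lan, limit_per_second=5)
    for name, st in (("open", open_resolver), ("hardened", hardened)):
        v = st[VICTIM]
        print(f"{name}: victim in={v['in_bytes']}B out={v['out_bytes']}B "
              f"amplification={amplification(v):.2f}x dropped={v['dropped']}")
```

Run it and compare the two policies: the open resolver turns each 64-byte query into a 3000-byte answer aimed at the spoofed address, while the hardened one sends ten small REFUSED replies and drops the rest, yet the `in_bytes` figure for the victim is identical in both runs, which is the comment's point that the incoming flood itself cannot be stopped at your end.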
I was so guilty of that. Freaked out every time a single packet from anywhere would hit my home machine. Even had email alerts sent to my cell phone. That lasted about 48 hours when I decided I wanted to sleep. Wish I could send email back in time to myself. Eh, I probably wouldn't believe it anyways.
The modem side won't have an IP or MAC, it's a layer 1 device, but since it's a DSL router (layer 3 is for routers, you know, IP layer?) it will have both. You know, so the computer can chat with the router at x.x.x.1 or be routed to the other devices in the network by IP? If you have a combined device, and don't have enough access to its controls to change its MAC, then get it into a simple modem mode (sometimes called bridge mode) and hook up a single router that you do control as the first step in the network and feed all traffic through that router. This will, as a consequence of being a simple modem now, make only one of the ethernet ports active and probably/hopefully turn off its wifi if it has a radio. Then, you really can change your MAC on your router and just hit refresh to get a brand new IP from the ISP.
Now, one thing that hasn't been covered is whether all the traffic is at one port, or across a range or at random. That I noticed, I showed up late to the thread. If your ISP is giving you a NAT address (192.168.x.x or 10.x.x.x or a few others), and you have gotten one port at their outside linked to a certain port inside your network (streaming, gaming, etc) then a DDOS against your ISP could spill over to you every time someone outside tosses packets at the port you are attempting to use.
Lastly, a simple traceroute is still a useful tool. If you get to your ISP's network border without very large latency or packet loss, then the problem might be completely external to your network and just leaking in as described above. If you can't even get a ping to the first router beyond your modem, then the OP is being targeted. How? See the other posts.
You are being ratted out by some software inside your machine already. Could be anything and masquerade as anything, or nothing...simply be a hidden routine on a physical sector of your disk with pointers hidden inside the FAT in order to protect it from being over written. Every time it 'detects' an internet connection, it calls 'mommy', just like micro$$ does every time it is booted.
The problem with one device running wireshark and other devices all connected to a router is that, by virtue of IP, the wireshark running box won't see the traffic sent to the other PCs. You need to either set up a good Knoppix or Kali Linux boot disc device to act as a pass through, or get a cheap hub, or learn about ARP poisoning to get the traffic to first go to the monitoring box, then get passed along to the target device.
Ideally, your network would be a very simple DSL modem, not a modem+router. Just a modem or your router reconfigured to bridge mode. Then a hub, yeah, the dumb collision prone boxes are very useful still. Uplink of the hub goes to the modem, and your sniffing box and a good NAT+firewall router get connected to it. Then, behind that NAT and firewall goes your computer. Again, ideally, the sniffing computer will not have requested an IP address, will not even have put its ethernet port into anything but a passive state. Then you can start up Wireshark. After that, start up your machine you think is attracting the attacks. You can sort Wireshark traffic by incoming and outbound. And if changing the externally visible IP hasn't helped, you want to look at outbound to see what you are sending to who to get yourself noticed.
I have done exactly this, and it isn't fun or easy, but it did help pass a few Cisco network tests later. Once you get into packet sniffing, and ARP poisoning switches, and packet manipulation of those ARP poisoned packets, you can do all kinds of interesting things. Upsidedownternet doesn't have to be a proxy, it can be done with any switched network if done right. And then, after you graduate from wired networks to sniffing on wireless (and collecting large logs to break keys, or doing deauth attacks on your own gear to see how your modem+router and PC stand up) then you can start in on a whole world of fun and crazy bit-level cleverness.
disclaimer: I've cracked WEP back in the PCMCIA days of having a high speed 802.11b card (custom firmware to go into monitor mode) but it was on my own network or with permission (parents wanted to know how long it would take for a neighbor to borrow their wifi, I remember leaving the linux box running about an hour and a half, but sibling had lots of traffic going). WPA deauth attacks are the same way, don't screw with other people without permission. But once you have permission, go wild; showing my younger sibling their AIM chats when they thought 'the network is encrypted, you can't see me' was a hilarious way to spend my first summer home from college.
you can wait a few hours, then read the logs and look for stuff during the 'off' time.
Next, can you send us your IP address?
127.0.0.1
Does that help?
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Just because the router's log says 'DoS' doesn't mean it is a DoS. The timestamps are the giveaway. A real DoS would look like:
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:55:05
Notice how all of the time stamps are the same (I got lazy and copy/pasted; they would also be different ports and hosts in a DDoS but still the same second)? You'd have the log on any home router filled each second if you were being hit with 16 Mbps of ACK scans. Every time you loaded the next page, it would be a different, newer time stamp because the log overflowed. An ACK scan is just another computer punching your IP address into the browser window and asking "hey, is anyone at this address and port?" (effectively). And yeah, lots of those bots do check common ports like 80 to see if you report back that you have a webserver that they might be able to hijack. And Amazon cloud services have made spawning lots of bots pretty easy. But those are scans that are few and far between, and your router spent less than 1ms deciding to chuck each of those packets. And an ACK packet is generally tiny, next to no bandwidth usage. So think how many other packets could breeze through in the other 999ms of a given second (something like 15.9 Mbps, I think) that a single ACK came at you.
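The reply above makes its case from the timestamps alone: a flood fills the log within a single second, background scanning leaves isolated entries minutes apart. Here is an added Python example (not code from the thread or from the router vendor) that parses the NETGEAR-style lines quoted in this discussion and applies that reasoning to both the log the poster pasted earlier and a constructed flood sample. The flood sample uses documentation-range addresses (198.51.100.0/24) and the 10-entries-per-second threshold is an assumption chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches entries of the form quoted in the thread, e.g.
#   [DoS attack: ACK Scan] from source: 37.59.29.220:80 Saturday, October 12,2013 18:11:26
LOG_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<ts>[A-Za-z]+, [A-Za-z]+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)
TS_FMT = "%A, %B %d,%Y %H:%M:%S"

def parse_log(text):
    """Return the DoS entries of a router log as dicts, oldest first.
    Other lines (DSL up, NTP sync, firmware banner, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({
                "kind": m["kind"],
                "ip": m["ip"],
                "port": int(m["port"]),
                "ts": datetime.strptime(m["ts"], TS_FMT),
            })
    events.sort(key=lambda e: e["ts"])
    return events

def classify(events, flood_threshold=10):
    """Summarise the entries. A flood shows as many entries inside one
    second; background scanning shows as isolated entries minutes apart.
    flood_threshold (entries per second) is an assumed cut-off."""
    per_second = Counter(e["ts"] for e in events)
    peak = max(per_second.values(), default=0)
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "total": len(events),
        "distinct_sources": len({e["ip"] for e in events}),
        "peak_per_second": peak,
        "min_gap_s": min(gaps) if gaps else None,
        "verdict": "flood-like" if peak >= flood_threshold else "background scan",
    }

# The log the poster pasted earlier in the thread, copied from the page.
OP_LOG = """\
[DoS attack: ACK Scan] from source: 37.59.29.220:80 Saturday, October 12,2013 18:11:26
[DoS attack: ACK Scan] from source: 200.201.161.106:80 Saturday, October 12,2013 17:47:40
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 16:55:40
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 16:49:13
[DoS attack: ACK Scan] from source: 108.162.198.170:80 Saturday, October 12,2013 16:32:00
[DoS attack: ACK Scan] from source: 123.30.139.68:80 Saturday, October 12,2013 16:23:01
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 16:21:04
[Time synchronized with NTP server time-g.netgear.com] Saturday, October 12,2013 16:13:42
[Internet connected] IP address: Saturday, October 12,2013 16:10:17
[DSL: Up] Saturday, October 12,2013 16:10:13
[Initialized, firmware version: V1.1.00.07_1.00.07NA ] Saturday, October 12,2013 16:09:02
"""

# Constructed flood sample: 40 entries from four documentation-range
# addresses, all stamped with the same second.
FLOOD_LOG = "\n".join(
    f"[DoS attack: ACK Scan] from source: 198.51.100.{i % 4 + 1}:80 "
    "Saturday, October 12,2013 01:55:05"
    for i in range(40)
)

if __name__ == "__main__":
    for name, log in (("poster's log", OP_LOG), ("constructed flood", FLOOD_LOG)):
        print(name, classify(parse_log(log)))
```

On the poster's log the closest two entries are 117 seconds apart and no second holds more than one entry, so it is classified as background scanning; the constructed sample puts 40 entries in one second and is flagged flood-like. The same parser can be pointed at a longer export of the router log to check whether any second ever exceeds the threshold.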
Have you recently installed iTunes on a Windows box on your network? If so, you're DoSing yourself.
Your link seems to be bad, but I have messed with DynamicDNS before and it can be quite useful for those of us on dynamic IP addresses. Unfortunately, that which is useful can also burn us.
Once the traffic hits your router, it is too late - the pipe is full.
Contact your upstream provider.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Hello,
Since you mentioned the problem seems to have started due to issues arisen from dealing with people in online games, it seems likely that these people are attacking you after they see you log into those games. Even if the game is client/server based, there may be some mechanism for them to obtain your IP address (direct messaging requests, lookups to see if you are online, etc.).
So, my suggestion would be to stop playing the games (or even joining the networks hosting them, if possible) for a while and let the unsavory characters find other people to harass. You can then go play some different games on some different gaming networks. Eventually, they'll probably think they've scared you off permanently and drop you from their DDoS list, and you can go back to gaming on that network.
Alternatively, you could look into using a VPN to tunnel your game traffic to a box outside your network, but you run the risk of annoying the VPN provider if their network gets DDoSed. Still, that at least transfers the problem off your home network, and it could be the VPN provider is in a better position to mitigate the DDoS than your home ISP.
Regards,
Aryeh Goretsky
Dexter is a good dog.
Better yet, put a managed switch which allows port mirroring (or a hub if you are old school) in front of your router and run wireshark on the mirrored port going into the router. That way you will capture any package going to and from the router. Even packages stopped by and sent from the router.
reinstalling scumware OS' and half-assed "security" products are not good answers. either learn to love your servitude or put up a real firewall (linux/bsd based) in front of your router and use linux/bsd on your desktop machines. no offense but fyi, hooking up some freakin' windows boxes behind a consumer router and expecting to be good to go is ridiculous.
I have to ask what the living fuck is wrong with you people?
Who cares if he's actually being attacked or not? You're missing the entire point which is to discuss mitigation techniques.
Here is one:
Look into sysctl hardening if you're on linux, and you can configure SYN cookies, and other mitigation goodies.
The slowness likely is because using DNS relayed from routers is a crappy business. Set up your preferred DNS server as 8.8.8.8 and presto!
More often than not, slowness can be due to the DNS relayed by the house routers being *really* slow. Try to set up 8.8.8.8 as your DNS server.
You guys clearly are not even remotely familiar with the landscape of online gaming today.
DoS and DDoS attacks are so common in gaming today that it's nigh-unbelievable. Minecraft especially, there are groups of skids with booters, who purchase subscriptions to "stresser services" (EXTREMELY common), and even some I've seen who have their own botnets.
In most online gaming my personal experience is 3-5% of them have a stresser service they've bought or booter. Out of those about .01% have a no-bullshit botnet made with skid tools and tutorials online. I'm talking about 12-16 year olds I might add.
On minecraft I would peg it more at 5-10% with stresser services or booters, and about 1-2% of them have botnets. It's something I've encountered fairly frequently (I use a VPN for that exact reason in my teamspeak which has MC players.)
In our teamspeak which has nearly a thousand people from several games at least 5-6 DoS/DDoS attacks will take place. Most if not all will be minecraft-related.
So if you're into online gaming, especially PC, and ESPECIALLY minecraft, it just might be a DDoS.
Note: I am NOT saying it's a DDoS. But I am saying that you guys who dismiss it outright and don't discuss mitigation don't realize these attacks are not "serious" anymore. It's not just done by people with know-how, and a few script-kiddies who are slightly more advanced.
Literally any random kid with $2.99 a month can run an attack on you. If they managed to steal or buy a better account to a stresser? They can launch an attack for literally 45 minutes to an hour at a go, unlimited times, from a server. If you think I'm exaggerating as to how popular it's become google "buy stresser" or something. Look at how many of those services are around... and notice the way they advertise... nuff said.
If you are actually being DDoSed, or DoSed if it's from one IP (such as from a server in the above case) or a few, then you can make a few changes to your iptables. You can set it to drop all packets from a specific IP.
You're not being attacked, your ports are being scanned. Computers are checking if your network has any metaphorical doors left unlocked, and your router is pretending it's dealing with something dramatic by using the words "DoS attack" to describe it. Sorry, but did you not think of asking your ISP or hitting Google before asking a major tech news site?
"This is akin to so many of my clients telling me that they have a virus because their computer is running slow (when it almost inevitably turns out to be something else)."
Where are you finding these clients? It's always some sort of malware. And if you're faulting them for distinctions between malware you're just a dick.
[DoS attack: ACK Scan] from source: 37.59.29.220:80 Saturday, October 12,2013 18:11:26
[DoS attack: ACK Scan] from source: 200.201.161.106:80 Saturday, October 12,2013 17:47:40
So did any of you think that perhaps his firewall log is actually fairly intelligent? Perhaps he is being hit by a single IP at a time. Perhaps it doesn't spam every request made (since inevitably a DDoS would flood your log) and simply logs the attack entry, with basic info (IE ACK scan.) Also why does the router say DoS attack?
Just saying... weird stuff no one has explored.
That being said this isn't a DoS... obvious (to a non-lay-person as (no offense) the asker is) for a few reasons.
One IP makes it unlikely even from a stresser service.
No one would use ACK packets for a DoS. You use a syn flood to create a bunch of half-open connections or sockstress if you use TCP
Most skiddies use straight UDP flood DoS.
It is truly sad that there are people in this world who were not born knowing everything.
Lady Bracknell: I have always been of the opinion that a man who desires to get married should know either everything or nothing. Which do you know?
Jack: I know nothing, Lady Bracknell.
Lady Bracknell: I am pleased to hear it. I do not approve of anything that tampers with natural ignorance. Ignorance is like a very delicate exotic fruit. Touch it and the bloom is gone.
[Oscar Wilde: The Importance of Being Earnest]
Sorry, but did you not think of asking your ISP or hitting Google before asking a major tech news site?
If people knew how to Google, 1st level tech support wouldn't exist.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Well, we know the Dutch don't do anything but work 2 hours a day...which explains why YOU are on /.
you don't know how to use netsh /?
get the fuck out.
If you have nothing informative to contribute, why don't you do likewise? Since (as I just found out) that utility is exclusively the domain of MS environments, you can't reasonably expect everyone here to know about it.
Your LAN loses TIA/EIA specification compliance, what with Cat 5e superseding Cat 5 about a decade ago. Also, should you be forcing 1000+ Mbps over Cat 5, expect to see the unexpected.
If the OP's machine is at the end of any kind of DSL connection, the slowest part of the link is between him and his ISP, so this kind of bottleneck won't apply.
Good security covers everything: Even servers + endpoint nodes - my post helps ensure MORE of it.
* You sound like "PHB's" I've encountered who've never done the job hands-on... since IF you had? You'd have KNOWN that's good practice.
APK
P.S.=> Nothing irrelevant about good security - but there is about PHB trolls... apk
Does the issue start happening when you're on the phone? Vonage...
I fail to understand why the ISP should change my IP if I change my MAC.
The MAC address only affects the ethernet port going to my own network, in other words the ISP should never know or see it.
So does that happen? Perhaps we are talking about different things :D
Well, my network is simple: DSL modem, router, comps.
The DSL modem has the external IP address, my router is the endpoint of my 192.168.x.x network.
DSL modem and router talk to each other via PPPoE, the MAC of the router I probably could change, never checked that. The MAC of the DSL modem, which connects via PPPoE to my router, I can't change.
I don't know on what layer the DSL modem is operating, but certainly the modem is the one with the external IP address, or do I get that wrong?
Does my router somehow get its IP from the DSL during connection establishing? I think I remember that that was happening with SLIP.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Better yet, put a managed switch which allows port mirroring (or a hub if you are old school) in front of your router and run wireshark on the mirrored port going into the router. That way you will capture any package going to and from the router. Even packages stopped by and sent from the router.
This is so right, I wish I had mod points. If it really is a DoS attack, and you need to find out how they get your IP, then this is the only way. It could be a trojan checking in on IRC, or it could just be some dodgy "cloud service" from a bogus company. If someone has your gmail password they could even look at the IP log of where it was accessed from (this works the other way too)
I keep a hub around for exactly this purpose. If you don't have a hub or a managed switch, there is the option of a PC with two NICs. These are quite common on desktop motherboards. Boot a Linux live-CD and turn off NetworkManager, then look up how to bridge the two NICs (hint: brctl). It is best if you run some live distro which includes Wireshark, and which doesn't set up the NICs at boot. Look at the pen testing distros for this.
There are so many source IPs here that this is almost certainly an attack.
These log entries indicate a scan of some kind. Since the logged intervals are generally less than 20s, I would be disinclined to attribute this to a DDoS of any kind, as this amount of traffic is not unusual, and should slip under the radar of any (even barely) adequate DSL connection.
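To make the "scan or flood" question in the post above concrete, here is an added example that is not from any poster in this thread: it parses router log lines of the "DoS attack: ... from source ..." form, with constructed sample lines in the style of a consumer router's log (documentation IP ranges, made-up timestamps), measures how dense the entries are, and separates the one-hit-every-twenty-seconds case from a burst. The line format, the 100-entries-per-minute cutoff and the addresses are assumptions for the example. A router log only counts what the router chose to flag, so this tells you whether the log is worth worrying about; the real check for a saturated line is a packet capture or the modem's line statistics.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample lines in the style of a consumer router's "DoS attack" log.
# They are made up for this example (documentation IP ranges), not the poster's log.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source 203.0.113.7, port 443, Monday, Oct 14 2013 10:00:05
[DoS attack: ACK Scan] from source 198.51.100.23, port 80, Monday, Oct 14 2013 10:00:21
[DoS attack: ACK Scan] from source 203.0.113.7, port 443, Monday, Oct 14 2013 10:00:40
[DoS attack: SYN/ACK Scan] from source 192.0.2.99, port 22, Monday, Oct 14 2013 10:01:03
[DoS attack: ACK Scan] from source 198.51.100.23, port 80, Monday, Oct 14 2013 10:01:19
[DoS attack: ACK Scan] from source 203.0.113.7, port 443, Monday, Oct 14 2013 10:01:58
"""

# Assumed log format; adjust the pattern to the router's actual wording.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<ip>[\d.]+), port (?P<port>\d+), "
    r"\w+, (?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
)

# Assumption: fewer than this many flagged entries in any 60 s window is the scanner
# noise every Internet-facing address sees, not something that loads a DSL line.
FLOOD_PEAK = 100


def parse_log(lines):
    """Turn matching log lines into dicts sorted by timestamp; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "kind": m.group("kind"),
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events, window=60):
    """Density of flagged entries: peak per sliding window, spacing, sources and ports."""
    times = [e["ts"] for e in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    peak, j = 0, 0
    for i, t in enumerate(times):
        # advance j to the first event at or beyond t + window; j - i is the window count
        while j < len(times) and times[j] < t + timedelta(seconds=window):
            j += 1
        peak = max(peak, j - i)
    by_ip = Counter(e["ip"] for e in events)
    by_port = Counter(e["port"] for e in events)
    return {
        "entries": len(events),
        "distinct_sources": len(by_ip),
        "top_sources": by_ip.most_common(3),
        "top_ports": by_port.most_common(3),  # many sources on one port: leftover peers?
        "peak_per_window": peak,
        "median_gap_s": median(gaps) if gaps else None,
    }


def classify(summary, flood_peak=FLOOD_PEAK):
    """'background' for sparse scanner hits, 'burst' when entries pile up in one window."""
    if summary["entries"] == 0:
        return "empty"
    if summary["peak_per_window"] >= flood_peak:
        return "burst"
    return "background"


def make_burst_lines(count, ip, start, per_second=5):
    """Construct a synthetic burst from one source: `per_second` flagged packets a second."""
    return [
        f"[DoS attack: SYN Flood] from source {ip}, port 27015, "
        f"{(start + timedelta(seconds=i // per_second)).strftime('%A, %b %d %Y %H:%M:%S')}"
        for i in range(count)
    ]


if __name__ == "__main__":
    quiet = summarize(parse_log(SAMPLE_LOG.splitlines()))
    print(classify(quiet), quiet)
    burst = summarize(parse_log(make_burst_lines(300, "203.0.113.7", datetime(2013, 10, 14, 10, 0))))
    print(classify(burst), burst["peak_per_window"], burst["top_sources"])
```

The `top_ports` count is there for the case raised later in the thread of former BitTorrent peers: dozens of distinct sources all knocking on one former listening port look alarming in a log but are not an attack.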
My impression is that her internet connection just sucks. I realise this isn't very informative, so I'll add that her best approach might be to try ping tests to close servers (by IP address, then by name) to establish whether or not her DNS is working properly (maybe trying different packet sizes, in case her ISP is playing games). Then try an alternative DNS (either 8.8.8.8 or one of the FreeDNS servers) and see if that makes a difference.
The above will give an approximate indication of network responsiveness. To get an idea of actual speed, I would suggest using wget to download any portion of a large-ish file from her ISP's mirror site (assuming it has one) - I usually use an ISO image of any available Linux distribution, but anything over (say) 50MB will do.
If that speed looks close enough to advertised spec, then she should try the same procedure from a more distant server. If there's a significant discrepancy between this speed and that from the earlier test, then this could indicate that her ISP just doesn't have enough bandwidth available to the outside world.
HTH...
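The ping-by-IP, ping-by-name, larger-packets, then-download procedure above, as an added example (not the poster's script): the parser reads the summary lines that Linux `ping` prints, `verdict` reads the three probes together and says which component is at fault, and `throughput_mbit` converts a timed download into a number to hold against the advertised rate. The ping transcripts embedded below are constructed for the offline demonstration, the target addresses and the 3x "large packets are slow" ratio are assumptions, and `run_ping`/`check_connection` need a real network.

```python
import re
import subprocess

# Summary lines printed by Linux iputils ping (BSD/macOS wording is also accepted).
STATS_RE = re.compile(
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) (?:packets )?received, "
    r"(?P<loss>[\d.]+)% packet loss"
)
RTT_RE = re.compile(
    r"(?:rtt|round-trip) min/avg/max(?:/mdev|/stddev)? = "
    r"(?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+)"
)

# Constructed ping transcripts for the offline demonstration (not real measurements).
PING_SMALL_OK = """\
--- 198.51.100.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 11.2/12.5/14.0/0.9 ms
"""
PING_NAME_FAIL = "ping: mirror.example.net: Name or service not known\n"
PING_BIG_SLOW = """\
--- 198.51.100.1 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4010ms
rtt min/avg/max/mdev = 41.0/190.3/300.2/80.0 ms
"""


def parse_ping(output):
    """Return {sent, received, loss_pct, avg_ms}, or None when ping printed no summary
    (unresolvable name, no route)."""
    m = STATS_RE.search(output)
    if not m:
        return None
    result = {"sent": int(m.group("sent")), "received": int(m.group("recv")),
              "loss_pct": float(m.group("loss")), "avg_ms": None}
    r = RTT_RE.search(output)
    if r:
        result["avg_ms"] = float(r.group("avg"))
    return result


def run_ping(host, size=56, count=5, timeout_s=2):
    """Run the system ping (Linux iputils flags). Needs a network; not used offline."""
    cmd = ["ping", "-c", str(count), "-s", str(size), "-W", str(timeout_s), host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_ping(proc.stdout)


def verdict(by_ip, by_name, big):
    """Read the three probes together: small packets to an address, the same host by
    name, and large packets to the address. Returns a list of findings."""
    notes = []
    if by_ip is None or by_ip["received"] == 0:
        return ["unreachable by IP: the line or the upstream is down, DNS is irrelevant"]
    if by_ip["loss_pct"] > 0:
        notes.append(f"{by_ip['loss_pct']:.0f}% loss on small packets: line errors or saturation")
    if by_name is None or by_name["received"] == 0:
        notes.append("reachable by IP but not by name: the resolver, not the line, is failing")
    if big is None or big["received"] == 0:
        notes.append("large packets never arrive: MTU/fragmentation problem or a filter on big packets")
    elif by_ip["avg_ms"] and big["avg_ms"] and big["avg_ms"] > 3 * by_ip["avg_ms"]:
        notes.append("large packets far slower than small ones: upstream saturated or shaped")
    return notes or ["latency and loss look normal; measure throughput next"]


def throughput_mbit(byte_count, seconds):
    """Mbit/s from a timed download (e.g. wget of a distro ISO from the ISP mirror)."""
    return byte_count * 8 / seconds / 1_000_000


def check_connection(ip, name, big_size=1400):
    """The whole procedure against live hosts; needs a network."""
    return verdict(run_ping(ip), run_ping(name), run_ping(ip, size=big_size))


if __name__ == "__main__":
    for line in verdict(parse_ping(PING_SMALL_OK), parse_ping(PING_NAME_FAIL), parse_ping(PING_BIG_SLOW)):
        print(line)
    print(f"{throughput_mbit(50_000_000, 100):.1f} Mbit/s for 50 MB in 100 s")
```

Run the near-server and far-server probes with the same functions and compare the two throughput numbers; a big gap between them is the ISP's transit, not your line.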
Set up your preferred DNS server as 8.8.8.8 and presto!
Just for the record, Google's public DNS can be useful as a diagnostic tool for comparison, but in general you would optimally use the DNS closest to your router (assuming that DNS actually works OK - if not, then whine to your ISP and use one of the OpenDNS servers). Anyone who cares even slightly about Google logging and passing on data about your traffic should NOT be using 8.8.8.8 as their DNS.
Because the ISP uses DHCP. Please go learn how DHCP works - it leases an IP address to the MAC address, otherwise how else can it communicate with a device that doesn't have an IP address? That MAC address will then be stored on the DHCP server until the lease expires. So if you change the MAC address of your router, suddenly you'll get a new IP address because the previous IP was leased to a different MAC. Change the MAC back and you'll have the previous IP address, if it hasn't expired yet.
Source: I used to work for a large ISP.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Seriously, educate yourself. Why is this on the Slashdot homepage.
But that could only be the MAC address of my router's port that is connected to the DSL modem, not the MAC address used inside on my network. ...
I wonder if it is even possible to change the MAC address of the PPPoE side of a consumer grade router.
However, you are right regarding DHCP and the link to MAC addresses; I just did not assume that the DSL modem would be involved in any DHCP protocol.
You are quite correct, it's the MAC address of the router, and it's for this exact reason that most home routers let you change the MAC address (as some ISPs are particularly fussy about a MAC address changing).
I'll be honest, I'm not 100% certain how it works in a PPPoE environment because in the UK at least, very few ISPs actually use PPPoE and it's generally possible to change your equipment whenever you want. Our big cable ISP is the exception to this and you HAVE to use their equipment, but you can just treat it as a dumb modem and the router just connects via Ethernet and the DHCP requests are forwarded on.
In any case, while I agree that the OP is lacking in some basic networking knowledge, I do think they're likely correct in what they're saying about MAC changing causing an IP change.
dont be an asshole
Hehe, when I'm at home again, I'll try it. In my opinion, in my case the router behind the modem should be invisible to my ISP, but perhaps it is not. Sorry, I only know the very basics about TCP/IP and not how this 'bridging' from the DSL side into the Ethernet world actually works.
Thanks for the info!
indeed, the MAC address and the ip-address are the two things that can identify you uniquely on the internetz. ... ...
also, to be denial-of-serviced, your ip address doesn't have to be the target.
if you're on DSL, the deniers can just mob your DSLAM. like a tree, the branches extend from a single trunk, the DSLAM, to each DSL customer, and if the deniers have enough bandwidth they can just mob the trunk to the DSLAM. in this case everybody serviced by the mobbed DSLAM should have a problem.
also, i'm not sure you can just ARP ping the internet and ask what the ip-address of a MAC address is.
furthermore, even though wireshark shows me the ip-address source of an incoming connection, the corresponding MAC address is always my DSLAM's MAC address...
the feature of "to be easily found in the vast internet" is not easily implemented. mostly it is implemented via a fixed ip-address -or- by applying for a so called domain name. other more obscure possibilities exist.
one of these is a program that "phones-home". like every mobile phone "phones home" to report to a central "switch" its location so another mobile phone call is routed to the correct tower tip and out thru the air
my guess is that it's an infected computer on the local network that keeps telling the mobsters where it is located.
to test this, one would need access to an alternative ISP's network and hook up one's own LAN to that (via dsl-modem-gateway or to a willing neighbour's wifi) and see if the mobbing commences again.
I think others who have suggested outbound traffic are likely on the right track. I had an issue that plagued me for weeks and it turned out to be a program called "Cubby" which is similar to dropbox but made by the same people who make logmein. For whatever reason it was indefinitely syncing a file or folder and completely maxing out and crashing my connection. My ping would spike up past 2-3k ms, browsing was difficult, games were unbearable.
I would really recommend checking for outbound traffic that you may not even consider malicious. I thought I had checked everything, and then I started closing all my programs one by one, even the ones I was sure were fine. Even looking at the program it didn't look like it was syncing, but it had to have been doing something because the second I closed it the problem stopped and never came back.
Have you checked your wireless network or changed your (I presume) WPA key? You may have been compromised. And don't use WEP. Never use WEP. Use the highest level of WPA that your router supports.
I tend to agree with everyone here; it's more likely you have a zombie or rogue machine on your network. Best way to find it is either Wireshark as mentioned before, or simply take a known good machine... a friend's computer and attach ONLY that to the newly renamed/repassworded wireless access point. Test for a while and see how that goes, then start connecting other devices one at a time. Test for 30 minutes or so on each machine and when the problem reoccurs then you have your zombie.
Have you considered that you might be paranoid? You might go to the doctor and get checked out.
First to the AC above: That link was intentionally mangled just to give an example of what a bunch of pissed off gamer hackers might say. And yes, a wider example is the Internet itself! ;)
To your comment: The entire point is to have a discussion on this topic and related topics. My comment was towards the ease of setting up something simple like an automatic DynDNS updater and the simple stuff should never be ignored. This is extremely relevant to the discussion and falls in line with other suggestions and testing devices singly. Setting up your OS to mitigate attacks is all to the good but if they can find you because you're giving your IP away on each change they can still overwhelm you.
Horror & SciFi Erotic Nudes
When a slow home connection gets DDoSed, the expected result is that you can't even reach speedtest. We ran an irc network, so I have experience with this. If you can consistently get 1 - 2 Mbit/s, you are not getting DDoSed. I agree with other posters that it's more likely you're participating in a DDoS, or bittorrenting. This is also a really easy explanation for how they "find" you: either "they" don't exist and are claiming responsibility for what someone else is doing, or "they" run the malware on your computer.
A "commercial grade" router would not help if you were actually getting DDoSed. Only filtering upstream of the DSL could help, were that the case.
Bummer I'm late. I see you have a wireless network and extender. If you are still around can you answer some questions for me?
1. Have you shared your wireless password with anyone?
2. Do you have a minor in the house that may have shared your wireless password with anyone?
3. Do you even use wireless security? If so, WEP, WPA, or WPA2?
4. Did you change the password when you installed the new router?
5. Have you noticed by chance that your wireless connection occasionally connects to the main router rather than the extender?
6. Although not wifi related, I'm curious. When you re-installed Windows did you immediately search for and install updates or did you let it do it on its own?
All of the Linksys routers I've ever used support MAC address spoofing in the default firmware. I think it's labeled "MAC Address Cloning". The reason for including such a feature is probably to facilitate swapping out routers without having issues with the ISP seeing a new MAC address.
For example, my ISP allows 2 IPs per home connection. This means if I connect 3 machines to the modem (through a switch), only the first 2 successfully get an IP via DHCP; the third never gets a response. The funny part is upstream tracks the MAC->IP relation while the *MODEM* tracks how many it has given out, so if you have routers Alpha and Bravo connected, then disconnect Bravo and replace it with Charlie, Charlie won't get an IP address unless I power-cycle the modem (trust me, I've done that a FEW times).
Allowing customers to clone the MAC of their previous router just avoids a whole bunch of issues.
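The "MAC Address Cloning" feature described above, as an added example rather than anything posted in the thread: on a Linux box acting as the router (or any router whose WAN port you can script), this is the address check and the iproute2 commands that the feature wraps. The interface name `eth1` and the addresses are assumptions; the `ip link` commands need root and a real interface, so the script only prints them. Because the ISP's DHCP lease is keyed to this MAC, setting a new one is what makes the upstream hand out a different address; putting the old MAC back before the lease expires gets the old address again.

```python
import re
import secrets

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return colon form."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def first_octet(mac):
    return int(normalize_mac(mac)[:2], 16)


def is_unicast(mac):
    """Bit 0 of the first octet clear: an individual address, usable on an interface."""
    return first_octet(mac) & 0x01 == 0


def is_locally_administered(mac):
    """Bit 1 of the first octet set: not from a vendor's OUI block, chosen locally."""
    return first_octet(mac) & 0x02 != 0


def random_local_mac():
    """A fresh address that is unicast and marked locally administered, so it cannot
    collide with a vendor-assigned one. Use this when you want a new lease, not a clone."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE  # set local bit, clear group bit
    return ":".join(f"{x:02x}" for x in b)


def clone_commands(iface, mac):
    """iproute2 commands to put `mac` on the WAN-facing port (needs root; interface
    goes down briefly, which also drops the current PPPoE/DHCP session)."""
    mac = normalize_mac(mac)
    if not is_unicast(mac):
        raise ValueError(f"{mac} is a group address and cannot be an interface address")
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
    ]


if __name__ == "__main__":
    # Assumed: eth1 is the port facing the DSL modem; the old router's MAC is made up.
    print("\n".join(clone_commands("eth1", "00-11-22-33-44-55")))
    fresh = random_local_mac()
    print(fresh, is_unicast(fresh), is_locally_administered(fresh))
```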
Look for old or frayed cable in your living space. The same problem happened to me but it turned out to be poor/old/frayed cabling throughout my apartment. Once replaced, my speeds jumped back to, and sometimes exceeded, the minimum 30 Mbps (I pay for a boost product offered by our ISP).
If you want to know what a normal log looks like for your ISP, ask one of your neighbours who has the same ISP if you can download their logs (preferably with the same model of router) and compare them. It's hard to find a possible attack in a log file if you don't know what a clean one looks like first!
LOL
I just have to say 'thank you' for typing what I was going to type.
Actually, I did both. Condescension won't keep this site popular. My ISP said it seemed like a problem but they would only help if I went to the FBI and then they'd work with them on investigating it. Google turned up a zillion things completely unrelated to home networks. Oddly, a solution that would work for IBM wouldn't work for me.
I'm not getting 4 or 5 of these a day, those were simply the few that I got before any computers were even turned on in the network. I get hundreds of those each day, and posted a chunk of that earlier on.
No, we don't have Steam configured to start with Windows. I'll check if anything else might be configured to silently start up.
Or it could be that his kids are running bittorrent. ;-)
Wow...that's my address, too; maybe that explains why I'm getting all of these emails about "Make her happy by growing your...".
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
I see you have a combo DSL modem/router. I prefer separate modem from router, but it should work. That does not mean that it has not been hacked.
Same here, but it is not always an option. (It wasn't in my case, at least. I even had an unused DSL modem lying around.)
It's not the years, honey, it's the mileage. - Colonel Henry Walton Jones, Jr., Ph.D.
Or Smoothwall. Easy setup, easy interface. Although, please note that first you will need that PC to have TWO network cards, not just the usual builtin one (although one card and builtin should work).
What does "ACK scan" mean? A half-open connection that is never completed? One every 20 seconds will not hurt your connection. Without details of what "ACK scan" means, this log message is only wasting your time.
I guess the short answer to all this is: Use a VPN next time :)
Yeah, that was supposed to be for me. Sorry. Should I forward these "are you looking for translove?" emails to you?
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Crap...now I have to look up "translove".
Huh...Encyclo says:
... (05 Mar 2000) ...
Look up: Trans Love
transference love
Love expressed by the patient for the psychoanalyst as a manifestation of transference.
Found op http://www.mondofacto.com/facts/dictionary?transference+love
transference love
Type: Term
Definitions: 1. love expressed by the patient for the psychoanalyst as a manifestation of transference (3).
Found op http://www.medilexicon.com/medicaldictionary.php?t=93242
Guessing that isn't the meaning you meant...so - using the meaning implied by the conversation thus far - nah, don't think those were any more my emails than the ones on "Make her happy..." were yours.
Thanks for confirming my suspicions... The new generation of script kiddies think little of being major pains. They've grown up in a world with no real feedback -- they don't have to see your face, nor be afraid of reprisals...
Gaming DoSes? Witnessed first-hand a site down for 2 weeks over some 16-year-old being told to read the rules (which he'd violated in multiple ways) -- not that he was told in anything remotely, what I would call, a polite manner (i.e. the site "asked" for the treatment they got...). It was trivial though for him to just fly off the handle over a slight magnified by adolescent hormones and lack of experience. He was only stopped because the site had international members and one finally drove to the city where the kid lived and talked to his parents...
The BIG problem is that you (original poster) CANNOT stop or deal with the DoS on your end. It doesn't matter what you do with your router -- by the time it hits your router, the connection from your ISP to you has already been saturated. Do the Wireshark thing(s) and gather evidence, but enlist your ISP's help -- technically, it is your ISP that is relaying the packets to your computer -- and if the traffic can be characterized, they could put in a filter at their end to disallow incoming traffic that fits some abusive pattern (with the idea that the filter would be a temporary solution)....
Good luck!
We all get hundreds of those scans every day. My router doesn't even keep track of them. I get lots more other attacks. I see 10-100 attempts to log onto my ssh port, every single day. What you showed shouldn't cause you the slightest performance problems. It's possible your DSL connection sucks and these "attacks" have nothing to do with it.
I'm betting someone has set max connections on their torrent software too high myself ;)
That would match up with everything on the list of symptoms just fine.
What is there besides MAC address and IP address to latch on to?
When you are assigned a different IP address by your ISP, does a reverse DNS lookup for your IP show the same or a different FQDN? I'm pretty sure I've seen at least one ISP update rDNS entries so a customer specific domain name always points to them, regardless of assigned IP. If that's the case, you can change your IP as often as you like but you'll always be reachable by the same FQDN.
Bittorrent activity can cause what look like DoS attacks if you aren't running your client. You get a lot of former peers attempting to access a torrent, but since your client isn't listening it looks like an attack. That's happened to me quite a bit, and I have a feeling that some of the offending peers may not have been entirely honest.
I had a similar issue while gaming. Never thought it was a DDoS though. Remember you share your connection to some extent with your neighbors. Ask around and see if others are having an issue as well. Once you have that ammo, make one last call to your ISP; if you get no love there, head to the Better Business Bureau, that's what finally "fixed" it for me. Ended up being one of my neighbors' infected PCs slowing the whole neighborhood down. Been great ever since.
It seems that a lot of /.ers are writing this off very quickly as something other than a DDoS. For those of you who are unaware, DDoSing in gaming is becoming very big very quickly. If you game at a high level of competition at all, you have most likely seen it quite a bit in recent years.
My knowledge of DDoS in gaming is fairly limited, but what I can tell you is that nearly every single instance I have seen has been related to Skype. Somebody most likely has your Skype username and is using it to obtain your IP address.
Log off Skype, and close any other applications while you're at it (other than your game). Turn the modem off for a few minutes then turn it back on. Your IP should be changed now and you should be safe (unless your router is doing DDNS updates or something along those lines).
Point your DNS back at the attacker's IP - then they can attack themselves.
A DSL modem is actually a layer 2 device. Anything with a MAC address operates at layer 2. Layer 1 is just what it sounds like - physical stuff like cabling, etc.
+1 to this.
Put your modem/router in bridge mode if at all possible so it is not doing anything other than acting as a modem (i.e. no NAT, no IP services running on it, no nothing). Then connect a single machine directly to it and boot that machine from a LiveCD so you can be certain you aren't running any type of malware, etc. Does the problem go away? If yes then you've demonstrated that the problem is on your side. If not, fire up wireshark and look at what you see for things that shouldn't be there.
If his PUBLIC ip address is set on the PC and he isn't NATTED, he will see all of the "DDOS" traffic.
No need for any redirection tricks.
You aren't the only one. Back in college, IT recommended a certain free firewall program (I don't remember what it was anymore), that popped up alerts every time it detected something: being a resident computer geek I got to hear of all sorts of reports of blocked 'pings' 'network-share requests' and other normal non-hacker related activity that commonly goes on in any network. Students weren't frightened since they had their firewalls up, but they wanted to find and stop these hackers trying to break into their machines.
Later the computer lab was shut down when a 'hacker' sent 14 packets (the number became legend) that a jumpy teacher flagged as an attack, but was actually a student doing routine maintenance on his own server.
#1 of 2 - You overlook the fact that routers have backdoors http://it.slashdot.org/story/13/10/14/0120221/d-link-router-backdoor-vulnerability-allows-full-access-to-settings (PRIME EXAMPLE THEREOF, is in that link, & VERY currently) or get hacked sometimes.
#2 of 2 - You can't "bridge" all modems either (since many aren't TRUE routers & bind by MAC address in their config) - I've done it on VERIZON DSL for example (in bridge to a LinkSys true firewalling NAT stateful packet inspecting ROUTER/firewall) but it can't be done on TimeWarner RoadRunner cablemodems.
* Your BIGGEST MISTAKE though, is overlooking the best thing we have going in security: "layered-security"/"defense-in-depth"!
( & THAT means covering ANYTHING & EVERYTHING possible (down to servers & endpoint nodes in printers, desktop clients, etc.)).
APK
P.S.=> So, downmodding my post for YOUR negligent methods is the best you've got? Please... you have NO idea how long I've been doing computer security (or programming around it) - I'd wager it's longer than you've been ALIVE... apk
Actually, the modern higher end router is plenty powerful - they generally have lots of RAM (128+MB isn't unusual, way more than Linux needs for NAT), lots of CPU and fast networking ports.
Heck, the latest generation are nearly pushing 1Gbps in software. (The generation before was pushing 700-odd Mbps full bore), and we're at 930Mbps or so. This is just pure NAT, mind you.
There's plenty of headroom to do some firewall processing even if it cuts down your speed by half - other than a few select places, you're not getting anywhere close over 100Mbps bi-directional.
I was told that anyone on Teamspeak can see your IP address.
The MoDem (modulate/demodulate) is a layer 1 device. Most DSL "modems" are also routers or switches, and then have a MAC and maybe an IP address. A rather old, dumb DSL modem will not have those and will require a USB (or serial or JTAG) connection to access its internals.
Okay, I went offline for a while so this is late. You say your router speaks PPPoE to the modem; not technically true. The PPPoE is being sent to your ISP (I hope, or your connection is really hare-brained) to verify that you have an account. The signal goes through the modem, over the phone lines, and to the ISP servers.
Now, the important thing to think about is "what is the first device in from the wall that you can access via an IP address?" If you can bring up the modem's configuration by an IP (10.x.x.x or something) then the modem is not a simple modem, but a modem+router device. It may only present that internally, but if it allows you to change its MAC on the external side, then that's the only MAC that needs changing. If the modem is dumb, then you change the MAC on the external side of the router. If your DHCP requests are going from your computer, through the router and being answered by the ISP (not likely with a 192.168.x.x internal address, but hey, it's possible) then changing the computer's MAC should get a new IP from the DHCP server; but this is a highly unlikely configuration.
Lastly, in all likelihood since you mention the router being 192.168.x.1 and I guess having an externally accessible non-NAT IP, then yes, your router is getting its IP from your ISP when the router comes online and refreshing that every . . . it depends on your ISP how often that is. The IP is not being given by the modem UNLESS the modem is also a router with DHCP service built in; in which case it's the device you need to focus on. Vaguely similar to old SLIP lines, but they used IPCP instead of DHCP, if memory serves.
Unless the modem isn't a dumb modem and is a modem+router, like most ISPs provide nowadays. OP seemed to know the words of networking, but the info presented was so off the wall that I had to simplify things a little bit. So I guessed that, possibly, the device that was being called 'the modem' might have been a more complex device, which would handle DHCP to the ISP externally (and have a MAC) and also do DHCP internally for other devices. Or the modem might be 'just a modem' and, yeah, the physically separate 'router' would have its DHCP requests passed to the ISP.
I've never worked for an ISP, but I used to phone up my small town ISP and fix their DHCP configs when things broke. When the gateway is 192.4.x.1 and the DNS is listed as 19.24.x.2, it's an easy problem to fix but sometimes hard to track down at 3 am. IP address changed to protect the guilty. Anon because I'm getting tired of necro posting, I was on a short vacation.
Like I said, anything with a MAC address is running at layer 2 at the very minimum. Almost everything with an Ethernet port has a MAC address. A DSL modem certainly does (it could not participate in an Ethernet network otherwise). Further, DSL itself is defined as a layer 2 protocol and a DSL modem is most definitely making use of the DSL standard. A standard DSL modem won't get to layer 3 but anything that does any type of routing and/or NAT will. So your standard DSL modem that's acting as nothing more than a network bridge is a layer 2 device, but I imagine you rarely see those anymore; probably everyone's pushing DSL routers nowadays.
I don't doubt that needing a MAC makes it a layer 2 device. I was arguing that if it had a MAC, it is probably capable of being connected to and is more than likely a layer 3 device. A modem can act just fine as a portal between Ethernet and SomethingElse without existing at layer 2. The Ethernet device only sees the MAC and IP of the router/other device beyond the modem, and sends a packet out the uplink port. You even mention a network bridge, which were, in Ethernet cases anyway, invisible layer 1 devices with no MAC, that were just signal amplifiers. As for DSL being spec'ed as a layer 2 protocol, that's outside my personal realm of specialized knowledge. The behavior of a modem does not require such, since it just converts from one physical layer to another. See http://www.linfo.org/physical_layer.html and http://en.wikipedia.org/wiki/Physical_layer for where I pulled opinions to back my knowledge from old Cisco classes. Now, in searching, it seems that the ADSL spec does lay out layer 2. Since ADSL has basically replaced DSL, maybe that's where our confusion lies.
Sorry, I likely was unclear. :)
My modem is a dumb DSL modem.
My router talks to it via PPPoE; what I don't know is whether that goes straight through to the ISP.
The IP address of my router, 192.168..., is ofc my own internal IP address, which I have configured myself.
The external one is a 188.x.y.z; what I haven't checked yet is whether I actually can change my external MAC address.
Thanks for the info nevertheless; always nice to get some insights from an expert.
Well, ADSL is a form of DSL, like SDSL and HDSL are; it's just probably the most common form. So DSL in and of itself doesn't really represent a specific standard.
If you take the dumbest DSL modem and plug it into a computer and then look at the entry in the arp table for the computer's default gateway (which is probably the DSLAM or another piece of equipment in the CO), you'll see an entry for the gateway's IP, but it'll correspond to the modem's MAC address.
There is layer 2 equipment you can buy that will truly act invisible at layer 2, but it's not what you'd get from the phone company. One reason for needing true transparency at layer 2 would be if you wanted to trunk across a WAN link (i.e. you have a switch on each side and you want to maintain VLAN awareness on both sides of the WAN). You can't do that without special proprietary protocols if each switch doesn't see the other switch's MAC address as directly connected.
As far as your comment about a network bridge, you're not quite correct there. A bridge does indeed operate at layer 2 because the primary function of a bridge is to segment networks based on layer 2 addressing. Think of a bridge as a two port switch, because that's exactly what it is. If you replaced the word "bridge" with "hub" then your statement would be dead on.
In the old days when networks were built around hubs instead of switches people used bridges to segment networks. If you had 1000 ports on a LAN and the LAN was based on hubs, that meant that every frame from every computer would go to every other computer on the LAN. You can see how this would quickly become unmanageable. Bridges would be placed between hubs and keep track of the MAC addresses they saw on each of their two ports and only forward frames if the destination was on the other port, or the destination was unknown.
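The two-port learning bridge described above, as an added example that is not from the post: a small simulation of the learn, then filter-or-forward rule, generalized to any number of ports and with the table aging that real bridges do so a host that moves to another port is relearned. The port names, the MAC addresses and the 300-second age are assumptions for the demonstration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast or multicast: least significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class LearningBridge:
    """Transparent bridge (a switch with a few ports). For a frame (src, dst) on in_port:
      1. learn:   table[src] = (in_port, now)
      2. group or unknown dst           -> flood out every other port
      3. dst learned on in_port         -> drop, both hosts share that segment
      4. dst learned on another port    -> forward to that port only
    Entries not refreshed within age_s are forgotten (aging), as on real switches.
    """

    def __init__(self, ports, age_s=300):
        self.ports = list(ports)
        self.age_s = age_s
        self.table = {}  # mac -> (port, last_seen)
        self.stats = {"flooded": 0, "filtered": 0, "forwarded": 0}

    def _lookup(self, mac, now):
        entry = self.table.get(mac)
        if entry is None:
            return None
        port, seen = entry
        if now - seen > self.age_s:
            del self.table[mac]  # aged out: treat as unknown again
            return None
        return port

    def receive(self, in_port, src, dst, now=0):
        """Return the list of ports the frame leaves on (empty list = filtered)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        self.table[src] = (in_port, now)  # learning happens on every frame
        others = [p for p in self.ports if p != in_port]
        if is_group_address(dst):
            self.stats["flooded"] += 1
            return others
        out = self._lookup(dst, now)
        if out is None:
            self.stats["flooded"] += 1
            return others
        if out == in_port:
            self.stats["filtered"] += 1
            return []
        self.stats["forwarded"] += 1
        return [out]


if __name__ == "__main__":
    # Two hubs joined by a bridge: hosts aa and cc hang off port A, bb off port B.
    b = LearningBridge(["A", "B"])
    for frame in [("A", "02:00:00:00:00:aa", "02:00:00:00:00:bb"),
                  ("B", "02:00:00:00:00:bb", "02:00:00:00:00:aa"),
                  ("A", "02:00:00:00:00:cc", "02:00:00:00:00:aa"),
                  ("A", "02:00:00:00:00:aa", BROADCAST)]:
        print(frame, "->", b.receive(*frame))
    print(b.stats)
```

The third frame is the case the post describes: aa and cc sit on the same hub, so the bridge, having seen aa on port A, drops cc's frame rather than repeating it onto B's segment. Note that this is why a hub, not a switch, is the tool for the sniffing suggestions earlier in the thread: a switch forwards a known unicast destination to exactly one port, so a sniffer on another port sees nothing.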