Slashdot Mirror


Ask Slashdot: Mitigating DoS Attacks On Home Network?

First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us from web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."

6 of 319 comments

  1. Go to your ISP by ERJ · · Score: 4, Informative

    The nature of a DOS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.

  2. Re:What evidence do you have that you're being DoS by Freshly+Exhumed · · Score: 4, Informative

    Also please post some speed tests from these sites:

    http://www.speakeasy.net/speedtest/

    http://www.speedtest.net/

    Don't forget to run more than one test on each to get a better sample.

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
  3. Smells of rootkit by SpaceLifeForm · · Score: 4, Informative

    Something is calling home to give away your IP quickly. What computers and OSes are you using? What antivir? A lot of antivirus programs suck. Shut down everything. Force a new WAN IP on the router. See if the problem occurs with no devices behind the router. If it does, maybe it is the router that is running malware. If still quiet, bring up one machine at a time behind the router and wait a while before doing the next machine. Any wireless devices? Is your wifi *really* secured?

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  4. Re:What evidence do you have that you're being DoS by benjfowler · · Score: 4, Informative

    Agreed. OP should check the traffic on his own network before jumping to conclusions. As far as congestion goes, if there's a bot on his network pumping out huge amounts of outbound traffic, then that'll stuff his connection just as surely as if some script kiddie was DDoSing him.

  5. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 5, Informative

    Most of the dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender; this - 63.228.223.103 - is "steamcommunity.com", and the one with a different port, "205.188.155.221:995", is indeed a mail server, as specified by the port.

    It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.
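The check this comment does by hand, as an added example (Python) that is not part of the thread: parse the router's "DoS attack from ..." lines, reverse-resolve each source, and note when the remote port is a well-known server port, which usually means the "attacker" is the far end of a connection one of your own machines opened. The log line format, the 198.51.100.x / 203.0.113.x addresses and the offline reverse-DNS table are constructed for the example; the two addresses quoted from the comment carry the names the comment gave them, not fresh lookups.

```python
"""Triage a consumer router's "DoS attack from ..." log entries.

Added example, not from the Slashdot thread. The log line format is an
assumption (each line names a source IP and a port); adapt LINE_RE to
your router's wording.
"""
import re
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

LINE_RE = re.compile(r"from source:?\s*(\d{1,3}(?:\.\d{1,3}){3}),?\s*port\s*(\d+)")

# Ports on which the *remote* side is the server. A burst "from" one of these
# is usually reply traffic for a connection one of your own machines opened
# (cloud AV, Steam, mail fetch, CDN download) that a stateless rule mislabels.
SERVER_PORTS = {25: "SMTP", 53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS",
                465: "SMTPS", 587: "submission", 993: "IMAPS", 995: "POP3S"}

# Constructed sample log. 198.51.100.x and 203.0.113.x are documentation
# ranges; the other two addresses are the ones quoted in the comment.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source: 198.51.100.10, port 443
[DoS attack: ACK Scan] from source: 198.51.100.10, port 443
[DoS attack: ACK Scan] from source: 63.228.223.103, port 443
[DoS attack: ACK Scan] from source: 205.188.155.221, port 995
[DoS attack: SYN Flood] from source: 203.0.113.77, port 6667
[DoS attack: SYN Flood] from source: 203.0.113.77, port 6667
[DoS attack: SYN Flood] from source: 203.0.113.77, port 6667
"""

# Offline reverse-DNS answers so the example runs without network access.
# Names are taken from or modelled on the comment, not live PTR lookups.
FAKE_RDNS: Dict[str, Optional[str]] = {
    "198.51.100.10": "ep-reverse.nimbus.bitdefender.net",
    "63.228.223.103": "steamcommunity.com",
    "205.188.155.221": "mail.example.net",
    "203.0.113.77": None,          # no PTR record
}


def live_rdns(ip: str) -> Optional[str]:
    """Real PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def parse(log: str) -> List[Tuple[str, int]]:
    """Extract (source_ip, port) from every line that matches LINE_RE."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def triage(log: str, rdns: Callable[[str], Optional[str]] = live_rdns) -> Dict[str, dict]:
    """Group log entries by source, resolve each, and classify it.

    kind is 'service' (reply traffic from a well-known server port),
    'unfamiliar' (resolves, but not obviously something you use) or
    'unknown' (no PTR and a non-service port: a candidate for the ISP's list).
    """
    report: Dict[str, dict] = {}
    for (ip, port), count in Counter(parse(log)).items():
        name = rdns(ip)
        if port in SERVER_PORTS:
            kind, why = "service", f"reply traffic from a {SERVER_PORTS[port]} server"
        elif name is None:
            kind, why = "unknown", "no PTR record, non-service port"
        else:
            kind, why = "unfamiliar", "check which LAN device talks to this host"
        report[f"{ip}:{port}"] = {"count": count, "rdns": name, "kind": kind, "why": why}
    return report


if __name__ == "__main__":
    # Use the constructed table here; pass rdns=live_rdns for real lookups.
    for key, info in triage(SAMPLE_LOG, rdns=FAKE_RDNS.get).items():
        print(f"{key:<22} x{info['count']:<3} {info['rdns'] or '-':<36} "
              f"{info['kind']}: {info['why']}")
```

Run against a real log with `rdns=live_rdns`. The port heuristic is a first pass, not proof: a genuine flood can use source port 443 too, so weight the verdict by hit count and by whether a LAN device actually has a session open to that host. Entries that resolve to your own AV vendor, a game platform or your mail provider are the router misreporting your own traffic, which is this comment's point.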

  6. Unlikely by Wrexs0ul · · Score: 4, Informative

    Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.

    Most folks that'd DDOS you aren't that sophisticated, and if they are there's really nothing you can do until someone decides to focus their malice elsewhere.

    The best bet for the poster is mitigation. Talk to the ISP, let them know the situation, and start feeding them a list of IPs to block at their head-end. While you as a client only have X bandwidth before it overwhelms your DSL, they have X^n and are usually amenable to blocking malicious traffic before it screws up all the clients in an area.

    But, to repeat what's already been said. If the attack's following you to new IPs your only bet is:
    - Factory reset the router, then plug it (and only it) in.
    - Have it get a fresh IP
    - Wait 30 minutes and see if an attack starts
    - Plug in a known safe device to check the router. Fixed devices like an iPhone or Android phone should work (unlikely that's what's compromised).
    - Use the device to check the router and see what kind of traffic is happening
    - Slowly start reconnecting your devices, one at a time, waiting a safe amount of time in between each.

    If the router starts getting hammered without anything connected you could have a compromised router. Just last year thousands of routers were compromised that had too simple a password and remote access enabled.

    If it starts after a certain device is plugged in, time to track down the culprit or (better) format the compromised machine. You're probably safe 90% of the time, but once a machine is rooted it's a good policy to never trust it.

    If the router is getting traffic and you know it's safe, then you might be seeing an attack on your network segment. Only your ISP can help.

    -Matt

    --
    --- Need web hosting?
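The traffic check in comment 6's isolate-and-reconnect procedure, and comment 4's point that an outbound bot fills the line as surely as an inbound flood, as one added example (Python) that is not part of the thread. It works on a flow summary you export from the router's connection table or from a capture on a mirrored port while reconnecting devices one at a time; the CSV format, the 192.168.1.0/24 LAN range, the 1 Mbit/s DSL uplink and the 198.51.100.x / 203.0.113.x addresses in the sample are constructed assumptions. `bot_suspects` answers "is one of my own hosts doing this?", and `isp_blocklist` produces the list of one-way inbound sources comment 6 suggests handing to the ISP.

```python
"""Per-host traffic accounting for the isolate-and-reconnect procedure.

Added example, not from the Slashdot thread. Input is a flow summary
(src, dst, proto, bytes src->dst) over a fixed window; the format, LAN
range and uplink speed below are assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range
UPLINK_BPS = 1_000_000                           # assumed DSL upload rate
WINDOW_S = 60                                    # length of the sample window

# Constructed 60-second flow summary. 198.51.100.x / 203.0.113.x are
# documentation ranges. Columns: src, dst, proto, bytes from src to dst.
FLOWS = """\
192.168.1.20,203.0.113.5,udp,30000000
192.168.1.20,203.0.113.6,udp,30000000
192.168.1.20,203.0.113.7,udp,30000000
192.168.1.30,198.51.100.20,tcp,2500000
192.168.1.40,198.51.100.21,tcp,120000
198.51.100.77,192.168.1.1,udp,400000000
198.51.100.78,192.168.1.1,udp,150000000
198.51.100.20,192.168.1.30,tcp,60000000
"""

Flow = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV summary, skipping blank and '#' comment lines."""
    rows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, nbytes = line.split(",")
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(nbytes)))
    return rows


def lan_outbound(rows: List[Flow]) -> Dict[str, dict]:
    """Bytes each LAN host sent to the Internet and the set of peers it sent to."""
    out: Dict[str, dict] = defaultdict(lambda: {"bytes": 0, "peers": set()})
    for src, dst, _, n in rows:
        if src in LAN and dst not in LAN:
            out[str(src)]["bytes"] += n
            out[str(src)]["peers"].add(str(dst))
    return dict(out)


def bot_suspects(rows: List[Flow], uplink_bps: int = UPLINK_BPS,
                 window_s: int = WINDOW_S) -> List[str]:
    """LAN hosts whose outbound volume alone would saturate the uplink.

    This is the comment-4 case: a bot on your side of the router fills the
    DSL line just as effectively as an inbound flood does.
    """
    cap = uplink_bps * window_s / 8          # bytes the uplink can carry in the window
    return sorted(h for h, v in lan_outbound(rows).items() if v["bytes"] > cap)


def isp_blocklist(rows: List[Flow], top: int = 10) -> List[Tuple[str, int]]:
    """External sources sending the most one-way traffic into the LAN.

    Sources that a LAN host also sent traffic to are skipped: a download or a
    video stream has ACKs flowing back to it, a flood does not. Heuristic only.
    """
    talked_to = {p for v in lan_outbound(rows).values() for p in v["peers"]}
    inbound: Dict[str, int] = defaultdict(int)
    for src, dst, _, n in rows:
        if dst in LAN and src not in LAN and str(src) not in talked_to:
            inbound[str(src)] += n
    return sorted(inbound.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    rows = parse_flows(FLOWS)
    print("LAN hosts likely running a bot:", bot_suspects(rows) or "none")
    print("One-way inbound sources to report to the ISP:")
    for ip, n in isp_blocklist(rows):
        print(f"  {ip:<16} {n / 1e6:8.1f} MB in {WINDOW_S}s")
```

Take one sample with nothing but the router connected, then one after each device is reconnected, and compare `bot_suspects` between runs; a host that appears only after it is plugged in is the one to rebuild. The source addresses in `isp_blocklist` are what arrived on the wire, so for a spoofed UDP flood they name reflectors or random addresses rather than the attacker; the list is still what the ISP can act on at the head-end, which is the only place the bandwidth problem can actually be solved.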