Slashdot Mirror


Ask Slashdot: Mitigating DoS Attacks On Home Network?

First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."


  1. What evidence do you have that you're being DoSed? by Anonymous Coward · · Score: 5, Insightful

    Everyone is being scanned at every second by bots, do you have any real evidence you're being DoSed? It could be a crappy connection. Seeing a modem light flashing a lot does not mean you're being packeted.

  2. Go to your ISP by ERJ · · Score: 4, Informative

    The nature of a DOS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.

    1. Re:Go to your ISP by Anonymous Coward · · Score: 3, Insightful

      The thing about DoS attacks is that the attacker doesn't need, or want, any return packets, so they're free to spoof whatever "from" IP address they like.
      Bouncing packets "back where they came from" is a recipe for disrupting even more innocent parties.

    2. Re: Go to your ISP by jddj · · Score: 2

      Lucky you can't get WiMax: your situation sounds like the way Clear works nightly: ISDN speeds for the crime of watching Netflix. Oh, you're not "capped". Certainly not. No, never. Is there a possibility your logs are just port scans (which suck, but aren't a DDoS), and your problem is that you're being traffic-managed by the ISP? That would "follow you instantly". I didn't think the log entries were close enough together in time to constitute a DDoS.

  3. Have you tried... by Endloser · · Score: 2, Insightful

    changing your ISP?

    1. Re:Have you tried... by VortexCortex · · Score: 3, Funny

      changing your ISP?

      They said it didn't matter if they changed the IP address or MAC of the router. This means the attacker can track them across domains. They should try NOT playing the online games after changing the IP address and see if the DoS persists. Also, if they are being DoS'ed then a Distributed Reflective DoS (DRDoS) is probably what's causing up to 5 spoofed SYN-ACK packets to be sent per single attacker's packet (SYN to Amazon with a spoofed target return IP; Amazon tries to complete the TCP handshake with the target). They didn't sign them up for anything, that's the nature of a reflective attack.

      Coincidentally, the surefire way to protect against DRDoS is to simply use DR-DOS, to play games that have far less chance of exposing you to assholes.

  4. Not on your end by Lorens · · Score: 3, Informative

    If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).

  5. Re:What evidence do you have that you're being DoS by Leroy+Brown · · Score: 5, Interesting

    Ditto.

    My next question is: is his machine compromised and part of a botnet? I.e. is he the one doing the DoSing, and his router is falling over as a result?

  6. SubjectsInCommentsAreStupid by lesincompetent · · Score: 2

    I've seen some SOHO routers' firmware sporting this alleged "DoS protection". I think it's just a marketing point.
    No idea of how the detection works but this sounds like a false positive to me.
    And wouldn't your ISP notice first too?

  7. Re:What evidence do you have that you're being DoS by Freshly+Exhumed · · Score: 4, Informative

    Also please post some speed tests from these sites:

    http://www.speakeasy.net/speedtest/

    http://www.speedtest.net/

    Don't forget to run more than one test on each to get a better sample.

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.

  8. Cloud providers... by ayjay29 · · Score: 4, Interesting

    Hi,

    >> I've noticed the IPs trace back to Microsoft or Amazon domains

    This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

    --
    Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.

  9. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 2, Informative

    This would seem like an obvious case here.

    If your IP changes, how would the attackers be able to guess the new IP so fast?

  10. Assuming That You Really Are Being DoSed by Anonymous Coward · · Score: 2, Insightful

    My bet is that you are participating in some sort of P2P network, file sharing, Spotify... I don't think you are being targeted due to gaming.

    And how do they find us with a new MAC address and IP within minutes?

    Assuming that this is indeed a malicious DoS attack, there is something inside your network that is tipping them off. P2P gaming software, chat software, malicious local software. There is no way for them to simply find you with a new external IP.

    As others have already stated, the only way to mitigate a saturated pipe DoS is to filter upstream, your ISP or their ISP.

  11. To answer part of your question by istartedi · · Score: 4, Insightful

    We seem to have attracted the attention of some less than savory types in online gaming

    Followed by:

    And how do they find us with a new MAC address and IP within minutes?

    This is pretty obvious. The game is telling them. Not much of a gamer myself; but I'm willing to wager you can see the IP address from which a particular user is logged on. Maybe the game will let you cloak that. If it won't they can always find you again...

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?

    1. Re:To answer part of your question by istartedi · · Score: 3, Interesting

      I'm not a gamer either, but I suspect most games are controlled by server connections with no p2p connectivity.

      If I were building the kind of games you see depicted on Big Bang Theory, the gameplay would be through the server; but the chit-chat with the headphones would be p2p. There's no point routing all that chit-chat through the server. I guess you could play the game without the headphones; but it would be difficult to coordinate attacks with your partners.

      When I thought about this a bit more, it occurred to me that the person being DoS'd should contact the game company. Now it gets interesting.

      The game company has two aspects of its reputation to defend. 1. It doesn't want players being DoS'd. 2. It doesn't want to LART players based on spurious accusations.

      That means it would have to make sure the suspect is guilty. They could have the user switch IP several times, and only display the new IP to the suspect. If displaying the new IP to the suspect resulted in the DoS being redirected, but displaying the new IP to other users didn't, then that seems like a smoking gun to me.

      Now we get into the whole cost/benefit analysis for the game company to do something like that. It's probably easier just to log complaints against users, and pull the plug on people after N complaints. If say, 8 users from different walks of life have complained that X is DoS'ing them because he got pissed off, then there's a pretty good chance X is guilty. The best thing about this approach is that it works for all kinds of bad behavior, not just DoS'ing. You're going to have to handle complaints about users anyway, so there you have my answer for now:

      Complain to the game company, but not until you've checked to make sure that something else isn't compromising your system.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?

    2. Re:To answer part of your question by Impy+the+Impiuos+Imp · · Score: 2

      That used to happen in Quake all the time -- to gain an advantage, people would pound competitors' machines to slow their "ping" as it was the equivalent to making their reaction times drunk.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

    3. Re:To answer part of your question by vux984 · · Score: 2

      If it's not the game itself, it could be other software.
      Skype in particular (on your PC, or on your smartphone on your wifi...)

      Any number of other chat programs, p2p software, etc are suspect.

      Rootkit/malware/backdoor is possible.

      And that's all assuming it's real, which, I don't know your level of sophistication. For all we know you just have an infected unit that's flooding your network, and you are mis-reading the overly "dangerous" sounding warnings crappy security software constantly throws up to justify its existence.

      A traffic analyzer would be helpful. Suspect everything, and knock down the entire network, disable wireless (takes care of the smartphones, etc) boot up one PC from a linux live CD... and then move forward from there.

  12. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 2, Informative

    This.

    It is far more likely that he has a compromised internal network and his dsl is being overwhelmed by outbound spam, not an inbound DoS, especially since 'they' find him within minutes of an IP switch. Invest in a good virus scanner dude, and seriously consider a wipe and reload of every system.

  13. Re:Are you really being DoSed? by TheLink · · Score: 2

    Note: if someone on your network has been using P2P you may have to wait for a while when doing 2) since peers may still be trying to connect/respond to your router's IP. If it's still flashing like crazy after more than 30 minutes then you're probably being DoSed.

    A few blinks every few seconds is not a DoS. Being DoSed = continuous blinking like a fast continuous data transfer.

  14. Smells of rootkit by SpaceLifeForm · · Score: 4, Informative

    Something is calling home to give away your IP quickly. What computers and OSes are you using? What antivirus? A lot of antivirus programs suck. Shut down everything. Force a new WAN IP on the router. See if the problem occurs with no devices behind the router. If it does, maybe it is the router that is running malware. If it's still quiet, bring up one machine at a time behind the router and wait a while before doing the next machine. Any wireless devices? Is your wifi *really* secured?

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

  15. Re:What evidence do you have that you're being DoS by benjfowler · · Score: 4, Informative

    Agreed. OP should check the traffic on his own network before jumping to conclusions. As far as congestion goes, if there's a bot on his network pumping out huge amounts of outbound traffic, then that'll stuff his connection just as surely as if some script kiddie was DDoSing him.

  16. Re:What evidence do you have that you're being DoS by next_ghost · · Score: 4, Interesting

    The DSL router itself could be compromised as well. I'd start by booting up a Linux live CD, disconnecting everything else from the network and changing the external IP address again. Then I'd wait to see if they find you again. If they don't, start plugging everything back one device at a time, again checking if they find you after plugging the last device in.

  17. Practical Advice, step by step by RedLeg · · Score: 3, Informative

    You more than likely have something "phoning home" that the bad guys are tracing back to you.

    SO, to track that down, do this in exactly this order:

    1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.

    2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that it connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiging your router. If necessary, borrow a device from someone you trust.

    3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.

    4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.

    It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.

    If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.....

    Hope this helps.

    -Red

  18. Easily found back? by gmuslera · · Score: 2

    Unless you have some external name for your home connection (i.e. using dyndns or similar if your IP is dynamic), it is probably something you have in your network, like being part of a botnet node, having a misconfigured p2p client, or something that from inside announces itself to be accessed by others. Disable all the services that you know that access by itself outside (i.e. checking for software updates), and try to track all that you don't know that access outside by itself when the ip changes.

    They could find you also because you have an easy to detect service that is exploitable. Knowing where they access and connect could be useful; even having an IP camera accessible from outside with a fixed admin password could be enough to cause that kind of behaviour. Considering that scanning the entire internet takes less than an hour, a lot of people could be doing so all the time, so anything exposed you have could be easily detected.

    Having antivirus is no guarantee of safety; some malware could be active for years before AV companies even hint that something could be there (and probably US-based security products are hardcoded to not report anything that could look like an NSA backdoor or malware). While it is not a guarantee of not catching malware, using Linux or even Mac OS X lowers the odds a lot.

  19. The simple answer by Anonymous Coward · · Score: 2

    It's you.

    If you went out and got a new IP and within minutes they "found" you again, really? C'mon. If that's the case, you seem to have pissed off the world's greatest hacker. It's either that or there is a sustained attack on that block of IPs that your ISP is using for DHCP or static assignments, AND if THAT's the case, then your ISP is being DOS'ed.

    But really, download a LiveCD and disconnect everything in your network except the box you use with the LiveCD and see if the issue disappears. Then plug in each device one at a time and see when you are "found" again. But wait, there's more! Say you plug it all back in and everything is working as it should, then you remove said LiveCD and reboot the test box back into zombie fest, er, the original OS and you are "found" again. So you know, that would be the infected box. Backup important files and reinstall the whole system.

    Good Luck Space Ranger!

  20. Re:What evidence do you have that you're being DoS by Gavrielkay · · Score: 3, Informative

    I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16) and I can't browse the web or watch anything on Netflix. I'm not saying I'm absolutely certain that my Netgear router isn't over-reporting, but there is something going on. And now, rather than being only when we're gaming online and getting threatened by folks, it's constant. I can't figure out what we're being tracked by though. What is there besides MAC address and IP address to latch on to? Something maybe that Windows does that we've been "signed up" for? I just don't know. I'm a software geek, not a network guru sadly.

  21. Re:What evidence do you have that you're being DoS by ledow · · Score: 5, Insightful

    Software geek?

    Put ONE machine on your router.

    Load up Wireshark.

    Put DMZ options on the router to send all unsolicited traffic to that one PC's IP.

    Watch what's being used and where it's coming from and where it's going.

    To be honest, out of all the people who've ever come to me with a similar problem it's either a) a crap router, b) a crap ISP, c) Something on the machine/network talking OUT that's killing the connection (nothing external at all, e.g. P2P apps etc.), d) wireless connections being affected.

    If you are genuinely changing your EXTERNAL IP (your internals mean nothing, your MAC means nothing), and it follows you that quickly, then YOU are broadcasting your location (or it's something internal to the network and nothing to do with packets from the Internet at all).

    I know if I refresh my TF2 server list too often, my router can sometimes crap out.

    Do some proper diagnosis. That means rather than guessing at something and trying things that have NO correlation (MAC addresses), that you follow Sherlock Holmes - when you have eliminated the possible, whatever remains must be the truth. Go through things and eliminate one at a time.

    Put ONE device on the router. Change the router. Change the way you connect to the router. Look what's going out and coming in rather than guessing that you're being DDOS'd (I have yet to witness an actual DDOS in 15 years of network management). Or just talk to your damn ISP (who, almost certainly, will tell you there's nothing DDOS'ing you at all).

    If you're getting a flood of recorded packets, you can see what they are, where they come from, and what prompts them and even how they have "found" you again. If you're just stabbing at solutions in the dark, then you're no better off at all.

    And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

  22. Re:What evidence do you have that you're being DoS by leuk_he · · Score: 2

    The trouble is that this might not really be an attack, just a scan. Also a lot of routers have some firewall settings that mitigate DoS attacks, but without any real possibility to tune this, or even a good description of whether the thing in the log is anything important.

    The fact that some log says there is a DoS attack does not mean there really is an attack. It only says there is a log.....

    Showing the log is not enough, you have to add some explanation.

  23. Re:What evidence do you have that you're being DoS by Jonah+Hex · · Score: 3, Insightful

    and it follows you that quickly, then YOU are broadcasting your location

    Exactly, it doesn't even have to be sophisticated; set up Dynamic DNS on the router/internal PC and it'll play follow the leader for years. "looks like http://imaspawncamper.noobstoddos.dynamicdns.moc/ is back up on nother MAC and IP lulz"

  24. Re:What evidence do you have that you're being DoS by dills · · Score: 4, Interesting

    This is not a DoS attack. Look at how infrequent the packets are...it's essentially background noise that every IP address will see.

    This feels like 2002 all over again, when people had host-based firewalls and would freak out any time they got hit with a port scan, not really understanding what they were looking at.

  25. Re:Are you really being DoSed? by dills · · Score: 3

    The logs you posted are not evidence of DoS, they show a random packet here and there.

    A DoS would be characterized by, at a minimum, thousands of packets per second.

  26. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 5, Informative

    Most of the dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender; this - 63.228.223.103 - is "steamcommunity.com", and the one with a different port "205.188.155.221:995" is indeed a mail server as specified by the port.

    It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.

  27. Re:What evidence do you have that you're being DoS by killkillkill · · Score: 3, Interesting

    Yeah, seems more likely to me he's got a zombie machine on his network participating in DDoS of another target that actually is worth targeting.

  28. Re:What evidence do you have that you're being DoS by SpaceLifeForm · · Score: 2

    You have to make sure everything is off, and *then* get a new WAN IP. Once any of the machines behind the router are up, your WAN IP will likely be exposed immediately, and turning off the computers *after* that is like closing the barn door after the horses have left. If it still occurs with everything off, and keeping them off after restarting the router with a new WAN IP, then two things:

    1) your router is owned and/or sucks.
    2) you are being port scanned constantly, and your router is not behaving well (responding with ICMP unreachable for example), exposing the fact that you are there.

    Have you tried to reset your router to factory defaults and start over? If you reset router, and do not open *ANY* ports, and reject ident requests, etc, that is, only allow NAT, does the problem still occur?

    It may be your VOIP box, it may be your DirecTV box. You need to turn *everything* off in order to find the box that is leading to the problem.

    If everything is off, and you restart the router, with no ports open, get a new WAN ip, and leave everything off behind the router, and the problem starts up again, then router is suspect, or your ISP has issues.

    I see you have a combo DSL modem/router. I prefer separate modem from router, but it should work. That does not mean that it has not been hacked.

    One final thing. Find someone else that is local to you on the same ISP, and see if they notice the same problems.

    (P.S. Apologies for assuming your sex incorrectly)

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

  29. Re: What evidence do you have that you're being Do by Anonymous Coward · · Score: 2, Interesting

    You may have a long log file with those messages, but look at the time stamps... Getting hit once every minute, sometimes every 5 or 10 minutes? That's not a DoS. You would need to see a lot of those per second for it to impact your connection. I would say that is likely just normal Internet chatter/scanning.

  30. Re:What evidence do you have that you're being DoS by SpaceLifeForm · · Score: 3, Interesting

    You are fine. That is normal background noise. Not really a DoS, just normal probes, which are not frequent enough to be considered a DoS. Ignore the terminology that Netgear is using. The slowness you encounter at times is likely upstream from you. You should expect it in the evening.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

  31. Re:What evidence do you have that you're being DoS by HiThere · · Score: 3, Informative

    The advice about recording transmissions sounds like good advice, and I've heard WireShark praised before for that kind of diagnosis.

    If you do that, then you can identify what signals are coming from where. If it's a DDOS, of course, there will be a wide variety of different TCP addresses, but THAT is informative, too. Not directly helpful, but good evidence as to what is going on.

    Don't be too sure that your anti-virus and anti-malware tools actually catch all viruses/malware. They are generally obsolete at the time they are released. They catch the ones known about at the time.

    If the attacks are quite frequent, try booting off a live CD/DVD, say a recent KNOPPIX. (I think that has diagnostic tools. They don't all, so you may need a specialized distro.) That way you can be sure that nothing in the local software is causing the problem. And THEN record the results onto a USB stick.

    P.S.: This is from theory. I've never actually experienced your problem.

    P.P.S.: Did you release your TCP connection? I don't know how to do that under MSWind, which I'm guessing you are using, because you talk about being a gamer. But replacing your router won't automatically do that. It's probably done somewhere in network configuration.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.

  32. Re:What evidence do you have that you're being DoS by HiThere · · Score: 2

    The ISP's speed test should be fine for judging the connection between him and the ISP. If he's actually being DDOSed, then that should slow down the connection to his ISP (during the attack). OTOH, if it's the ISP that has the problem, then you're right, that might well not reveal it. So both tests are useful, for showing different information.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.

  33. Unlikely by Wrexs0ul · · Score: 4, Informative

    Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.

    Most folks that'd DDOS you aren't that sophisticated, and if they are there's really nothing you can do until someone decides to focus their malice elsewhere.

    The best bet for the poster is mitigation. Talk to the ISP, let them know the situation, and start feeding them a list of IPs to block at their head-end. While you as a client only have X bandwidth before it overwhelms your DSL, they have X^n and are usually amenable to blocking malicious traffic before it screws up all the clients in an area.

    But, to repeat what's already been said. If the attack's following you to new IPs your only bet is:
    - Factory reset the router, then plug it (and only it) in.
    - Have it get a fresh IP
    - Wait 30 minutes and see if an attack starts
    - Plug-in a known safe device to check the router. Fixed devices like an iPhone or Android phone should work (unlikely that's what's compromised).
    - Use the device to check the router and see what kind of traffic is happening
    - Slowly start reconnecting your devices, one at a time, waiting a safe amount of time in between each.

    If the router starts getting hammered without anything connected you could have a compromised router. Just last year thousands of routers were compromised that had too simple a password and remote access enabled.

    If it starts after a certain device is plugged in, time to track down the culprit or (better) format the compromised machine. You're probably safe 90% of the time, but once a machine is rooted it's a good policy to never trust it.

    If the router is getting traffic and you know it's safe, then you might be seeing an attack on your network segment. Only your ISP can help.

    -Matt

    --
    --- Need web hosting?

  34. Re:What evidence do you have that you're being DoS by dutchd00d · · Score: 4, Insightful

    And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

    Pray tell, good sir. If your time is so precious, what are you doing on Slashdot?

  35. Not a DoS by BlackHawk-666 · · Score: 3, Interesting

    Given the log you posted, you are most definitely not being hit with a DoS attack. You are barely taking any traffic at all, with only a few hits / minute.

    [DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49

    I mean look at that...there's 21 minutes worth of time passing in just 3 log entries, that's just plain old net noise.

    It's more likely that your ISP is suffering backhaul congestion, or you are running a torrent client, or someone is DLing ultra pr0n at some insane rate or you left your wi-fi open and someone is hijacking it.

    Go to http://www.speedtest.net/ and run a bandwidth check on your network.

    --
    All those moments will be lost in time, like tears in rain.
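A way to check the rule of thumb used in this post and the earlier ones (a few hits a minute is background noise; a real flood means thousands of packets a second) against router log lines in the exact format quoted above. This is an added example, not code from the thread; the 1000 pkt/s and 1 pkt/s thresholds are my assumptions from the commenters' figures, and the flood sample is constructed using an RFC 5737 documentation address.

```python
"""Triage Netgear-style '[DoS attack: ...]' router log lines.

Added example (not from the original Slashdot thread).  It parses the log
format quoted in the thread, measures how often entries arrive, and applies
the commenters' rule of thumb: a handful of hits per minute is ordinary
Internet background noise, while a real flood means thousands of packets
per second.  The thresholds below are assumptions, not vendor definitions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# The three entries exactly as quoted in the thread (real log format).
THREAD_LOG = """\
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<dow>[A-Za-z]+), (?P<month>[A-Za-z]+) (?P<day>\d{1,2}),(?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2})$"
)

FLOOD_PPS = 1000.0   # assumed: "thousands of packets per second" (thread)
NOISE_PPS = 1.0      # assumed: under one hit per second is scanner noise


def parse_line(line):
    """Return (timestamp, kind, ip, port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(
        "%s %s %s %s" % (m["month"], m["day"], m["year"], m["time"]),
        "%B %d %Y %H:%M:%S",
    )
    return stamp, m["kind"], m["ip"], int(m["port"])


def triage(log_text):
    """Summarise a block of log lines and classify the observed event rate."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    if not events:
        return {"events": 0, "verdict": "no parseable entries"}
    stamps = sorted(e[0] for e in events)
    # The log has one-second resolution; a burst inside one second counts as 1 s.
    span_s = max((stamps[-1] - stamps[0]).total_seconds(), 1.0)
    pps = len(events) / span_s
    if pps >= FLOOD_PPS:
        verdict = "flood: volumetric DoS plausible, take it to the ISP"
    elif pps < NOISE_PPS:
        verdict = "background noise: scans every IP sees, not a DoS"
    else:
        verdict = "elevated: capture traffic (e.g. Wireshark) before concluding"
    return {
        "events": len(events),
        "span_seconds": span_s,
        "pps": pps,
        "by_source": Counter(e[2] for e in events),
        "by_kind": Counter(e[1] for e in events),
        "verdict": verdict,
    }


def make_flood_sample(count=2500, source="203.0.113.5"):
    """Constructed flood for comparison; 203.0.113.0/24 is RFC 5737 documentation space."""
    start = datetime(2013, 10, 12, 12, 4, 31)
    lines = []
    for i in range(count):
        t = start + timedelta(seconds=i * 2 // count)   # all entries within ~2 s
        lines.append(
            "[DoS attack: SYN Flood] from source: %s:443 Saturday, %s,%d %s"
            % (source, t.strftime("%B %d"), t.year, t.strftime("%H:%M:%S"))
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in (("thread log", THREAD_LOG),
                        ("constructed flood", make_flood_sample())):
        r = triage(text)
        print("%s: %d entries over %.0f s = %.4f/s -> %s"
              % (label, r["events"], r["span_seconds"], r["pps"], r["verdict"]))
```

The thread's three lines span 1242 seconds (the "21 minutes" the poster mentions), which is far below even the one-per-second noise line; the constructed sample lands on the flood side only because it packs 2500 entries into a single second.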
  36. You're probably not getting DDOS'd by PhunkySchtuff · · Score: 2

    You are probably either the victim of a malware infection, or you're torrenting too much. If a machine on your network has been properly pwned (and this is a lot more likely than you being the target of a DDOS) then running AV on top of the OS most likely won't find the malware...
    Download and burn the Kaspersky Rescue CD, boot off that (a known-good OS) and scan your machines. Report back how much malware it found that everything else missed.
    If you're participating in a DDOS (or otherwise maxing out your upstream bandwidth - eg torrents) then uploading at the maximum throughput will have the side effect of dropping your download speed to the same as your upload speed.

  37. This is not a DOS attack. by LodCrappo · · Score: 3, Informative

    Point 1: The fact that you mention MAC addresses and DoS in the same question shows that you do not know enough about networking to assess this situation properly.

    Point 2: Home internet connections don't get DOSed. There is no profit in it to justify the effort or risk. Anyone with the skill and capability to attack a network most certainly has better things to do.

    Point 3: All of your symptoms fit perfectly with a local problem. None of them match a DOS very well.

    You very likely have a compromised PC or a PC running something like torrents/other P2P software that isn't properly configured. Use up all your outbound bandwidth either way and you will have exactly the situation described.

    obligatory: wtf is this doing on slashdot? It's a basic home user networking issue.

    --
    -Lod

  38. This seems relevant by hessian · · Score: 2

    More telling, we see the "attacks" in the logs even when the computers are off.

    Can you spot any pattern in the IPs and times they appear?

    Also, this is a long shot, but are you hosting any web pages? Big companies unleashing irresponsible crawlers can effectively DOS you without meaning to.

    Further, and I know this isn't a comfortable question, but is it possible that someone in the house is logging on to certain gaming servers, and this is bringing about the attacks? If so, is there a way to get them to log in from other places?

    Finally, where the hell is the NSA? Surely they're reading this thread. ;)

  39. So what? by sillivalley · · Score: 3, Informative

    Executive summary: Welcome to the real world. Everybody with an "always on" connection is getting this kind of crap, it's just that most people don't realize it.

    Discussion: We have a cable modem for internet service. I run an SSH honeypot (Kippo) to collect information on folks knocking on our door.

    Friday morning, my Kippo honeypot recorded a dictionary attack run of 291 SSH login attempts (against root) in 12 minutes (from 178.141.148.236, look it up if you want). I don't even bother to record the crap coming against port 80.

    This isn't unusual, not even for an IP address in a residential cable block! And the more you look for this kind of activity, like running a honeypot, or even reviewing your router logs, the more bewildered you'll become, particularly about how "normal" people's computers survive under these continuous attacks.

    The answer, of course, is that so many do not, their home computers rooted within minutes of being connected to the net, or when a child in the household (using a Windows account with admin privileges) clicks on some enticing link in IE... Their computer gets added to one or more botnets, and eventually they toss it out because it's too slow.

    Suggestions: Make sure your network is as secure as you can make it, then ask for help to make it better. Help those you care about do the same. Friends don't let friends use IE (or Windows) is a good start.

  40. Re:What evidence do you have that you're being DoS by pnutjam · · Score: 2

    And while something on your network being owned is a likely problem, that is not the only possible problem. You could have a bad NIC that is spitting out bad packets. This is why we use managed switches on big networks.

    If you have an old PC lying around or can borrow one, try putting up a real firewall, like pfsense. This will let you see more of what is entering and exiting your network. It doesn't have to be a permanent installation.

  41. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 3, Informative

    This intensity is NOT a DoS. You'd get a flood of messages every second, not singular attempts once an hour.

    This is likely just usual - bots and script-kiddies scanning networks for vulnerabilities. I get a dozen or two of those scans every day as well.

    Nothing to worry about, but it reminds you how the Internet is not a friendly place and how you'd better be updated and not exposing more ports than necessary.

    Shitty connection is probably just that - a shitty connection, and your DSL's tech support would be more useful here. Call them when you're experiencing those slowdowns and try to troubleshoot it.

  42. Re:What evidence do you have that you're being DoS by muridae · · Score: 2

    The modem side won't have an IP or MAC, it's a layer 1 device, but since it's a DSL router (layer 3 is for routers, you know, IP layer?) it will have both. You know, so the computer can chat with the router at x.x.x.1 or be routed to the other devices in the network by IP? If you have a combined device, and don't have enough access to its controls to change its MAC, then get it into a simple modem mode (sometimes called bridge mode) and hook up a single router that you do control as the first step in the network and feed all traffic through that router. This will, as a consequence of being a simple modem now, make only one of the Ethernet ports active and probably/hopefully turn off its wifi if it has a radio. Then, you really can change your MAC on your router and just hit refresh to get a brand new IP from the ISP.

    Now, one thing that hasn't been covered is whether all the traffic is at one port, or across a range or at random. Not that I noticed; I showed up late to the thread. If your ISP is giving you a NAT address (192.168.x.x or 10.x.x.x or a few others), and you have gotten one port at their outside linked to a certain port inside your network (streaming, gaming, etc.) then a DDOS against your ISP could spill over to you every time someone outside tosses packets at the port you are attempting to use.

    Lastly, a simple traceroute is still a useful tool. If you get to your ISP's network border without very large latency or packet loss, then the problem might be completely external to your network and just leaking in as described above. If you can't even get a ping to the first router beyond your modem, then the OP is being targeted. How? See the other posts.

  43. Re:What evidence do you have that you're being DoS by muridae · · Score: 3, Interesting

    The problem with one device running wireshark and other devices all connected to a router is that, by virtue of IP, the wireshark running box won't see the traffic sent to the other PCs. You need to either set up a good Knoppix or Kali Linux boot disc device to act as a pass through, or get a cheap hub, or learn about ARP poisoning to get the traffic to first go to the monitoring box, then get passed along to the target device.

    Ideally, your network would be a very simple DSL modem, not a modem+router. Just a modem or your router reconfigured to bridge mode. Then a hub, yeah, the dumb collision-prone boxes are very useful still. Uplink of the hub goes to the modem, and your sniffing box and a good NAT+firewall router get connected to it. Then, behind that NAT and firewall goes your computer. Again, ideally, the sniffing computer will not have requested an IP address, will not even have put its Ethernet port into anything but a passive state. Then you can start up wireshark. After that, start up the machine you think is attracting the attacks. You can sort wireshark traffic by incoming and outbound. And if changing the externally visible IP hasn't helped, you want to look at outbound to see what you are sending to whom to get yourself noticed.

    I have done exactly this, and it isn't fun or easy, but it did help pass a few Cisco network tests later. Once you get into packet sniffing, and ARP poisoning switches, and packet manipulation of those ARP poisoned packets, you can do all kinds of interesting things. Upsidedownternet doesn't have to be a proxy, it can be done with any switched network if done right. And then, after you graduate from wired networks to sniffing on wireless (and collecting large logs to break keys, or doing deauth attacks on your own gear to see how your modem+router and PC stand up) then you can start in on a whole world of fun and crazy bit-level cleverness.

    disclaimer: I've cracked WEP back in the PCMCIA days of having a high speed 802.11b card (custom firmware to go into monitor mode) but it was on my own network or with permission (parents wanted to know how long it would take for a neighbor to borrow their wifi, I remember leaving the linux box running about an hour and a half, but sibling had lots of traffic going). WPA deauth attacks are the same way, don't screw with other people without permission. But once you have permission, go wild; showing my younger sibling their AIM chats when they thought 'the network is encrypted, you can't see me' was a hilarious way to spend my first summer home from college.

  44. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 2, Informative

    Better yet, put a managed switch which allows port mirroring (or a hub if you are old school) in front of your router and run wireshark on the mirrored port going into the router. That way you will capture any packet going to and from the router. Even packets stopped by and sent from the router.

  45. Re:What evidence do you have that you're being DoS by Redmancometh · · Score: 2

    You guys clearly are not even remotely familiar with the landscape of online gaming today.
    DoS and DDoS attacks are so common in gaming today that it's nigh-unbelievable. Minecraft especially, there are groups of skids with booters, who purchase subscriptions to "stresser services" (EXTREMELY common), and even some I've seen who have their own botnets.

    I'm talking about 12-16 year olds I might add.
    In most online gaming my personal experience is 3-5% of them have a stresser service they've bought or booter. Out of those about .01% have a no-bullshit botnet made with skid tools and tutorials online.

    On Minecraft I would peg it more at 5-10% with stresser services or booters, and about 1-2% of them have botnets. It's something I've encountered fairly frequently (I use a VPN for that exact reason in my TeamSpeak which has MC players.)
    In our teamspeak which has nearly a thousand people from several games at least 5-6 DoS/DDoS attacks will take place. Most if not all will be minecraft-related.

    So if you're into online gaming, especially PC, and ESPECIALLY minecraft, it just might be a DDoS.

    Note: I am NOT saying it's a DDoS. But I am saying that you guys who dismiss it outright and don't discuss mitigation don't realize these attacks are not "serious" anymore. It's not just done by people with know-how, and a few script-kiddies who are slightly more advanced.

    Literally any random kid with $2.99 a month can run an attack on you. If they managed to steal or buy a better account to a stresser? They can launch an attack for literally 45 minutes to an hour at a go, unlimited times, from a server. If you think I'm exaggerating as to how popular it's become, google "buy stresser" or something. Look at how many of those services are around... and notice the way they advertise... 'nuff said.

    If you are actually being DDoSed or DoSed, and it's from one IP (such as from a server in the above case) or a few, then you can make a few changes to your iptables rules. You can set it to drop all packets from a specific IP.

  46. Re:What evidence do you have that you're being DoS by fa2k · · Score: 2

    Better yet, put a managed switch which allows port mirroring (or a hub if you are old school) in front of your router and run wireshark on the mirrored port going into the router. That way you will capture any packet going to and from the router. Even packets stopped by and sent from the router.

    This is so right, I wish I had mod points. If it really is a DoS attack, and you need to find out how they get your IP, then this is the only way. It could be a trojan checking in on IRC, or it could just be some dodgy "cloud service" from a bogus company. If someone has your gmail password they could even look at the IP log of where it was accessed from (this works the other way too).

    I keep a hub around for exactly this purpose. If you don't have a hub or a managed switch, there is the option of a PC with two NICs. These are quite common on desktop motherboards. Boot a Linux live-CD and turn off NetworkManager, then look up how to bridge the two NICs (hint: brctl). It is best if you run some live distro which includes wireshark, and which doesn't set up the NICs at boot. Look at the pen testing distros for this.
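    Several replies above (41 on intensity, 42 on one port versus a spread of ports, 44 and 46 on capturing at a hub or mirror port in front of the router) come down to the same triage step once you have a capture: count packets per source per second and how many destination ports each source touches. The script below is an added example, not code from any poster in this thread; it parses constructed `tcpdump -n -tt`-style lines, and assumes the router's public address is 203.0.113.7 (a documentation-range placeholder) and a flood threshold of 100 packets per second.

```python
import re
from collections import Counter, defaultdict

OUR_IP = "203.0.113.7"  # assumed public address of the home router (RFC 5737 documentation range)

# One packet per line, 'tcpdump -n -tt' style: epoch timestamp, then "IP src.sport > dst.dport: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def build_sample():
    """Constructed capture (not a real trace): a SYN flood, a slow port scan, and normal traffic."""
    lines = []
    for sec in range(3):                          # 150 SYNs per second at the game port, for 3 s
        for i in range(150):
            lines.append(f"{1382400000 + sec}.{i:06d} IP 198.51.100.23.{40000 + i} > "
                         f"{OUR_IP}.25565: Flags [S], length 0")
    for n in range(20):                           # one probe per second, a different port each time
        lines.append(f"{1382400100 + n}.000001 IP 192.0.2.9.55555 > {OUR_IP}.{20 + n}: Flags [S], length 0")
    for i in range(5):                            # a burst of ordinary HTTPS replies from one peer
        lines.append(f"1382400200.{i:06d} IP 192.0.2.200.443 > {OUR_IP}.51000: Flags [P.], length 1400")
    lines.append(f"1382400200.000009 IP {OUR_IP}.51000 > 192.0.2.200.443: Flags [.], length 0")  # ours, outbound
    return "\n".join(lines)

def parse_capture(text, our_ip=OUR_IP):
    """Keep only packets addressed to our_ip, as (whole_second, source_ip, destination_port)."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dst") == our_ip:
            pkts.append((int(m.group("ts")), m.group("src"), int(m.group("dport"))))
    return pkts

def summarise(pkts):
    """Per source: total packets, peak packets in any single second, distinct destination ports."""
    per_sec, ports = defaultdict(Counter), defaultdict(set)
    for sec, src, dport in pkts:
        per_sec[src][sec] += 1
        ports[src].add(dport)
    return {src: {"total": sum(c.values()), "peak_pps": max(c.values()), "ports": len(ports[src])}
            for src, c in per_sec.items()}

def classify(stats, flood_pps=100, scan_ports=10):
    """flood = sustained high rate; scan = low rate spread over many ports; background = anything else."""
    return {src: "flood" if s["peak_pps"] >= flood_pps
                 else "scan" if s["ports"] >= scan_ports else "background"
            for src, s in stats.items()}

if __name__ == "__main__":
    stats = summarise(parse_capture(build_sample()))
    for src, verdict in classify(stats).items():
        print(f"{src:16} {verdict:10} {stats[src]}")
```

    On a real capture, feed it `tcpdump -n -tt -r capture.pcap` output instead of `build_sample()`; a source that stays in the "background" bucket while the line is still saturated points back at the local-problem explanations given earlier in the thread.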