Slashdot Mirror


Ask Slashdot: Mitigating DoS Attacks On Home Network?

First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."

30 of 319 comments

  1. What evidence do you have that you're being DoSed? by Anonymous Coward · · Score: 5, Insightful

    Everyone is being scanned at every second by bots, do you have any real evidence you're being DoSed? It could be a crappy connection. Seeing a modem light flashing a lot does not mean you're being packeted.

  2. Go to your ISP by ERJ · · Score: 4, Informative

    The nature of a DOS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.

    1. Re:Go to your ISP by Anonymous Coward · · Score: 3, Insightful

      The thing about DoS attacks is that the attacker doesn't need, or want, any return packets, so they're free to spoof whatever "from" IP address they like.
      Bouncing packets "back where they came from" is a recipe for disrupting even more innocent parties.

  3. Not on your end by Lorens · · Score: 3, Informative

    If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).

  4. Re:What evidence do you have that you're being DoS by Leroy+Brown · · Score: 5, Interesting

    Ditto.

    My next question is: is his machine compromised and part of a botnet? I.e., is he the one doing the DoSing, and his router is falling over as a result?

  5. Re:What evidence do you have that you're being DoS by Freshly+Exhumed · · Score: 4, Informative

    Also please post some speed tests from these sites:

    http://www.speakeasy.net/speedtest/

    http://www.speedtest.net/

    Don't forget to run more than one test on each to get a better sample.

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.

  6. Cloud providers... by ayjay29 · · Score: 4, Interesting

    Hi,

    >> I've noticed the IPs trace back to Microsoft or Amazon domains

    This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

    --
    Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.

  7. To answer part of your question by istartedi · · Score: 4, Insightful

    We seem to have attracted the attention of some less than savory types in online gaming

    Followed by:

    And how do they find us with a new MAC address and IP within minutes?

    This is pretty obvious. The game is telling them. Not much of a gamer myself; but I'm willing to wager you can see the IP address from which a particular user is logged on. Maybe the game will let you cloak that. If it won't they can always find you again...

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?

    1. Re:To answer part of your question by istartedi · · Score: 3, Interesting

      I'm not a gamer either, but I suspect most games are controlled by server connections with no p2p connectivity.

      If I were building the kind of games you see depicted on Big Bang Theory, the gameplay would be through the server; but the chit-chat with the headphones would be p2p. There's no point routing all that chit-chat through the server. I guess you could play the game without the headphones; but it would be difficult to coordinate attacks with your partners.

      When I thought about this a bit more, it occurred to me that the person being DoS'd should contact the game company. Now it gets interesting.

      The game company has two aspects of its reputation to defend. 1. It doesn't want players being DoS'd. 2. It doesn't want to LART players based on spurious accusations.

      That means it would have to make sure the suspect is guilty. They could have the user switch IP several times, and only display the new IP to the suspect. If displaying the new IP to the suspect resulted in the DoS being redirected, but displaying the new IP to other users didn't, then that seems like a smoking gun to me.

      Now we get into the whole cost/benefit analysis for the game company to do something like that. It's probably easier just to log complaints against users, and pull the plug on people after N complaints. If say, 8 users from different walks of life have complained that X is DoS'ing them because he got pissed off, then there's a pretty good chance X is guilty. The best thing about this approach is that it works for all kinds of bad behavior, not just DoS'ing. You're going to have to handle complaints about users anyway, so there you have my answer for now:

      Complain to the game company, but not until you've checked to make sure that something else isn't compromising your system.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?

  8. Smells of rootkit by SpaceLifeForm · · Score: 4, Informative

    Something is calling home to give away your IP quickly. What computers and OSes are you using? What antivir? A lot of antivirus programs suck. Shut down everything. Force a new WAN IP on the router. See if the problem occurs with no devices behind the router. If it does, maybe it is the router that is running malware. If still quiet, bring up one machine at a time behind the router and wait a while before doing the next machine. Any wireless devices? Is your wifi *really* secured?

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

  9. Re:What evidence do you have that you're being DoS by benjfowler · · Score: 4, Informative

    Agreed. OP should check the traffic on his own network before jumping to conclusions. As far as congestion goes, if there's a bot on his network pumping out huge amounts of outbound traffic, then that'll stuff his connection just as surely as if some script kiddie was DDoSing him.

  10. Re:What evidence do you have that you're being DoS by next_ghost · · Score: 4, Interesting

    The DSL router itself could be compromised as well. I'd start by booting up a Linux live CD, disconnecting everything else from the network and changing the external IP address again. Then I'd wait to see if they find you again. If they don't, start plugging everything back one device at a time, again checking if they find you after plugging the last device in.

  11. Practical Advice, step by step by RedLeg · · Score: 3, Informative

    You more than likely have something "phoning home" that the bad guys are tracing back to you.

    SO, to track that down, do this in exactly this order:

    1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.

    2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that is connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiguring your router. If necessary, borrow a device from someone you trust.

    3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.

    4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.

    It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.

    If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.

    Hope this helps.

    -Red

  12. Re:What evidence do you have that you're being DoS by Gavrielkay · · Score: 3, Informative

    I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16) and I can't browse the web or watch anything on Netflix. I'm not saying I'm absolutely certain that my Netgear router isn't over-reporting, but there is something going on. And now, rather than being only when we're gaming online and getting threatened by folks, it's constant. I can't figure out what we're being tracked by though. What is there besides MAC address and IP address to latch on to? Something maybe that Windows does that we've been "signed up" for? I just don't know. I'm a software geek, not a network guru sadly.

  13. Re:What evidence do you have that you're being DoS by ledow · · Score: 5, Insightful

    Software geek?

    Put ONE machine on your router.

    Load up Wireshark.

    Put DMZ options on the router to send all unsolicited traffic to that one PC's IP.

    Watch what's being used and where it's coming from and where it's going.

    To be honest, out of all the people who've ever come to me with a similar problem it's either a) a crap router, b) a crap ISP, c) Something on the machine/network talking OUT that's killing the connection (nothing external at all, e.g. P2P apps etc.), d) wireless connections being affected.

    If you are genuinely changing your EXTERNAL IP (your internals mean nothing, your MAC means nothing), and it follows you that quickly, then YOU are broadcasting your location (or it's something internal to the network and nothing to do with packets from the Internet at all).

    I know if I refresh my TF2 server list too often, my router can sometimes crap out.

    Do some proper diagnosis. That means rather than guessing at something and trying things that have NO correlation (MAC addresses), that you follow Sherlock Holmes - when you have eliminated the possible, whatever remains must be the truth. Go through things and eliminate one at a time.

    Put ONE device on the router. Change the router. Change the way you connect to the router. Look what's going out and coming in rather than guessing that you're being DDOS'd (I have yet to witness an actual DDOS in 15 years of network management). Or just talk to your damn ISP (who, almost certainly, will tell you there's nothing DDOS'ing you at all).

    If you're getting a flood of recorded packets, you can see what they are, where they come from, and what prompts them and even how they have "found" you again. If you're just stabbing at solutions in the dark, then you're no better off at all.

    And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

  14. Re:Have you tried... by VortexCortex · · Score: 3, Funny

    changing your ISP?

    They said it didn't matter if they changed the IP address or MAC of the router. This means the attacker can track them across domains. They should try NOT playing the online games after changing the IP address and see if the DoS persists. Also if they are being DoS'ed then a Distributed Reflective DoS (DRDoS) is probably what's causing up to 5 spoofed SYN-ACK packets to be sent per single attacker's packet (SYN Amazon, spoofed target return IP, Amazon tries to complete the TCP handshake with the target). They didn't sign them up for anything, that's the nature of a reflective attack.

    Coincidentally, the surefire way to protect against DRDoS is to simply use DR-DOS, to play games that have far less chance of exposing you to assholes.

  15. Re:What evidence do you have that you're being DoS by Jonah+Hex · · Score: 3, Insightful

    and it follows you that quickly, then YOU are broadcasting your location

    Exactly, it doesn't even have to be sophisticated, set up Dynamic DNS on router/internal PC and it'll play follow the leader for years. "looks like http://imaspawncamper.noobstoddos.dynamicdns.moc/ is back up on nother MAC and IP lulz"

  16. Re:What evidence do you have that you're being DoS by dills · · Score: 4, Interesting

    This is not a DoS attack. Look at how infrequent the packets are...it's essentially background noise that every IP address will see.

    This feels like 2002 all over again, when people had host-based firewalls and would freak out any time they got hit with a port scan, not really understanding what they were looking at.

  17. Re:Are you really being DoSed? by dills · · Score: 3

    The logs you posted are not evidence of DoS, they show a random packet here and there.

    A DoS would be characterized by, at a minimum, thousands of packets per second.

  18. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 5, Informative

    Most of the dynamic addresses there translate to "ep-reverse.nimbus.bitdefender.net", and you say you use BitDefender, this - 63.228.223.103 - is "steamcommunity.com", and one with different port "205.188.155.221:995" is indeed a mail server as specified by port.

    It very well might be just your router bullshitting you. Try asking at dslreports.com, or better yet, try searching there for similar problems.

  19. Re:What evidence do you have that you're being DoS by killkillkill · · Score: 3, Interesting

    Yeah, seems more likely to me he's got a zombie machine on his network participating in DDoS of another target that actually is worth targeting.

  20. Re:What evidence do you have that you're being DoS by SpaceLifeForm · · Score: 3, Interesting

    You are fine. That is normal background noise. Not really a DoS, just normal probes, which are not frequent enough to be considered a DoS. Ignore the terminology that Netgear is using. The slowness you encounter at times likely is upstream from you. You should expect it in the evening.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

  21. Re:What evidence do you have that you're being DoS by HiThere · · Score: 3, Informative

    The advice about recording transmissions sounds like good advice, and I've heard WireShark praised before for that kind of diagnosis.

    If you do that, then you can identify what signals are coming from where. If it's a DDOS, of course, there will be a wide variety of different TCP addresses, but THAT is informative, too. Not directly helpful, but good evidence as to what is going on.

    Don't be too sure that your anti-virus and anti-malware tools actually catch all viruses/malware. They are generally obsolete at the time they are released. They catch the ones known about at the time.

    If the attacks are quite frequent, try booting off a live CD/DVD, say a recent KNOPPIX. (I think that has diagnostic tools. They don't all, so you may need a specialized distro.) That way you can be sure that nothing in the local software is causing the problem. And THEN record the results onto a USB stick.

    P.S.: This is from theory. I've never actually experienced your problem.

    P.P.S.: Did you release your TCP connection? I don't know how to do that under MSWind, which I'm guessing you are using, because you talk about being a gamer. But replacing your router won't automatically do that. It's probably done somewhere in network configuration.

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.

  22. Unlikely by Wrexs0ul · · Score: 4, Informative

    Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.

    Most folks that'd DDOS you aren't that sophisticated, and if they are there's really nothing you can do until someone decides to focus their malice elsewhere.

    The best bet for the poster is mitigation. Talk to the ISP, let them know the situation, and start feeding them a list of IPs to block at their head-end. While you as a client only have X bandwidth before it overwhelms your DSL, they have X^n and are usually amenable to blocking malicious traffic before it screws-up all the clients in an area.

    But, to repeat what's already been said. If the attack's following you to new IPs your only bet is:
    - Factory reset the router, then plug it (and only it) in.
    - Have it get a fresh IP
    - Wait 30 minutes and see if an attack starts
    - Plug-in a known safe device to check the router. Fixed devices like an iPhone or Android phone should work (unlikely that's what's compromised).
    - Use the device to check the router and see what kind of traffic is happening
    - Slowly start reconnecting your devices, one at a time, waiting a safe amount of time in between each.

    If the router starts getting hammered without anything connected you could have a compromised router. Just last year thousands of routers were compromised that had too simple a password and remote access enabled.

    If it starts after a certain device is plugged-in, time to track-down the culprit or (better) format the compromised machine. You're probably safe 90% of the time, but once a machine is rooted it's a good policy to never trust it.

    If the router is getting traffic and you know it's safe, then you might be seeing an attack on your network segment. Only your ISP can help.

    -Matt

    --
    --- Need web hosting?

  23. Re:What evidence do you have that you're being DoS by dutchd00d · · Score: 4, Insightful

    And when you find out that this almost certainly is nothing to do with a deliberate external DDOS, come back here and apologise for wasting our time.

    Pray tell, good sir. If your time is so precious, what are you doing on Slashdot?

  24. Not a DoS by BlackHawk-666 · · Score: 3, Interesting

    Given the log you posted, you are most definitely not being hit with a DoS attack. You are barely taking any traffic at all, with only a few hits / minute.

    [DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
    [DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49

    I mean look at that...there's 21 minutes worth of time passing in just 3 log entries, that's just plain old net noise.

    It's more likely that your ISP is suffering backhaul congestion, or you are running a torrent client, or someone is DLing ultra pr0n at some insane rate or you left your wi-fi open and someone is hijacking it.

    Go to http://www.speedtest.net/ and run a bandwidth check on your network.

    --
    All those moments will be lost in time, like tears in rain.

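
As an added illustration (not code from any poster, and not a Netgear tool), the following Python parses router log entries in the exact format quoted above and turns them into the measure several replies say is the real test: events per second and distinct sources, rather than the scary "DoS attack" label. The 1000 events/second cutoff and the second, constructed flood sample are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Netgear-style log entry, as quoted in the comment above:
# [DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
LINE_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<when>\w+, \w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)
TIME_FMT = "%A, %B %d,%Y %H:%M:%S"   # note the missing space after the day's comma

# Cutoff assumed for this example: replies above put a real DoS at
# "thousands of packets per second"; anything under one per second is noise.
FLOOD_PER_SECOND = 1000.0

# The three entries posted in the comment above (newest first, as logged).
QUIET_LOG = [
    "[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31",
    "[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15",
    "[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49",
]


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "kind": m.group("kind"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "when": datetime.strptime(m.group("when"), TIME_FMT),
    }


def classify(per_second):
    """Map an event rate onto the thread's rule of thumb."""
    if per_second >= FLOOD_PER_SECOND:
        return "flood"
    if per_second < 1.0:
        return "background noise"
    return "elevated"   # worth a packet capture, but not a volumetric DoS


def summarize(lines):
    """Rate, per-source counts and a verdict for a batch of log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return {"events": 0, "sources": {}, "per_second": 0.0, "verdict": "no parseable entries"}
    times = sorted(e["when"] for e in events)
    span = (times[-1] - times[0]).total_seconds()
    # A single-second burst has span 0; treat it as "that many per second".
    per_second = len(events) / span if span > 0 else float(len(events))
    sources = Counter(e["ip"] for e in events)
    return {
        "events": len(events),
        "sources": dict(sources),
        "distinct_sources": len(sources),
        "per_second": per_second,
        "verdict": classify(per_second),
    }


def flood_lines(n=2400, seconds=2):
    """Constructed sample: n entries from n different sources in a 2-second window."""
    base = datetime(2013, 10, 12, 12, 0, 0)
    out = []
    for i in range(n):
        when = base + timedelta(seconds=i % (seconds + 1))        # 12:00:00 .. 12:00:02
        ip = f"198.18.{(i >> 8) & 255}.{i & 255}"                   # benchmark range, constructed
        out.append(f"[DoS attack: SYN Flood] from source: {ip}:80 {when.strftime(TIME_FMT)}")
    return out


if __name__ == "__main__":
    for name, batch in (("posted log", QUIET_LOG), ("constructed flood", flood_lines())):
        s = summarize(batch)
        print(f"{name}: {s['events']} events, {s['distinct_sources']} sources, "
              f"{s['per_second']:.3f}/s -> {s['verdict']}")
```

Run against the three posted lines it reports about 0.002 events per second from two sources, which is the "net noise" the poster describes; the same code on the constructed flood reports 1200/s from 2400 sources.
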
  25. This is not a DOS attack. by LodCrappo · · Score: 3, Informative

    Point 1: The fact that you mention mac addresses and dos in the same question shows that you do not know enough about networking to assess this situation properly.

    Point 2: Home internet connections don't get DOSed. There is no profit in it to justify the effort or risk. Anyone with the skill and capability to attack a network most certainly has better things to do.

    Point 3: All of your symptoms fit perfectly with a local problem. None of them match a DOS very well.

    You very likely have a compromised PC or a PC running something like torrents/other P2P software that isn't properly configured. Use up all your outbound bandwidth either way and you will have exactly the situation described.

    Obligatory: WTF is this doing on Slashdot? It's a basic home user networking issue.

    --
    -Lod

  26. So what? by sillivalley · · Score: 3, Informative

    Executive summary: Welcome to the real world. Everybody with an "always on" connection is getting this kind of crap, it's just that most people don't realize it.

    Discussion: We have a cable modem for internet service. I run a SSH honeypot (Kippo) to collect information on folks knocking on our door.

    Friday morning, my Kippo honeypot recorded a dictionary attack run of 291 SSH login attempts (against root) in 12 minutes (from 178.141.148.236, look it up if you want). I don't even bother to record the crap coming against port 80.

    This isn't unusual, not even for an IP address in a residential cable block! And the more you look for this kind of activity, like running a honeypot, or even reviewing your router logs, the more bewildered you'll become, particularly about how "normal" people's computers survive under these continuous attacks.

    The answer, of course, is that so many do not, their home computers rooted within minutes of being connected to the net, or when a child in the household (using a Windows account with admin privileges) clicks on some enticing link in IE... Their computer gets added to one or more botnets, and eventually they toss it out because it's too slow.

    Suggestions: Make sure your network is as secure as you can make it, then ask for help to make it better. Help those you care about do the same. Friends don't let friends use IE (or windows) is a good start.

  27. Re:What evidence do you have that you're being DoS by Anonymous Coward · · Score: 3, Informative

    This intensity is NOT a DoS. You'd get a flood of messages every second, not singular attempts once an hour.

    This is likely just usual - bots and script-kiddies scanning networks for vulnerabilities. I get a dozen or two of those scans every day as well.

    Nothing to worry about, but it reminds you how the Internet is not a friendly place and how you'd better be updated and not showing out more ports than necessary.

    Shitty connection is probably just that - a shitty connection, and your DSL's tech support would be more useful here. Call them when you're experiencing those slowdowns and try to troubleshoot it.

  28. Re:What evidence do you have that you're being DoS by muridae · · Score: 3, Interesting

    The problem with one device running Wireshark and other devices all connected to a router is that, by virtue of IP, the Wireshark running box won't see the traffic sent to the other PCs. You need to either set up a good Knoppix or Kali Linux boot disc device to act as a pass through, or get a cheap hub, or learn about ARP poisoning to get the traffic to first go to the monitoring box, then get passed along to the target device.

    Ideally, your network would be a very simple DSL modem, not a modem+router. Just a modem or your router reconfigured to bridge mode. Then a hub, yeah, the dumb collision prone boxes are very useful still. Uplink of the hub goes to the modem, and your sniffing box and a good NAT+firewall router get connected to it. Then, behind that NAT and firewall goes your computer. Again, ideally, the sniffing computer will not have requested an IP address, will not even have put its Ethernet port into anything but a passive state. Then you can start up Wireshark. After that, start up your machine you think is attracting the attacks. You can sort Wireshark traffic by incoming and outbound. And if changing the externally visible IP hasn't helped, you want to look at outbound to see what you are sending to whom to get yourself noticed.

    I have done exactly this, and it isn't fun or easy, but it did help pass a few Cisco network tests later. Once you get into packet sniffing, and ARP poisoning switches, and packet manipulation of those ARP poisoned packets, you can do all kinds of interesting things. Upsidedownternet doesn't have to be a proxy, it can be done with any switched network if done right. And then, after you graduate from wired networks to sniffing on wireless (and collecting large logs to break keys, or doing deauth attacks on your own gear to see how your modem+router and PC stand up) then you can start in on a whole world of fun and crazy bit-level cleverness.

    disclaimer: I've cracked WEP back in the PCMCIA days of having a high speed 802.11b card (custom firmware to go into monitor mode) but it was on my own network or with permission (parents wanted to know how long it would take for a neighbor to borrow their wifi, I remember leaving the linux box running about an hour and a half, but sibling had lots of traffic going). WPA deauth attacks are the same way, don't screw with other people without permission. But once you have permission, go wild; showing my younger sibling their AIM chats when they thought 'the network is encrypted, you can't see me' was a hilarious way to spend my first summer home from college.