
Ask Slashdot: Mitigating DoS Attacks On Home Network?

timothy posted about a year ago | from the send-them-to-your-dial-up-line-instead dept.

Security 319

First time accepted submitter Gavrielkay writes "We seem to have attracted the attention of some less than savory types in online gaming and now find our home network relentlessly DoSed. We bought a new router that doesn't fall over quite so easily, but it still overwhelms our poor little DSL connection and prevents us from web browsing and watching Netflix occasionally. What's worse is that it seems to find us even if we change the MAC address and IP address of the router. Often the router logs IPs from Russia or Korea in these attacks (no packet logging, just a blanket 'DoS attack from...' in the log). But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains. Are they spoofing those IPs? Did they sign us up for something weird there? And how do they find us with a new MAC address and IP within minutes? We're looking for a way to hide from these idiots that doesn't involve going to the Feds, although that is what our ISP suggested. Piles of money for a commercial grade router is out of the question. We are running antivirus and anti-malware programs and haven't seen any evidence of hacked computers so far."


319 comments


What evidence do you have that you're being DoSed? (5, Insightful)

Anonymous Coward | about a year ago | (#45109217)

Everyone is being scanned at every second by bots, do you have any real evidence you're being DoSed? It could be a crappy connection. Seeing a modem light flashing a lot does not mean you're being packeted.

Re:What evidence do you have that you're being DoS (1, Insightful)

Freshly Exhumed (105597) | about a year ago | (#45109233)

Exactly. Let's see some logs, please, and let's have some detailed descriptions of your gear so that we can make more than just guesses.

Re:What evidence do you have that you're being DoS (4, Informative)

Freshly Exhumed (105597) | about a year ago | (#45109305)

Also please post some speed tests from these sites:

http://www.speakeasy.net/speedtest/ [speakeasy.net]

http://www.speedtest.net/ [speedtest.net]

Don't forget to run more than one test on each to get a better sample.

Re:What evidence do you have that you're being DoS (3, Informative)

Gavrielkay (1819320) | about a year ago | (#45109905)

I have a speed test site provided by my ISP, which usually runs fine, but when the "attacks" are in full swing my download speed drops to 1 or 2 Mbps (should be around 16) and I can't browse the web or watch anything on Netflix. I'm not saying I'm absolutely certain that my Netgear router isn't over-reporting, but there is something going on. And now, rather than being only when we're gaming online and getting threatened by folks, it's constant. I can't figure out what we're being tracked by, though. What is there besides MAC address and IP address to latch on to? Something maybe that Windows does that we've been "signed up" for? I just don't know. I'm a software geek, not a network guru, sadly.

Re:What evidence do you have that you're being DoS (1)

Anonymous Coward | about a year ago | (#45109867)

Next, can you send us your IP address?

Re:What evidence do you have that you're being DoS (1)

Gavrielkay (1819320) | about a year ago | (#45109935)

I posted one of the logs in another post, my router doesn't provide proper packet logging, or I can't find it. My setup:
Windows 7 Ultimate and Home Premium
Vonage VOIP modem
DirecTV network hookup
NetGear D6200 DSL modem/router
NetGear WN2000RPTv2 wifi extender

We game on Steam but we've tried being logged off and getting a new IP address and still the "attacks" come. We're running bitdefender and malwarebytes. We've got PnP turned off and the firewall configured to allow only what we need for gaming and browsing etc.

Re:What evidence do you have that you're being DoS (5, Interesting)

Leroy Brown (71070) | about a year ago | (#45109273)

Ditto.

My next question is: is his machine compromised and part of a botnet? I.e. is he the one doing the DoSing, and his router is falling over as a result?

Re:What evidence do you have that you're being DoS (2, Informative)

Anonymous Coward | about a year ago | (#45109325)

This would seem like an obvious case here.

If your IP changes, how would the attackers be able to guess the new IP so fast?

Re:What evidence do you have that you're being DoS (1)

Impy the Impiuos Imp (442658) | about a year ago | (#45109745)

Unless they're pounding the entire subnet for some reason, only hitting machines whose ping responds.

Re:What evidence do you have that you're being DoS (2, Informative)

Anonymous Coward | about a year ago | (#45109361)

This.

It is far more likely that he has a compromised internal network and his dsl is being overwhelmed by outbound spam, not an inbound DoS, especially since 'they' find him within minutes of an IP switch. Invest in a good virus scanner dude, and seriously consider a wipe and reload of every system.

Re:What evidence do you have that you're being DoS (4, Informative)

benjfowler (239527) | about a year ago | (#45109507)

Agreed. OP should check the traffic on his own network before jumping to conclusions. As far as congestion goes, if there's a bot on his network pumping out huge amounts of outbound traffic, then that'll stuff his connection just as surely as if some script kiddie was DDoSing him.

Re:What evidence do you have that you're being DoS (4, Interesting)

next_ghost (1868792) | about a year ago | (#45109509)

The DSL router itself could be compromised as well. I'd start by booting up a Linux live CD, disconnecting everything else from the network and changing the external IP address again. Then I'd wait to see if they find you again. If they don't, start plugging everything back one device at a time, again checking if they find you after plugging the last device in.

Re:What evidence do you have that you're being DoS (0)

Anonymous Coward | about a year ago | (#45109589)

BAM!

Re:What evidence do you have that you're being DoS (1)

alostpacket (1972110) | about a year ago | (#45109781)

It's also possible, though maybe less likely that if the game they are playing creates P2P connections between the players for say chat, then they could be revealing their IP that way. Like Freshly Exhumed said above though, it all just guesses without some evidence.

But what do I know, I'm a packet who got lost on his way to 127.0.0.1

Re:What evidence do you have that you're being DoS (1)

Gavrielkay (1819320) | about a year ago | (#45109957)

It happens even when our computers are turned off. I recently reinstalled Windows which had no effect. We both run BitDefender and malwarebytes software. I've got the firewalls rules in the router turned up to only allow certain ports. What else can I check to see if it's us as opposed to outside traffic?
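Several replies in this thread ask the decisive question: is the DSL link being filled by packets coming in from outside, or by a LAN host sending them out? The router's "DoS attack" log cannot answer that; a packet capture can. The following is an added example, not code posted by anyone in the thread. It summarises packet lines in the shape that `tcpdump -nn -q` prints (one line per packet, `tcp N` or `UDP, length N` at the end), attributes bytes to a direction and to the LAN host involved, and counts how many distinct servers each host has connected to on port 25, which is what an outbound spam bot looks like. The regex, the LAN prefix 192.168.1.0/24 and the sample capture are my own assumptions and constructions; check the regex against a real line from your tcpdump version before trusting the numbers.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed LAN prefix; change it to the router's LAN subnet.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample in the shape of `tcpdump -nn -q` output: one host
# fetching a web page, another host opening SMTP sessions to several servers.
SAMPLE_CAPTURE = """\
13:31:15.001 IP 192.168.1.10.51234 > 54.244.30.140.80: tcp 0
13:31:15.002 IP 54.244.30.140.80 > 192.168.1.10.51234: tcp 1448
13:31:15.003 IP 54.244.30.140.80 > 192.168.1.10.51234: tcp 1448
13:31:15.004 IP 192.168.1.20.40000 > 203.0.113.7.25: tcp 1200
13:31:15.005 IP 192.168.1.20.40001 > 203.0.113.8.25: tcp 1200
13:31:15.006 IP 192.168.1.20.40002 > 203.0.113.9.25: tcp 1200
13:31:15.007 IP 192.168.1.20.5060 > 207.244.68.106.5082: UDP, length 412
13:31:15.008 IP 192.168.1.10.137 > 192.168.1.255.137: UDP, length 50
13:31:15.009 IP 198.51.100.5.53 > 192.168.1.1.53: UDP, length 300
13:31:15.010 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""

# "tcp N" is the TCP payload length and "UDP, length N" the UDP payload
# length; headers are not counted, so the byte totals are a lower bound.
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:tcp (?P<tlen>\d+)|UDP, length (?P<ulen>\d+))"
)


def direction(src, dst, lan=LAN):
    """Classify a packet relative to the LAN prefix."""
    src_in = ipaddress.ip_address(src) in lan
    dst_in = ipaddress.ip_address(dst) in lan
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "local"


def summarize(capture_text, lan=LAN):
    packets, nbytes = Counter(), Counter()
    out_by_host, in_by_host = Counter(), Counter()
    smtp_peers = defaultdict(set)          # LAN host -> distinct port-25 destinations
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue                       # ARP, ICMP, IPv6 etc. are not handled here
        length = int(m["tlen"] if m["tlen"] is not None else m["ulen"])
        d = direction(m["src"], m["dst"], lan)
        packets[d] += 1
        nbytes[d] += length
        if d == "outbound":
            out_by_host[m["src"]] += length
            if int(m["dport"]) == 25:
                smtp_peers[m["src"]].add(m["dst"])
        elif d == "inbound":
            in_by_host[m["dst"]] += length
    return {
        "packets": dict(packets),
        "bytes": dict(nbytes),
        "top_outbound_host": max(out_by_host.items(), key=lambda kv: kv[1], default=None),
        "top_inbound_host": max(in_by_host.items(), key=lambda kv: kv[1], default=None),
        "smtp_fanout": {h: len(p) for h, p in smtp_peers.items()},
    }


def verdict(summary):
    """Which side of the link is doing the work. A real flood is far more lopsided than this sample."""
    out = summary["bytes"].get("outbound", 0)
    inc = summary["bytes"].get("inbound", 0)
    return "outbound-dominant" if out > inc else "inbound-dominant"


if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE)
    print(verdict(s))
    for key, value in s.items():
        print(f"  {key}: {value}")
```

A switch port or a Wi-Fi client only sees its own traffic, so the capture has to be taken where all of it passes: on the router itself if its firmware allows it, or on a Linux box with two NICs bridged between the modem and the router. Something like `tcpdump -nn -q -i eth0 > capture.txt` for a minute while the slowdown is happening is enough input for this script; if outbound bytes dominate and one host stands out, the problem is inside the house regardless of what the router log says.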

Re:What evidence do you have that you're being DoS (1)

mjwalshe (1680392) | about a year ago | (#45109321)

From experience, not every second. It doesn't sound like the normal background radiation of scans; scanners will be looking for /wp-admin/, /phpmyadmin and popular packages to exploit.

Re:What evidence do you have that you're being DoS (1)

stridebird (594984) | about a year ago | (#45109843)

I don't think you can call dictionary attacks on phpmyadmin and its possible installation paths a "scan". Well, you can if you want but in what I would call a scan one is scanning available ports for interesting services to attack. ydmv and fairly pointless comment on my part anyway so have a good day.

Gaming platform? (0)

Anonymous Coward | about a year ago | (#45109359)

If I were an online gamer, I'd be more inclined to blame the platform/service than someone DoSing little 'ole me.

Re:What evidence do you have that you're being DoS (1)

Gavrielkay (1819320) | about a year ago | (#45109887)

I have endless lists like this in the logs:
[DoS attack: ACK Scan] from source: 216.39.55.12:80 Saturday, October 12,2013 12:08:28
[DoS attack: ACK Scan] from source: 2.39.202.191:80 Saturday, October 12,2013 12:06:04
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 12:05:13
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 12:04:52
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 12:04:31
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:46:15
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 11:43:49
[DoS attack: ACK Scan] from source: 54.246.143.169:80 Saturday, October 12,2013 11:38:43
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Saturday, October 12,2013 11:38:14
[DoS attack: ACK Scan] from source: 54.246.143.169:80 Saturday, October 12,2013 11:37:54
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 11:31:17
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 11:03:12
[DoS attack: ACK Scan] from source: 54.246.147.204:80 Saturday, October 12,2013 11:01:33
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 11:01:12
[DoS attack: ACK Scan] from source: 54.246.145.162:80 Saturday, October 12,2013 11:00:25
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Saturday, October 12,2013 11:00:01
[DoS attack: ACK Scan] from source: 176.221.80.2:80 Saturday, October 12,2013 10:59:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 10:45:17
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 10:25:43
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 08:43:58
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 08:21:40
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 07:47:41
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 07:37:42
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 07:13:09
[DoS attack: ACK Scan] from source: 46.4.126.76:80 Saturday, October 12,2013 06:14:39
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 06:13:26
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 04:18:08
[DoS attack: ACK Scan] from source: 58.64.205.166:80 Saturday, October 12,2013 03:23:24
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 02:18:01
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Saturday, October 12,2013 01:56:16
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Saturday, October 12,2013 01:55:55
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Saturday, October 12,2013 01:55:33
[DoS attack: ACK Scan] from source: 54.227.236.10:443 Saturday, October 12,2013 01:55:05
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:46:54
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 01:45:59
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Saturday, October 12,2013 01:45:26
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 01:45:05
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Saturday, October 12,2013 01:30:23
[DoS attack: ACK Scan] from source: 46.51.207.184:80 Saturday, October 12,2013 01:30:02
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 01:24:44
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Saturday, October 12,2013 01:22:53
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Saturday, October 12,2013 01:08:27
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 01:08:06
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Saturday, October 12,2013 01:01:19
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 01:00:27
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Saturday, October 12,2013 00:59:33
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Saturday, October 12,2013 00:58:58
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Saturday, October 12,2013 00:58:10
[DoS attack: ACK Scan] from source: 198.50.157.43:443 Saturday, October 12,2013 00:56:58
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Saturday, October 12,2013 00:53:05
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Saturday, October 12,2013 00:52:45
[DoS attack: ACK Scan] from source: 203.211.130.242:80 Saturday, October 12,2013 00:47:18
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Saturday, October 12,2013 00:46:34
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Saturday, October 12,2013 00:41:23
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Saturday, October 12,2013 00:31:26
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Saturday, October 12,2013 00:31:04
[DoS attack: RST Scan] from source: 190.24.142.90:55586 Saturday, October 12,2013 00:20:35
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Friday, October 11,2013 23:54:27
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 23:54:06
[DoS attack: ACK Scan] from source: 89.238.130.247:80 Friday, October 11,2013 23:46:37
[DoS attack: ACK Scan] from source: 202.57.165.7:80 Friday, October 11,2013 23:20:43
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 23:17:17
[DoS attack: ACK Scan] from source: 89.238.130.247:80 Friday, October 11,2013 22:58:10
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 22:53:40
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 22:53:19
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 22:52:46
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 22:52:25
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 22:45:16
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 22:40:24
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 22:40:03
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 22:25:28
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Friday, October 11,2013 22:16:35
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 22:16:14
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 22:15:52
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 22:15:28
[DoS attack: ACK Scan] from source: 64.40.9.68:10646 Friday, October 11,2013 22:08:59
[DoS attack: ACK Scan] from source: 50.97.42.210:80 Friday, October 11,2013 22:05:23
[DoS attack: ACK Scan] from source: 50.97.42.210:80 Friday, October 11,2013 22:04:45
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Friday, October 11,2013 22:03:20
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 22:03:00
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 22:01:43
[DoS attack: ACK Scan] from source: 205.188.155.217:995 Friday, October 11,2013 21:55:15
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Friday, October 11,2013 21:39:31
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 21:39:11
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 21:38:48
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 21:38:26
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 21:35:16
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 21:26:19
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 21:25:59
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 21:19:44
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 21:02:45
[DoS attack: ACK Scan] from source: 46.51.207.184:80 Friday, October 11,2013 21:02:21
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 21:01:55
[DoS attack: ACK Scan] from source: 46.51.207.184:80 Friday, October 11,2013 21:01:34
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Friday, October 11,2013 21:01:14
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 20:55:27
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Friday, October 11,2013 20:49:18
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 20:48:58
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 20:32:31
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 20:32:03
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Friday, October 11,2013 20:25:32
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 20:25:11
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 20:24:49
[DoS attack: ACK Scan] from source: 54.246.131.193:80 Friday, October 11,2013 20:24:18
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 20:12:18
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 20:11:57
[DoS attack: ACK Scan] from source: 141.101.118.203:80 Friday, October 11,2013 19:47:58
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 19:35:15
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 19:34:55
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 19:22:54
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 19:06:54
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 19:06:31
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 19:06:03
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 19:05:40
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 18:58:14
[DoS attack: UDP Port Scan] from source: 207.244.68.106:5082 Friday, October 11,2013 18:57:54
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 18:57:53
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Friday, October 11,2013 18:37:10
[DoS attack: ACK Scan] from source: 54.246.143.169:80 Friday, October 11,2013 18:29:38
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 18:29:16
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 18:28:43
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Friday, October 11,2013 18:21:15
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 18:20:53
[DoS attack: ACK Scan] from source: 27.126.218.188:80 Friday, October 11,2013 17:59:23
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Friday, October 11,2013 17:52:51
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 17:52:30
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 17:52:00
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 17:51:39
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 17:44:11
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 17:43:51
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 17:41:27
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 17:31:27
[DoS attack: ACK Scan] from source: 54.246.131.193:80 Friday, October 11,2013 17:15:42
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 17:14:59
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 17:14:36
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 17:07:13
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 17:06:51
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 17:01:27
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 16:47:30
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 16:46:55
[DoS attack: ACK Scan] from source: 81.22.107.179:56 Friday, October 11,2013 16:43:12
[DoS attack: ACK Scan] from source: 208.64.202.69:80 Friday, October 11,2013 16:40:17
[DoS attack: ACK Scan] from source: 208.64.202.69:80 Friday, October 11,2013 16:39:48
[DoS attack: ACK Scan] from source: 46.51.207.184:80 Friday, October 11,2013 16:38:42
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 16:38:22
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Friday, October 11,2013 16:37:51
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 16:37:28
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Friday, October 11,2013 16:30:09
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 16:29:48
[DoS attack: ACK Scan] from source: 50.19.114.214:443 Friday, October 11,2013 16:29:19
[DoS attack: ACK Scan] from source: 50.19.114.214:443 Friday, October 11,2013 16:28:58
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Friday, October 11,2013 16:26:53
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 16:22:54
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 16:11:46
[DoS attack: ACK Scan] from source: 95.64.37.10:80 Friday, October 11,2013 16:11:20
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 16:10:56
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 16:10:21
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 16:01:26
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 16:01:02
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 15:59:25
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 15:58:57
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 15:53:25
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Friday, October 11,2013 15:53:00
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Friday, October 11,2013 15:52:39
[Time synchronized with NTP server time-g.netgear.com] Friday, October 11,2013 15:36:45
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 15:25:21
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 15:24:13
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 15:19:47
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 15:19:26
[DoS attack: ACK Scan] from source: 54.246.145.162:80 Friday, October 11,2013 15:18:20
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 15:18:00
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Friday, October 11,2013 15:16:58
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 15:15:56
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 14:54:19
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Friday, October 11,2013 14:49:49
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:42:45
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 14:42:20
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:41:22
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 14:40:59
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:39:27
[DoS attack: ACK Scan] from source: 54.208.162.210:80 Friday, October 11,2013 14:39:01
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:38:36
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:32:58
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:26:46
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:25:17
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 14:23:51
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 14:23:30
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 14:23:09
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 14:22:35
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Friday, October 11,2013 14:17:16
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 14:05:42
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 14:05:19
[DoS attack: ACK Scan] from source: 54.236.215.239:80 Friday, October 11,2013 14:04:15
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 14:03:55
[DoS attack: ACK Scan] from source: 81.161.59.32:80 Friday, October 11,2013 14:02:03
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 14:01:42
[DoS attack: ACK Scan] from source: 65.52.24.110:80 Friday, October 11,2013 13:59:04
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 13:44:21
[DoS attack: ACK Scan] from source: 64.94.107.29:80 Friday, October 11,2013 13:36:15
[DoS attack: ACK Scan] from source: 64.94.107.45:80 Friday, October 11,2013 13:35:45
[DoS attack: ACK Scan] from source: 31.13.76.49:443 Friday, October 11,2013 13:35:18
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:34:58
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 13:34:30
[DoS attack: ACK Scan] from source: 66.117.23.101:80 Friday, October 11,2013 13:34:08
[DoS attack: ACK Scan] from source: 72.21.81.168:443 Friday, October 11,2013 13:33:30
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:33:06
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:32:43
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:31:36
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:31:15
[DoS attack: ACK Scan] from source: 66.117.23.101:80 Friday, October 11,2013 13:30:54
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:30:33
[DoS attack: ACK Scan] from source: 66.235.142.2:80 Friday, October 11,2013 13:30:11
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:29:28
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 13:29:06
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 13:28:32
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 13:28:12
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Friday, October 11,2013 13:27:16
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 13:26:55
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Friday, October 11,2013 13:25:01
[DoS attack: ACK Scan] from source: 54.249.10.88:80 Friday, October 11,2013 13:24:41
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Friday, October 11,2013 13:11:39
[DoS attack: ACK Scan] from source: 109.201.152.133:1935 Friday, October 11,2013 13:10:31
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 13:05:25
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 13:04:58
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 13:04:20
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Friday, October 11,2013 12:51:31
[DoS attack: ACK Scan] from source: 54.244.30.140:80 Friday, October 11,2013 12:51:08
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Friday, October 11,2013 12:50:12
[DoS attack: ACK Scan] from source: 54.244.30.147:80 Friday, October 11,2013 12:49:51
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 12:49:30
[DoS attack: ACK Scan] from source: 81.161.59.31:80 Friday, October 11,2013 12:48:01
[DoS attack: ACK Scan] from source: 54.249.0.5:80 Friday, October 11,2013 12:47:40
[DoS attack: ACK Scan] from source: 205.188.155.221:995 Friday, October 11,2013 12:34:22
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 12:32:06
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 12:31:32
[DoS attack: ACK Scan] from source: 27.126.218.188:80 Friday, October 11,2013 12:27:17
[DoS attack: ACK Scan] from source: 173.208.222.206:80 Friday, October 11,2013 12:24:39
[DoS attack: ACK Scan] from source: 46.51.207.184:80 Friday, October 11,2013 12:14:20
[DoS attack: ACK Scan] from source: 63.228.223.103:80 Friday, October 11,2013 12:13:52
[DoS attack: ACK Scan] from source: 54.236.201.39:80 Friday, October 11,2013 12:13:11

Go to your ISP (4, Informative)

ERJ (600451) | about a year ago | (#45109241)

The nature of a DoS attack (overwhelming your bandwidth / router with traffic) means it pretty much has to be handled upstream. Your ISP should be able to filter the traffic at their routers where they have the bandwidth / processing power to do so. Even if you get a super router it doesn't change the fact that they are using up your bandwidth with dud requests.

Re:Go to your ISP (1)

Freshly Exhumed (105597) | about a year ago | (#45109265)

Their ISP sent them to the Feds. So, no help forthcoming from them.

Re:Go to your ISP (0)

Anonymous Coward | about a year ago | (#45109405)

If so, the solution is to change ISPs. Threaten them with cancellation if they don't mitigate the problem. The odds of them doing anything are slim, but it might work.

DDoS attacks need to be handled at the network hardware level. The upstream provider should be routing those packets, once detected, into null space. Personally I would like to see them route all DDoS packets right back to the source, but that is probably mutually assured destruction.

If they are coming from Amazon's cloud services, that is Amazon's problem. They should detect it, and immediately disable the account. But that might cost them money, and hurt Jeff Bezos' stock.

Re:Go to your ISP (3, Insightful)

Anonymous Coward | about a year ago | (#45109475)

The thing about DoS attacks is that the attacker doesn't need, or want, any return packets, so they're free to spoof whatever "from" IP address they like.
Bouncing packets "back where they came from" is a recipe for disrupting even more innocent parties.

Re:Go to your ISP (1)

v1 (525388) | about a year ago | (#45109597)

Bouncing packets "back where they came from" is a recipe for disrupting even more innocent parties.

Sounds like the DDoS version of "backscatter spam".

Re:Go to your ISP (1)

stridebird (594984) | about a year ago | (#45109853)

Bouncing packets "back where they came from" is a recipe for disrupting even more innocent parties.

Aye. DNS amplification attack, for example.

Re:Go to your ISP (1)

malacandrian (2145016) | about a year ago | (#45109959)

If you're just bouncing, with no additional information it's not an amplification attack, just reflected.

Re:Go to your ISP (0)

Anonymous Coward | about a year ago | (#45109279)

Indeed, if your uplink is saturated then mitigating on your home network is moot. If your ISP isn't able to help, there are third-party companies that offer mitigation services such as Cloudflare, Black Lotus, and Block Dos, although some of the services are costly.

Have you tried... (2, Insightful)

Endloser (1170279) | about a year ago | (#45109249)

changing your ISP?

Have you tried... (0)

Anonymous Coward | about a year ago | (#45109289)

RTFA!

Re:Have you tried... (-1)

Anonymous Coward | about a year ago | (#45109479)

Pull your head out of your ass and RTFA yourself, moron.

Re:Have you tried... (0)

Anonymous Coward | about a year ago | (#45109483)

Dying in a fire?

From your ISP? (0)

Anonymous Coward | about a year ago | (#45109261)

I'm no expert. Could it be coming from your ISP? I suppose the method being used could give you an idea of whether the attacker is outside of your service provider (i.e. UDP).

Not on your end (3, Informative)

Lorens (597774) | about a year ago | (#45109269)

If you're really being DOS'ed with more bytes per second than your little DSL can take, there isn't much you can do to mitigate it on your side. Either your ISP helps out, or you change your IP and they *don't* find your new one (how are they finding it?), or you make them stop (fat chance).

SubjectsInCommentsAreStupid (2)

lesincompetent (2836253) | about a year ago | (#45109293)

I've seen some SOHO routers' firmware sporting this alleged "DoS protection". I think it's just a marketing point.
No idea of how the detection works but this sounds like a false positive to me.
And wouldn't your ISP notice first too?
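To put the "false positive" suspicion above to a concrete test, here is an added example (not code from any poster in this thread) that parses router "DoS Attack ... from source" log lines and separates a sustained flood from scattered scan noise. The log line format, the constructed sample entries and the threshold of 100 events per minute are all assumptions; adapt the regex to what your router actually writes.

```python
"""Triage a SOHO router's "DoS Attack" log: sustained flood or scattered noise?

Added example for this thread, not code from any poster.  The log format,
the sample lines and the flood threshold are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line format (constructed; real routers vary):
#   2013-10-16 10:20:01 [DoS Attack: SYN Flood] from source: 198.51.100.7, port 80
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), port (?P<port>\d+)$"
)

# Constructed sample: three isolated entries a few minutes apart.  Entries like
# these, from ports 80/443, are what an over-eager "DoS protection" feature
# often produces for ordinary scans or late return traffic.
SCAN_NOISE_LOG = """\
2013-10-16 10:20:01 [DoS Attack: SYN Flood] from source: 198.51.100.7, port 80
2013-10-16 10:20:40 [DoS Attack: SYN Flood] from source: 198.51.100.9, port 443
2013-10-16 10:23:15 [DoS Attack: UDP Flood] from source: 198.51.100.12, port 27015
"""


def build_sample_log():
    """Constructed log: the scan noise above, then 150 UDP entries in 30 seconds
    from 150 distinct addresses (203.0.113.0/24 is a documentation range)."""
    start = datetime(2013, 10, 16, 10, 30, 0)
    burst = []
    for i in range(150):
        ts = start + timedelta(seconds=i // 5)          # five entries per second
        burst.append(
            f"{ts:%Y-%m-%d %H:%M:%S} [DoS Attack: UDP Flood] "
            f"from source: 203.0.113.{i + 1}, port 27015"
        )
    return SCAN_NOISE_LOG + "\n".join(burst) + "\n"


def parse_log(text):
    """Return a list of event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated router chatter
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "kind": m["kind"],
            "src": m["src"],
            "port": int(m["port"]),
        })
    return events


def peak_rate(events, window=timedelta(seconds=60)):
    """Largest number of events inside any sliding window of the given length."""
    times = sorted(e["ts"] for e in events)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # drop events that fell out of the window
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(events, flood_threshold=100):
    """Classify as 'quiet', 'scan-noise' or 'sustained-flood' and summarise.

    Source addresses in a flood are cheap to spoof (the attacker needs no reply),
    so the per-source counts say 'one source' versus 'many sources', nothing
    more; they are not evidence about who is behind the traffic.
    """
    if not events:
        return "quiet", {}
    sources = Counter(e["src"] for e in events)
    summary = {
        "events": len(events),
        "peak_per_minute": peak_rate(events),
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(3),
        "kinds": dict(Counter(e["kind"] for e in events)),
    }
    verdict = "sustained-flood" if summary["peak_per_minute"] >= flood_threshold else "scan-noise"
    return verdict, summary


if __name__ == "__main__":
    for name, text in (("noise only", SCAN_NOISE_LOG), ("with burst", build_sample_log())):
        verdict, summary = triage(parse_log(text))
        print(f"{name}: {verdict} {summary}")
```

Even a "sustained-flood" verdict only says the router's own classifier fired repeatedly; whether the DSL uplink is actually saturated is something only the ISP side of the line can confirm.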

How are they finding you? (0)

Anonymous Coward | about a year ago | (#45109297)

If they can find you even after you change your IP address, it's possible you have malware in at least one of your computers. Either that, or the game servers you connect to are controlled by the botnet masters.

Re:How are they finding you? (1)

Jacob Leclerc (2876617) | about a year ago | (#45109883)

If this user does nothing before they 'find' him, he must have it on his system already. If connecting to a certain game triggers it, find a different server.

Speed of discovery (0)

Anonymous Coward | about a year ago | (#45109301)

If they're finding you so quickly, I'd guess there's something compromised inside your network.

What did you do? (-1)

Anonymous Coward | about a year ago | (#45109307)

Were you a douchebag online? People rarely go out of their way to attack others for 'no reason'.
Expended effort and all that...

What did you do... Don't do that.

compromised device or web account (0)

Anonymous Coward | about a year ago | (#45109309)

A device on your home network may be compromised (PC, network printer, Tivo, DVR, ...) or your email account or some other service that you log into may be compromised (For example, you can determine what IP address an email was sent from if you have access to the mail account).

Are you really being DoSed? (0)

Anonymous Coward | about a year ago | (#45109315)

But are you really being DoSed?
1) Check to see if other devices that aren't yours are using your router. Maybe your neighbour is using your WiFi.
2) If nobody else is using your WiFi, turn off/disconnect all your devices except the router. Does the network activity light still flash a lot?

If the network activity still flashes a lot then yes you might be being DoSed. If it doesn't then you are not being DoSed, at least not from the outside.

If you now figure you are not being DoSed try connecting directly to your router via a network cable (assuming it has a network port), if the connection is very stable then what you are experiencing is problems with your WiFi connection and not DoS.

If you are being DoSed from outside, turn off any dynamic DNS stuff and then try getting your router to reconnect to change your IP. You should no longer be DoSed at this point unless something strange is going on.

Re:Are you really being DoSed? (2)

TheLink (130905) | about a year ago | (#45109367)

Note: if someone on your network has been using P2P you may have to wait for a while when doing 2) since peers may still be trying to connect/respond to your router's IP. If it's still flashing like crazy after more than 30 minutes then you're probably being DoSed.

A few blinks every few seconds is not a DoS. Being DoSed = continuous blinking like a fast continuous data transfer.

Home solution (1)

tha_toadman (1266560) | about a year ago | (#45109319)

pfSense + snort.

Re:Home solution (1)

houstonbofh (602064) | about a year ago | (#45109729)

Agreed. pfSense or m0n0wall can both display a state table and let you know what traffic is really going where. You need a router you can look inside with an external IP address.

Cloud providers... (4, Interesting)

ayjay29 (144994) | about a year ago | (#45109323)

Hi,

>> I've noticed the IPs trace back to Microsoft or Amazon domains

This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

Re:Cloud providers... (1)

tgd (2822) | about a year ago | (#45109845)

Hi,

>> I've noticed the IPs trace back to Microsoft or Amazon domains

This is probably stuff running on VMs in Amazon or Azure cloud services. Users can create VMs with insecure passwords and they are often the target of attacks.

At least in Azure, you have to go out of your way to do so -- both the out-of-the-box Linux VMs and Windows VMs create your primary user account for you, and they do some reasonable password strength checks on it.

Azure/AWS (0)

Anonymous Coward | about a year ago | (#45109327)

> But more often lately I've noticed the IPs trace back to Microsoft or Amazon domains

Obviously they're using Azure and AWS machines to launch attacks...

Re:Azure/AWS (0)

Anonymous Coward | about a year ago | (#45109403)

+1 On this.
(Also, I was surprised to find numerous phishing pages based on Azure, but no report page, if you have any hint...)

Well that settles it. (1)

Anonymous Coward | about a year ago | (#45109329)

I was thinking of being obnoxious in an online game, but now that I know there are consequences, I don't think I will.

They know your IP address? (1)

89cents (589228) | about a year ago | (#45109333)

Most gaming services don't show other users your IP address as things like a DoS could happen. Unless they are the admins of the game or you are using a third party service that they have access to such as a Teamspeak/Ventrilo server, guild/forum web server, etc. Be careful of what you visit. Also, even the best router is not going to stop your internet pipe from getting flooded with incoming packets.

Zombie (1)

BlackHawk-666 (560896) | about a year ago | (#45109335)

Check your system *thoroughly* for malware - you might be a part of the zombie network i.e. your system is compromised and picking up orders from a master controller - then sending out spam, kiddie pr0n, and plans for 3d printed parts.

A good backdoor shouldn't overwhelm your network, but it's still worth checking.

Re:Zombie (0)

Anonymous Coward | about a year ago | (#45109467)

THIS.

You have a computer infected with malware.

Nuke them from orbit, it's the only way to be sure.

Assuming That You Really Are Being DoSed (2, Insightful)

Anonymous Coward | about a year ago | (#45109337)

My bet is that you are participating in some sort of P2P network, file sharing, Spotify... I don't think you are being targeted due to gaming.

And how do they find us with a new MAC address and IP within minutes?

Assuming that this is indeed a malicious DoS attack, there is something inside your network that is tipping them off. P2P gaming software, chat software, malicious local software. There is no way for them to simply find you with a new external IP.

As others have already stated, the only way to mitigate a saturated pipe DoS is to filter upstream, your ISP or their ISP.

To answer part of your question (4, Insightful)

istartedi (132515) | about a year ago | (#45109353)

We seem to have attracted the attention of some less than savory types in online gaming

Followed by:

And how do they find us with a new MAC address and IP within minutes?

This is pretty obvious. The game is telling them. Not much of a gamer myself; but I'm willing to wager you can see the IP address from which a particular user is logged on. Maybe the game will let you cloak that. If it won't they can always find you again...

Re:To answer part of your question (1)

Anonymous Coward | about a year ago | (#45109413)

I'm not a gamer either, but I suspect most games are controlled by server connections with no p2p connectivity. It would be chaos if you could just get everyone's IP who is logged into a game easily :) Perhaps there are p2p games (like old internet or LAN games, or user hosted servers), but it seems like a security issue to me, and I would expect everything modern is server-side only.

Re:To answer part of your question (3, Interesting)

istartedi (132515) | about a year ago | (#45109641)

I'm not a gamer either, but i suspect most games are controlled by server connections with no p2p connectivity.

If I were building the kind of games you see depicted on Big Bang Theory, the gameplay would be through the server; but the chit-chat with the headphones would be p2p. There's no point routing all that chit-chat through the server. I guess you could play the game without the headphones; but it would be difficult to coordinate attacks with your partners.

When I thought about this a bit more, it occurred to me that the person being DoS'd should contact the game company. Now it gets interesting.

The game company has two aspects of its reputation to defend. 1. It doesn't want players being DoS'd. 2. It doesn't want to LART players based on spurious accusations.

That means it would have to make sure the suspect is guilty. They could have the user switch IP several times, and only display the new IP to the suspect. If displaying the new IP to the suspect resulted in the DoS being redirected, but displaying the new IP to other users didn't, then that seems like a smoking gun to me.

Now we get into the whole cost/benefit analysis for the game company to do something like that. It's probably easier just to log complaints against users, and pull the plug on people after N complaints. If say, 8 users from different walks of life have complained that X is DoS'ing them because he got pissed off, then there's a pretty good chance X is guilty. The best thing about this approach is that it works for all kinds of bad behavior, not just DoS'ing. You're going to have to handle complaints about users anyway, so there you have my answer for now:

Complain to the game company, but not until you've checked to make sure that something else isn't compromising your system.

Re:To answer part of your question (1)

Pozican (864054) | about a year ago | (#45109425)

There's been a flux of "famous" players getting DoS'ed even in games with no peer to peer connections. Turns out it was skype.

Re:To answer part of your question (0)

Anonymous Coward | about a year ago | (#45109545)

Have you considered hiding your IP with a commercial VPN?

Re:To answer part of your question (2)

Impy the Impiuos Imp (442658) | about a year ago | (#45109755)

That used to happen in Quake all the time -- to gain an advantage, people would pound competitors' machines to slow their "ping" as it was the equivalent to making their reaction times drunk.

Re:To answer part of your question (1)

Tex Bravado (91447) | about a year ago | (#45109879)

Isn't (wasn't) that 'For all intents and purposes' ? Or is that no longer a phrase ?

Practical ways to fix it (0)

Anonymous Coward | about a year ago | (#45109369)

Assuming that it is a DoS and not just a terrible connection:
Are you sure that they don't have a virus on your home machine or your router firmware? It's possible they're using that to track your MAC and IP.
If I were in your position I would start by:
1) Low level formatting on all of your boxes
2) Either replace, or factory reset the router
3) Change your ISP. Technically speaking they should be able to detect and block such an attack from their core routers. So why can't they help you? Clearly they're either technically incompetent or just don't care. Either way I'd switch.

If those three steps don't work, you might have no choice but to enlist help from the Government (whenever it comes back online itself :) )
Good luck with it, hopefully you can sort this out.

Re:Practical ways to fix it (0)

Anonymous Coward | about a year ago | (#45109847)

1) Low level formatting on all of your boxes

Low level formatting anything has ceased being useful roughly 20 years ago. Nowadays, unless you find yourself in very unusual circumstances and know exactly what you're doing, low level formatting will either accomplish nothing or make your drive unusable.

Dude, you got malware (0)

Anonymous Coward | about a year ago | (#45109371)

and ET is phoning home. You should get some EFFECTIVE firewall and antivirus and get a pro to clean your system properly first.

easy way out (1)

shentino (1139071) | about a year ago | (#45109373)

If you managed to piss someone off that is now DoS'ing you like this chances are you're screwed and the attacks are only going to stop when your ISP gets fed up with it and pulls the plug on you.

there also torrent (1)

Behrooz Amoozad (2831361) | about a year ago | (#45109389)

I personally know a lot of guys using Azure and AWS to seed torrents. It may just be normal torrent behavior (i.e. peer exchange, port punching) having connections being initiated from outside and making your router think they're attacks.

Use VPN (0)

Anonymous Coward | about a year ago | (#45109393)

Unless you have very special relations with your ISP, DoS mitigation for a home network is not possible. Try to make sure that you do not attract the attack to your own IP address by using a VPN to an external provider that will handle it for you. It may present some issues for games sensitive to connection latency, but it is still better than dealing with a DoS. If you are technically savvy, bringing up a micro instance in the closest Amazon datacenter and tunneling to it from a DD-WRT router via OpenVPN is cheap and good (though not necessarily easy to configure).

How are they finding you? (0)

Anonymous Coward | about a year ago | (#45109397)

And how do they find us with a new MAC address and IP within minutes?

You're changing your MAC address? wut? and why? But anyway...

Assuming it's really a DOS attack (as above,) and assuming you're really being targeted somehow (dubious, but OK,) and assuming that it's actually *you* and not your ISP's IP ranges being targeted, and assuming you're actually getting a different IP address and they're still finding you....

Then QED, you've got either some connection running that your adversary is reading (can't think of what that would be - but something like cloud storage and they're able to read the access logs???), or far more likely you have one or more compromised computers or devices which is broadcasting your location to whatever botnet is on you. Have you looked at your hosts files on your machines, and have you checked to see what DNS services you're using?

But I'm really with others above: Why haven't you talked to your ISP about this?

Re:How are they finding you? (1)

ziggit (811520) | about a year ago | (#45109625)

Not to mention, the only actual MAC address that would remotely matter would be the modem's MAC address. And that would only matter until the next hop when the packet was out of that collision domain (OK, probably more like outside the hands of your ISP since they have your information on file).

I don't see why people are so paranoid about their MAC addresses. I could maybe see it in a coffee shop where someone can pull the AP's logs, but across the Internet, the only one who's gonna be able to see anything relating to your MAC address is going to be your ISP, and considering that they frequently identify customers by the MAC address of their modem, it's not like it's something that can change.

It's not like I've ever ranted about this before or anything.

Smells of rootkit (4, Informative)

SpaceLifeForm (228190) | about a year ago | (#45109409)

Something is calling home to give away your IP quickly. What computers and OSes are you using? What antivirus? A lot of antivirus programs suck. Shut down everything. Force a new WAN IP on the router. See if the problem occurs with no devices behind the router. If it does, maybe it is the router that is running malware. If still quiet, bring up one machine at a time behind the router and wait a while before doing the next machine. Any wireless devices? Is your wifi *really* secured?

Re:Smells of rootkit (1)

Anonymous Coward | about a year ago | (#45109453)

Among the wireless devices to check don't forget web enabled cellphones with malicious apps.

Re:Smells of rootkit (1)

toygeek (473120) | about a year ago | (#45109565)

This. Antivirus programs don't stop/fix rootkits. You likely have a compromised computer that is a zombie. TDSSKiller is a good start, Combofix if you need to. I'd go to bleepincomputer.com's forum and ask around there. If you're reluctant to do so, then at the very least run Malwarebytes' Anti-Malware on all your PCs ASAP.

Use multiple tools (1)

Gibby13 (2675437) | about a year ago | (#45109411)

Right now I am using Zentyal (IDS module) and CSF (ConfigServer Security and Firewall). I really like CSF, especially the ability to easily block whole countries. In the past I have used Untangle and pfSense.

Re: Use multiple tools (1)

Gibby13 (2675437) | about a year ago | (#45109427)

I forgot to add, fail2ban and change to non standard ports will help some too.

No silver bullet, but steps you can take. (1)

Anonymous Coward | about a year ago | (#45109465)

Small game server operator here. I used to get DDOSed and DOSed regularly (once a month) on my 50/5 megabit cable line.

What I did was deploy pfsense with snort (with all the emerging threats rules enabled). It will log attacks and it will be plain as day when you are ddosed or dosed.

The next step is to provide those logs along with a plea to the abuse addresses for the hosts from which the attacks originate. I have had responses ranging from complete empathy to complete ridicule.

What would be cool is detection and reputation ranking for compromised nodes, so each router on the internet can decide whether or not they want to route traffic from the assholes who are part of the botnet.

Since this will never happen, I resorted to learning the basics of amassing a simple botnet and pointing it at the origin of the compromised hosts which were attacking me. This is done either in whole or in part and is very simple with some simple IRC tricks.

I should mention that the game I host is an open source indie game that is totally free to play.

Identify the underlying problem... (0)

Anonymous Coward | about a year ago | (#45109477)

The key is going to be determining how they are locating your new address, and then resolving that issue. Both Amazon and Microsoft have free hosting offers that could be used to generate attacks on a low bandwidth site such as that on the average DSL circuit.

Some simple suggestions (1)

eexaa (1252378) | about a year ago | (#45109485)

If you are not actually _hosting_ the game (in which case you are f-ed, because you simply need to examine all the packets by yourself, but from the fact you were not talking about any server I somehow suppose that you are just connecting), carrier-grade or similar NAT perfectly solves this problem. Your ISP should be able to hide you in an inner network in no time this way.

a suggestion for you that might help (1, Informative)

RobertLTux (260313) | about a year ago | (#45109489)

1 unplug your gateway device (dsl modem) and your router
2 on a known clean system download and create a Windows Defender Offline flashkey/dvd (you will need either or both of the 32 and 64 bit versions)
3 shut down ALL of your computers
4 make and have %meal% (don't forget the dishes)
5 run WDO on one computer (make sure it completes successfully)
6 plug in your dsl modem and wait for the blinky lights to settle
7 plug in your router and wait for its blinky lights to settle
8 plug in the computer that was scanned (and only that one)
9 see if the problem shows back up

10A IF NO: then FOR EACH IN ListOfComputers do 5 ,8 and 9 with the next computer IF RemainingComputers = 0 then GOTO 11
10B THEN dial tel:8002255324 and explain the situation
11 Spend some of your Profit! on a better AV solution

Change order of step 1 and 2 (1)

SpaceLifeForm (228190) | about a year ago | (#45109553)

Actually, he probably needs to go to some other location to be able to download tools in a timely manner.

Re:a suggestion for you that might help (1)

Anonymous Coward | about a year ago | (#45109713)

0 Take a class on how to communicate with humans.

Knoppix test (0)

Anonymous Coward | about a year ago | (#45109501)

Since you haven't shared any logs it's hard to say if it is you doing this to yourself with an infected box or if you are actually being DOS'd. A simple test would be to download Knoppix, or some other LiveCD, boot into it and see if your problems disappear. For this to work you obviously need everything else on your network offline while you try this; that includes cell phones, refrigerators or whatever. If you are being DOS'd you will need your ISP's help; if they can't do it, or are unwilling, change ISPs.

The ways I can think that they are finding your IP so quickly are 1) You have your own domain or 2) You have a program calling home.

HTH

VPN Proxy (0)

Anonymous Coward | about a year ago | (#45109541)

It depends on what you're playing, MMOs you can easily keep your IP a secret since you're all playing together through the game server, but if it's a FPS where one player hosts the game then you'd need to play through a proxy. It will cause some additional latency going through the proxy however so it may not be a viable option. I know most of the streamers on Twitch use Skype through a proxy and that's good enough for them.

Malware check? (0)

Anonymous Coward | about a year ago | (#45109543)

It seems strange that, a) people could be that bothered to DoS you, b) that they find your IP address over and over. Have you considered that maybe something inside your network is the cause? Like people have mentioned, you need to quantify whether this is an actual DoS attack, simple port scanning or botnet connection attempts, or a malware/virus infection.

If you have a reasonable packet filtering firewall on the router this should be sufficient to prevent most attacks; check the internal machines for any strange connections, the netstat command is available on all OSs afaik.

If everything is ok on your side and this is a genuine attack (god knows how you pissed someone off that much) then contact your ISP for some help.

Good luck, hope you get some resolution.

Go to the cops (1)

Giant Electronic Bra (1229876) | about a year ago | (#45109547)

Document what's happening as thoroughly as you can, and the whole history of the thing, and then go to the state police in your state. They may refer you to the FBI, and I'm guessing will not be all that eager to deal with the issue, but it's a crime being committed against you and you should have the benefit of law enforcement to whatever degree they can feasibly help you. At the very least you will have documented what is happening and they'll know about it, so that if the situation evolves they will have a clear understanding of what's going on. DOS by itself probably isn't really too alarming to them, but I've seen these things evolve into threats, vandalism, etc, and they'll take that sort of thing more seriously.

I also have to concur with other posters. SOMETHING has to be allowing them to discover your IP/MAC addresses even when they change. I'd assume you have some sort of malware on some system on your network that is the culprit. It's possible they could have compromised your ISP or in theory there could be other ways to obtain that information, but the simple explanation is your PC is telling them where it is. Burn it down to a bare drive and reinstall from scratch, then run some good AV/IPS software, and consider packet logging all outgoing traffic to see if you can spot something.

Re:Go to the cops (0)

Anonymous Coward | about a year ago | (#45109773)

Yeah, "Go to the cops" is going to work. If they do understand half the lingo you will use to explain your situation, they are just going to file a police report and charge you if you want a copy. You have a sploited box and need to figure out if it's a PC, or router, or even a printer or VoIP device on your network. If you have a smart TV make sure to count that as a computer, as well as all your cell phones that are attached via wi-fi. Next, download Wireshark, and spend the next few weeks learning how to install your favorite *nix distro. If there is no immediate physical threat, the police will not waste their time with this.

Monitor all your outbound traffic from your own PCs and become a Network Security GURU. Set up a smoothwall with parameters to discard, not reject, inbound packets with the same behavior patterns as the ones you have been seeing. Install and learn to use Logstash as an IDS; this will require you to learn how to set up sysmon or another monitoring system to generate logs, but then you can set it up to poll your logs and modify it interactively. Good luck, and may the force be with you...

Practical Advice, step by step (3, Informative)

RedLeg (22564) | about a year ago | (#45109549)

You more than likely have something "phoning home" that the bad guys are tracing back to you.

SO, to track that down, do this in exactly this order:

1. Prepare to reconfigure your router for new IP / MAC, but do not reboot it, yet. Make sure the router is NOT registering with some dynamic DNS service, if it is, that's probably part of the problem. Your ISP may be doing that for you, if so, ask them to change your reverse lookup name.

2. Power down every other computing device on the network. I'm assuming you have a wireless router? If so, track down everything that is connected to it, and power those down too. Save your most trusted device (an iPad perhaps?) for monitoring / reconfiging your router. If necessary, borrow a device from someone you trust.

3. Press "go" to reconfig the router, and observe. Your DOS should go away. If it does not, either the reconfig was unsuccessful, your ISP is somehow part of the problem, the router is registering itself somehow, or the router itself is infested.

4. Assuming the DOS abated, one by one, power up the devices you previously disconnected and observe. If the DOS starts after powering up a particular device, that's the culprit. There may be more than one. Do this slowly, to make sure as you power up a device, it's not waiting some period of time before calling home.

It would not be a bad idea to get your ISP on the phone, explain what you think is going on, and ask them to observe your traffic as you go through the above steps. If something "phones home", and you miss it, they should be able to see the traffic on their segment of the wire.

If you are successful at tracking down a culprit system, enlist the help of the anti-malware vendor in isolating the offending bits. Do this BEFORE you re-image the system. They would probably appreciate a sample. Of course, this assumes you are running anti-malware software on your endpoints.....

Hope this helps.

-Red

Re:Practical Advice, step by step (0)

Anonymous Coward | about a year ago | (#45109895)

Additionally, run something like Wireshark. You can then see what you're sending out and rather quickly see if you are sending an invitation to some bot to come and hassle you.

Easily found back? (2)

gmuslera (3436) | about a year ago | (#45109575)

Unless you have some external name for your home connection (i.e. using DynDNS or similar if your IP is dynamic), it is probably something you have in your network, like being part of a botnet, having a misconfigured P2P client, or something that from inside announces itself to be accessed by others. Disable all the services that you know access the outside by themselves (i.e. checking for software updates), and try to track down everything you don't know about that accesses the outside by itself when the IP changes.

They could also find you because you have an easy-to-detect service that is exploitable. Knowing where they access and connect could be useful; even having an IP camera accessible from outside with a fixed admin password could be enough to cause that kind of behaviour. Considering that scanning the entire internet takes less than an hour [slashdot.org], a lot of people could be doing so all the time, so anything exposed you have could be easily detected.

Having antivirus is no guarantee of safety; some malware could be active for years [arstechnica.com] before AV companies even hint that something could be there (and probably US-based security products will be hardcoded to not report anything that could look like an NSA backdoor or malware). While it is not a guarantee of not catching malware, using Linux or even Mac OS X lowers the odds a lot.

Are they on your segment? (1)

bytesex (112972) | about a year ago | (#45109577)

What's your router's MAC address got to do with it?

Re:Are they on your segment? (1)

SeaFox (739806) | about a year ago | (#45109731)

He's likely on an Internet connection that uses a bridged modem and DHCP to assign IP addresses. He would have to change the MAC of the router to appear to be a new device connecting on his ISP's network if he wanted a new public IP address.

Re:Are they on your segment? (1)

bytesex (112972) | about a year ago | (#45109827)

Okay. Sure. Hadn't thought of that. I also understand that buying a DDoS is easy these days: even schoolkids do it.

The OP (0)

Anonymous Coward | about a year ago | (#45109583)

The OP doesn't have the slightest idea of what he is talking about. WTF with MAC and spoofing.

Also you don't mitigate a DoS, you either absorb it and wait till it stops, or you disappear and use another IP address thus effectively null routing your old connection.

In any case, if the attacker has a bigger pipe than you, then you're doomed.

Helpful advice (0)

Anonymous Coward | about a year ago | (#45109623)

First, look around your house, can you find something to make a rudimentary lathe?

You have Pando Media Booster (1)

rhazz (2853871) | about a year ago | (#45109645)

Sounds very much like you have the Pando Media Booster problem. This is a P2P client that gets installed automatically with certain games, and basically whores your internet connection for other gamers to download the game client from. It is not commercially defined as malware, but its stealthy nature and bandwidth saturation certainly make it seem like it. It is basically a BitTorrent client you don't control, so that could easily explain why you see connections coming in from random places and low bandwidth. You do not need this software to play your games, and I believe it can be uninstalled quite easily and separately from your game clients. http://www.lo-ping.org/2011/07/29/the-pando-pandemic-why-you-might-already-be-infected/ [lo-ping.org] I had bandwidth issues and this turned out to be the cause. In my case my wife had it on her machine after downloading some random MMO (Star Trek or Aion or something).

I'd try this... (1)

ewhenn (647989) | about a year ago | (#45109651)

Sounds more like an internal compromised machine. Use a live Linux CD, and shut down all other devices on your network except one PC. This includes phones, tablets, PCs, etc. Reboot that remaining PC with the Linux CD. Reset the MAC address on your router to get a new IP. At that point you can be 100% sure that you don't have a compromised machine. If the flooding stops, a machine is compromised; dimes to donuts that's the cause.

Deal with trolls just like you deal with ghosts (1)

Tasha26 (1613349) | about a year ago | (#45109657)

If those three stages of demonic possession are true:
1) Infestation
2) Oppression
3) Possession
...I think you're experiencing 1 and 2. Time to call in an expert.

The simple answer (2)

Anonymous Coward | about a year ago | (#45109699)

It's you.

If you went out and got a new IP and within minutes they "found" you again, really? C'mon. If that's the case, you seem to have pissed off the world's greatest hacker. It's either that or there is a sustained attack on that block of IPs that your ISP is using for DHCP or static assignments, AND if THAT's the case, then your ISP is being DOS'ed.

But really, download a LiveCD and disconnect everything in your network except the box you use with the LiveCD and see if the issue disappears. Then plug in each device one at a time and see when you are "found" again. But wait, there's more! Say you plug it all back in and everything is working as it should, then you remove said LiveCD and reboot the test box back into zombie fest, er, the original OS and you are "found" again. So you know, that would be the infected box. Backup important files and reinstall the whole system.

Good Luck Space Ranger!

So.. I doubt you're actually, really getting DOS'd. (1)

megabeck42 (45659) | about a year ago | (#45109717)

I can envision two scenarios. First, the less likely one.

First Scenario: Trojan Horse
One or more machines on your network have been infected/trojaned/compromised somehow. Every time you switch your external IP address, the infected machine dutifully contacts its nefarious overlords with the news. There's a good chance that one of your compromised machines may actually be part of a botnet. One important question is, "what conditions, specifically, trigger my router's 'DOS attack from xxx' in its logs." These warnings could well be simply legitimate traffic.

Second Scenario: Operator Error.
Does anyone in your house use BitTorrent? If so, you're probably overflowing your upstream channel and, lo and behold, TCP acks start dropping like flies in a pool of DDT. Netflix doesn't really require a lot of bandwidth to stream its content and it can manage with even moderate TCP congestion control. If your internet suddenly stops working, I'd suggest checking if your DSL modem has an internal diagnostic webpage. There's a convention, especially common to cablemodems, where the cable/dsl modem will accept traffic to 192.168.100.1 as itself. So, simply browse to http://192.168.100.1 and check if you have any signal quality issues. Basically, the situation needs to be more closely analyzed. Check your bandwidth usage on your router; if you find that your upload traffic is at or near the limit of your bandwidth, get the roommate torrenting to cap his upload to something reasonable, like half of your upload limit.

Your router is fine. No greater, bigger, or fancier of a router will improve your situation if you really, truly are getting DOS'd. If the amount of packets being spewed at your IP address consumes the entirety of your subscribed bandwidth, then that's that. A fancier car won't get you through a traffic jam any faster than my honda, though, I imagine the fancier car's AC might actually work... which would be novel.

Bear in mind that there are different types of DOS attacks. Ping floods or UDP floods/smurf attacks. Making as many concurrent TCP connections to a server as possible to consume the server's kernel connection bookkeeping structures as well as to monopolize file descriptors in the actual server application. Botnets may even DOS by making as many concurrent requests (you try to go for the CPU intensive ones, like, doing a directory lookup for *.) to consume the server's resources and, effectively, deny service to legitimate users. Oh, and if they get really fancy, they'll use a reverse tarpit wherein the client intentionally drags its feet receiving the reply (a few bytes here, a few bytes 20 seconds later), leaving the server's outbound buffers and application contexts bloated.

The above is why I genuinely doubt the veracity of your router's "DOS ATTACK FROM XXY" log message. Also because designing a computer program for identifying what traffic constitutes a DOS and what is legitimate is really quite non-trivial.

Oh, hey, my backups are done and it's time to take these tapes to the vault; therefore, I shall conclude my post.

Do some more diagnosis and good luck!

Re:So.. I doubt you're actually, really getting DOS (1)

megabeck42 (45659) | about a year ago | (#45109739)

So, I read your initial question a bit closer and realized you'd identified the IPs as Microsoft and Amazon services. In fact, I suspect they're IPs related to content distribution servers. I'm quite certain your router's DOS warnings are false positives.

Your problem is most certainly not the result of a DOS.
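An added example, not from any commenter on this thread, of the triage megabeck42 describes: instead of trusting each "DoS attack from X" line, summarise the router log per minute by number of alerts, number of distinct sources and source port, so that a handful of web/CDN addresses replying on ports 80/443 is visibly different from hundreds of sources in one minute. The log line format, the addresses and the thresholds are constructed assumptions for this illustration; real routers log differently and need their own regex.

```python
import re
from collections import defaultdict

# Assumed log line shape (constructed for this example, not a real router's format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}):\d{2} \[DoS Attack: (?P<kind>[^\]]+)\] "
    r"from source: (?P<src>[\d.]+), port (?P<port>\d+)$"
)

# Thresholds are assumptions for this illustration, not router defaults.
MANY_SOURCES = 50      # distinct sources in one minute
HIGH_RATE = 100        # alerts in one minute
WEB_PORTS = {80, 443}  # source ports typical of replies from web/CDN servers

def parse(log_text):
    """Return dict: minute -> list of (kind, src, port) for parseable lines."""
    by_minute = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log lines are ignored
        by_minute[m["ts"]].append((m["kind"], m["src"], int(m["port"])))
    return by_minute

def classify_minute(events):
    """Heuristic label for one minute of router 'DoS' alerts."""
    sources = {src for _, src, _ in events}
    ports = {port for _, _, port in events}
    if len(sources) >= MANY_SOURCES or len(events) >= HIGH_RATE:
        return "possible flood"
    if ports <= WEB_PORTS and len(sources) <= 5:
        return "likely false positive (web/CDN return traffic)"
    return "inconclusive: check upstream utilisation and LAN hosts"

def triage(log_text):
    return {minute: classify_minute(ev) for minute, ev in sorted(parse(log_text).items())}

# Constructed sample: a few CDN-style replies, then a generated 120-source minute.
SAMPLE_LOG = "\n".join(
    ["Oct 14 20:01:03 [DoS Attack: ACK Scan] from source: 198.51.100.10, port 443",
     "Oct 14 20:01:09 [DoS Attack: ACK Scan] from source: 198.51.100.22, port 80",
     "Oct 14 20:02:11 [DoS Attack: ACK Scan] from source: 198.51.100.10, port 443",
     "Oct 14 20:02:40 [DoS Attack: RST Scan] from source: 203.0.113.9, port 27015"]
    + [f"Oct 14 21:30:{i % 60:02d} [DoS Attack: UDP Flood] from source: 203.0.113.{i}, port 53"
       for i in range(1, 121)]
)

if __name__ == "__main__":
    for minute, verdict in triage(SAMPLE_LOG).items():
        print(minute, verdict)
```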

FFXIV (0)

Anonymous Coward | about a year ago | (#45109719)

Some players playing FFXIV are having their router "fall over" by merely trying to play the game. I wouldn't put it past the game the OP is playing doing the same. This is because the firewall, or TOE/LSO, is broken in either the router or the network card of the device connected to it, and for whatever goddamn reason the router thinks it's being attacked and reboots.

(Specifically, the routers in question were Linux routers, e.g. ASUS models)

block with a script (0)

Anonymous Coward | about a year ago | (#45109909)

Saw this a while back. Use the script, Luke.
http://www.linuxjournal.com/content/back-dead-simple-bash-complex-ddos

A few possible points (1)

darkonc (47285) | about a year ago | (#45109965)

If they're getting to you within minutes, then they're getting help from inside. It may be as simple as your router being configured for Dynamic DNS, or one or more of your machines is compromised... or -- as others said, they may be getting info from your game server.

Rather than paying gigabucks for a hardware router/firewall, take an ancient machine, add a second ethernet card to it and install OpenBSD [openbsd.org] onto it. OpenBSD will do you as well as anything hardware based, in terms of protecting your network -- even if it is a bit more work to get properly configured. You can also then install stuff like Snort and wireshark [sourceforge.net] to REALLY watch what your system is doing.

It won't take much in terms of hardware -- even a sub-1GHz machine will be more than sufficient for a 20 megabit feed.
