Geekzone: technology news, blogs, forums




327 posts

Ultimate Geek
+1 received by user: 8


Topic # 109946 30-Sep-2012 07:02

Hi there,

When my computer (or computers) on my 'network' - which is just a desktop and my laptop, are subject to a DoS attack:

(1) On TelstraClear's end, are they aware of all the traffic going to my IP and could potentially step in?
(2) If the DoS attack data reaches my modem, which is then passed onto my router - because we have a Static IP - if things got out of hand I would simply turn the modem and router off for a while.
But when I turn things back on, would it be expected the DoS attack to have stopped (probably before another one starts again if they find my IP is 'live' again), because the DoS data is getting to TC but then not getting to my modem because it is off?
(3) I have enabled DoS settings. If needs be, I will post them here and maybe someone can suggest some changes. I guess if the router gets overloaded, it will simply crash. Would that be due to the amount of memory of the router?
(4) Are there any other ways to reduce the impact of DoS attacks as to not have to turn off equipment, etc., and have my computer AND router not being fed all this data thus slowing its running speed down to the point it may just freeze?

I know there is not a lot you can do with DoS attacks, but if you can implement something that MAY help if it's a minor DoS attack (i.e. not from Anonymous, who attack US Govt websites and shut them down), I would appreciate some advice.

BDFL
47927 posts

Uber Geek
+1 received by user: 3540

Administrator
Trusted
Geekzone
Subscriber

  Reply # 693543 30-Sep-2012 08:59

What are "DDoS" attacks? Is this what your router is reporting?

A lot of background noise happens on the Internet. A port scan is not an attack. Broadcasts are not attacks. Some routers use the wrong terminology when reporting traffic.

Turning off your modem/router won't change anything.




129 posts

Master Geek
+1 received by user: 16

Trusted
Subscriber

  Reply # 693575 30-Sep-2012 11:50

StevieT: Hi there,

When my computer (or computers) on my 'network' - which is just a desktop and my laptop, are subject to a DoS attack:


(1) On TelstraClear's end, are they aware of all the traffic going to my IP and could potentially step in?

Depending on the severity of the attack, the traffic levels to a single host can be detected.  If you're on a residential service, then it's possible that the last mile technology will be the smallest link in the chain and it won't appear as more than say, 20Mb/s of traffic.
That wouldn't raise any alarm bells at a NOC level but might effectively knock you off the net.  Now, if it's half of the interface capacity of one of the provider routers (say greater than 500Mb), then that will quickly catch people's attention and actions get kicked off, people start talking with Upstream providers etc.

(2) If the DoS attack data reaches my modem, which is then passed onto my router - because we have a Static IP - if things got out of hand I would simply turn the modem and router off for a while.

Yes that is one option but it also isn't a particularly useful one.  Better to call the helpdesk and log a fault.

But when I turn things back on, would it be expected the DoS attack to have stopped (probably before another one starts again if they find my IP is 'live' again), because the DoS data is getting to TC but then not getting to my modem because it is off?

If the attack is of significant size, then it's likely to be affecting other systems in TCL, so there is a vested interest to get the offending addresses the traffic is originating from null routed as close to the source as possible.  It has been seen before where an attack resumes after an end-point is re-enabled.

(3) I have enabled DoS settings. If needs be, I will post them here and maybe someone can suggest some changes. I guess if the router gets overloaded, it will simply crash. Would that be due to the amount of memory of the router?

I'm unsure how effective the DDoS settings in home routers are.  Really, if there are 4 million SYN/handshake start packets hitting your device a second, then it's likely to run out of resources quite quickly.  So yes to that question, it's often that a home router will only have limited memory and cannot manage attempting to open 4 million network sockets to handle the incoming requests.

(4) Are there any other ways to reduce the impact of DoS attacks as to not have to turn off equipment, etc., and have my computer AND router not being fed all this data thus slowing its running speed down to the point it may just freeze?

Your ISP should be able to determine if it is a distributed attack, through some investigation, or a magic box in their network may have already categorised the traffic against a known pattern.  Either way, they can request their upstream provider null route the source addresses as they are known.


I know there is not a lot you can do with DoS attacks, but if you can implement something that MAY help if it's a minor DoS attack (i.e. not from Anonymous, who attack US Govt websites and shut them down), I would appreciate some advice.


Depending on the nature of the attack size, payload, and other things, it may go unnoticed by a provider, so if you're struggling and you can see a bunch of traffic heading your way that plainly isn't as a result of a request from your systems, give your ISP service desk a call.  Doing so "should" flag that you think there is a problem and acts as a starting point for you to say "Hey, this traffic isn't mine, please don't bill me for 40 extra traffic blocks as I've busted through my bandwidth cap" as a result of an attack.

Often the only way to quickly and effectively deal with traffic of this nature is to get rid of it as close to the source as possible, then everyone wins for having not wasted their interconnect/transit bandwidth on gigabytes of crap.






"Customers don’t expect you to be perfect. They do expect you to fix things when they go wrong." Donald Porter – British Airways

The views expressed here are my own and are not reflective of other organisms or organisations.

129 posts

Master Geek
+1 received by user: 16

Trusted
Subscriber

  Reply # 693582 30-Sep-2012 12:27

freitasm: What are "DDoS" attacks? Is this what your router is reporting?
A port scan is not an attack.


Mauricio, if I saw a source IP sequentially attempting to handshake up my port list, esp. sub 1024 ports, I'd consider that reconnaissance with a view to deciding if the scanned system is a viable target. It's certainly one of the preludes to potentially hostile action.
Is port scanning legal?

edit:damn bbcode




"Customers don’t expect you to be perfect. They do expect you to fix things when they go wrong." Donald Porter – British Airways

The views expressed here are my own and are not reflective of other organisms or organisations.

BDFL
47927 posts

Uber Geek
+1 received by user: 3540

Administrator
Trusted
Geekzone
Subscriber

  Reply # 693583 30-Sep-2012 12:34

Many domestic routers report even normal traffic as "attacks". Not being disrespectful, just trying to determine if the OP directly identified the problem, as it seems s/he is speedy looking at a solution.







327 posts

Ultimate Geek
+1 received by user: 8


  Reply # 693717 30-Sep-2012 19:34

Do please note - I am not being DDoS'd attacked. Even when I posted this thread.

I apologise in advance if you inferred I was. But nothing in the thread explicitly said I was undergoing such an attack, either.

Simply mere inquiries pertaining to said attack.



327 posts

Ultimate Geek
+1 received by user: 8


  Reply # 693846 1-Oct-2012 03:52

Posted are some of my current settings for my router:

"Basic Security": Image 1

"Advanced Security": Image 2

"Statistics Settings": Image 3

I guess VPN passthrough can be disabled - but only if that pertains to VPN other disable things working correctly like Windows Remote Desktop (currently just set-up as LAN connections accepted only on the desktop. Disabled on my laptop, as well as both computers having Remote Assistance disabled). Or, if I set up TightVNC and configure the router to traffic the appropriate data to 198.168.1.* when I connect to my Static IP when I'm on another network (but not likely needing to be done often, if at all, but just in case), then by having VPN passthrough disabled this will not cause trouble with this TightVNC (or even RealVNC) setup, if I do set such up.

I guess - how will I know that there is potentially a DDoS attack going on? Will I notice on both (or one) computers going slower than normal, and if so, should I go to task manager and see what is taking up high usage. Is there anything in particular to look out for, and so if that shows, what would the next step be to more fully confirm that yes, some form of DDoS attack is occurring, rather than something else going on. Or if I'm not going to notice slow computer speed (note, no mention of noticing Internet speed), but if I notice suddenly that drops, regardless of whether the computer is noticeably slow, plus also when I can tell from the disk sound and the applicable laptop light that activity is happening in processing hardware), then it's investigation time?

Or if I don't notice the slow Internet or slow computer (no slow internet detected because the attack is not using up every of 'road' that data can take to my IP -> modem), is there something that can pop up alerting me (which would probably need to be a router setting) that hey, this is what I'm reporting to you. And then I guess it's what do I look for in what is being reported (or could there be someone that I can contact easily from here via some other means and say, hey, this is what reported, should I be concerned or not?)

Would it be wise, if I do at some stage determine that some DDoS attack is occurring, is to inform TC, but perhaps just unplug the ethernet cable going from the modem to the router, and leave the router on (or perhaps turn the router off after disconnecting it from the modem to give it a rest period)? So will the data still flood to the modem or my IP which can be picked up by TC if I call them?


I'm just enhancing security, etc. of my network. My mum told me last week that there was an article in the Saturday paper about wifi security, and she was talking to me about it. But when my mum reads things, she thinks she then knows it all and I'm like 'I know what I'm doing'. But she gave me the article yesterday, I looked at it briefly and just put it down because everything it pretty much said I had already put in place. But I guess my mum is talking to me in front of my dad, and my mum and dad are pretty computer useless (especially my mum who thinks she knows it all from reading this article, but doesn't know how to log onto Kurtis' account (my half brother) on my old laptop I gave him. She even calls USB sticks, UBS sticks.) and my dad will start asking questions in the usual, annoying way he does, and I'm there getting stressed trying to say, look, things are fine. But of course my mum just continues to rant which drives me insane and I simply just give up responding).

It should be mandatory that you have some form of certificate from somewhere that then allows you to use a computer and speak about basic/intermediate computer issues. I think that whoever reads this and knows quite a bit about computers, or even has basic/intermediate understanding (which my mum and dad don't) of computers, you'll get why I make that comment. :P


(OMG I am so lucky that I copied and pasted that, because when I went to post it it asked me to sign in again and it took me so long to write. And I was praying that the ctrl>c worked because I've known sometimes I've done that and I go to paste it and nothing pastes!)

129 posts

Master Geek
+1 received by user: 16

Trusted
Subscriber

  Reply # 694356 1-Oct-2012 16:46

StevieT, get yourself one of the SNMP polling apps that are available for most platforms.  Have it query the external interface of your router every 5 mins (or however often you wish to be informed).

That will give you an indication of the traffic levels into and out of the interface.  Any of the apps that graph the information over a historic period are also useful from a "When do I need to upgrade my service" standpoint also.

There are also more complex solutions like locate an IDS on your network or in a bastion area outside your router.  These are starting to get beyond the bounds of "what is easy or a good return on your time investment".




"Customers don’t expect you to be perfect. They do expect you to fix things when they go wrong." Donald Porter – British Airways

The views expressed here are my own and are not reflective of other organisms or organisations.
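
The 5-minute SNMP polling suggested in the reply above, sketched as an added example that is not code from the thread or from any polling app: it converts successive readings of the router's inbound octet counter into Mbit/s and flags an interval that jumps well above the recent median. The sample readings are constructed, and the spike factor, floor and window size are assumed values to tune for your own line.

```python
"""Turn periodic SNMP counter polls into traffic rates and flag sudden spikes."""
from statistics import median

COUNTER32_MOD = 2 ** 32  # ifInOctets is a 32-bit counter that wraps back to 0

# Constructed polls, 5 minutes apart: (unix_time, sysUpTime ticks, ifInOctets)
SAMPLES = [
    (0,    100_000, 4_294_000_000),
    (300,  130_000,    36_532_704),   # counter wrapped during this interval
    (600,  160_000,    74_032_704),
    (900,  190_000,   119_032_704),
    (1200, 220_000,   149_032_704),
    (1500, 250_000,   899_032_704),   # sudden inbound surge
    (1800,   6_000,     1_000_000),   # router rebooted: counters reset
    (2100,  36_000,    38_500_000),
]

def rates_mbps(samples, modulus=COUNTER32_MOD):
    """Return [(unix_time, inbound Mbit/s)] for each valid polling interval."""
    out = []
    for (t0, up0, c0), (t1, up1, c1) in zip(samples, samples[1:]):
        if t1 <= t0 or up1 < up0:
            continue  # out-of-order poll, or a reboot made the delta meaningless
        # Modulo arithmetic absorbs one wrap. At 5-minute polls a 32-bit counter
        # wraps more than once above ~114 Mbit/s; use ifHCInOctets (64-bit) there.
        delta = (c1 - c0) % modulus
        out.append((t1, delta * 8 / (t1 - t0) / 1e6))
    return out

def flag_spikes(rates, factor=5.0, floor_mbps=1.0, window=6):
    """Flag intervals above factor x the median of the preceding intervals."""
    alerts = []
    for i, (t, rate) in enumerate(rates):
        history = [r for _, r in rates[max(0, i - window):i]]
        if len(history) < 3:
            continue  # not enough history to call anything unusual
        baseline = max(median(history), floor_mbps)
        if rate > factor * baseline:
            alerts.append((t, round(rate, 2), round(baseline, 2)))
    return alerts

if __name__ == "__main__":
    for t, rate in rates_mbps(SAMPLES):
        print(f"t={t:>5}s  in={rate:6.2f} Mbit/s")
    print("alerts:", flag_spikes(rates_mbps(SAMPLES)))
```

A flagged interval only says inbound volume is unusual for this line; the timestamps and rates are what the ISP helpdesk would want when a fault is logged.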
