Geekzone: technology news, blogs, forums


sjikade

6 posts

Wannabe Geek


#130883 1-Oct-2013 17:30

I have broadband via Slingshot (ADSL2), and over the last couple of weeks I have noticed that my broadband gets slow for a while and then picks up again. I had a look and noticed that I was getting lots of attacks (see below).
I contacted Slingshot but they say they can't do anything about it.
I have a static IP address so turning modem off and on doesn't help.

Anyone out there who has bright ideas or suggestions?

Speed problems caused by DOS attacks on Slingshot, as seen by our router.
The table below shows where the attacks come from.

Date                 IP address         Country
24 September         222.189.228.111    China
24 September         123.215.15.156     Korea
24 September         112.216.140.51     Korea
26 September         218.25.129.123     China
26 September         210.31.10.158      China
26 & 27 September    204.15.135.26      United States
27 September         117.135.241.112    China
28 September         61.147.113.26      China
28 September         61.175.112.244     China
29 September         58.213.29.194      China
29 September         190.29.99.249      Colombia
29 September         202.137.9.177      Indonesia
29 September         190.147.33.16      Colombia
29 September         66.175.112.244     Haiti
29 September         200.12.49.147      Guatemala
27 September         218.94.151.98      China

1080p
1332 posts

Uber Geek
Inactive user


  #905888 1-Oct-2013 18:40

What tool(s)/analysis have you done to prove this is actually an attack as opposed to internet noise?



sjikade

6 posts

Wannabe Geek


  #905969 1-Oct-2013 20:25

By logging into Winbox - see below. 

freitasm
BDFL - Memuneh
79297 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #905970 1-Oct-2013 20:30

There isn't really anything Slingshot can do. This is just probes running around to see if there's any unprotected device on any given IP address.








Zeon
3916 posts

Uber Geek

Trusted

  #905975 1-Oct-2013 20:37

You would be best to not have port 22 open but rather switch your SSH to a random port.




Speedtest 2019-10-14


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #905976 1-Oct-2013 20:43

Why do you have port 22 open and exposed to the whole internet?

It's a bit like leaving the key under a rock in the garden and complaining that people are trashing your garden searching for it.

Follow security 101 and secure your network and the problem will go away. It won't matter what ISP you go with, you'll see exactly the same issue.



ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #905978 1-Oct-2013 20:44

Having SSH on port 22 is part of the reason why you are getting so many attempts.  Move it to some obscure high port and they should die down.

LennonNZ
2459 posts

Uber Geek

ID Verified
Trusted

  #906030 1-Oct-2013 22:19

Hmm, you're running 5.20 with an open ssh server? Upgrade. I am sure it doesn't say 5.26 up the top.

Mikrotik says it's not exploitable, but crashing ssh on the Mikrotik is 100% possible.

Do you need ssh open on the external interface?

http://forum.mikrotik.com/viewtopic.php?p=384465#p384465

 
 
 

zaptor
745 posts

Ultimate Geek


  #906055 1-Oct-2013 23:18

You - or anyone in the house - do any online gaming? (MMORPG or Xbox/PS3)

DDoS'ing is nearing epidemic levels in gaming. Especially with the prevalence of booter (rent-a-DDoS) services.

michaelmurfy
meow
13260 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #906097 2-Oct-2013 03:27

Do what I do and direct SSH to a Raspberry Pi running Kippo ;) - have a bit of fun with these script kiddies instead of trying to block them out.

(Kippo is an SSH honeypot, logs everything)




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


1080p
1332 posts

Uber Geek
Inactive user


  #906100 2-Oct-2013 04:25

Is it really a DOS with a SSH attempt every few seconds?

sjikade

6 posts

Wannabe Geek


  #906545 2-Oct-2013 16:47

Hi

Thanks heaps to everybody for all the good suggestions and hints.  Tomorrow I am going to dive into it and see what can be done.

webwat
2036 posts

Uber Geek

Trusted

  #908553 5-Oct-2013 17:52

If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?




Time to find a new industry!


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #908563 5-Oct-2013 18:19

webwat: If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?


A standard Mikrotik configuration only allows TCP established and TCP related traffic through and blocks everything else including all remote access.

sjikade

6 posts

Wannabe Geek


  #909111 7-Oct-2013 09:55

Mikrotik provides firewall rule examples in their Brute Force Login Prevention manual
available at "http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention".
For ssh logins the offender is blacklisted after four unsuccessful attempts in a row.
Any following ssh packet from an IP address on the blacklist is dropped.
Offenders remain on the blacklist for 10 days.

The solution works well and the list was 10 entries long in 2 days.
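
The staged blacklist described in the post above, modelled in Python as an added example (not code from the thread or from MikroTik). It assumes the blacklist is built from chained address lists with one-minute stage timeouts and that the rules count new TCP connections to port 22 rather than failed logins; the class, the list names and the sample addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

STAGE_TTL = timedelta(minutes=1)    # assumed lifetime of a staging-list entry
BLACKLIST_TTL = timedelta(days=10)  # from the post: offenders stay listed 10 days
STAGES = ["ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_blacklist"]  # hypothetical names


class StagedBlacklist:
    """Model of chained firewall address lists guarding TCP port 22."""

    def __init__(self):
        self.lists = {name: {} for name in STAGES}  # list -> {source: expiry}

    def _listed(self, name, src, now):
        expiry = self.lists[name].get(src)
        if expiry is not None and expiry <= now:
            del self.lists[name][src]  # entry timed out
            return False
        return expiry is not None

    def new_connection(self, src, now):
        """Handle one new connection to port 22 and return the verdict."""
        if self._listed("ssh_blacklist", src, now):
            return "drop"
        # Rules run top-down with no early exit: a source found on one stage
        # is promoted to the next, and the fourth connection hits the blacklist.
        for i in (2, 1, 0):
            if self._listed(STAGES[i], src, now):
                ttl = BLACKLIST_TTL if i == 2 else STAGE_TTL
                self.lists[STAGES[i + 1]][src] = now + ttl
        self.lists["ssh_stage1"][src] = now + STAGE_TTL
        return "blacklisted" if src in self.lists["ssh_blacklist"] else "accept"


def replay(events):
    """Run (source, time) pairs through a fresh model; return the verdicts."""
    fw = StagedBlacklist()
    return [fw.new_connection(src, when) for src, when in events]


# Constructed sample traffic (documentation addresses, not from the thread).
T0 = datetime(2013, 10, 7, 9, 0, 0)
BURST = [("203.0.113.7", T0 + timedelta(seconds=10 * n)) for n in range(5)]
SLOW = [("198.51.100.9", T0 + timedelta(minutes=2 * n)) for n in range(4)]
LATER = BURST + [("203.0.113.7", T0 + timedelta(days=10, seconds=31))]

if __name__ == "__main__":
    print(replay(BURST))  # rapid reconnects: listed on the 4th, dropped after
    print(replay(SLOW))   # an admin reconnecting every two minutes stays clear
    print(replay(LATER))  # the blacklist entry expires after ten days
```

Under these assumptions an administrator who opens four SSH sessions in quick succession is blacklisted as well, so management access is worth allowing from a trusted source address ahead of these rules.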
