Being flooded with UDP packets - Telecom say 'nothing they can do'

Forums › Spark New Zealand (including Skinny and BigPipe) › Being flooded with UDP packets - Telecom say 'nothing they can do'

chriswiggins

413 posts

Ultimate Geek

#93386 19-Nov-2011 20:29

Hi All,

About to head out to dinner so this will be quick. On Friday I noticed a huge amount of UDP traffic coming from 119.59.100.71... Blocked with an ACL but 3 days later I have had more than 3.5 million (yes, you read right, MILLION) packets dropped from that IP.

Rang Telecom and was told that there was nothing they could do - I think this is complete and utter bullcrap. It's counting towards our quota and I'm not happy.

What can I do Geekzoners! Anyone from Telecom who KNOWS that there is something that can be done and can help me out???

Cheers
Chris

1 | 2

1332 posts

Uber Geek
Inactive user

#547307 19-Nov-2011 21:48

There is likely nothing they can be _bothered_ doing. Null routing that IP is not hard but probably just not something their first level tech guys know much about. Try hard resetting your modem and see if you get a different IP. Problem solved.

chriswiggins

413 posts

Ultimate Geek

#547311 19-Nov-2011 21:57

Static IP. I wouldn't be running a PBX or Nameservers on a dynamic ip haha

rphenix

985 posts

Ultimate Geek

Lifetime subscriber

#547312 19-Nov-2011 22:00

Keep going at the helpdesk for starters, do a whois on the ip address, and contact the abuse contact details (or if missing, just the owner of the ip range) and maybe they will do something for you.

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#547313 19-Nov-2011 22:02

http://metrabyte.co.th/contact.php

lapimate

352 posts

Ultimate Geek

Trusted

Lifetime subscriber

#547314 19-Nov-2011 22:11

Is your ADSL modem on 24/7? Do you really require it to be on full-time? Are the UDP packets arriving regularly distributed during the day/night/week?

As a palliative measure if you have a fixed IP address maybe you could put the modem on a time-switch so the modem is off when you are unlikely to want internet access. That might reduce the traffic received (my understanding is that Telecom will not count packets which they cannot forward).

rphenix

985 posts

Ultimate Geek

Lifetime subscriber

#547318 19-Nov-2011 22:18

Is that true these days? I remember a few years ago customers would get charged even if the modem was off on xtra.

chriswiggins

413 posts

Ultimate Geek

#547322 19-Nov-2011 22:30

As I said above, I run SERVERS on this connection. Backup mail, DNS, PBX the list goes on.

Thanks for trying to help but I need real technical assistance from someone in the know at telecom or similar.

Cheers
Chris

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

mattwnz

20141 posts

Uber Geek

#547324 19-Nov-2011 22:32

rphenix: Keep going at the helpdesk for starters, do a whois on the ip address, and contact the abuse contact details (or if missing, just the owner of the ip range) and maybe they will do something for you.

Contacting the owner of the ip is a waste of time from my experience, unless it is NZ based, as they won't do anything, and they have no incentive to either.

cws82us

788 posts

Ultimate Geek

#547325 19-Nov-2011 22:43

Best thing to do is change up address and use no-ip.org

join Quic and get free sign up when you click my link https://account.quic.nz/refer/250676

chriswiggins

413 posts

Ultimate Geek

#547326 19-Nov-2011 22:45

How do people not get I need a static ip?!

Never mind

Oblivian

7296 posts

Uber Geek

ID Verified

#547333 19-Nov-2011 23:26

Chances are they are over looking your first post and joining the reply bandwagon based on topic name.

I would call your business manager (on a business plan?)

Cause well.. chances are if you aren't on a business SHDSL or similar, they may not like the idea of helping. The standard BB plan terms tend to not reccommend you run servers on it...

Telecom Broadband is not designed to support:
Virtual Private Networks (VPNs)
Two-way voice applications
Two-way video applications
Web servers

For these activities that Broadband does not suit we encourage you to contact 0800 22 55 98 to find out what alternatives are available.

They use to explicitly say you agree not to run any servers.. but appear to have changed that some years ago now the speeds have gone up nationwide and the DHCP leases have been increased.

chriswiggins

413 posts

Ultimate Geek

#547335 19-Nov-2011 23:42

Yeah unfortunately it's residential. It's sad that I can't get help from them on this... They provide a service and I am or at least should be free to use it how I like.

Not going to be with telecom for long anyway they are useless when anything slightly out of the realm of the norm is happening.

Even if I was using 2talk or some other VoIP provider with 5060 forwarded I could have the same issue. They are just being lazy

insane

3237 posts

Uber Geek

ID Verified

Trusted

#547336 19-Nov-2011 23:50

How much extra usage has it clocked up, if you're not really seeing much impact on your monthly CAP then just let your firewall continue to do its job, they will eventually get board.

Having said that, is your PABX compromised at all?

chriswiggins

413 posts

Ultimate Geek

#547356 20-Nov-2011 08:29

Nope it's completely fine. They never got anywhere thank goodness.

I'm not sure how much it is actually using as I'm just denying it with an ACL on my cisco router. Might have to see what I can do on that front

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#547359 20-Nov-2011 08:40

What is the actual traffic targetting? If you're running Asterisk is it a bot trying to brute force your PBX?

Slightly OT but you mentioned a few posts back about having port forwarding for a PBX. Unless you're fully aware of the security implications of a port forward to a PBX you should never do it. Letting the firewall NAT pinhole handle this is vastly more secure as it will (or should) only allow inbound traffic back from the destination IP of the outbound traffic.

1 | 2