So I've just hit my 100GB cap. Something that normally never happens unless I'm a few days away from the end of the month and I know I've got data to burn to download stuff. Even then I'd be lucky to reach it. I'm currently 20 days into my broadband month, and I've also done no major downloads that I can really think of. If I'm being very generous, I've probably done 50GB.
To my shock and horror, I checked my Slingshot account yesterday to see I'd done 95% of my cap. Somewhat freaked out, thinking what on earth is going on in my network, I've spent most of this afternoon trying to pinpoint what was going on. I eventually ironed out that it wasn't any devices within my network initiating anything, so I started to look on my firewall for clues. I did a tcpdump (basically a Wireshark capture, for those who don't know what that is) and could see a lot of what looks like DNS requests. As I started to analyse it more, I came across some very interesting packets.
Example: 21:32:34.352324 IP 108.162.207.5.http > 10.1.1.254.domain: 14259+ [1au] ANY? isc.org. (36)
Well what the heck is that? At this point I'd like to show my network topology:
INTERNET-------|LinksysAG310|.1----10.0.0.0/24--DMZofEverything------WAN--.254|PFSenseFirewall|.254----192.168.0.0/24---internal.
I also looked at some rather interesting graphs on my firewall:

As you can see, my traffic IN is at 63GB, and I've uploaded 46GB. That's crazy, but it's correct. Slingshot didn't slow me down for probably 20 hours after I hit my 100GB.
Back to that packet from before. A quick Google on "isc.org dns ddos" reveals countless pages on DNS servers getting hit with fake requests exactly like that packet above. One example being this page that goes over it: http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/
For anyone who would like to look, I did a tcpdump on my WAN interface on the firewall for about 2 minutes here: http://mattie47.com/Downloads/capture.txt. As you can see, the amount of DNS and UDP traffic is quite large (also throttled, obviously, right now).
So to my point, what are users supposed to do in this situation? Do ISPs have any role in it? This isn't traffic that I've initiated, and these requests constantly come to my IP as soon as I reconnect the modem's PPP connection.
The only solution (for me) that I can think of is to disconnect my modem overnight and hope I get a new dynamic IP. I tried 30 min, but I'm still stuck with the same one.
The alternative is to drop the requests on my firewall as well (which I should, but I'm not 100% sure how), but that's still using data with the attack coming to me. It would only stop upload.
I could be wrong, but the next user to pick up my dynamic IP will encounter the same problem, which is why I'm unsure of what should be done in this position.
I guess you could say I'm posting this here because I'm hoping someone at slingshot will see it (please someone with networking knowledge and understanding like CCNA or CCNP level :/)
Anyone else got thoughts on this?
Thanks,
Matt
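The packet quoted in the post (`ANY? isc.org.` with an EDNS `[1au]` marker, arriving at UDP port 53) is the signature the linked isc.org write-ups describe. The script below is an added example, not code from the post or from pfSense: it parses tcpdump's text output for DNS query lines, tallies queries by type, name and source address, and applies a simple heuristic (my own, with an assumed 80% threshold) for "most of this is ANY queries for one name". The capture embedded in it is constructed for the example, modelled on the one line the post shows; every address other than 108.162.207.5 and 10.1.1.254 is made up. To run it on a real capture, feed it the output of `tcpdump -n` saved to a text file.

```python
"""Tally DNS queries in tcpdump text output to spot the ANY/isc.org reflection pattern.

Added example for this thread; not the post author's code and not part of pfSense.
"""
import re
import sys
from collections import Counter

# Constructed sample, in the format tcpdump prints for DNS traffic. The first
# line is the one quoted in the post; the others are made up for this example
# (198.51.100.x and 203.0.113.x are documentation ranges). The last line is a
# response, which the parser deliberately ignores.
SAMPLE_CAPTURE = """\
21:32:34.352324 IP 108.162.207.5.http > 10.1.1.254.domain: 14259+ [1au] ANY? isc.org. (36)
21:32:34.352901 IP 108.162.207.5.http > 10.1.1.254.domain: 14260+ [1au] ANY? isc.org. (36)
21:32:34.353377 IP 198.51.100.23.http > 10.1.1.254.domain: 3311+ [1au] ANY? isc.org. (36)
21:32:34.354002 IP 203.0.113.77.12345 > 10.1.1.254.domain: 512+ A? www.example.com. (33)
21:32:34.355110 IP 198.51.100.23.http > 10.1.1.254.domain: 3312+ [1au] ANY? isc.org. (36)
21:32:34.356220 IP 10.1.1.254.domain > 108.162.207.5.http: 14259*- 13/0/1 A 149.20.64.42 (1419)
"""

# Matches a tcpdump DNS *query* summary line:
#   <time> IP <src>.<port> > <dst>.<port>: <id><flags> [<edns>] <QTYPE>? <name> (<len>)
# Response lines carry "n/n/n" answer counts instead of "QTYPE?", so they do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>[+*$-]*)"
    r"(?: \[(?P<edns>[^\]]*)\])?"
    r" (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)


def split_endpoint(endpoint):
    """'108.162.207.5.http' -> ('108.162.207.5', 'http'); tcpdump joins host and port with a dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_query_line(line):
    """Return a dict describing one DNS query line, or None for anything else."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"],
        "src": src_host, "src_port": src_port,
        "dst": dst_host, "dst_port": dst_port,
        "qtype": m["qtype"], "qname": m["qname"],
        "edns": m["edns"] is not None,   # "[1au]" means an EDNS OPT record was attached
        "length": int(m["length"]),     # DNS payload bytes of the query itself
    }


def summarize(capture_text):
    """Aggregate every query line in a capture into counters."""
    queries = [q for q in map(parse_query_line, capture_text.splitlines()) if q]
    return {
        "queries": len(queries),
        "query_bytes": sum(q["length"] for q in queries),
        "edns_queries": sum(q["edns"] for q in queries),
        "by_qtype": Counter(q["qtype"] for q in queries),
        "by_qname": Counter(q["qname"] for q in queries),
        "by_src": Counter(q["src"] for q in queries),
    }


def looks_like_reflection(summary, min_share=0.8):
    """Heuristic (assumed threshold): most queries are ANY, and most are for a single name."""
    n = summary["queries"]
    if n == 0:
        return False
    any_share = summary["by_qtype"]["ANY"] / n
    _top_name, top_count = summary["by_qname"].most_common(1)[0]
    return any_share >= min_share and top_count / n >= min_share


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    s = summarize(text)
    print(f"{s['queries']} queries, {s['query_bytes']} query bytes, {s['edns_queries']} with EDNS")
    print("by type:  ", s["by_qtype"].most_common(5))
    print("by name:  ", s["by_qname"].most_common(5))
    print("by source:", s["by_src"].most_common(5))
    print("reflection pattern:", looks_like_reflection(s))
```

The `(36)` at the end of each query line is only the size of the incoming query; the `(1419)` on the constructed response line is what makes this traffic expensive in the upload direction, since each small query that is answered produces a much larger reply. Dropping inbound UDP/53 on the WAN interface in pfSense stops those replies, which matches the post's point that blocking at the firewall only saves the upload side.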