Geekzone: technology news, blogs, forums


sjikade

6 posts

Wannabe Geek


#130883 1-Oct-2013 17:30

I have broadband via Slingshot (ADSL2) and over the last couple of weeks I have noticed that my broadband was getting slow for a while and then it picked up again. I had a look and noticed that I got lots of attacks (see below).
I contacted Slingshot but they say they can't do anything about it.
I have a static IP address so turning modem off and on doesn't help.

Anyone out there who has bright ideas or suggestions?

Speed problems caused by DOS attacks on Slingshot, as seen by our router.
The table below shows where the attacks come from.

Date                 IP address         Country
24 September         222.189.228.111    China
24 September         123.215.15.156     Korea
24 September         112.216.140.51     Korea
26 September         218.25.129.123     China
26 September         210.31.10.158      China
26 & 27 September    204.15.135.26      United States
27 September         117.135.241.112    China
28 September         61.147.113.26      China
28 September         61.175.112.244     China
29 September         58.213.29.194      China
29 September         190.29.99.249      Colombia
29 September         202.137.9.177      Indonesia
29 September         190.147.33.16      Colombia
29 September         66.175.112.244     Haiti
29 September         200.12.49.147      Guatemala
27 September         218.94.151.98      China

1080p
1332 posts

Uber Geek
Inactive user


  #905888 1-Oct-2013 18:40

What tool(s)/analysis have you done to prove this is actually an attack as opposed to internet noise?

sjikade

6 posts

Wannabe Geek


  #905969 1-Oct-2013 20:25

By logging into Winbox - see below. 

freitasm
BDFL - Memuneh
74171 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #905970 1-Oct-2013 20:30

There isn't really anything Slingshot can do. This is just probes running around to see if there's any unprotected device on any given IP address.




Zeon
3861 posts

Uber Geek

Trusted

  #905975 1-Oct-2013 20:37

You would be best to not have port 22 open but rather switch your SSH to a random port.






sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #905976 1-Oct-2013 20:43

Why do you have port 22 open and exposed to the whole internet?

It's a bit like leaving the key under a rock in the garden and complaining that people are trashing your garden searching for it.

Follow security 101 and secure your network and the problem will go away. It won't matter what ISP you go with, you'll see exactly the same issue.



ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #905978 1-Oct-2013 20:44

Having SSH on port 22 is part of the reason why you are getting so many attempts.  Move it to some obscure high port and they should die down.

LennonNZ
2444 posts

Uber Geek

Trusted

  #906030 1-Oct-2013 22:19

Hmm. You're running 5.20 with an open ssh server? Upgrade. I am sure it doesn't say 5.26 up the top.

Mikrotik says it's not exploitable but crashing ssh on the Mikrotik is 100% possible.

Do you need ssh open on the external interface?

http://forum.mikrotik.com/viewtopic.php?p=384465#p384465



zaptor
738 posts

Ultimate Geek


  #906055 1-Oct-2013 23:18

You - or anyone in the house - do any online gaming? (MMORPG or Xbox/PS3)

DDoS'ing is nearing epidemic levels in gaming. Especially with the prevalence of booter (rent-a-DDoS) services.

michaelmurfy
/dev/ttys0
11027 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #906097 2-Oct-2013 03:27

Do what I do and direct SSH to a raspberry pi running Kippo ;) - have a bit of fun with these script kiddies instead of trying to block them out.

(Kippo is an SSH honeypot, logs everything)




Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi


1080p
1332 posts

Uber Geek
Inactive user


  #906100 2-Oct-2013 04:25

Is it really a DOS with a SSH attempt every few seconds?

sjikade

6 posts

Wannabe Geek


  #906545 2-Oct-2013 16:47

Hi

Thanks heaps to everybody for all the good suggestions and hints.  Tomorrow I am going to dive into it and see what can be done.

webwat
2036 posts

Uber Geek

Trusted

  #908553 5-Oct-2013 17:52

If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?




Time to find a new industry!


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #908563 5-Oct-2013 18:19

webwat: If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?


A standard Mikrotik configuration only allows TCP established and TCP related traffic through and blocks everything else including all remote access.

sjikade

6 posts

Wannabe Geek


  #909111 7-Oct-2013 09:55

Mikrotik provides firewall rule examples in their Brute Force Login Prevention manual
available at "http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention".
For ssh logins the offender is blacklisted after four unsuccessful attempts in a row.
Any following ssh packet from an IP address on the blacklist is dropped.
Offenders remain on the blacklist for 10 days.

The solution works well and the list was 10 entries long in 2 days.
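
A RouterOS rule set in the style of the staged blacklist described in the post above, with the "approved external IP" restriction suggested earlier in the thread placed in front of it. This is an added example, not the poster's configuration or text copied from the Mikrotik wiki; the list names, the 1-minute stage windows and the 192.0.2.10 management address are assumptions.

```routeros
# Added example. List names, stage timeouts and the 192.0.2.10 address are
# constructed placeholders; adjust them before use.
/ip firewall address-list
add list=ssh_trusted address=192.0.2.10 comment="management host (placeholder)"

/ip firewall filter
# 1. Trusted sources are accepted first, so an administrator who mistypes a
#    password a few times does not end up on the blacklist.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_trusted \
    action=accept comment="ssh: trusted management hosts"

# 2. Every SSH packet from a blacklisted source is dropped.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="ssh: drop blacklisted sources"

# 3. The stages are listed highest first. add-src-to-address-list does not
#    stop rule processing, so this order makes one new connection climb
#    exactly one stage instead of falling through all of them at once.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="ssh: 4th new connection, blacklist for 10 days"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m \
    comment="ssh: 3rd new connection"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="ssh: 2nd new connection"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m \
    comment="ssh: 1st new connection"

# Review what has been caught so far.
/ip firewall address-list print where list=ssh_blacklist
```

The rules count new TCP connections to port 22 inside the stage windows rather than failed logins as such, so a script that opens several legitimate sessions in quick succession from an untrusted address is blacklisted too. `add` appends to the end of the chain, so the rules need to be moved above any existing rule that already accepts or drops port 22 traffic.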
