Geekzone: technology news, blogs, forums


sjikade
#130883 1-Oct-2013 17:30

I have broadband via Slingshot (ADSL2) and over the last couple of weeks I noticed that my broadband was getting slow for a while and then it picked up again. I had a look and noticed that I got lots of attacks (see below).
I contacted Slingshot but they say they can't do anything about it.
I have a static IP address so turning the modem off and on doesn't help.

Anyone out there who has bright ideas or suggestions?

Speed problems caused by DOS attacks on Slingshot, as seen by our router.
The table below shows where the attacks come from.

Date                IP address        Country
24 September        222.189.228.111   China
24 September        123.215.15.156    Korea
24 September        112.216.140.51    Korea
26 September        218.25.129.123    China
26 September        210.31.10.158     China
26 & 27 September   204.15.135.26     United States
27 September        117.135.241.112   China
28 September        61.147.113.26     China
28 September        61.175.112.244    China
29 September        58.213.29.194     China
29 September        190.29.99.249     Colombia
29 September        202.137.9.177     Indonesia
29 September        190.147.33.16     Colombia
29 September        66.175.112.244    Haiti
29 September        200.12.49.147     Guatemala
27 September        218.94.151.98     China

1080p
#905888 1-Oct-2013 18:40

What tool(s)/analysis have you done to prove this is actually an attack as opposed to internet noise?



sjikade
#905969 1-Oct-2013 20:25

By logging into Winbox - see below.

freitasm
Administrator
#905970 1-Oct-2013 20:30

There isn't really anything Slingshot can do. This is just probes running around to see if there's any unprotected device on any given IP address.




Zeon
#905975 1-Oct-2013 20:37

You would be best to not have port 22 open but rather switch your SSH to a random port.






sbiddle
#905976 1-Oct-2013 20:43

Why do you have port 22 open and exposed to the whole internet?

It's a bit like leaving the key under a rock in the garden and complaining that people are trashing your garden searching for it.

Follow security 101 and secure your network and the problem will go away. It won't matter what ISP you go with, you'll see exactly the same issue.



ubergeeknz
#905978 1-Oct-2013 20:44

Having SSH on port 22 is part of the reason why you are getting so many attempts.  Move it to some obscure high port and they should die down.

 
 
 

LennonNZ
#906030 1-Oct-2013 22:19

Hmm. You're running 5.20 with an open SSH server? Upgrade. I am sure it doesn't say 5.26 up the top.

Mikrotik says it's not exploitable but crashing SSH on the Mikrotik is 100% possible.

Do you need SSH open on the external interface?

http://forum.mikrotik.com/viewtopic.php?p=384465#p384465

zaptor
#906055 1-Oct-2013 23:18

You - or anyone in the house - do any online gaming? (MMORPG or Xbox/PS3)

DDoS'ing is nearing epidemic levels in gaming. Especially with the prevalence of booter (rent-a-DDoS) services.

michaelmurfy
Moderator
#906097 2-Oct-2013 03:27

Do what I do and direct SSH to a Raspberry Pi running Kippo ;) - have a bit of fun with these script kiddies instead of trying to block them out.

(Kippo is an SSH honeypot, logs everything)






1080p
#906100 2-Oct-2013 04:25

Is it really a DOS with a SSH attempt every few seconds?

sjikade
#906545 2-Oct-2013 16:47

Hi

Thanks heaps to everybody for all the good suggestions and hints.  Tomorrow I am going to dive into it and see what can be done.

 
 
 

webwat
#908553 5-Oct-2013 17:52

If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?






sbiddle
#908563 5-Oct-2013 18:19

webwat: If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?


A standard Mikrotik configuration only allows TCP established and TCP related traffic through and blocks everything else including all remote access.

sjikade
#909111 7-Oct-2013 09:55

Mikrotik provides firewall rule examples in their Brute Force Login Prevention manual
available at "http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention".
For ssh logins the offender is blacklisted after four unsuccessful attempts in a row.
Any following ssh packet from an IP address on the blacklist is dropped.
Offenders remain on the blacklist for 10 days.

The solution works well and the list was 10 entries long in 2 days.
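The staged address-list scheme sjikade describes above, replayed over a constructed connection log. This is an added example, not MikroTik's code and not the firewall rules from the wiki page. It assumes what a firewall can actually observe: new TCP connections to port 22 rather than SSH login failures. The three intermediate stage lists and the one-minute stage timeout are assumptions modelled on the wiki's example values; the four-attempt threshold and 10-day blacklist come from the post. Source addresses and timestamps are constructed test data.

```python
"""Replay of a staged address-list brute-force filter (MikroTik style).

Added example, not MikroTik code.  Assumptions: the filter counts new
TCP connections to port 22 (it cannot see login failures); three stage
lists precede the blacklist, so the 4th attempt in a row blacklists the
source; a stage entry expires STAGE_TIMEOUT after it is written, so widely
spaced attempts never reach the blacklist.  All log data is constructed.
"""
from datetime import datetime, timedelta

STAGE_TIMEOUT = timedelta(minutes=1)    # assumed per-stage address-list-timeout
BLACKLIST_TIMEOUT = timedelta(days=10)  # from the post: offenders stay 10 days
STAGES = ("ssh_stage1", "ssh_stage2", "ssh_stage3")


class SshBruteForceFilter:
    """Address lists, keyed by list name -> {source IP: entry expiry}."""

    def __init__(self) -> None:
        self.lists = {name: {} for name in STAGES + ("ssh_blacklist",)}

    def on_list(self, name: str, src: str, now: datetime) -> bool:
        """True if src is on the list and the entry has not timed out."""
        expiry = self.lists[name].get(src)
        if expiry is None:
            return False
        if expiry <= now:                 # timed-out entries are removed
            del self.lists[name][src]
            return False
        return True

    def active(self, name: str, now: datetime) -> list:
        """Sorted addresses on the list whose entries are still live at `now`."""
        return sorted(ip for ip, exp in self.lists[name].items() if exp > now)

    def new_connection(self, now: datetime, src: str) -> str:
        """Run one new TCP/22 connection through the chain, top-down.

        The drop rule terminates; the add-to-list rules do not, so every
        matching add rule fires for the same packet (entries get refreshed).
        """
        if self.on_list("ssh_blacklist", src, now):
            return "drop"
        if self.on_list("ssh_stage3", src, now):      # 4th attempt in a row
            self.lists["ssh_blacklist"][src] = now + BLACKLIST_TIMEOUT
        if self.on_list("ssh_stage2", src, now):
            self.lists["ssh_stage3"][src] = now + STAGE_TIMEOUT
        if self.on_list("ssh_stage1", src, now):
            self.lists["ssh_stage2"][src] = now + STAGE_TIMEOUT
        self.lists["ssh_stage1"][src] = now + STAGE_TIMEOUT
        return "accept"   # the blacklisting attempt passes; the next one is dropped


def parse_line(line: str) -> tuple:
    """Constructed log format: '<ISO timestamp> src=<ip>'."""
    stamp, src_field = line.split()
    return datetime.fromisoformat(stamp), src_field.split("=", 1)[1]


def replay(lines):
    """Feed attempts in order; return the filter and a (src, verdict) list."""
    fw = SshBruteForceFilter()
    decisions = [(src, fw.new_connection(now, src)) for now, src in map(parse_line, lines)]
    return fw, decisions


SAMPLE_LOG = [  # constructed; RFC 5737 documentation addresses
    # 203.0.113.7: five rapid attempts -> four accepted, fifth dropped
    "2013-10-05T17:52:01 src=203.0.113.7",
    "2013-10-05T17:52:04 src=203.0.113.7",
    "2013-10-05T17:52:07 src=203.0.113.7",
    "2013-10-05T17:52:10 src=203.0.113.7",
    "2013-10-05T17:52:13 src=203.0.113.7",
    # 198.51.100.9: three attempts, a two-minute pause, three more -> never blacklisted
    "2013-10-05T17:53:00 src=198.51.100.9",
    "2013-10-05T17:53:10 src=198.51.100.9",
    "2013-10-05T17:53:20 src=198.51.100.9",
    "2013-10-05T17:55:30 src=198.51.100.9",
    "2013-10-05T17:55:40 src=198.51.100.9",
    "2013-10-05T17:55:50 src=198.51.100.9",
]

if __name__ == "__main__":
    fw, decisions = replay(SAMPLE_LOG)
    for src, verdict in decisions:
        print(f"{src:14} {verdict}")
    end = parse_line(SAMPLE_LOG[-1])[0]
    print("blacklist at end of log:", fw.active("ssh_blacklist", end))
    # Eleven days on, the 10-day entry has timed out and the source is accepted again.
    print(fw.new_connection(*parse_line("2013-10-16T18:00:00 src=203.0.113.7")))
```

The second host in the log shows the main caveat of a timeout-based scheme: an attacker who paces attempts slower than the stage timeout is never blacklisted, which is why the source-IP restriction webwat suggests earlier in the thread is the stronger control and this filter is a fallback rather than a replacement.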
