Geekzone: technology news, blogs, forums




4 posts

Wannabe Geek


Topic # 130883 1-Oct-2013 17:30

I have broadband via Slingshot (ADSL2) and over the last couple of weeks I noticed that my broadband was getting slow for a while and then it picked up again. I had a look and noticed that I got lots of attacks (see below).
I contacted Slingshot but they say they can't do anything about it.
I have a static IP address so turning modem off and on doesn't help.

Anyone out there who has bright ideas or suggestions?

Speed problems caused by DOS attacks on Slingshot, as seen by our router.
The table below shows where the attacks come from.

Date                   IP address        Country
24 September           222.189.228.111   China
24 September           123.215.15.156    Korea
24 September           112.216.140.51    Korea
26 September           218.25.129.123    China
26 September           210.31.10.158     China
26 & 27 September      204.15.135.26     United States
27 September           117.135.241.112   China
28 September           61.147.113.26     China
28 September           61.175.112.244    China
29 September           58.213.29.194     China
29 September           190.29.99.249     Colombia
29 September           202.137.9.177     Indonesia
29 September           190.147.33.16     Colombia
29 September           66.175.112.244    Haiti
29 September           200.12.49.147     Guatemala
27 September           218.94.151.98     China

1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 905888 1-Oct-2013 18:40

What tool(s)/analysis have you done to prove this is actually an attack as opposed to internet noise?



4 posts

Wannabe Geek


  Reply # 905969 1-Oct-2013 20:25

By logging into Winbox - see below. 

 
 
 
 


BDFL - Memuneh
62293 posts

Uber Geek
+1 received by user: 12829

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 905970 1-Oct-2013 20:30

There isn't really anything Slingshot can do. This is just probes running around to see if there's any unprotected device on any given IP address.




3439 posts

Uber Geek
+1 received by user: 435

Trusted

  Reply # 905975 1-Oct-2013 20:37

You would be best to not have port 22 open but rather switch your SSH to a random port.





27481 posts

Uber Geek
+1 received by user: 6949

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 905976 1-Oct-2013 20:43

Why do you have port 22 open and exposed to the whole internet?

It's a bit like leaving the key under a rock in the garden and complaining that people are trashing your garden searching for it.

Follow security 101 and secure your network and the problem will go away. It won't matter what ISP you go with, you'll see exactly the same issue.



3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

  Reply # 905978 1-Oct-2013 20:44

Having SSH on port 22 is part of the reason why you are getting so many attempts.  Move it to some obscure high port and they should die down.

2358 posts

Uber Geek
+1 received by user: 378

Trusted

  Reply # 906030 1-Oct-2013 22:19

Hmm, you're running 5.20 with an open SSH server? Upgrade. I am sure it doesn't say 5.26 up the top.

Mikrotik says it's not exploitable, but crashing SSH on the Mikrotik is 100% possible.

Do you need ssh open on the external interface?

http://forum.mikrotik.com/viewtopic.php?p=384465#p384465

658 posts

Ultimate Geek
+1 received by user: 28


  Reply # 906055 1-Oct-2013 23:18

You - or anyone in the house - do any online gaming? (MMORPG or Xbox/PS3)

DDoS'ing is nearing epidemic levels in gaming. Especially with the prevalence of booter (rent-a-DDoS) services.

Mr Snotty
8306 posts

Uber Geek
+1 received by user: 4274

Moderator
Trusted
Lifetime subscriber

  Reply # 906097 2-Oct-2013 03:27

Do what I do and direct SSH to a raspberry pi running Kippo ;) - have a bit of fun with these script kiddies instead of trying to block them out.

(Kippo is an SSH honeypot, logs everything)




1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 906100 2-Oct-2013 04:25

Is it really a DOS with an SSH attempt every few seconds?



4 posts

Wannabe Geek


  Reply # 906545 2-Oct-2013 16:47

Hi

Thanks heaps to everybody for all the good suggestions and hints.  Tomorrow I am going to dive into it and see what can be done.

1984 posts

Uber Geek
+1 received by user: 133

Trusted

  Reply # 908553 5-Oct-2013 17:52

If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?




Qualified in business, certified in fibre, stuck in copper, have to keep going  ^_^

27481 posts

Uber Geek
+1 received by user: 6949

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 908563 5-Oct-2013 18:19

webwat: If SSH or Telnet ports are open (or even HTTP) then they should be secured to only an approved external IP number (eg your office IP address) so that nobody else can see the open port. Don't routers have things like that blocked by default these days anyway?


A standard Mikrotik configuration only allows TCP established and TCP related traffic through and blocks everything else including all remote access.



4 posts

Wannabe Geek


  Reply # 909111 7-Oct-2013 09:55

Mikrotik provides firewall rule examples in their Brute Force Login Prevention manual
available at "http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention".
For ssh logins the offender is blacklisted after four unsuccessful attempts in a row.
Any following ssh packet from an IP address on the blacklist is dropped.
Offenders remain on the blacklist for 10 days.

The solution works well and the list was 10 entries long in 2 days.
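
The staged address-list scheme described in the post above, written out as RouterOS firewall rules. This is an added example, not part of the original post. The rules count new TCP connections to port 22 rather than failed logins, so the fourth new connection inside the one-minute windows is what triggers the blacklist. Assumptions: the list names (ssh_stage1 to ssh_stage3, ssh_blacklist) and the trusted management address 203.0.113.10 are placeholders.

```routeros
/ip firewall filter

# Optional: accept SSH from one approved address first, so the
# administrator can never land on the blacklist.
# 203.0.113.10 is a placeholder; replace it with your own address.
add chain=input protocol=tcp dst-port=22 src-address=203.0.113.10 \
    action=accept comment="ssh from trusted management address"

# Drop every SSH packet from a source already on the blacklist.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers"

# Fourth new connection while still in stage 3: blacklist for 10 days.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d

# Third new connection while still in stage 2: promote to stage 3.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m

# Second new connection while still in stage 1: promote to stage 2.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m

# First new connection: remember the source for one minute.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m
```

Rule order matters: the staging rules must be evaluated from stage 3 down to stage 1, and all of them must sit above whatever rule finally accepts or drops SSH on the input chain. Current blacklist entries can be inspected with `/ip firewall address-list print where list=ssh_blacklist`.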
