
Getting Hammered with DoS Attacks


posted on May, 31 2022 @ 08:26 AM
Greetings ATS,

As the title says, I've been getting hammered with DoS attacks over the last couple of weeks. I had a Netgear Orbi which was about 5-6 years old when this first started. Long story short, I discussed the issue with a few colleagues and the thinking was that it was just old and the messages were caused by hardware failure.

I replaced it last week with a new Netgear Nighthawk CAX80 (they are both cable modem/router combos). I kept an eye on the router logs and for the first few days I didn't see any messages...until Saturday morning. Also, there was a firmware update which was supposed to address some security issues so I installed it. After restarting I've been getting flooded with DoS attacks.

There seem to be two types: LAND attacks are the bulk of them but I see NULL attacks as well. If you're not familiar, a LAND attack is where someone crafts a packet with the same source/destination as your router. It won't know how to respond and puts it in an endless loop that eventually will make it crash. The NULL attacks I'm less familiar with, but they have null info in the packet header, which messes with the router because it doesn't know how to handle them. (Someone feel free to correct me if I'm wrong).

The interesting thing about the NULL attacks is there is a valid Source IP address. I'm not able to do a lookup on these addresses but a quick google search says that they're coming from China.

I did open a ticket with my ISP about this. My question(s) to the board is has anyone else experienced this? Should I report this elsewhere? Was anything done or did they just stop after a while? Luckily my service hasn't been impacted too much.

Thanks.
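As an added illustration (not from the original post), here is how a defender-side filter would recognise the two packet shapes described above: a LAND packet carries the router's own WAN address as both source and destination, and a NULL probe is a TCP segment with no flags set. The Packet layout and the addresses 203.0.113.7 and 198.51.100.x are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str        # "tcp" or "udp"
    flags: int = 0    # TCP flag byte; meaningless for UDP

def classify(pkt, wan_ip):
    """Label a WAN-side packet 'LAND', 'NULL' or None.

    LAND: source and destination are both the router's own WAN address
    (spoofed so the router answers itself).  NULL: a TCP segment with no
    flags set; no real stack sends one, so it is a scanner probe.
    """
    if pkt.src_ip == wan_ip and pkt.dst_ip == wan_ip:
        return "LAND"
    if pkt.proto == "tcp" and pkt.flags == 0:
        return "NULL"
    return None

def summarize(packets, wan_ip):
    """Count flagged packets per (label, source IP), like a router log tally."""
    counts = Counter()
    for pkt in packets:
        label = classify(pkt, wan_ip)
        if label is not None:
            counts[(label, pkt.src_ip)] += 1
    return counts

# Constructed sample: 203.0.113.7 stands in for the router's WAN address and
# 198.51.100.x for remote hosts; all are RFC 5737 documentation addresses.
WAN_IP = "203.0.113.7"
SAMPLE_PACKETS = [
    Packet(WAN_IP, WAN_IP, 80, 80, "tcp", SYN),              # LAND
    Packet("198.51.100.4", WAN_IP, 41000, 22, "tcp", 0),     # NULL probe
    Packet("198.51.100.4", WAN_IP, 41001, 443, "tcp", 0),    # NULL probe
    Packet("198.51.100.4", WAN_IP, 41002, 443, "tcp", SYN),  # ordinary SYN
    Packet("198.51.100.9", WAN_IP, 5000, 53, "udp", 0),      # UDP, no flags
]

if __name__ == "__main__":
    for (label, src), n in summarize(SAMPLE_PACKETS, WAN_IP).items():
        print(f"{label} from {src}: {n} packet(s)")
```

Note that the NULL probe keeps a real source address (which is why it can be looked up, as the post describes), whereas the LAND source is by construction spoofed.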



posted on May, 31 2022 @ 08:39 AM
I see that sort of thing all the time in my field of work, but generally I'm only dealing with high end security equipment that handles it easily.
The easiest way to cut down on most of the garbage traffic on the internet is with a GEO-IP filter, which will simply be configured with the countries you want to get traffic with, and discard the rest.
You can generally discard anything not based in the US and *most* websites will function just fine. Every now and then you need some UK IP space, but that's about it. With everything hosted in "the cloud" these days it just works out pretty well.

Of course, I have no idea if consumer grade hardware supports geo-ip filtration. I know my $65 asus doesn't.



posted on May, 31 2022 @ 08:50 AM

originally posted by: lordcomac
I see that sort of thing all the time in my field of work, but generally I'm only dealing with high end security equipment that handles it easily.
The easiest way to cut down on most of the garbage traffic on the internet is with a GEO-IP filter, which will simply be configured with the countries you want to get traffic with, and discard the rest.
You can generally discard anything not based in the US and *most* websites will function just fine. Every now and then you need some UK IP space, but that's about it. With everything hosted in "the cloud" these days it just works out pretty well.

Of course, I have no idea if consumer grade hardware supports geo-ip filtration. I know my $65 asus doesn't.


That's interesting, thank you. I paid a pretty penny for my unit but yeah, since it's a home setup I don't think it would support it either? There may be an option...I have the Netgear Armor which has a piece that runs on the router. This acts as an IP filter. I wonder if that can be configured? I know it's not highly thought of in the industry.



posted on May, 31 2022 @ 09:54 AM
a reply to: RomaSempre

I know that several of Netgear's gaming routers support geo fencing. Not sure about the CAX series.

See if this helps : kb.netgear.com...

-SB



posted on May, 31 2022 @ 10:38 AM
What devices are you connecting with?
Are they WIFI, wired, or both?

This sounds really weird just using the information as presented.
Usually a device, and not a router, is the target.

Also, as an FYI, folks are hiding silent miners inside harmless looking programs nowadays.



posted on May, 31 2022 @ 11:02 AM
I have two devices hardwired and the rest WIFI, so yeah a mix of both. I've run AV scans on all my machines and they come up clean.

I agree that it sounds weird and for a time I thought it was a false positive but after seeing the IP from China...well, I don't know. My guess is that someone or something is banging on a whole range of addresses. I don't know why I would get singled out save that it's just some random thing.



posted on May, 31 2022 @ 11:41 AM
a reply to: RomaSempre

is your IP static, or dynamic?



posted on May, 31 2022 @ 01:19 PM

originally posted by: network dude
a reply to: RomaSempre

is your IP static, or dynamic?


The address that I get from my ISP is dynamic...however, it doesn't seem to change very often.

I've asked several times for them to change it and the answer is always the same: we can't because you own the equipment.

I've been wondering if they're doing some sort of address reservation? I think it's the same address I had with my old router even though I was told I get it through DHCP.
edit on 31-5-2022 by RomaSempre because: additional info



posted on May, 31 2022 @ 04:12 PM
Most DHCP servers will give your IP address to another modem if you are disconnected for a long period of time; 4hrs will do it normally.

Another trick is to change your MAC address. I don't think your hardware can, but for me I use DD-WRT and just use MAC address clone to switch between my router and modem MAC address; this will change my IP address.



posted on May, 31 2022 @ 04:31 PM
a reply to: RomaSempre

Markovian is correct. Oftentimes you can "force" a new WAN IP address to be issued from your ISP by simply disconnecting (powering off) your router for a period of time. I believe Comcast/Xfinity WAN IP address leases last 24 or 48 hours.

SB



posted on May, 31 2022 @ 07:58 PM

originally posted by: lordcomac
I see that sort of thing all the time in my field of work, but generally I'm only dealing with high end security equipment that handles it easily.
The easiest way to cut down on most of the garbage traffic on the internet is with a GEO-IP filter, which will simply be configured with the countries you want to get traffic with, and discard the rest.
You can generally discard anything not based in the US and *most* websites will function just fine. Every now and then you need some UK IP space, but that's about it. With everything hosted in "the cloud" these days it just works out pretty well.

Of course, I have no idea if consumer grade hardware supports geo-ip filtration. I know my $65 asus doesn't.


While that may seem reassuring, the second most common source of attacks is the US.

Top 10 Countries Where Cyber Attacks Originate



posted on Jun, 1 2022 @ 07:00 AM

originally posted by: SirBobkat
a reply to: RomaSempre

Markovian is correct. Oftentimes you can "force" a new WAN IP address to be issued from your ISP by simply disconnecting (powering off) your router for a period of time. I believe Comcast/Xfinity WAN IP address leases last 24 or 48 hours.

SB


I usually power it off in the evening. My idea is basically no one can bang on it if it's down, lol.

I was told I would get a new address if I got a new modem. Well, this is a new modem but they still gave me the same address. It makes me wonder if it's tied to my account in some way?

Anyway, I did receive a call from the Comcast security team last night. They said they would have a solution in the next 24-48 hours. We'll see what that is...hopefully they can block all this stuff for good.



posted on Jun, 1 2022 @ 12:40 PM
a reply to: RomaSempre

The address that I get from my ISP is dynamic...however, it doesn't seem to change very often.

ipconfig /release

then

ipconfig /renew

at an administrative command prompt.



posted on Jun, 1 2022 @ 12:42 PM
Download Wireshark portable.
Better than a sniffer.



posted on Jun, 1 2022 @ 12:43 PM
a reply to: RomaSempre

I have two devices hardwired and the rest WIFI, so yeah a mix of both. I've run AV scans on all my machines and they come up clean.

AV scans, for the most part, do not detect silent miners.

At this point, I believe that the attack is not against your router.
It's against one or more of your devices.
You could try to do a hard reset of the router.
But, you would have to reset all your settings again.
Unplugging or restarting is not a reset.



edit on 6/1/22 by Gothmog because: (no reason given)



posted on Jun, 1 2022 @ 12:49 PM
a reply to: SirBobkat

I believe Comcast/Xfinity WAN IP address leases last 24 or 48 hours.

Comcast is only static.



posted on Jun, 1 2022 @ 12:58 PM
Wait.
One of the simplest reasons for this to happen.
A network card failing and doing a "broadcast storm".
I am getting old......



posted on Jun, 2 2022 @ 08:03 AM
a reply to: Gothmog

Thanks for the replies. This is a brand new router and so far, from what I can see, nothing is really getting through, as my internet service hasn't been affected. I may download Malwarebytes and see if that turns up anything?

I've been thinking about a hard reset. I don't have that many devices on my home network so it won't be too bad reconfiguring everything.

I did have someone (who works for a security company) look up one of the IP addresses that's hitting me. It's definitely coming from China and it's been scanning over 800 targets resulting in over 2,000 reports since the end of April. That's just one of three addresses hitting me. This makes me think it's more of a brute force attack on the US in general. Also, FWIW I found a post yesterday where someone else has the same setup and is experiencing the same problems.

The security team at Comcast is supposed to get back to me today with a solution. Hopefully it's not "lease our equipment".



posted on Jun, 2 2022 @ 08:32 PM
a reply to: RomaSempre
To make this short:
1) Most attacks are against a device that the router picks up as DoS
2) Malwarebytes MAY pick it up. You may need to research Spybot's Search and Destroy (S&D)
3) Research Wireshark for your systems (network sniffing program).
4) Disconnect one cable at a time from your systems (or disable WIFI on that system). Monitor for the message to return. If it doesn't, that would be the culprit. If it does, continue to the next.

Another hint. Let one system at a time go into sleep mode. That is when the silent miners go full active and your resource usage goes to 110%.

The above are merely suggestions.

Changing routers with Comcast does not alter any IP addresses. You merely just get a different MAC address on that router.

Good luck to you.
If I can think of something else, I will be back.



posted on Jun, 2 2022 @ 08:35 PM
a reply to: RomaSempre

I was told I would get a new address if I got a new modem. Well, this is a new modem but they still gave me the same address. It makes me wonder if it's tied to my account in some way?

Forever, unless your ISP will issue new ones. (Most are very reluctant to.)

Going back to building my new 3rd PC, which is going to be "all for show".
If needed, just PM me here.

edit on 6/2/22 by Gothmog because: (no reason given)


