How to know and combat being a DOS victim

How to know and combat being a DOS victim

Post by MidN8 on Sun Jul 27, 2014 3:21 pm

Hello,

I have been encountering some issues recently regarding my broadband. Specifically, it either slows down or simply dies out on me. I have checked my router's logs and found that the router's firewall records a number of UDP bomb attacks from various IP addresses. The DOS attacks (if they are DOS attacks and not simply my router misconstruing strenuous network activity as such) are happening to a home network, and have been happening every few days now. My questions are:
What can I do about this, if anything at all?
With the wide variety of IP addresses being used for the DOS, does it make sense to block the IP addresses (especially if someone is using proxies)?
Thanks in advance.
MidN8
New User


Re: How to know and combat being a DOS victim

Post by akorshikai on Sun Jul 27, 2014 4:49 pm

What can you do? Plenty. But I don't have enough information on your situation. Before I offer some tips, I'm highly skeptical that a series of UDP packets can cause continual degradation of network conditions. Could it be a UDP flood? Yes, but this attack is very obvious, noisy and kind of antiquated imo.

Translation: it could (and very well) be other things that are the true causes to your issues.

Tailoring my suggestions to the scope of your situation, I've got some questions.

1. What port are these UDP packets coming through?
Solution #1: Block inbound UDP traffic from that port. Please verify if it's a router firewall or host-based. There are too many different ways to accomplish Solution #1 for me to offer.

2. Are these "UDP Bombs" occurring at the same time you experience network degradation?

Ball's in your court.
akorshikai
New User


Re: How to know and combat being a DOS victim

Post by cyberdrain on Sun Jul 27, 2014 5:06 pm

While it's true it can be a DoS, in which case akorshikai's advice should be heeded, I don't see a reason for anyone to attack a home router that way. It just doesn't make sense (barring some vulnerability or targeted attack). I'd first check more likely sources before concluding it's anything more elaborate. For example, is your modem/router more than 2 years old? Does your ISP have a habit of throttling users when they use up too much bandwidth? Are there other people on the network that might use too much bandwidth? The router might also just misinterpret packets because the hardware is old (similar to what you said). Very strange things can happen if equipment is not up to date in my experience.
Free your mind / Think clearly
cyberdrain
Contributor


Re: How to know and combat being a DOS victim

Post by MidN8 on Mon Jul 28, 2014 1:33 pm

Hi cyberdrain and akorshikai, and thanks for your replies regarding my questions.

I currently would describe my router to be at least 1 year old, as it is a replacement of a previous one, but would consider that specific model to be more than 2 years old. The router is a standard router that comes included from the ISP as part of a broadband package deal, so I suspect that the router would typically lack a lot of features an enterprise router would have (well, I think this would be a given).

I would consider myself to be the only user of the home network, as other family members' usage would be extremely limited, so I typically describe myself as the main user, if not the only user.

It is quite possible my ISP does throttle users for too much bandwidth, and yes, I did use too much bandwidth last month.

The following is a quotation (minus the IP addresses) from my router's firewall log:

"kernel: [fwlog] Udp bomb attack, SRC=x.x.x.x DST=x.x.x.x. " On a given day I received 21 of these reports within the space of 1 minute and 40 seconds; this was then followed by the network going down (when I say the network went down, I could not even ping my router, as the LAN was also down).

Regarding port types in the logs, this information is not available in the logs. I looked around to see if I could change the system log configuration, and there are no settings offered for port identification.

My router does offer me security features regarding DOS attacks, such as prevention of UDP bombs, and with this feature enabled it still has made little difference.

Also, regarding your last statement, cyberdrain, relating to outdated hardware or firmware: it is quite plausible to say the router isn't the most up to date; the firmware, however, is as up to date as it could be.

I hope the information provided is informative enough for more advice to be offered, and thanks for taking the time.
MidN8
New User


Re: How to know and combat being a DOS victim

Post by akorshikai on Mon Jul 28, 2014 4:19 pm

Given your provided input, my best recommendation towards a viable solution is to go out and purchase your own router with a configurable firewall. ISPs lending you their own routers is a waste of equity, especially since most charge you a monthly rate to rent them - only for you to return it when you're done with their service.

If you're unable to find the port where these "UDP bomb attacks" are coming from, I strongly advise you download a network protocol analyzer (Wireshark is common) and run it for a few hours, filtering to only show UDP - that'll give you the information needed. In addition, it'll give you an idea of whether or not it's inbound or outbound traffic.

Unfortunately, I can't ascertain whether it's in/outbound traffic because you didn't disclose the IPs. There's an internal and external interface, concerning network address translation. Why is this relevant? Because it could be the case that your computer's been compromised and may be participating in these "UDP bomb attacks", which could be chewing up your bandwidth. Not enough info to speculate, however.

Cyberdrain, thoughts?
akorshikai
New User


Re: How to know and combat being a DOS victim

Post by tremor77 on Tue Jul 29, 2014 6:03 am

Another question is, have you pissed anyone off lately? The attack you are seeing is being generated by a single source user of LOIC or a similar skiddie DoS tool. I used to use this very same attack against people who were better than me in FPS games, to tick up their latency and give them lag so I could kill them more easily. So to speak, this isn't random; it is a targeted attack. Does your IP remain static? Perhaps requesting a release/renew from your ISP on your IP will completely resolve the issue. If it's dynamic and this continues... you may have call-home malware residing on a computer in your home network, in which case an antivirus/antimalware scan should be your first move.
tremor77
Contributor


Re: How to know and combat being a DOS victim

Post by cyberdrain on Tue Jul 29, 2014 10:59 am

tremor77 wrote: If it's dynamic and this continues.. you may have a call-home malware residing on a computer in your home network in which case an antivirus / antimalware scan should be your first move.

Hey that's a good one, I've been thinking about outside attack, but it could just as easily be coming from a zombie computer inside the network.

akorshikai wrote: Given your provided input, my best recommendation towards a viable solution is to go out and purchase your own router with a configurable firewall. ... I strongly advise you download a network protocol analyzer (Wireshark is common) and run it for a few hours, filtering to only show UDP - that'll give you the information needed. In addition, it'll give you an idea of whether or not it's inbound or outbound traffic.

I'm guessing based on the information provided by the router, it's not very useful to determine the source by analysing the packets. The router already displays the source(s) and drops the packets, in which case they don't even reach inside the network (if originating from outside). The only use I can think of would be to confirm that the firewall doesn't work (confirming being outdated) or that an inside zombie computer is to blame. Then again, maybe it provides some much needed extra information.

Using a user owned router and/or modem is a good way to improve security and stability. So does asking for a new or different modem from the ISP (which usually is forced on you anyway). Have you contacted your ISP yet? If they are unwilling to help and you can't use your own router, dd-wrt might also be an option (seeing as the router runs *nix). I'm just exploring a few different options, as you seem to need more tools to fight this than the router provides.

akorshikai wrote: Not enough info to speculate, however.
Cyberdrain, thoughts?

I agree, too little information. As the attack is within minutes, I'd agree with skiddie attack or just router problem. But that would be speculation based on what you've given. I don't think I could add much more to that.

Edit:
Please provide every x (not y) in SRC=x.x.y.y DST=x.x.y.y, it won't be enough to identify you, but will help with understanding the problem.
Free your mind / Think clearly
cyberdrain
Contributor


Re: How to know and combat being a DOS victim

Post by MidN8 on Tue Jul 29, 2014 2:14 pm

Thanks for your help both of you, this is actually quite educational.

Personally, there is nothing I would love more than to purchase my own router, as I do know that ISPs tend to provide their most "cost effective" networking equipment available, especially since it comes free with the contract. However, while I am the main/sole user of the broadband, I am not actually the one being billed (my parents are).

I am very hesitant about releasing a potentially external-facing IP address due to traceability, but I suppose I could take cyberdrain's recommendation on supplying the first 16 bits:
kernel: [fwlog] Udp bomb attack, SRC=89.230.x.x DST=93.107.x.x.
kernel: [fwlog] Udp bomb attack, SRC=213.157.x.x DST=109.76.x.x.
kernel: [fwlog] Udp bomb attack, SRC=50.67.x.x DST=93.107.x.x.

Now, I have heard of zombie attacks; I have heard that DDOS attacks use zombie computers to take part, but I would never expect my network to participate in one, as I do try to take care of my PC by regularly using malware scanners, anti-virus scans and rootkit scans, until this popped up (this log entry actually appeared many hours after I submitted my previous reply to this thread):

kernel: [fwlog] Udp bomb attack, SRC=192.168.x.x DST=239.255.x.x. "" times 18

This source is an internal address, as is clear; however, the specific machine within that network is something I am not aware of (i.e. it is not being used, so either someone got access to my LAN and started using an IP address on the network and then left, or ... I don't know).

Now, you brought up an interesting point regarding the use of Wireshark. I actually tried to do this, but I don't have a bloody clue as to how to set up the router as the intended listener.

Also, I did contact my ISP regarding this; I have yet to receive any reply to my emails about it. I have restarted my router several times, as I kind of hoped that the external-facing IP was a dynamically assigned IP address from my ISP's DHCP server (this is quite likely wishful thinking on my side; this of course is me assuming that ISPs have a DHCP server to dynamically allocate IPs to their customers).

Now I suppose there can't be any more harm in me pointing out a few other things that may have some impact or none at all.
I have a virtual machine with a BackTrack and another with a Kali Linux distro installed on my current machine; both are bridged. Furthermore, I use homeplugs; I only bought them within this month, and one is plugged into an extension cord due to really poor electrical socket placement in my room. As a last statement to a reasonable question, have I pissed off anyone? NO, not that I am aware of; I have not participated in any campaigns (ever), do not really play games anymore (well, not competitively or actively anyway) and have not attempted to hack anyone's network to provoke an attack. I hope this is enough info, but feel free to ask more questions, and as always, it's gratefully appreciated.
MidN8
New User
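An added example (not from this thread or any poster) of how one might triage log lines in the router's "[fwlog]" format quoted above: it parses each report, groups reports into bursts like the 21-in-100-seconds run described earlier, and classifies each SRC and DST as RFC 1918 private, multicast (224.0.0.0/4, the range that contains 239.255.x.x) or public, so an internal source or a multicast destination stands out. The sample lines, their timestamps (the quoted log shows none) and the addresses are constructed for this example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the router's "[fwlog]" style; the timestamps and the
# TEST-NET / RFC 1918 / multicast addresses are made up for this example.
SAMPLE_LOG = """\
Jul 29 13:02:01 kernel: [fwlog] Udp bomb attack, SRC=198.51.100.7 DST=203.0.113.5.
Jul 29 13:02:09 kernel: [fwlog] Udp bomb attack, SRC=192.0.2.44 DST=203.0.113.5.
Jul 29 13:03:41 kernel: [fwlog] Udp bomb attack, SRC=198.51.100.7 DST=203.0.113.5.
Jul 29 18:40:02 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.23 DST=239.255.255.250.
Jul 29 18:40:03 kernel: [fwlog] Udp bomb attack, SRC=192.168.1.23 DST=239.255.255.250.
"""

# The DST value ends with a stray "." in the router's output, so match four octets explicitly.
OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*\[fwlog\] Udp bomb attack, "
    rf"SRC=(?P<src>{OCTETS}) DST=(?P<dst>{OCTETS})\.?\s*$"
)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")

def classify(addr):
    """RFC 1918 private, multicast (224.0.0.0/4) or anything else ('public')."""
    ip = ipaddress.ip_address(addr)
    if ip in MULTICAST_NET:
        return "multicast"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"

def parse_fwlog(text, year=2014):
    """Return (timestamp, src, dst) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"]))
    return events

def find_bursts(events, window=timedelta(seconds=100), threshold=3):
    """Group reports within `window` of a burst's first report; keep bursts of >= threshold."""
    bursts, current = [], []
    for ev in sorted(events):
        if current and ev[0] - current[0][0] > window:
            bursts.append(current)
            current = []
        current.append(ev)
    bursts.append(current)
    return [b for b in bursts if len(b) >= threshold]
```

Run over a real export, a burst whose sources classify as "private" points at a machine on the LAN rather than at the Internet, which is the distinction the later replies turn on.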


Re: How to know and combat being a DOS victim

Post by akorshikai on Tue Jul 29, 2014 6:24 pm

I'll expand on a few things you indicated, but reiterate that the best solution remains purchasing a commercial router with a configurable firewall.

Starting with Wireshark:

MidN8 wrote: Now you brought up an interesting point regarding the use of Wireshark, i actually tried to do this, but i don't have a bloody clue as to how to set up the router as the intended listener.


You really don't need to do anything to the router, since it's not a listener. It just performs NAT functions and passes traffic. In Wireshark, all you really need to do is go to "Capture Interfaces" and select the appropriate Interface. This is indicated by the hardware specifications of your transceiver, i.e. Broadcom/Atheros/Intel, etc. An easier way is just pick the interface with the greatest number of packets. Hit "Start".

When the "UDP bomb attacks" happen, Wireshark should light up and reflect the same thing you posted in the logs. Find any random UDP packet and click on it. A series of fields will display in the lower reading pane. The fields drill from the top down: "Frame", "Ethernet II", "IPv4" (or 6), "User Datagram Protocol" <--- jackpot. In this line, it'll display the port. You're interested in "Dst Port", which will probably be 53 by what you described (assuming it's a DNS issue).

MidN8 wrote:kernel: [fwlog] Udp bomb attack, SRC=192.168.x.x DST=239.255.x.x. "" times 18


Here's the bad news:
1. You listed one of the destination IPs with the second octet of 255. I find that highly unusual because 255 is reserved as a broadcast address. I don't know what the remaining two octets are, but I'll hedge a bet they too are 255. Do some homework on that if you would.
2. The source IP associated with that 239.255.x.x destination IP was in fact from your own network. Smells like a compromise.

There's a ton of what-ifs, between BT/Kali, potential proxies involved, etc. Best bet is to get your own router and start denying UDP (both in/outbound, especially on port 53) and see if your symptoms improve.

Good luck.
akorshikai
New User


Re: How to know and combat being a DOS victim

Post by -Ninjex- on Wed Jul 30, 2014 8:20 am

Well, firstly, since you said it's coming from multiple IP addresses, that would define this as a DDOS attack, which is a lot harder to defend against than just a stand-alone DOS attack. Now, there is no 100% solution to D/DOS attacks, but there are some steps you can take to hopefully mitigate most attacks and prevent this. The three main things you need to be looking at in defending against these types of attacks are:
1: Detection
2: Resistance
3: Response
I suggest heavily restricting UDP, since that's where you said the attacks are hitting, but I will also suggest blocking ICMP if possible, as they may attempt to attack there too.
Blocking invalid inbound traffic may help in mitigating the attacks.
Implement egress filtering.
Implement RPF (Reverse Path Forwarding).
Implement a sink hole if you have the technical know-how.
You could also look into getting some products from vendors to handle some of this for you.
http://www.arbornetworks.com/ or http://www.prolexic.com/ would be a good choice.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
-Ninjex-
Addict

