DDoS & DoS attacks

Myleslandish

I have to be careful in how I word this because it’s a matter in which nothing I say and nothing that our network hardware says is believed to be anything but error and paranoia. Beginning about a month or two ago, our ISP-provided router had a constant stream of two separate DoS attacks that its logs detailed were occurring every few seconds or so. It’s been a lot of other things since then, so I can’t recall at the moment how close together they each were, but it was steady, constant, and from the same source. One computer in the home whose only use is “supposed to be” for working at home with an SF insurance company. She uses Cisco AnyConnect, and the entire system and operating system is managed by SF and their IT department. They have stated just today that they see nothing and no reason or problem. Our home network has been completely overwhelmed and is shut down at least 3-10 times daily. The home has a total of 6 personal devices including streaming TVs, smartphones, and computers. When the issue first came to light I rerouted the network to where it wasn’t capped off immediately by the attacking computer, and the total length of networking cable went from 3 feet to over 150 feet out to the separate structure on the property I live in. I began to try and diagnose the issue, and in that time every single device that has logs all reported the same things: just different DoS and/or DDoS attacks taking place. The first that the ISP router reported was called the “ping of death” attack, and I can’t recall what the second one was. But they were constant and from that one computer; named by name, MAC address, and IP address. 
After running the Cat5 to my home, setting up a simple set of mesh routers, bypassing that computer and leaving the ISP router in the hole it belonged in, the first speed test results had gone from a 2-year regular average of 30-40 Mb/s max to a level I didn’t think was necessary or possible given that we have a standard basic fiber connection. As I said, the speeds were an average of 30-40 Mb/s for two years, and as soon as I added over 100 feet of cable to the network and added 2 simple economy mesh routers (2 of the 3 routers in the set) I thought, if anything, I was going to have to explain that the loss of speed is a small price to pay for the security gained by running the network through the firewalls first. But to my surprise, the speeds were topping over 200 Mb/s to 220 and 230. The speeds stayed that high until the day came when she started work again. Then they dropped to still being higher at around 90 Mb/s, now down to about 70 a month later. I’m having more than a difficult time convincing her that what every single router and firewall we own are all saying is more than guesses and that it’s not just random errors. That these attacks don’t happen to individuals unless they’re being targeted by someone with a sick and immoral desire to disrupt the lives of others. She will not be convinced that the logs are actually indicating what they say. She refuses to accept anything that’s said or read unless it’s stated by someone wearing a company shirt and name tag. As comforting as that is, I’m reaching out to you and anyone here to please take a few moments of your time to share your knowledge about these kinds of attacks, how they occur, when and why a router announces/logs them, and what they mean. Is it at all possible that the two different Netgear routers and the ISP router are all making up this data, and if so, why or how do they all seem to choose the same things? 
A total of 4, I believe, different DoS attacks, and the only two I recall the names of are the “ping of death” and the “Smurf” attack. Take into account that this is the only network on the property and has a maximum of 6-7 devices online at any given moment using no more than a small handful of MB of data. Yet our network began to be shut down and hasn’t stopped being crippled since the first attacks were noted in the logs. Why would the speed more than quadruple after adding over 100 feet to the layout or network topology? Why or how would three different routers all start to log various DoS attacks taking place if there truly aren’t any DoS attacks happening? Also, why or how can a perfectly fine and uninfected computer (SF’s words, remotely during a 10-minute conversation) be pointed to or at by the network hardware as the source of various DoS attacks that aren’t taking place and aren’t really happening? Lastly, why would a home network’s routers under such a little load repeatedly be shut down/fail over and over daily after these logs began if there aren’t any actual DoS attacks taking place? Is it at all possible that something else is the case? 
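As an added illustration (not part of the original post or any reply), this is the kind of offline triage a defender would run over router log entries like the ones described above: parse the "[DoS Attack: …] from source: …" lines, count events per source and per attack name, and label each source as RFC 1918 (LAN-side) or public, which is exactly the distinction the later reply asks about. The log format and every address in the sample are constructed for the example and modelled on the style many consumer routers use; they are not the poster's real logs.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log, not the poster's logs. The line style mimics common
# consumer-router event logs; the addresses are made up for this example.
SAMPLE_LOG = """\
[DoS Attack: Ping Of Death] from source: 192.168.1.23, Tuesday, Jan 09,2024 08:12:04
[DoS Attack: Smurf Attack] from source: 192.168.1.23, Tuesday, Jan 09,2024 08:12:09
[DoS Attack: Ping Of Death] from source: 192.168.1.23, Tuesday, Jan 09,2024 08:12:15
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.77, port 443, Tuesday, Jan 09,2024 08:13:01
[DoS Attack: Ping Of Death] from source: 192.0.77.22, Tuesday, Jan 09,2024 08:14:30
[Admin login] from source 192.168.1.10, Tuesday, Jan 09,2024 08:15:00
"""

# Only lines the router itself labelled as a DoS event are of interest here.
LOG_RE = re.compile(r"\[DoS Attack: (?P<name>[^\]]+)\] from source: (?P<ip>[0-9.]+)")

# The three RFC 1918 blocks; anything outside them is routable on the Internet
# (or a special-purpose range), so it cannot be "just a LAN neighbour".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def scope_of(ip_text):
    """Label a source address: 'rfc1918' (private LAN), 'special', or 'public'."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "special"
    return "public"

def parse_dos_events(log_text):
    """Return one (attack_name, source_ip, scope) tuple per DoS line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("name"), m.group("ip"), scope_of(m.group("ip"))))
    return events

def summarize(log_text, repeat_threshold=3):
    """Count events per source and per attack name and flag sources that keep recurring."""
    events = parse_dos_events(log_text)
    per_source = Counter(ip for _, ip, _ in events)
    per_name = Counter(name for name, _, _ in events)
    repeaters = {ip: n for ip, n in per_source.items() if n >= repeat_threshold}
    scopes = {ip: scope for _, ip, scope in events}
    return {"per_source": dict(per_source), "per_name": dict(per_name),
            "repeaters": repeaters, "scopes": scopes}
```

A LAN host that repeats in the per-source count is worth looking at on that host (what process sends the traffic), while a recurring public source says something about the WAN side; either way the log line alone names a sender, not a cause.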

7 Replies

Myleslandish

I need help stopping a particular level or type of hack that’s taking place, and nothing will end it. I’ve saved the logs of the firewall as it started to be reconfigured or whatever is happening. It first starts without any of it happening. The ISP came a few days ago; said the router was full of alterations. They swapped it with a new one, and I connected to it with my firewall and saved the logs as it was first starting to communicate back with a group of IP address groups that are in the private range that have no part in our network. It’s one router; we don’t even have a need for an internal network. Just internet access. It starts communicating with variations of 192.0.77.22, 192.0.78 and a couple of other private IP range networks. Networks our one router isn’t using or supposed to be on. Stuff like that that has NO true home here, and it’s an outside path that’s being put in every time it’s ever fixed by them. It starts and follows with continuous probing of the Firepower port from the 172.x.x.x, a handful of variations. Then these and another small handful of private IP ranges start and continue making connections with the rest. I’ve created access lists to weed them out, and in the end if you block them all the internet stops working from that ASA. Remove the restrictions and it works. It’s one home router, one home network I’m connecting to on the LAN port of the ISP router. Every time they come they have to swap the router and say it’s been heavily reconfigured. 

This is in order, but I’m not sure if it starts at the end and goes to the beginning or beginning to end. I mean they go in order of time from the second time it connected after the entire network was reset and given a different router by the ISP. 

I guess because it’s a new configuration and has to be re-whatevered, jacked up and twisted to their will, you can see it’s constantly saying it has a working Ethernet connection but wasn’t working on a few of those because of the various access lists for the fake public IP ranges that are hitting it. Toward the 1 hour mark (which is about the span of time on the connection and is what’s covered in the pictures from this morning). I can’t stand that the ISP even suspects it’s me. It doesn’t make much sense for me to continually alert them to the issues if I’m the perpetrator, though. I’m wondering if I can ask them to arrange a constant remote connection for their own confirmation and/or to see what happens as it happens. I know it’s set to where it doesn’t take any full effect until it’s sure it’s a staying/returning member of the network. It did none of these things in the first hour or so. It was first connected a few hours before and did none of it. I disconnected it, went to town, and when I returned I reconnected it, and that’s the hour span of the images I’ve posted. If it wasn’t so new of an alteration to the normal network it would show an issue with the connection with the yellow exclamation mark on the Ethernet symbol. It also was so new it’s the first time I’ve gotten this particular answer to why the internet wasn’t working at the moment. It says it can’t connect to the remote network. That shouldn’t be the case. Please please help

@Myleslandish hi, we can understand your frustration. I have a few requests to understand the big picture. 

1. Is your firewall connected to the internet directly or via the ISP router?

2. If it’s via the ISP router, do you have a private range between the router and the firewall? 

3. Are there any NAT rules configured in the router?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

The outside interface is in the LAN port of the ISP router. The ISP doesn’t bother to do any disabling of all the added functionalities undoubtedly always at play. I don’t get why they haven’t charged her to keep replacing it. It’s been like once a year and needed to be more often, but because it’s a difficult subject for all it never comes to that until it’s basically forced to not work. I set up a basic Tenda mesh in place of the ISP router just before this, and in protest a few different and constant DoS or DDoS were used to keep shutting it down, basically forcing our hand to go back to the configuration city of the Zyxel from the ISP. It’s because the Tenda routers were set up to where the only network we used or saved in any way was the guest network. Also disabled PnP and port forwarding. It took a number of days, maybe 5 or so, I don’t know. With the ISP one that keeps being changed in some way our speeds were always sufficient at between 30-60 Mb/s max. And by adding over 100 ft of Ethernet line to the Tenda mesh instead of the mid-level Zyxel gigabit router from the ISP, I thought if anything I was going to have to explain the loss of some speed for the additional security of starting it all after my ASAs. It was only allowed to work for a week or so, then was being bombarded with the attacks. I’m not wanting to log in to the router now because of how many times they’ve done this to it, and when they showed up last week to put in the new router they diagnosed the other one as full of abnormal configurations, which is nothing new. But they show up and the line is run out the main ISP port and managed from my home a little over 100 ft away. On the ground I had to link two together to get there. Like I said, I thought it would be slightly slower. I really mean this when I say I had no idea a basic connection ran that high. It topped the thing out completely at a little over 220 Mb/s. Never, never has there been speeds like that. 
I just really think it’s key to see what happens with new connections like now, where it was new to my network pretty much. I had to change the BVI to 162.x.x.x to avoid having to even need to change its IP. I’m sure I have more than you ask for. It’s just spectacular to have a listener, for real. Thank you.

Sorry. It’s hard to stay on point with this. Too much information and too much emotion. I just reread that and it makes me want to redo it but I’ll just ask for some understanding instead. 

