


Help with someone DDoSing me please!

ddoss

25 replies to this topic

#1 Anonymous persona

Anonymous persona

    King

  • Joined: 16-July 12

Posted 17 January 2014 - 21:47

So I sometimes chat with old friends on AOL/AIM in certain chats on AOL. Anyway, I believe someone got my IP address via an AOL email header, and certain AOL idiots think it's funny to DDoS people... (claims he has a botnet). I don't know much about this type of thing... I even called my ISP, who gave basic answers, reset modem/router etc... still happens... Someone said I could get info via Wireshark. Anyway, I have good internet security (AVG PRO), but my question is: are they really DDoSing as they claim? Because my internet went down for 10/15 mins and I unplugged the router/modem, then it worked for a few mins, then it goes off again.

I guess my question is: how do I protect myself in the future, and are they really DDoSing?




#2 StealMySoda

StealMySoda

    Neowinian

  • Joined: 13-August 06
  • Location: Merseyside, UK

Posted 17 January 2014 - 21:59

First of all, depending on your ISP, what they've said could help as it could change your public IP address.

 

I would just make sure that "respond to WAN ping requests" on your router is switched off.

 

Good Luck :)



#3 Beyond Godlike

Beyond Godlike

    Neowinian

  • Joined: 21-December 10
  • Location: Winterpeg

Posted 17 January 2014 - 22:06

You can possibly change the external MAC address on your router. Some ISPs rotate your IP based on the MAC address.



#4 Marshall

Marshall

    ▇ ▂ ▃ ▁ ▁ ▅

  • Tech Issues Solved: 4
  • Joined: 22-June 03
  • Location: USA
  • OS: Windows 7

Posted 17 January 2014 - 22:12

I kind of doubt you're being attacked, but still possible. More than likely it's some script kiddie that got your IP address and enters it into a program and hits start.

 

Open a command prompt and type netstat -ano and post a screenshot of the results, or simply look for a bulk of connections coming from the same IP.
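
The check suggested above, as an added example that is not part of the original post: a small parser that groups Windows `netstat -ano` TCP rows by remote address. The sample output is constructed, and the `min_connections` cut-off is an assumption.

```python
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (documentation addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.10:49712     203.0.113.7:443        ESTABLISHED     4312
  TCP    192.168.1.10:49713     203.0.113.7:443        ESTABLISHED     4312
  TCP    192.168.1.10:49714     203.0.113.7:443        TIME_WAIT       0
  TCP    192.168.1.10:49720     198.51.100.20:80       ESTABLISHED     5120
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED     2200
  UDP    0.0.0.0:5353           *:*                                    1234
"""

LOCAL_ONLY = {"127.0.0.1", "::1", "0.0.0.0", "::"}


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def connections_by_remote(netstat_text):
    """Count TCP connections per remote IP, skipping listeners and loopback."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 fields: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        remote_ip, _ = split_endpoint(fields[2])
        if fields[3] == "LISTENING" or remote_ip in LOCAL_ONLY:
            continue
        counts[remote_ip] += 1
    return counts


def bulk_sources(netstat_text, min_connections=3):
    """Remote IPs holding at least min_connections (assumed cut-off)."""
    ranked = connections_by_remote(netstat_text).most_common()
    return [(ip, n) for ip, n in ranked if n >= min_connections]


if __name__ == "__main__":
    print(bulk_sources(SAMPLE))
```

As a later reply in this thread points out, a PC behind a NAT router only sees traffic the router forwards to it, so this view covers the PC's own connections and not what the router drops on the WAN side.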



#5 OP Anonymous persona

Anonymous persona

    King

  • Joined: 16-July 12

Posted 17 January 2014 - 22:14

I might have found an answer but my question is would this work? Because I thought an attack comes from multiple IPs?

Blocking the Attack with Packet Filters on the Router(s)

This is by far the best method, and if you can do this, you are pretty much done, except that it's still a good idea to contact the other ISPs who are victims of this attack. Most ISPs have a bunch of routers. For best results, do this on the "border" router(s) (the ones at the border between your network and the outside world) or, to reduce load, do this on the router closest to the machine under attack.

Here are some external articles you might find useful:

Most of these articles concern Cisco routers. If you (or your ISP) are not using a Cisco router, your router will certainly have similar commands. e.g. here is a command for a Pix firewall: shun 216.36.50.65

Here are some commands for a Cisco router:

  • Router_A(config)#access-list 1 deny 216.36.50.65 0.0.0.0
  • Router_A(config)#access-list 1 deny 69.163.239.247 0.0.0.0
  • Router_A(config)#access-list 1 permit any

    From http://www.gregthatc...viceAttack.aspx


#6 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 74
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 17 January 2014 - 23:50

Not sure where you got that info - but it sure as hell has nothing to do with a HOME setup. Here is the thing, as already mentioned I highly doubt you're under a DDoS or even a DoS.

But sure, let's get some info. BTW, running any commands on your PC behind a NAT router is not going to show you much, unless you have put your machine in the DMZ, or they were sending traffic to a port you forwarded for some reason?

Let's look at this simple layout.

internet - isprouter - yourrouter - pc

So you want to talk to the internet from your PC(s): you talk to your router off your local network, commonly 192.168.x.x (RFC 1918); it changes it to your public IP and sends it on to your ISP router, who then sends it on to the next router that is listed via a routing table to get where you're going, let's say Google. Your HTTP request gets to Google, they send you back the answer to your publicIP:port. Your router says yup, I did request that info, and sends it back to your PC.

Now someone knows your IP, they start a DDoS/DoS to your IP, sending you loads and loads and loads of traffic. Your router is going to say nope, didn't request that, nope, didn't request that, etc., and just not even answer the packet. So normally to take you offline or slow you down they would have to fill up the connection speed you have between your router and your ISP router. So you looking at your PC would show you nothing. You need to look at your router to see this traffic.

So to get this info - what is your router? It's most likely not even capable of giving you info that would tell you you're even under any sort of hit... Can you actually view the firewall logs of your router?

Something like this?

firewallrules.png

Most SOHO routers will not show any sort of detail of the traffic they dropped. So depending on what router you have we can take a look see. Or you could connect your PC directly to your modem so we could see. That is if you actually have a modem, and not a gateway modem/router combo. If you're cable and have an actual modem, and then a router behind it, we could see what is going on by connecting your PC directly to the internet via the modem so you get a real public IP. Then as mentioned, sure, Wireshark would show you all the traffic your PC is seeing.

But as mentioned, changing the MAC of the device connected to your modem will most likely get you a new public IP. Many SOHO routers have a clone MAC option: change one of the last numbers by one and renew your lease, reboot your router and see if you get a different public IP. There should be no reason why you should not - since DHCP works based upon MAC, your old MAC had a different lease, so a new MAC should get you a new IP. There you go, possible DDoS gone.

If you let us know the details of your modem/router -- any model numbers of devices connected before your PC -- I will be happy to help you figure out if you're being DDoSed.

But turning off ICMP isn't going to fix anything, but sure, unless you play games that check your IP for response time you most likely have no use for it to be on. Unless you remotely check if your network is up?

If we are lucky and your router does post your drops like mine -- post up a snip. If you're not seeing 1000s, I mean 1000s of drops a second, you're NOT under any sort of attack and it is just the typical noise you see on the net, like my above examples.

Now back to my above drawing of how you're connected. There is no command you could do on your router, even if the fancy 50k$ high-end model, that could stop a true DDoS from filling up your connection and taking you offline, or making everything really really slow.

Let's say you have a 100Mbps connection to your ISP -- if they send 100Mbps to your IP, be it your router drops it without breaking a sweat, your connection is still full and your request to Google is going to have a hard time getting through, and when it does the answer will be just as hard to get back to you.

To stop a DoS/DDoS you need to change your IP so the attackers don't know where you are any more, and the traffic does not go down your connection any more. Or upstream from you, say at the ISP router, they need to stop the traffic from going down your connection. So then stuff like blocking netblocks from talking to you could slow down the attack. But more than likely the way you stop the attack is to look into the specifics of the traffic they are sending and drop on something in that packet vs just source IP/network or dest port, since they could be sending you traffic to random ports. But sure, if all to Port X they could block the traffic that way.

But again it has to be done upstream from your router. Unless the attack is something very basic and just overloading your router's ability to drop packets and not coming anywhere close to filling up your pipe.

Your best bet if you truly believe you're under attack is to call your ISP and give them your story, ask them to change your IP. Or check the traffic on your connection for any sort of attack.
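
The rule of thumb in the post above (thousands of drops per second versus ordinary background noise) as an added example, not part of the original post. The log line format, the sample lines, and the `flood_threshold` default are all assumptions; real routers log differently, if at all.

```python
import re
from collections import Counter

# Hypothetical drop-log format (an assumption; real SOHO routers differ):
#   2014-01-17T21:40:03 DROP UDP 198.51.100.7:4444 -> 192.0.2.10:53
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DROP (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def assess_drops(lines, flood_threshold=1000):
    """Summarise WAN drops: peak drops/second, spread of sources and ports."""
    per_second, sources, dports = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a drop record
        per_second[m["ts"]] += 1
        sources[m["src"]] += 1
        dports[(m["proto"], int(m["dport"]))] += 1
    peak = max(per_second.values(), default=0)
    return {
        "total": sum(per_second.values()),
        "peak_per_second": peak,
        "distinct_sources": len(sources),
        "distinct_dest_ports": len(dports),
        "looks_like_flood": peak >= flood_threshold,
    }


# Constructed sample 1: ordinary background noise, a few drops over minutes.
NOISE = [
    "2014-01-17T21:40:03 DROP TCP 198.51.100.7:51123 -> 192.0.2.10:23",
    "2014-01-17T21:40:41 DROP UDP 203.0.113.9:5060 -> 192.0.2.10:5060",
    "2014-01-17T21:42:15 DROP TCP 198.51.100.7:51124 -> 192.0.2.10:22",
    "router: DHCP lease renewed",
]

# Constructed sample 2: 1500 drops in each of 3 seconds, 250 sources, many ports.
FLOOD = [
    f"2014-01-17T21:47:{sec:02d} DROP UDP 203.0.113.{i % 250 + 1}:{40000 + i}"
    f" -> 192.0.2.10:{1024 + i * 7}"
    for sec in range(10, 13)
    for i in range(1500)
]

if __name__ == "__main__":
    print("noise:", assess_drops(NOISE))
    print("flood:", assess_drops(FLOOD))
```

Many distinct destination ports in the flood summary correspond to the "random ports" case in the post, where a single port block upstream would not be enough.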

#7 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • Tech Issues Solved: 8
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 17 January 2014 - 23:55

Contact your ISP, see if they can force a change to your WAN DHCP address from them. Then, don't let the person DDOSing you, if you can help it, find out your new IP.



#8 +theblazingangel

theblazingangel

    Software Engineer

  • Tech Issues Solved: 3
  • Joined: 25-March 04
  • Location: England, UK

Posted 17 January 2014 - 23:58

So I sometimes chat with old friends on AOL/AIM in certain chats on AOL. Anyway, I believe someone got my IP address via an AOL email header, and certain AOL idiots think it's funny to DDoS people... (claims he has a botnet). I don't know much about this type of thing... I even called my ISP, who gave basic answers, reset modem/router etc... still happens... Someone said I could get info via Wireshark. Anyway, I have good internet security (AVG PRO), but my question is: are they really DDoSing as they claim? Because my internet went down for 10/15 mins and I unplugged the router/modem, then it worked for a few mins, then it goes off again.

I guess my question is: how do I protect myself in the future, and are they really DDoSing?

 
Are they directing a DoS/DDoS attack against you? Perhaps. I really don't think it's worth the time to try and prove it though. Let's focus simply on removing yourself from the line of fire.
 
So, stop communicating with this person. Delete them from your address book(s) / friend lists.
 
Next, let's get your IP address changed. Go here to find out what your current public IP address is. Turn off your router. Wait a few minutes. Turn it back on again. Go back to the website and check if your IP address has changed. If it has, good. If it hasn't, try again but wait longer. If you've tried waiting more than say 15 mins and it hasn't changed, it's perhaps likely that your ISP assigns you a static one (or you could just call and ask). If you have a static IP address you'll have to call them and ask them to assign you a different one.
 
You should hopefully now be in the clear because they shouldn't know your correct IP address anymore. If it happens again, either somehow you've got some piece of malware on your computer which is communicating with them (unlikely but possible), in which case you may need to wipe your computer and re-install things (backup your data first), or at least perform malware scans with reputable software to get rid of it, or you've gotten back in touch with this same person (perhaps they remembered your nick and re-friended you using a different account - in which case stop accepting friend requests from strangers!!).
 

I might have found an answer but my question is would this work? Because I thought an attack comes from multiple IPs?

 
Err no, that applies to much more sophisticated routers than those used by home users.

#9 OP Anonymous persona

Anonymous persona

    King

  • Joined: 16-July 12

Posted 18 January 2014 - 00:15

My screenshot is too big, it will take up the whole page, but here's the link: http://imageshack.co...3/2263/41bs.png

(couldn't find a way to resize) I use a modem and a router (ethernet from modem to router to computer). I will PM you, Budman. I don't think it has a way to do what you are saying.

 
Are they directing a DoS/DDoS attack against you? Perhaps. I really don't think it's worth the time to try and prove it though. Let's focus simply on removing yourself from the line of fire.
 
So, stop communicating with this person. Delete them from your address book(s) / friend lists.
 
Next, let's get your IP address changed. Go here to find out what your current public IP address is. Turn off your router. Wait a few minutes. Turn it back on again. Go back to the website and check if your IP address has changed. If it has, good. If it hasn't, try again but wait longer. If you've tried waiting more than say 15 mins and it hasn't changed, it's perhaps likely that your ISP assigns you a static one (or you could just call and ask). If you have a static IP address you'll have to call them and ask them to assign you a different one.
 
You should hopefully now be in the clear because they shouldn't know your correct IP address anymore. If it happens again, either somehow you've got some piece of malware on your computer which is communicating with them (unlikely but possible), in which case you may need to wipe your computer and re-install things (backup your data first), or at least perform malware scans with reputable software to get rid of it, or you've gotten back in touch with this same person (perhaps they remembered your nick and re-friended you using a different account - in which case stop accepting friend requests from strangers!!).
 
 
Err no, that applies to much more sophisticated routers than those used by home users.

How'd you know my name was nick? I thought I changed my username to Anonymous persona? Thanks, I will try that. I did try ipconfig/renew and ipconfig/release. I will try to talk to a real tech at my ISP though, just takes a while.



#10 +theblazingangel

theblazingangel

    Software Engineer

  • Tech Issues Solved: 3
  • Joined: 25-March 04
  • Location: England, UK

Posted 18 January 2014 - 00:20

How'd you know my name was nick? I thought I changed my username to Anonymous persona?


not-sure-if-joking-or-serious-thumb.jpg

#11 Rohdekill

Rohdekill

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 06-July 05
  • Location: Earth

Posted 18 January 2014 - 00:27

^ funny.



#12 OP Anonymous persona

Anonymous persona

    King

  • Joined: 16-July 12

Posted 18 January 2014 - 00:37

lol :) (yes just kidding) Anyway, on a serious note I will try talking to my ISP, and also will ipconfig/release /renew do anything? (hasn't seemed to do anything for me)

 

not-sure-if-joking-or-serious-thumb.jpg



#13 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 20
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 18 January 2014 - 01:31

I don't think anyone is DDoSing you, I think you have some network issues.
www.ipchicken.com will give you your outside IP. Do a before reset and after. If your IP changes it is impossible for someone to know what it is minutes after you change it unless a computer on your network has random software on it communicating to a server that tells the DDoSer where you are at. If that is really the case you have serious problems you need to fix. And that would probably be a virus/malware causing your internet issues, not some DDoSer causing issues for you. Malware is more than likely your issue.

#14 +theblazingangel

theblazingangel

    Software Engineer

  • Tech Issues Solved: 3
  • Joined: 25-March 04
  • Location: England, UK

Posted 18 January 2014 - 01:44

lol :) (yes just kidding) Anyway, on a serious note I will try talking to my ISP, and also will ipconfig/release /renew do anything? (hasn't seemed to do anything for me)

 

The ipconfig stuff isn't going to do anything. These commands affect the local IP address assigned to your computer, unique within your LAN (your small private home network). What you need to change is your public (internet) IP address, which your router is assigned by your ISP and everything on your LAN shares when communicating over the internet. It is this that you need to change. Read my earlier post for how.



#15 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 74
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 18 January 2014 - 03:09

Yeah, that E1000 is not going to show you anything about your WAN interface usage or dropped packets, etc.

If this DDoS is so bad, how exactly are you using Neowin?

As mentioned, doing anything on your PC, as I also stated, is not going to do anything.

Here is where you can enable or disable clone MAC. If enabled, disable it; if disabled, enable it. Then reboot your cable modem (remove power) and when it resets reboot your E1000 router.

changemac.png

As also mentioned, before doing so use one of the many websites that will show you your public IP. Or even on your router:
wanaddress.png

After using clone MAC, or disabling it if enabled already, verify your IP changed.

Also for grins - this will tell us if you're behind a double NAT or not. The address your router shows you now: it starts with what? If 10.x.x.x, 192.168.x.x or 172.16-31.x.x then you're behind a double NAT and would have to do something to what that E1000 is plugged into.


