Help with someone DDOSSing me please!


So I sometimes chat with old friends on AOL/AIM in certain chats on AOL. Anyway, I believe someone got my IP address via an AOL email header, and certain AOL idiots think it's funny to DDoS people... (claims he has a botnet). I don't know much about this type of thing.... I even called my ISP who gave basic answers, reset modem/router etc... still happens.... Someone said I could get info via Wireshark. Anyway, I have good internet security (AVG PRO), but my question is, are they really DDoSing as they claim? Cause my internet went down for 10/15 mins and I unplugged router/modem, then it worked for a few mins, then it goes off again.

I guess my question is: how do I protect myself in the future, and are they really DDoSing?


First of all, depending on your ISP, what they've said could help as it could change your public IP address.

 

I would just make sure that "respond to WAN ping requests" on your router is switched off.

 

Good Luck :)


I kind of doubt you're being attacked, but still possible. More than likely it's some script kiddie that got your IP address and enters it into a program and hits start.

 

Open a command prompt and type netstat -ano and post a screenshot of the results, or simply look for a bulk of connections coming from the same IP.


I might have found an answer, but my question is, would this work? Because I thought an attack comes from multiple IPs?

Blocking the Attack with Packet Filters on the Router(s)

This is by far the best method, and if you can do this, you are pretty much done, except that it's still a good idea to contact the other ISPs who are victims of this attack. Most ISPs have a bunch of routers. For best results, do this on the "border" router(s) (the ones at the border between your network and the outside world) or, to reduce load, do this on the router closest to the machine under attack.

Here are some external articles you might find useful:

Most of these articles concern Cisco routers. If you (or your ISP) are not using a Cisco router, your router will certainly have similar commands. e.g. here is a command for a Pix firewall: shun 216.36.50.65

Here are some commands for a Cisco router:


Not sure where you got that info - but it sure as hell has nothing to do with a HOME setup. Here is the thing: as already mentioned, I highly doubt you're under a ddos or even a dos.

But sure, let's get some info. BTW, running any commands on your PC behind a NAT router is not going to show you much, unless you have put your machine in the DMZ, or they were sending traffic to a port you forwarded for some reason?

Let's look at this simple layout.

internet - isprouter - yourrouter - pc

So you want to talk to the internet from your pc(s): you talk to your router off your local network, commonly 192.168.x.x (rfc1918); it changes it to your public IP and sends it on to your ISP router, who then sends it on to the next router that is listed via a routing table to get where you're going, let's say google. Your http request gets to google, they send you back the answer to your publicIP:port. Your router says yup, I did request that info, and sends it back to your pc.

Now someone knows your IP, they start a ddos/dos to your IP, sending you loads and loads and loads of traffic.. Your router is going to say nope, didn't request that, nope, didn't request that, etc., and just not even answer the packet. So normally, to take you offline or slow you down, they would have to fill up the connection speed you have between your router and your ISP router. So you looking at your PC would show you nothing. You need to look at your router to see this traffic.

So to get this info - what is your router? It's most likely not even capable of giving you info that would tell you you're even under any sort of hit... Can you actually view the firewall logs of your router?

Something like this? [screenshot of a router firewall log, not reproduced]

Most SOHO routers will not show any sort of detail of the traffic it dropped. So depending on what router you have we can take a look-see.. Or you could connect your PC directly to your modem so we could see.. That is, if you actually have a modem, and not a gateway modem/router combo. If you're on cable and have an actual modem, and then a router behind it, we could see what is going on by connecting your PC directly to the internet via the modem so you get a real public IP.. Then, as mentioned, sure, Wireshark would show you all the traffic your PC is seeing.

But as mentioned, changing the MAC of the device connected to your modem will most likely get you a new public IP.. Many SOHO routers have a clone MAC option; change one of the last numbers by one and renew your lease, reboot your router and see if you get a different public IP.. There should be no reason why you should not - since DHCP works based upon MAC, your old MAC had a different lease, so a new MAC should get you a new IP.. There you go, possible ddos gone.

If you let us know the details of your modem/router -- any model numbers of devices connected before your PC -- I will be happy to help you figure out if you're being ddosed.

But turning off ICMP isn't going to fix anything, but sure, unless you play games that check your IP for response time, you most likely have no use for it to be on. Unless you remotely check if your network is up?

If we are lucky and your router does post your drops like mine -- post up a snip.. If you're not seeing 1000's, I mean 1000's of drops a second, you're NOT under any sort of attack and it is just the typical noise you see on the net, like my above examples.

Now back to my above drawing of how you're connected.. There is no command you could do on your router, even if the fancy 50k$ highend model, that could stop a true ddos from filling up your connection and taking you offline, or making everything really really slow.

Let's say you have a 100Mbps connection to your ISP -- if they send 100Mbps to your IP.. Be it your router drops it without breaking a sweat, your connection is still full and your request to google is going to have a hard time getting through, and when it does the answer will be just as hard to get back to you.

To stop a dos/ddos you need to change your IP so the attackers don't know where you are any more, and the traffic does not go down your connection any more. Or upstream from you, say the ISP router, they need to stop the traffic from going down your connection. So then stuff like blocking netblocks from talking to you could slow down the attack.. But more than likely the way you stop the attack is to look into the specifics of the traffic they are sending and drop on something in that packet vs just source IP/network or dest port, since they could be sending you traffic to random ports.. But sure, if all to port X, they could block the traffic that way.

But again, it has to be done upstream from your router.. Unless the attack is something very basic and just overloading your router's ability to drop packets and not coming anywhere close to filling up your pipe.

Your best bet if you truly believe you're under attack is to call your ISP and give them your story, ask them to change your IP. Or check the traffic on your connection for any sort of attack.
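The point above about reading the router's drop log rather than anything on the PC, as an added example (not code from any poster): a small Python script that parses constructed SOHO-router-style firewall DROP lines, counts drops per second and distinct sources, and applies the thread's rule of thumb that a handful of drops a minute is background noise while thousands in a single second looks like a flood. The log line format, the sample addresses and the 1000-per-second threshold are assumptions.

```python
import re
from collections import Counter

# Assumed netfilter-style DROP line as many SOHO routers log it (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Rule of thumb from the thread: thousands of drops per second is an attack,
# a handful per minute is ordinary internet background noise. Assumed value.
FLOOD_DROPS_PER_SECOND = 1000

# Constructed "quiet" sample: six drops spread over one minute (documentation IPs).
NOISE_LOG = """\
Jan 17 21:05:01 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44213 DPT=23
Jan 17 21:05:14 router kernel: DROP IN=eth0 SRC=203.0.113.88 DST=198.51.100.20 PROTO=TCP SPT=51002 DPT=445
Jan 17 21:05:27 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44214 DPT=2323
Jan 17 21:05:33 router kernel: DROP IN=eth0 SRC=203.0.113.150 DST=198.51.100.20 PROTO=UDP SPT=5060 DPT=5060
Jan 17 21:05:48 router kernel: DROP IN=eth0 SRC=203.0.113.21 DST=198.51.100.20 PROTO=TCP SPT=60111 DPT=3389
Jan 17 21:05:59 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44215 DPT=22
"""


def constructed_flood(n=3000):
    """Constructed synthetic burst: n drops in one second from 50 rotating sources."""
    return [
        f"Jan 17 22:00:00 router kernel: DROP IN=eth0 SRC=203.0.113.{i % 50 + 1} "
        f"DST=198.51.100.20 PROTO=UDP SPT={40000 + i} DPT={1024 + i % 7}"
        for i in range(n)
    ]


def parse_drops(lines):
    """Return (timestamp, source_ip, dest_port) for every line that is a DROP."""
    drops = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            drops.append((m["ts"], m["src"], int(m["dpt"])))
    return drops


def summarize(lines):
    """Bucket drops by second and decide noise vs flood per the thread's heuristic."""
    drops = parse_drops(lines)
    per_second = Counter(ts for ts, _, _ in drops)
    peak = max(per_second.values(), default=0)
    sources = Counter(src for _, src, _ in drops)
    ports = Counter(dpt for _, _, dpt in drops)
    if peak >= FLOOD_DROPS_PER_SECOND:
        verdict = "flood-like: thousands of drops in a single second"
    else:
        verdict = "background noise: nowhere near a flood"
    return {
        "total": len(drops),
        "peak_per_second": peak,
        "distinct_sources": len(sources),   # many sources -> DDoS, one source -> DoS
        "top_sources": sources.most_common(3),
        "top_ports": ports.most_common(3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, lines in (("noise", NOISE_LOG.splitlines()), ("flood", constructed_flood())):
        print(name, summarize(lines))
```

Point the script at a real export of your own router's log and the per-second peak and source count tell you whether it is the usual scanner noise or something worth taking to your ISP.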


> So I sometimes chat with old friends on AOL/AIM in certain chats on AOL. Anyway, I believe someone got my IP address via an AOL email header, and certain AOL idiots think it's funny to DDoS people... (claims he has a botnet). I don't know much about this type of thing.... I even called my ISP who gave basic answers, reset modem/router etc... still happens.... Someone said I could get info via Wireshark. Anyway, I have good internet security (AVG PRO), but my question is, are they really DDoSing as they claim? Cause my internet went down for 10/15 mins and I unplugged router/modem, then it worked for a few mins, then it goes off again.
>
> I guess my question is: how do I protect myself in the future, and are they really DDoSing?

 

Are they directing a DOS/DDOS attack against you? Perhaps. I really don't think it's worth the time to try and prove it though. Let's focus simply on removing yourself from the line of fire.

 

So, stop communicating with this person. Delete them from your address book(s) / friend lists.

 

Next, let's get your IP address changed. Go here to find out what your current public IP address is. Turn off your router. Wait a few minutes. Turn it back on again. Go back to the website and check if your IP address has changed. If it has, good. If it hasn't, try again but wait longer. If you've tried waiting more than, say, 15 mins and it hasn't changed, it's perhaps likely that your ISP assigns you a static one (or you could just call and ask). If you have a static IP address you'll have to call them and ask them to assign you a different one.

 

You should hopefully now be in the clear because they shouldn't know your correct IP address anymore. If it happens again, either somehow you've got some piece of malware on your computer which is communicating with them (unlikely but possible), in which case you may need to wipe your computer and re-install things (back up your data first), or at least perform malware scans with reputable software to get rid of it, or you've gotten back in touch with this same person (perhaps they remembered your nick and re-friended you using a different account - in which case stop accepting friend requests from strangers!!).

 

> I might have found an answer, but my question is, would this work? Because I thought an attack comes from multiple IPs?

Err, no, that applies to much more sophisticated routers than those used by home users.


My screenshot is too big, it will take up the whole page, but here's the link http://imageshack.com/a/img823/2263/41bs.png

(couldn't find a way to resize) I use a modem and a router (ethernet from modem to router to computer). I will PM you Budman, I don't think it has a way to do what you are saying.

 
> Are they directing a DOS/DDOS attack against you? Perhaps. I really don't think it's worth the time to try and prove it though. Let's focus simply on removing yourself from the line of fire.
>
> So, stop communicating with this person. Delete them from your address book(s) / friend lists.
>
> Next, let's get your IP address changed. Go here to find out what your current public IP address is. Turn off your router. Wait a few minutes. Turn it back on again. Go back to the website and check if your IP address has changed. If it has, good. If it hasn't, try again but wait longer. If you've tried waiting more than, say, 15 mins and it hasn't changed, it's perhaps likely that your ISP assigns you a static one (or you could just call and ask). If you have a static IP address you'll have to call them and ask them to assign you a different one.
>
> You should hopefully now be in the clear because they shouldn't know your correct IP address anymore. If it happens again, either somehow you've got some piece of malware on your computer which is communicating with them (unlikely but possible), in which case you may need to wipe your computer and re-install things (back up your data first), or at least perform malware scans with reputable software to get rid of it, or you've gotten back in touch with this same person (perhaps they remembered your nick and re-friended you using a different account - in which case stop accepting friend requests from strangers!!).
>
> Err, no, that applies to much more sophisticated routers than those used by home users.

How'd you know my name was Nick? I thought I changed my username to Anonymous persona? Thanks, I will try that. I did try ipconfig /renew and ipconfig /release. I will try to talk to a real tech at my ISP though, it just takes a while..


lol :) (yes, just kidding) Anyway, on a serious note, I will try talking to my ISP, and also, will ipconfig /release and /renew do anything? (hasn't seemed to do anything for me)


I don't think anyone is ddosing you, I think you have some network issues.

Www.ipcicken.com will give you your outside IP. Do a before reset and after. If your IP changes it is impossible for someone to know what it is minutes after you change it, unless a computer on your network has random software on it communicating to a server that tells the ddoser where you are at. If that is really the case you have serious problems you need to fix. And that would probably be a virus/malware causing your internet issues, not some ddoser causing issues for you. Malware is more than likely your issue.


> lol :) (yes, just kidding) Anyway, on a serious note, I will try talking to my ISP, and also, will ipconfig /release and /renew do anything? (hasn't seemed to do anything for me)

The ipconfig stuff isn't going to do anything. These commands affect the local IP address assigned to your computer, unique within your LAN (your small private home network). What you need to change is your public (internet) IP address, which your router is assigned by your ISP and everything on your LAN shares when communicating over the internet. It is this that you need to change. Read my earlier post for how.


Yeah, that E1000 is not going to show you anything about your WAN interface usage or dropped packets, etc.

If this ddos is so bad, how exactly are you using Neowin?

As mentioned, doing anything on your PC, as I also stated, is not going to do anything.

Here is where you can enable or disable clone MAC.. If enabled, disable it; if disabled, enable it. Then reboot your cable modem (remove power) and when it resets reboot your E1000 router.

[screenshot of the E1000 clone MAC setting, not reproduced]

As also mentioned, before doing so use one of the many websites that will show you your public IP.. Or even on your router.

[screenshot of the router status page showing the public IP, not reproduced]

After using clone MAC (or disabling it if enabled already) verify your IP changed.

Also, for grins - this will tell us if you're behind a double NAT or not. The address your router shows you now.. It starts with what? If 10.x.x.x, 192.168.x.x or 172.16-31.x.x then you're behind a double NAT and would have to do something to what that E1000 is plugged into.


Whoa whoa, hold on a second. Unless OP was running his own email server, his IP would not have been leaked to anyone by email to begin with. It's possible that they got it via the chat, I guess, if it is p2p, but I don't know how AOL chat works. If it's routed through AOL servers then nobody got OP's IP address and he's just being paranoid.


> Whoa whoa, hold on a second. Unless OP was running his own email server, his IP would not have been leaked to anyone by email to begin with. It's possible that they got it via the chat, I guess, if it is p2p, but I don't know how AOL chat works. If it's routed through AOL servers then nobody got OP's IP address and he's just being paranoid.

That's not true, email headers can contain the IP address info of the sender, but some services in some circumstances strip it out for privacy reasons. To prove this, I have an email in my inbox right now from my mother; she sent it from her gmail account using Thunderbird. If I look at the detailed header info, I can see not only the public IP address but also the private LAN IP address of her machine. I actually did a few small tests of this a while ago, sending emails between accounts of mine from different services and changing whether I was using Thunderbird or the webpage. I only attempted a few tests, I didn't attempt anything thorough, and I don't think I came out with a clear picture of under which circumstances exactly services will strip this info out, but I'm pretty sure I found that in some cases it gets inserted and kept in when using the webpage, i.e. to be clear this is not a problem restricted to those using a desktop client such as Thunderbird, but those using webpages also.


^very true.. Depending on the client used and service used, sure, you can see the IP address of the sender.

I could also just send you an email with a picture in it that loads off a server I have access to the logs on and, bam, there you go, I got your IP.

Your public IP is not like your SS#; agreed, it's not something you should be making public on forums and such - you never know who reads them and might for fun do something, etc.

But the odds of him being ddosed are really really quite slim. For starters, if it really was one - how was he posting that he was under attack? It's more likely some script kiddy, prob 13 or so, making threats and just coincidence his router/ISP had an issue some time later. So this ddos lasted what, all of a couple of minutes?

If you read over past threads of people thinking they are under some sort of attack, all just noise on the net.. 6 hits in your firewall in a minute is not a ddos ;) heheeheh


> ^very true.. Depending on the client used and service used, sure, you can see the IP address of the sender.
>
> I could also just send you an email with a picture in it that loads off a server I have access to the logs on and, bam, there you go, I got your IP.
>
> Your public IP is not like your SS#; agreed, it's not something you should be making public on forums and such - you never know who reads them and might for fun do something, etc.
>
> But the odds of him being ddosed are really really quite slim. For starters, if it really was one - how was he posting that he was under attack? It's more likely some script kiddy, prob 13 or so, making threats and just coincidence his router/ISP had an issue some time later. So this ddos lasted what, all of a couple of minutes?
>
> If you read over past threads of people thinking they are under some sort of attack, all just noise on the net.. 6 hits in your firewall in a minute is not a ddos ;) heheeheh

Remote images in an email <-- also a very good point. (Y)

In regards to whether or not a DOS/DDOS is being directed at the OP: while I understand and agree that a lot of people with little to no knowledge in such things easily and often get confused about what is actually happening, and I observe that in my opinion the OP is fairly young and the "I have a botnet" stuff from the supposed friend reeks of script kiddie ######, and also that the exact nature of and timeline of events is not entirely clear; the repeated dysfunction of the OP's router after conversing with this individual is suspicious and it is entirely plausible that this individual has ahold of a DOS attack script kiddie type application/script. I wouldn't automatically dismiss a DOS attack here just on the basis that the OP is able to be here talking to us. Firstly, the OP could be using another connection somewhere to do so and neglected to mention it, or equally simple, the "attacker" only directed the DOS attack at the OP for a short period of time because it was only to prove a point or perform a sort of prank, not perform a sustained attack such as where political/ideological motives come into play. :)


Agreed.. But without any logs to show the attack, it's all just possible that his internet had a blip on its own, etc.

The OP has been given the info on how to change his public IP via changing his MAC on his router or contacting his ISP, etc., and the info needed to validate that his IP changed.. If for no other reason than to help calm his nerves that his IP is no longer what the person that threatened him might have gotten.

As to using his phone or other sort of access to post, now I would have mentioned such a thing in my post.. I don't know, something along the lines of:

I am under what I believe is a ddos/dos and can not currently access the internet using my normal connection and am limited to my phone/xxx connection -- please help


> Agreed.. But without any logs to show the attack, it's all just possible that his internet had a blip on its own, etc.
>
> The OP has been given the info on how to change his public IP via changing his MAC on his router or contacting his ISP, etc., and the info needed to validate that his IP changed.. If for no other reason than to help calm his nerves that his IP is no longer what the person that threatened him might have gotten.
>
> As to using his phone or other sort of access to post, now I would have mentioned such a thing in my post.. I don't know, something along the lines of:
>
> I am under what I believe is a ddos/dos and can not currently access the internet using my normal connection and am limited to my phone/xxx connection -- please help

Absolutely, I totally agree :)


> That's not true, email headers can contain the IP address info of the sender, but some services in some circumstances strip it out for privacy reasons. To prove this, I have an email in my inbox right now from my mother; she sent it from her gmail account using Thunderbird. If I look at the detailed header info, I can see not only the public IP address but also the private LAN IP address of her machine. I actually did a few small tests of this a while ago, sending emails between accounts of mine from different services and changing whether I was using Thunderbird or the webpage. I only attempted a few tests, I didn't attempt anything thorough, and I don't think I came out with a clear picture of under which circumstances exactly services will strip this info out, but I'm pretty sure I found that in some cases it gets inserted and kept in when using the webpage, i.e. to be clear this is not a problem restricted to those using a desktop client such as Thunderbird, but those using webpages also.

> ^very true.. Depending on the client used and service used, sure, you can see the IP address of the sender.
>
> I could also just send you an email with a picture in it that loads off a server I have access to the logs on and, bam, there you go, I got your IP.
>
> Your public IP is not like your SS#; agreed, it's not something you should be making public on forums and such - you never know who reads them and might for fun do something, etc.
>
> But the odds of him being ddosed are really really quite slim. For starters, if it really was one - how was he posting that he was under attack? It's more likely some script kiddy, prob 13 or so, making threats and just coincidence his router/ISP had an issue some time later. So this ddos lasted what, all of a couple of minutes?
>
> If you read over past threads of people thinking they are under some sort of attack, all just noise on the net.. 6 hits in your firewall in a minute is not a ddos ;) heheeheh

Wow, I had no idea some email clients embed the user IP in the header. That just sounds like awful design.


Yahoo webmail does it.

[screenshot of Yahoo webmail message headers showing the sender IP, not reproduced]

Sent a test message to my gmail account, and yup, there you go, right in the headers is my actual IP.

Why would it be a bad design.. That info should clearly be available -- if you're going to send me a message.. Why should you be hiding your IP? Are you a spammer?

Your IP is not your SS#, for gosh sake..
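The header leak discussed in this post and earlier in the thread (both the public IP and the LAN IP of the sending machine visible in a message's headers), as an added Python example that is not code from any poster: it parses a constructed message, walks the Received headers oldest-first, and sorts the bracketed IPv4 addresses of the originating hop into RFC1918 private and public, so you can check what your own outgoing mail reveals before it reaches a stranger. The message, hostnames and addresses are constructed; the RFC1918 ranges are the same ones quoted earlier for the double-NAT check.

```python
import ipaddress
import re
from email import message_from_string

# RFC1918 ranges (10/8, 172.16/12, 192.168/16). Checked explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges such as 203.0.113/24
# (used in the constructed sample below) as private.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message: two hops, the oldest one written by the sender's own
# provider and recording both the client's LAN address and its public address.
SAMPLE_MESSAGE = """\
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.9])
        by mx.example.com with ESMTPS id 4hT9z1; Fri, 17 Jan 2014 21:05:01 -0800
Received: from [192.168.1.23] (cpe-203-0-113-45.example-isp.net [203.0.113.45])
        by mail-relay.example.net with ESMTPSA id 2kQ7p3; Fri, 17 Jan 2014 21:04:58 -0800
From: Sender <sender@example.net>
To: Recipient <recipient@example.com>
Subject: test

Hi there.
"""


def received_hops(raw_message):
    """Return the Received headers oldest-first, i.e. in the order the mail travelled."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    # Each MTA prepends its own Received header, so the last one is the first hop.
    return list(reversed(hops))


def is_rfc1918(ip_text):
    """True if the dotted-quad address lies in one of the RFC1918 private ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def classify_ips(header_value):
    """Split the bracketed IPv4 literals in one Received header into public/private."""
    public, private = [], []
    for ip in IPV4_IN_BRACKETS.findall(header_value):
        (private if is_rfc1918(ip) else public).append(ip)
    return {"public": public, "private": private}


def originating_hop(raw_message):
    """What the oldest Received header exposes about the sending machine."""
    hops = received_hops(raw_message)
    if not hops:
        return {"public": [], "private": []}
    return classify_ips(hops[0])


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_MESSAGE)):
        print(f"hop {i}: {classify_ips(hop)}")
    print("originating hop exposes:", originating_hop(SAMPLE_MESSAGE))
```

Run it against the raw source of a message you sent yourself (most webmail and desktop clients have a "show original" or "view source" option) to see whether your provider records your address the way the posters above observed.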


> Yahoo webmail does it.
>
> [screenshot of Yahoo webmail message headers showing the sender IP, not reproduced]
>
> Sent a test message to my gmail account, and yup, there you go, right in the headers is my actual IP.
>
> Why would it be a bad design.. That info should clearly be available -- if you're going to send me a message.. Why should you be hiding your IP? Are you a spammer?
>
> Your IP is not your SS#, for gosh sake..

Because the sender is the mail server; where it's accessed from isn't particularly useful for much of anything.


Says who? You send me an email that says you're in Nigeria and a Nigerian prince locked in the embassy and you need to get your money out of the country. Why are you using an email server in Kazakhstan?? While the IP address you talked to the server with shows you're in the US, from an ISP for home users in North Dakota??

Email servers can be bounced off of by anyone quite often..


This topic is now closed to further replies.