How Do You Combat DoS Attacks?

  Border View 10:15 23 Jan 2007

Five days ago I didn’t even know what a DoS (Denial of Service) attack was. Looking at my wireless router’s log one night I noticed the following entries:

*SYN Flood to Host* 151.50.221.6, 25230 - >> xx.xx.xx.xx, 668 (from PVC1 Inbound)
*Smurf* 213.126.217.0, 25908 ->> xx.xx.xx.xx, 1026 (from PVC1 Inbound
*Smurf* 213.217.120.255, 26430 ->>xx.xx.xx.xx 1026 (from PVC1 Inbound)

Since then the following entries have shown up

*UDP Flood to Host* 204.16.209.159, 13364 ->> xx.xx.xx.xx, 1035 (from PVC1 Inbound)
2007.01.22 04:27:16 **Smurf** 213.100.54.255, 23567->> xx.xx.xx.xx, 1026 (from PVC1 Inbound)

The times of these entries were always about 3 to 4 in the morning.

So what, you might ask? Extensive reading on lots of forums and Google searches has shown these entries as DoS attacks.

I won’t repeat here the technical jargon of each type of attack. What they do mean is that a Zombie computer somewhere is using my ADSL bandwidth to transmit Denial of Service attacks to other computers. So next time you see your speeds dropping don’t just put it down to internet traffic, time of day, dodgy router, dodgy BT line, congestion at the Exchange and all that other stuff. Look at your router log to see if you have entries like those mentioned above.

Now to the crux of the matter. There are stacks and stacks of write-ups on what DoS attacks are. You are encouraged to report the “abuse” (after you have found out whose IP address sent the attack) to the sender by e-mail. You can log the attack and sender’s IP on a special web site.

But nowhere that I can find, and I have been looking since Friday night, is there any advice on how to prevent, stop, or combat these attacks.

I’ve thought about trying to get my IP changed.

I’ve thought about switching off my wireless router overnight. But then what would happen to my ADSL Max? If I switch off the router – when I reconnect will my sync speeds have to stabilize again, and if I did it every night what then to my speeds?

My router has its own firewall. I run Kerio Personal Firewall, Spybot S&D; A squared; Ad-Aware; Avast Antivirus and SpyBlaster. I have uninstalled Skype (clutching at straws). But still these attacks come.

So – Do you know how to prevent, stop, combat Denial of Service attacks?

Thank you for reading this, but I really do think people should be more aware of what might be happening to their bandwidth and thus speeds.
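
An added example, not part of the original post or of any router firmware: a Python parser for the log format quoted above that tallies the alerts by type, destination port and direction. It assumes PVC1 is the router's ADSL (WAN) circuit and that an "Outbound" label would mark traffic leaving it (hypothetical; only "Inbound" appears in the post).

```python
import re
from collections import Counter

# Constructed sample: the five entries quoted in the post, copied as typed
# (irregular spacing and one missing ")" included).
SAMPLE_LOG = """\
*SYN Flood to Host* 151.50.221.6, 25230 - >> xx.xx.xx.xx, 668 (from PVC1 Inbound)
*Smurf* 213.126.217.0, 25908 ->> xx.xx.xx.xx, 1026 (from PVC1 Inbound
*Smurf* 213.217.120.255, 26430 ->>xx.xx.xx.xx 1026 (from PVC1 Inbound)
*UDP Flood to Host* 204.16.209.159, 13364 ->> xx.xx.xx.xx, 1035 (from PVC1 Inbound)
2007.01.22 04:27:16 **Smurf** 213.100.54.255, 23567->> xx.xx.xx.xx, 1026 (from PVC1 Inbound)
"""

# Optional timestamp, *alert*, source ip/port, ->>, destination ip/port,
# then "(from <interface> <direction>)" with a tolerated missing ")".
ENTRY = re.compile(
    r"^(?:(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r"\*+(?P<alert>[^*]+?)\*+\s+"
    r"(?P<src>[\d.]+),?\s*(?P<sport>\d+)\s*-\s*>>\s*"
    r"(?P<dst>[\w.]+),?\s*(?P<dport>\d+)\s*"
    r"\(from\s+(?P<iface>\S+)\s+(?P<direction>Inbound|Outbound)\)?\s*$"
)

def parse_log(text):
    """Return (entries, rejects): parsed dicts and lines that did not match."""
    entries, rejects = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            rejects.append(line)  # keep unparsed lines visible, never drop them
            continue
        e = m.groupdict()
        e["alert"] = e["alert"].strip()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries, rejects

def summarise(entries):
    """Tally what the router flagged and which way each packet was travelling."""
    return {
        "by_alert": Counter(e["alert"] for e in entries),
        "by_direction": Counter(e["direction"] for e in entries),
        "by_dport": Counter(e["dport"] for e in entries),
        "sources": sorted({e["src"] for e in entries}),
        # Hours are only known for entries that carry a timestamp.
        "hours": Counter(int(e["ts"][11:13]) for e in entries if e["ts"]),
    }
```

Run over the sample, every entry has direction Inbound with the poster's masked address as the destination, so the log records packets arriving on the WAN side; an entry with the other direction is the one that would show traffic leaving the network.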

  GANDALF <|:-)> 10:35 23 Jan 2007

A home computer is unlikely to be the subject of DoS attacks, more like Steve Gibson who got well-hammered. Turn off your logs as they are next to useless and forget about these entries. Logs tend to interpret things in many strange ways.

G

  Border View 10:46 23 Jan 2007

They might not attack my computer but they are trying (if not succeeding) to use my bandwidth.

  Border View 10:48 23 Jan 2007

For a technical explanation of DoS attacks see click here

  gudgulf 11:08 23 Jan 2007

Have you thoroughly checked your pc for backdoor trojans etc?

The only way your bandwidth can be used is if your pc is part of the zombie botnet that is sending out the bogus connections to the target server. The inbound connections being instructions sent to your pc.

The other point, made by GANDALF <|:-)>, is that your router is incorrectly identifying the nature of those inbound connections.

  Border View 11:19 23 Jan 2007

Hi - I've run checks with all of the protection software mentioned. I've deleted temp internet files and cookies. So far as I know everything is clear.

Can you expand on "The inbound connections being instructions sent to your pc"? The three log entries refer to "from PVC1 inbound". The first IP addresses were located in Sweden, Italy, Germany, Netherlands and USA. The xx.xx IP address is mine. Are you saying that instructions were coming at my computer, the router firewall stopped them and if my computer had been switched on my firewall would have stopped them?

So are you saying that my router is receiving but not transmitting?

Sorry, but I am trying to get my head around this one.

  gudgulf 12:04 23 Jan 2007

"So are you saying that my router is receiving but not transmitting?"

Sort of....

....If your pc is switched off and not logged on to the router then it can't transmit or receive anything over the internet.

Your router however is logged on the internet all the time, and whilst switched on, is able to accept and answer the usual pings and handshakes your ISP etc transmits. These are just checking if your connection is active.

It will also block any unusual requests or connection attempts it identifies as suspicious.

What it can't do by itself is use your internet bandwidth to send or receive any actual internet traffic.........there has to be a pc active and logged on to the network for that to happen.

The only way that could happen is if your wireless connection is not secured click here

If it isn't, someone within range of the router's wireless transmitter (like a neighbour) could log on to your network and use your internet connection for free. If that happens and they have a trojan or two onboard their pc, your internet connection could be used for nefarious purposes.

If your network is set up securely and your pc is switched off then you are safe.....no-one is using your connection and these are simply misleading alerts in the log.

If you have not set up your security then I strongly suggest you do so immediately.

  Border View 12:16 23 Jan 2007

Many thanks for that. When I first got my wireless router:

I changed the access password
I have the DHCP server on
My computer is the only one on the DHCP client list
The wireless networking is enabled
The SSID Broadcast is disabled
I have WEP enabled (when my download speeds return I shall download WPA encryption tool)
I have MAC address filtering enabled and there is only my address on the list
I am the only one on the MAC client list
I have just found that it is set to block ICMP Pings.

The only other wireless router nearby is my next door neighbour's. His shows (and so does mine) as encrypted.

Can't think of anything else I can do. Again thank you for explaining this to me.

  Border View 12:23 23 Jan 2007

Don't know if there is any connection, but yesterday I uninstalled Skype. Looking at the log this morning there were no records of Smurf or anything else during the night.

  scotty 12:27 23 Jan 2007

I was interested to read your comments as my router log also reported that it had detected a DoS last week. Three events were logged, all around 06:00 when no computers were on. I have never noticed these events before. My ISP is eclipse.

  gudgulf 12:37 23 Jan 2007

I'd keep an eye on your log over the next few days and see if they remain clear...just for peace of mind (you could also reinstall Skype and see if they come back).

This thread is now locked and can not be replied to.
