Requesting Static IP change - possible?

Aaron · Dec 08, 2010, 17:29:26

I've been getting UDP floods from a user who doesn't like it when I take his nickname on Quakenet IRC (by using a automated script) when that nick goes offline, but it was also stupidity on my part for not hiding my hostmask on Quakenet. When I'm flooded my Internet activity goes dead for minutes.

FTL    2010-12-08T17:00:01Z    fw,fwmon    src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=6952 UDP Port Scan Detected
ALR    2010-12-08T17:00:01Z    fw,fwmon    src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=59111 UDP Flood Detected
INF    2010-12-08T17:00:59Z    fw,fwmon    UDP Flood Ended (occurrence: 2)

Now that my hostmask is hidden, it's still possible whoever is UDP flooding me still knows my IP, so would IDNet allow an IP change if requested?

Rik · Dec 08, 2010, 17:31:05

I really don't know, the problem is that your existing IP could not be recycled for some time at least. Give support a call and see what they can offer.

Rik · Dec 08, 2010, 17:55:38

Thought. Can you identify his IP address? If so, you could make an abuse complaint to his ISP.

Aaron · Dec 08, 2010, 18:01:54

No I can't, he's hidden his hostmask on Quakenet, plus he uses a bouncer. All I have is the source IP from the firewall logs (vps01.kazooki.com) which isn't much good I think.

Rik · Dec 08, 2010, 18:03:55

I had a feeling it wouldn't be that simple.

Niall · Dec 08, 2010, 18:03:59

Find out who supplies the bouncer and report the abuse to them. They'll kick him off it for misuse. If it's his own bouncer complain to the host of the server it's on.

Aaron · Dec 08, 2010, 18:08:59

Yeah problem is I don't have any evidence, I only put 2 and 2 together by seeing that my Internet access got disrupted 2 or 3 times this week and noticing that it only happened shortly after reclaiming the nickname on Quakenet

Going to email IDNet now

pctech · Dec 08, 2010, 18:49:12

I think that address is pretty much dead and there is another question here, why would you use his nickname?

Aaron · Dec 08, 2010, 19:26:28

Quote from: pctech on Dec 08, 2010, 18:49:12
there is another question here, why would you use his nickname?

Cos I'm fussy, I prefer to use aaron instead of aaron| or aaron_ and the like

Besides, there is no ownership of nicknames on Quakenet

pctech · Dec 08, 2010, 19:32:58

Quote from: Aaron on Dec 08, 2010, 19:26:28
Cos I'm fussy, I prefer to use aaron instead of aaron| or aaron_ and the like Besides, there is no ownership of nicknames on Quakenet

Ok fair enough but I think you may have to bite the bullet (excuse the pun) otherwise it is likely to occur again.

It'll be up to IDNet to decide whether they are happy to lose one of the IPs from their allocation

Niall · Dec 08, 2010, 20:26:49

I used to have the same problem with my name, and my nickname, so I just got a bot and renamed it, and a bouncer for my real name. That irritating Irish lad was a pest no more

Technical Ben · Dec 08, 2010, 20:38:09

Sometimes I'm glad their is only one of me.

I always find, if at all possible, it's best to just move on from the "internet" when it tries to attack. It's often got more people, resources and stubbornness than I could ever amount to stop it.
If it was a forum login/paypal/ebay or an imposter on facebook, I'd try and get it sorted though.
It's completely wrong that someone would try and do this to you. I hope they get bored or move on to something else soon.

Niall · Dec 08, 2010, 20:53:13

I was in a position years ago when I still actively used irc, etc to have a mate that hosted his own gaming servers. When people tried to knock users off the net in the previously mentioned way, he'd do it to them and much worse via a data centre

Shame he decided that the fuss of running servers wasn't worth it and went back to Uni. Dunno what happened to him actually, I haven't seen him for years now I think about it

esh · Dec 08, 2010, 22:14:27

Where are you blocking this? Is this router side or what (which would be best)? Is it a single IP or multiple that are targetting you? If it was a single one, I wouldn't imagine it could knock you offline unless it was some serious connection, or you're blocking it in the wrong place.

I've been on IRC for many a year, and while in days of yore the typical next step was to retaliate in a similar way I would not condone it

pctech · Dec 08, 2010, 22:21:37

Depends where in the world the person is and in the UK if they are using a LAN or Virgin cable they could make mincemeat of an ADSL connection.

esh · Dec 09, 2010, 13:11:00

If I'm thinking about this correctly, assuming the packets are being blackholed at the router end (ie. not using any upstream from the target end), it would require something in a excess of the ADSL downstream capacity to really cripple things. So 8M upwards. I guess that's feasible these days.

pctech · Dec 09, 2010, 16:33:03

If an attacker has access to enough upstream bandwidth they can sink any connection which is the thinking behind botnets and the reason companies such as Prolexic came into being, they allocate more and more bandwidth to soak up the traffic and blackhole the illegitimate PING and SYN packets while passing the genuine traffic to the customer servers.

Aaron · Dec 09, 2010, 17:46:23

They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.

DorsetBoy · Dec 09, 2010, 17:53:00

Quote from: Aaron on Dec 09, 2010, 17:46:23
They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.

My Draytek router has DDOS defence built in and UDP floods are part of that, packet size and timings can be altered to suit. Hosting companies tackle these issues everyday.

pctech · Dec 09, 2010, 17:57:03

If an attacker has enough upstream bandwidth though they can overcome any hardware/software DDOS defence.

esh · Dec 10, 2010, 10:56:43

Quote from: Aaron on Dec 09, 2010, 17:46:23
They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.

As I was commenting (and pctech confirming), dropping the packets will at least help somewhat. It's just if they have a vast quantity of bandwidth coming your way that even the router cannot handle then things will fall over. You should always be blackholing packets anyway, in my opinion. Are you just directly connected to a modem with a software firewall? That could be a problem.

Edit: just to clarify, I think you are going offline because your upload gets saturated. If you are not blackholing packets, you have to respond to each one saying "no, this port is closed" by protocol. If you just drop them without response, then at least your upstream should not get swamped by sending these packets.