DoS attack (just a question - don't panic)

Started by andrue, Sep 22, 2012, 19:23:28

Previous topic - Next topic

0 Members and 3 Guests are viewing this topic.

andrue

It occurs to me that with the high speeds of FTTC and relatively low allowances a DoS could be a financial pain to those of us with a static IP address. I can burn through 1GB in two minutes so left unchecked a DoS attack could cost me £30 an hour once my allowance has been burnt through (which would only take half an hour). Does IDNet have any kind of safeguard or policy in place for this scenario?

pctech

I would hope their network monitoring would notice such a burst of traffic and would notify someone but they may take the same line as my own ISP (my service has a hard cap and I don't run any servers over it) which is pretty much if you run a server over it and suffer a DOS we can't help you in any way even if it does exhaust your allowance as the domestic products aren't designed for server connectivity.

The possibility of a DOS is one of the reasons I pay to have my  mail hosted on firewalled servers to be honest.

I assume you've got a firewall appliance in between your server and the connection and its configured not to respond to pings?


andrue

Quote from: pctech on Sep 22, 2012, 19:51:35I assume you've got a firewall appliance in between your server and the connection and its configured not to respond to pings?
Firewall? Well there's the router which  has DoS detection. It does respond to pings though. I don't actually think I'm very likely to be targeted given that it's a personal email server. I doubt anyone goes around DoSing random targets for no reason.

pctech

People don't but bots do.

I really would disable respomd to ping on your router (though this will stop ThinkBroadband Quality Monitor from working but I personally think letting routers respond to a ping routinely is asking for trouble)


.Griff.

Quote from: pctech on Sep 23, 2012, 18:53:07
I personally think letting routers respond to a ping routinely is asking for trouble

Couldn't disagree more. The misinformation and paranoia on here is getting worse. Allowing a router to respond to ICMP echo requests is a really useful feature. The TBB QM being one good example.

For a start due to the coordinated nature and number of bots required for a successful DDOS attack I doubt resources would be wasted on your average joe bloggs. VISA, CIA, Paypal, Amazon etc.. Yes.. Maud at number 73... No.

Secondly and more importantly any rudimentary router will recognise floods of ICMP and ignore them for a start. Added to that any router in the last 10 years or so would equally not echo ICMP requests to a broadcast address.

As the number of IPv4 addresses all but dries up it's pretty much guaranteed that a machine will be on the other end of an IP whether the router responds to pings or not.



andrue

Quote from: .Griff. on Sep 24, 2012, 13:18:10For a start due to the coordinated nature and number of bots required for a successful DDOS attack I doubt resources would be wasted on your average joe bloggs. VISA, CIA, Paypal, Amazon etc.. Yes.. Maud at number 73... No.
My thoughts too.
QuoteSecondly and more importantly any rudimentary router will recognise floods of ICMP and ignore them for a start.
True but anything that makes it as far as the router has taken downstream bandwidth. Even if my router ignores everything it still gets counted against my allowance  :(

As you say disabling ping responses won't stop a DDoS. It may even make things worse since it looks like someone with something to hide - esp if the address is attached to a domain.

What would help alleviate this would be for IDNet to implement a warning email (or SMS might be even better) and a hard cap beyond which you get throttled until/unless you call and accept the charges. Kind of like a credit limit. It's a bit disturbing that I can't find anything on their web site explaining how the excess works. As far as I can tell you just get your bill and a nasty shock. It sounds dangerously like a blank cheque :eek4:

Rik

You'll receive a warning email if you're expected to exceed your monthly allowance.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

pctech

Quote from: .Griff. on Sep 24, 2012, 13:18:10
Couldn't disagree more. The misinformation and paranoia on here is getting worse. Allowing a router to respond to ICMP echo requests is a really useful feature. The TBB QM being one good example.

For a start due to the coordinated nature and number of bots required for a successful DDOS attack I doubt resources would be wasted on your average joe bloggs. VISA, CIA, Paypal, Amazon etc.. Yes.. Maud at number 73... No.

Secondly and more importantly any rudimentary router will recognise floods of ICMP and ignore them for a start. Added to that any router in the last 10 years or so would equally not echo ICMP requests to a broadcast address.

As the number of IPv4 addresses all but dries up it's pretty much guaranteed that a machine will be on the other end of an IP whether the router responds to pings or not.




Responding to a ping lets a port scanning process know something is attached to the IP so this validates it as a target.

In my own case it appears someone who used to have my own IP block either had bad surfing habits or really peed someone off because if I connect a router without the ability to stealth its ports I get knocked off the net within a matter of hours and the source addresses are normally in China.

Criminals rent out botnets for hire so it doesn't take a lot of knowledge these days.

As for TBBQM its ability to test your individual connection is questionable at best because it also indicates any latency or packet loss on the connection between the ISP and Netconnex who run thinkbroadband.

The more reliable way would be to place a device within the ISP network and let it monitor LCP packets (as a certain ISP do) this does not expose the connection.


andrue

#8
I had a reply from Simon at tech support which basically said we were responsible for all the traffic on our connection and that the charges just rack up automatically. The email also said they didn't recommend hosting services that could be seen outside the firewall although my understanding is that's no guarantee you wouldn't get a DDoS. You might be a more obvious target but if someone sticks your address into their bot you're going to get flooded no matter what your router or firewall does (unless someone knows differently).

If I'm right then any FTTC customer is at risk of a big bill. You could go to bed at 11pm then wake up at 7am and someone has run up over £200 on your behalf. If you head off to work without using your connection that could be another £300 before you get home and wonder why iPlayer is running slowly.

He did mention the RSS feed though so perhaps something can be done with that to trigger an alert.

My router does have an option to disconnect from the internet based on traffic usage. Unfortunately I'm not convinced that the WNR1000 is counting correctly.

pctech

My point is generally that if they don't get any sort of response they just move on, thus minimising the damage.

As far as IDNet is concerned traffic sent to you is traffic and they gave the response I thought they might, the lack of capping is the reason I don't use them for broadband as I'm always concerned I could run up a large bill (or have one run up in the event of a securuty issue, my connection is capped and so even in the worst case, bandwidth bills cannot be run up as once the allowance is hit, all I can navigate to is the ISP's homepage and customer portal.


andrue

Quote from: pctech on Sep 24, 2012, 19:50:07
My point is generally that if they don't get any sort of response they just move on, thus minimising the damage.

As far as IDNet is concerned traffic sent to you is traffic and they gave the response I thought they might, the lack of capping is the reason I don't use them for broadband as I'm always concerned I could run up a large bill (or have one run up in the event of a securuty issue, my connection is capped and so even in the worst case, bandwidth bills cannot be run up as once the allowance is hit, all I can navigate to is the ISP's homepage and customer portal.
That would be my concern as well so I've added it to my list of things I don't like about IDNet. It's not a long list and it's far from terminal but come May I will definitely be reviewing my options.

On the good side the problem with the router appears to be a display issue. I think that the HTML maintains its own count separate from the router software. If you navigate around and come back to traffic management the figures look a lot closer to what IDNet reckon.

.Griff.

#11
Quote from: andrue on Sep 24, 2012, 14:09:55
My thoughts too.True but anything that makes it as far as the router has taken downstream bandwidth. Even if my router ignores everything it still gets counted against my allowance  :(

And?

A successful ICMP echo request constitutes 84 bytes. Lets says you're flooded (DDOS'ed) with a million requests, which you're router would acknowledge and stop responding to anyway, the total bandwidth would be 84MB.

Worrying about DDOS and setting your router to ignore ICMP requests really is a waste of valuable time. It's like anything in life, you take the appropriate precautions. Does your house have the same level of security as your high street bank? Of course not and for obvious reasons. Even if you had sixteen locks on each door and window, removed yourself from every database in existence and camouflaged the house it still exists and could "potentially" become a target for someone. The same applies to your router. You can "hide it" but it still exists.

Common sense is the best defence and the chances of your becoming a DDOS victim are slim to virtually none.

Note - The above is meant in good faith and I don't mean to belittle anyone. I'm just tired of the paranoia and scare stories which can cause more harm than good. Andrue if in any doubt I'd ask on the Be forum or Be Usergroup which I know you still have access to. I'm sure they'll echo, no pun intended, all I've said above.

Steve

I would echo what Griff has said. IDNet the ISP may become the target of a DDOS attack but not the home user, a script bot is just as likely to carry on probing a particular IP address whether or not it receives a response from an attempt to ping the wan port of a router. The risk to the home user comes from use of the browser and related software and again the use of common sense goes along way to reducing the threat.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

andrue

#13
Quote from: .Griff. on Sep 25, 2012, 00:06:23Note - The above is meant in good faith and I don't mean to belittle anyone. I'm just tired of the paranoia and scare stories which can cause more harm than good.
Perhaps you could direct it at other posters then. I asked a sensible question in a calm and considered way. Even the title says there's nothing to panic about. I'm not the one suggesting people stop responding to pings. Nor do I intend to stop hosting services on my network. I've been doing it for years now and never had a problem. I have told my router to disconnect if downstream traffic exceeds 20GB (I'm on the 15GB peak package at the moment) but since my monthly usage rarely goes above 7GB that seems reasonable to me.

But your analogy about bank security seems weak to me. Bricks and mortar banks sit on the highstreet with large writing on them stating that they are banks. Everyone knows and can see that there is money behind the wall. Clearly they need more security than a quiet residential property on a housing estate. On the internet however all addresses are created equal. There's no way to tell what lies behind my IP address - although the domain suggests it's unlikely to be important. Anyway it is possible for someone setting up a bot net to put the wrong address in and send the attack to poor ol' Mrs Pepperpot who only uses the internet to look for knitting patterns.

Your ping comment intrigues me from a technical point of view - why would the pings stop at a million? Whether my router stops responding or not there's no reason to think the pings would. I do agree that the risks are low (see - no panic here  ::) ) but they exist. A sensible person (especially one who has services exposed through his firewall 24/7) seeks to minimise risk using appropriate tools and techniques and that's all I'm trying to do.

pctech

My intent in responding to this post was to answer the question and avoid anyone incurring unnecessary cost.

.Griff.

Quote from: andrue on Sep 25, 2012, 07:58:54Your ping comment intrigues me from a technical point of view - why would the pings stop at a million?

It was an example. I assumed you could do the maths and extrapolate the numbers and appreciate what a pointless concern this is.


andrue

Quote from: .Griff. on Sep 25, 2012, 13:02:15
It was an example. I assumed you could do the maths and extrapolate the numbers and appreciate what a pointless concern this is.
Fair enough.

Going_Digital

I have to agree with .Griff. that the amount of misinformation on the internet is shocking, and the sad thing is people accept most of it without question. So how do you propose blocking ping, by blocking all ICMP traffic maybe, ooops now pmtu doesn't work so any service you are trying to connect to that travels over a link that can not handle the packet size you are using is now inaccessible. Oh ok then just block ICMP Ping packets, hmm so now if I want to see if you are there I just send a PMTU discovery packet.

Disabling ping is like removing the doorbell off your door, it doesn't add any security it just causes an inconvenience.

andrue

#18
Quote from: Going_Digital on Oct 03, 2012, 10:24:00
I have to agree with .Griff. that the amount of misinformation on the internet is shocking, and the sad thing is people accept most of it without question.
That's true. On the other hand when people do ask they don't always get  accurate advice :)

For example stating that a ping flood is irrelevant because they are only 84 bytes long isn't accurate and could mislead someone that doesn't know better. A ping can be extended up 64kB if the sender wants to and for maximum impact they probably would in the hope of killing the router. Anyway I would say that all it takes to drown an 80/20 connection is half a dozen other people on 80/20 working together. Even one person with an 80/20 connection can send around 1.5MB/s to someone and that means over 5GB an hour. 1.5MB/s coming down continuously could be rather nasty. Not enough to notice the difference but after 24 hours you've used up 130GB.

But..I do basically agree with what Griff is saying. It's a very low risk. I just don't really agree that it's a 'pointless concern' :)