DoS attack

nowster · May 10, 2013, 15:28:27

Sigh! Some system in the USA is trying to password scan the SIP server on my parents' iDNet connection, sending about 200kbps of UDP traffic continuously. I've removed the SIP server software but the incoming traffic continues. At this rate they're going to go over quota in about 5 days.

Glenn · May 10, 2013, 15:54:36

Speak to support, they may be able block to the traffic type to the connection.

nowster · May 11, 2013, 11:53:53

Quote from: Glenn on May 10, 2013, 15:54:36
Speak to support, they may be able block to the traffic type to the connection.

An email to support has gone unanswered... Currently gobbling bandwidth allowance at about 2GB a day.

Simon · May 11, 2013, 12:43:36

Can't they disconnect the router?

nowster · May 11, 2013, 13:20:23

Quote from: Simon on May 11, 2013, 12:43:36
Can't they disconnect the router?

Well, they could, but that then doesn't allow them to access the Internet...

Simon · May 11, 2013, 13:24:10

But if they disconnected for, say, 30 minutes, then reconnected, would that not stop the DOS attack?

nowster · May 11, 2013, 13:37:40

Quote from: Simon on May 11, 2013, 13:24:10
But if they disconnected for, say, 30 minutes, then reconnected, would that not stop the DOS attack?

No, it's UDP based. The sender is blindly sending out packets and not looking at the return. I've had the "local" end: sending ICMP host unreachables, ICMP port unreachable (the default when there's nothing listening on that port), and finally nothing at all back. Nothing seems to stop it. I've reported the activity to the US hosting company... no response.

nowster · May 11, 2013, 17:15:19

I've now got my parents to switch off their modem for the weekend, only switching it back on if they really need a connection. Hopefully iDNet can do something on Monday.

Steve · May 11, 2013, 17:23:48

It does seem they've little choice.

nowster · May 13, 2013, 11:19:27

And support have written back suggesting my parents change their package.

Simon · May 13, 2013, 11:38:19

SimonM_IDNet · May 13, 2013, 11:57:03

Hi,

Apologies for the confusing reply from our support team.

I've taken a look at the issue. Since that IP is not on our network theres little we can do to put a stop to the DDOS attack. I have suggested in an email I just sent to you to see if we can change the IP address the line uses as this should stop the attack, although you might have to reconfigure any servers etc you use on that connection after an IP change.

Kind regards
Simon Mulliss
IDNet support

Simon · May 13, 2013, 12:00:34

Simon!

nowster · May 13, 2013, 12:03:12

Thanks. Changing IP is acceptable. Changing package is impossible – no ADSL2+.

http://www.samknows.com/broadband/exchange/WNADR

I'm still concerned that they're going to face a financial penalty for something that is outwith their control.

SimonM_IDNet · May 13, 2013, 12:17:13

Hi,

I have changed the IP for you. The package change you can ignore I believe my colleague sent that in error. I have forwarded your concerns about any charges on bandwidth to one of our management to get the right answer on this as it is an unusual situation.

Hope this helps,

Also Thanks Simon. Appears there are quite a few Simons associated with IDNet.

Simon · May 13, 2013, 12:33:48

Some might say too many!

nowster · May 13, 2013, 12:34:05

Quote from: SimonM_IDN on May 13, 2013, 12:17:13
Also Thanks Simon. Appears there are quite a few Simons associated with IDNet.

It happens. I know Zen had a "Dave Collective". And where I used to work (Zetnet) we had two Pauls and a Saul.

SimonM_IDNet · May 13, 2013, 12:40:42

Hi,

It does seem common, unfortunately for my self every major ISP I worked for all had a batch of Simon`s. I see per your email the issue now appears resolved hopefully the supplier in the US can put a stop to the DDOS attackers attempts.

Thanks
Simon Mulliss
IDNet support