How long will it take...

Started by andrue, Feb 07, 2014, 21:20:06


andrue

..for IDNet to block the IP address that is sending me continuous DNS requests at the cost of 1.5GB an hour? I first asked them to investigate on Thursday night (I didn't know what the problem was but hoped they could work it out) but didn't really get anywhere. Had to leave the router off all day today. Finally took matters into my own hands and attached my laptop to the modem. Turns out I'm getting loads of these:

4   0.845927   185.19.104.70   xx.xx.xx.xx   DNS   Standard query ANY pddos.com

So I called support at 7pm and pointed out the problem. I was told I'd get a callback. So I wonder how long it will take for that to happen? Would be nice to think they could block that address easily enough even if I'm not paying for 24/7 support. The only thing that seemed a bit odd, which I'll confirm tomorrow morning, is that these packets were reaching me even before my laptop had logged on.
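
An added example (not code from this thread): a small triage script that reads lines in the layout of the capture line above, keeps only DNS queries addressed to the WAN address, and flags any source sending them at a sustained rate, which is what you would put in front of the abuse contact found via whois. The capture lines are constructed; "xx.xx.xx.xx" stands in for the masked WAN address as in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the capture line quoted above
# (frame, time, src, dst, proto, info); "xx.xx.xx.xx" is the masked WAN address.
SAMPLE_CAPTURE = """\
1   0.000000   185.19.104.70   xx.xx.xx.xx   DNS   Standard query ANY pddos.com
2   0.003120   xx.xx.xx.xx   185.19.104.70   ICMP   Destination unreachable (Port unreachable)
3   0.410551   185.19.104.70   xx.xx.xx.xx   DNS   Standard query ANY pddos.com
4   0.845927   185.19.104.70   xx.xx.xx.xx   DNS   Standard query ANY pddos.com
5   1.200004   185.19.104.70   xx.xx.xx.xx   DNS   Standard query ANY pddos.com
6   1.500000   xx.xx.xx.xx   8.8.8.8   DNS   Standard query A www.example.com
7   1.530000   8.8.8.8   xx.xx.xx.xx   DNS   Standard query response A www.example.com
"""

LINE_RE = re.compile(r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
                     r"\s+(?P<proto>\S+)\s+(?P<info>.*)$")

def parse_capture(text):
    """Yield one dict per well-formed capture line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = float(rec["time"])
            yield rec

def inbound_dns_queries(text, wan_ip):
    """Per source address: count and first/last timestamp of DNS queries (not responses) sent to wan_ip."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for p in parse_capture(text):
        if p["dst"] != wan_ip or p["proto"] != "DNS":
            continue  # our own outbound traffic, ICMP bounces, etc.
        if not p["info"].startswith("Standard query ") or " response " in p["info"]:
            continue  # answers to lookups we made ourselves are expected
        s = stats[p["src"]]
        s["count"] += 1
        s["first"] = p["time"] if s["first"] is None else s["first"]
        s["last"] = p["time"]
    return dict(stats)

def flag_flood_sources(stats, min_queries=3, min_rate=2.0):
    """Sources that sent at least min_queries at >= min_rate queries/second; a host with no resolver expects none."""
    flagged = []
    for src, s in stats.items():
        rate = s["count"] / max(s["last"] - s["first"], 1e-6)
        if s["count"] >= min_queries and rate >= min_rate:
            flagged.append((src, s["count"], round(rate, 2)))
    return sorted(flagged, key=lambda f: -f[1])
```

Dropping the source at the router only silences the ICMP replies; the inbound bytes have already crossed the WAN port and still count against the allowance, so the flagged list is for the ISP or the abuse report, not a local fix.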

Steve

I hope you get an authoritative response soon!

Not sure whether this page makes any sense

http://dnsamplificationattacks.blogspot.co.uk/2014/01/domain-pddoscom.html
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Simon

It might be an idea to also email IDNet.  They do sometimes pick up emails at the weekends. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

andrue

Quote from: Steve on Feb 07, 2014, 21:28:27
I hope you get an authoritative response soon!

Not sure whether this page makes any sense

http://dnsamplificationattacks.blogspot.co.uk/2014/01/domain-pddoscom.html
That's very interesting. A bit odd though as I don't have a DNS server.

There's not much I can do for now anyway, but it's a pain in the bum. I only just dealt with a security issue on my mail server and now this :(

Technical Ben

Reminds me of the times a wrong number gets printed and someone gets 100s of calls for the takeaway or a big company. :/
I used to have a signature, then it all changed to chip and pin.

Steve

The solution in the past has been to change your static IP address.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Technical Ben on Feb 08, 2014, 00:38:54
Reminds me of the times a wrong number gets printed and someone gets 100s of calls for the takeaway or a big company. :/
Our home number had to be changed when somehow More Than published it on insurance claim documents. We were getting at one point hundreds of calls a day, and some quite abusive when I said "look, we are not More Than". How it happened I do not know. We had our number changed, and I managed to get a caller to contact More Than and explain the issue, give my name and show my number on his paperwork; before that they refused to believe us, and said taped calls could be 'fraudulent'  ::) More Than coughed up £400 for publishing an ex-directory number. How an 01243 code looked like an 0800 I will never know, let alone how it got into print.
Damned if you do, damned if you don't

colirv

We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
Colin


Gary

Quote from: colirv on Feb 08, 2014, 09:21:53
We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
I have a careline; TrueCall from memory interferes with that. At our new home we rarely get any cold calls, in fact I can't remember the last time we did now. Also with that many calls even truphone would have issues, also people don't believe you, so I doubt they would believe a message; they think the insurance company were pulling a 'fast one' as I discovered. It was stopping other people phoning in too, like a landline DDoS.
Damned if you do, damned if you don't

Technical Ben

Possibly a copy/paste error? 01243 was from a diff customer, and the other numbers (usually random for anything not front customer facing sales, so claims etc are nothing special and not 400500 just 123456) were from the real MoreThan number.

In this case it could be either a hack attempt/DDOS for fun/grievance or a server somewhere set with the wrong IP. Even worse, if the server has 2, like with DNS lookups etc, I'd assume, as the second lookup would succeed, the failure of the first would go unnoticed for ages.

Or at the least, if the management don't notice the mistake, what motivation would the workers have to fix it? Though I'm sure we would do fine for motivation! :D
I used to have a signature, then it all changed to chip and pin.

andrue

Quote from: colirv on Feb 08, 2014, 09:21:53
We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
Yah, I have a Truecall unit as well.

As for changing IP address that's an option. Originally I thought it was an attack on my mail server so assumed it would just follow me but this doesn't seem related. I have guests around today so can't just leave it unconnected. I've sent an email advising IDNet that it's ongoing and if necessary I'll dispute any overage charges. Being early in the month it ought to be possible to resolve it before that happens.

What I find puzzling is that it's still ongoing. Apparently my connection being dead for over 12 hours didn't deter it. When I connected using my laptop it was sending back 'port unreachable' and that didn't stop it either. The link earlier in the thread seems interesting but then why would my IP address be a target? I've never run a DNS server.

Technical Ben

That's a rather strange problem. Can you "mask/cloak" the ports/requests?
Theoretically, you should not get charged for incoming requests. But I guess as it's the internet, and we are charged for the "carrying" capacity or whatever of the line, anything that goes through we get charged for, as it's "download"? Whereas a phone/post junk mail is thankfully still "free" and only the sender gets charged.
I used to have a signature, then it all changed to chip and pin.

cavillas

andrue, why not change the DNS servers on your router to OpenDNS ones? You can then block specific IP addresses as well as filter whatever you want to stop.
------
Alf :)

Technical Ben

That's for outgoing only though? Or am I missing something?
I used to have a signature, then it all changed to chip and pin.

Bill

Quote from: Technical Ben on Feb 08, 2014, 11:48:34
Theoretically, you should not get charged for incoming requests.

Not so: you get charged for everything you download, and "download" means anything that arrives at your WAN port.

And every byte of it is included, even the ping packets from a BQM.
Bill
BQMs-  IPv4  IPv6

andrue

Quote from: cavillas on Feb 08, 2014, 12:32:46
andrue, why not change the DNS servers on your router to OpenDNS ones? You can then block specific IP addresses as well as filter whatever you want to stop.
You've misunderstood the problem. It isn't me initiating these requests. It's some third party who is sending requests to my IP address. For some unknown reason some machine somewhere on the planet (could possibly be multiple machines but unlikely given the relatively low bandwidth) is continuously firing DNS requests at my address. They get bounced or ignored by the router but by then they've eaten up some of my bandwidth and more worryingly they come out of my allowance (at 1.5GB an hour!).

It might possibly relate to my running a mail server. Maybe whichever of the miscreants has been trying to hack into it for the last many years has got so incensed by their failure that they've kicked off a lacklustre DOS attack. It sounds a bit unlikely since I've never fought back and only ensured that my mail server is configured to defend itself as best it can but who knows with these people? Perhaps somewhere in outer Mongolia there's a spotty oik seething at his own inadequacy who's decided to attempt a denial of service attack since he can't get control of my server.

Anyway I've been discussing this amongst friends and contacts and I've decided to call time on it. I'm going to temporarily give up on being clever and shut down my mail server. I'll use Googlemail instead. Thanks to my existing system I know that my current limited crop of contacts do not result in spam (everyone gets their own address at present so I can be sure of that). Anyway that being the case I don't need a business level ISP any longer so I can save some money by switching to a cheaper unlimited deal.

It kind of sucks but to be honest I've had other changes in my life over the last six months and if this is one more major change then so be it.

mervl

Sounds good Andrue. I think you've got the explanation. It costs a few quid a month, but I've always been satisfied with a business class e-mail service paid for through MS's small business services (onmicrosoft.com) linked to my own domain (originally free though now paid for), though I go the whole hog (one user only) with the on-line services. Totally reliable, kept up to date and never any problem. Links through to android apps too. Must admit I don't know why anyone as an individual now bothers with their own e-mail server, apart from egos! Once a port is kept open from outside someone you don't want will find a way in sooner or later.

Technical Ben

Wait, I think I've figured out how to get free money. Just going to buy some shares in bandwidth suppliers, and a mail server.... ;)
I used to have a signature, then it all changed to chip and pin.

Adrian

Quote from: colirv on Feb 08, 2014, 09:21:53
We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
I can't recommend TrueCall highly enough, money well spent IMHO. Ours has been installed for over a year and virtually no unwanted calls get through. The phone can be so quiet some days I wonder if I am still connected! It can be configured in so many ways that it can meet virtually any requirement.
Adrian

Gary

Quote from: Adrian on Feb 09, 2014, 13:06:53
I can't recommend TrueCall highly enough, money well spent IMHO. Ours has been installed for over a year and virtually no unwanted calls get through. The phone can be so quiet some days I wonder if I am still connected! It can be configured in so many ways that it can meet virtually any requirement.
Great for those that get lots of cold calls. I don't though. Careline comes first too. I found with cold calls years back that if you ask to be removed from the caller's list they did; now I get none. Also a lot of calls do say if you don't want your number put onto a marketing list tell the operator you are calling, so I always do.
Damned if you do, damned if you don't

Adrian

Quote from: Gary on Feb 09, 2014, 13:12:11
Great for those that get lots of cold calls. I don't though. Careline comes first too. I found with cold calls years back that if you ask to be removed from the caller's list they did; now I get none. Also a lot of calls do say if you don't want your number put onto a marketing list tell the operator you are calling, so I always do.
Most of my cold calls were, and still are, "Out of Area", i.e. from overseas, so asking them nicely not to call is unlikely to work, apart from which I don't feel inclined to ask nicely not to be pestered endlessly when they disturb my domestic bliss.
Adrian

andrue

For those who might be interested the attack seems to have stopped. I used whois to track down the owner of the IP address and sent an email to their abuse address. I haven't had a response and perhaps it's coincidence but unbeknownst to me it stopped Monday night at 8pm:

http://www.thinkbroadband.com/ping/share-thumb/761ab1edb00bdd58e26dab19ad80eda7-10-02-2014.png

Ignore the big blocks of red. That was me connecting 'on demand'. I left my connection on all yesterday and overnight and usage is almost nothing. Anyway my change of ISP is still going ahead. The new one is 'unlimited' and if it slows a bit during peak hours it won't bother me.

mervl

Quote from: andrue on Feb 13, 2014, 09:58:45
For those who might be interested the attack seems to have stopped. I used whois to track down the owner of the IP address and sent an email to their abuse address. I haven't had a response and perhaps it's coincidence but unbeknownst to me it stopped Monday night at 8pm:

Might well have been a compromised PC with an unknowing owner, perhaps? Who knows how many IDNet addresses are targeted, as I assume they have "blocks", and would many users know/be aware unless they exceed data limits (and might not know why anyway)? As IDNet don't "monitor" traffic! I think we're going to have to get used to these attacks; my router supplier has just given an attack warning as their remote access service was hacked. Nice function, but unnecessary and unsafe. Router hack warnings seem to be becoming routine. I assume as broadband access and speeds increase internationally so will the misuse, exponentially. We seem to need a tin-foil hat mentality now.

Technical Ben

This might be relevant! : http://www.tomshardware.com/news/themoon-worm-linksys-infected-8080,26042.html
It would also make it hard to block without special "triggers" on some sort of warning/automated system. As that would be a lot of random IPs. I'd guess blocking the port only on an ISP level would be very counter productive.
I used to have a signature, then it all changed to chip and pin.

pctech

Why it's not wise to run any type of server on a domestic connection, and just to block all incoming connections.