How long will it take...

Started by andrue, Feb 07, 2014, 21:20:06

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

andrue

..for IDNet to block the IP address that is sending me continuous DNS requests at the cost of 1.5GB an hour? I first asked them to investigate on Thursday night (I didn't know what the problem was but hoped they could work it out) but didn't really get anywhere. Had to leave the router off all day today. Finally took matters into my own hands and attached my laptop to the modem. Turns out I'm getting loads of these:

4   0.845927   185.19.104.70   xx.xx.xx.xx   DNS   Standard query ANY pddos.com

So I called support at 7pm and pointed out the problem. I was told I'd get a callback. So I wonder how long it will take for that to happen? Would be nice to think they could block that address easily enough even if I'm not paying for 24/7 support. Only thing seemed a bit odd which I'll confirm tomorrow morning is that these packets were reaching me even before my laptop had logged on.

Steve

I hope you get an authoritative response soon!

Not sure whether this page makes any sense

http://dnsamplificationattacks.blogspot.co.uk/2014/01/domain-pddoscom.html
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Simon

It might be an idea to also email IDNet.  They do sometimes pick up emails at the weekends. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

andrue

Quote from: Steve on Feb 07, 2014, 21:28:27
I hope you get an authoritative response soon!

Not sure whether this page makes any sense

http://dnsamplificationattacks.blogspot.co.uk/2014/01/domain-pddoscom.html
That's very interesting. A bit odd though as I don't have a DNS server.

There's not much I can for now anyway but it's a pain in the bum. I only just dealt with a security issue on my mail server and now this :(

Technical Ben

Reminds me of the times a wrong number gets printed and someone gets 100s of calls for the takeaway or a big company. :/
I use to have a signature, then it all changed to chip and pin.

Steve

The solution in the past has been to change your static IP address.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Technical Ben on Feb 08, 2014, 00:38:54
Reminds me of the times a wrong number gets printed and someone gets 100s of calls for the takeaway or a big company. :/
Our home number had to be changed when somehow More than published it on Insurance claim documents, we were getting at one pint hundreds of calls a day and some quite abusive when I said look we are not "More Than" how it happened I do not know. We had our number changed and I managed to get a caller to contact More Than and explain the issue and give my name and show my number on his paper work, before that they refused to believe us, and said taped calls could be 'fraudulent'  ::) More Than coughed up £400 for publishing an ex directory number. How an 01243 code looked like an 0800 I will never know, let alone how it got into print.
Damned, if you do damned if you don't

colirv

We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
Colin


Gary

Quote from: colirv on Feb 08, 2014, 09:21:53
We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
I have a careline, trucall from memory interferes with that. At our new home we rarely get any cold calls, in fact I cant remember the last time we did now. Also with that many calls even truphone would have issues, also people don't believe you, so I doubt they would believe a message, they think the insurance comany were  pulling a 'fast one' as I discovered. It was stopping other people phoning in too like a landline DDoS.
Damned, if you do damned if you don't

Technical Ben

Possibly a copy/paste error? 01243 was from a diff customer, and the other numbers (usually random for anything not front customer facing sales, so claims etc are nothing special and not 400500 just 123456) were from the real MoreThan number.

In this case it could be either a hack attempt/DDOS for fun/grievance or a server somewhere set with the wrong ip. Even worse, if the server has 2, like with DNS lookups etc, I'd assume, as the second lookup would succeed, the failure of the first would go unnoticed for ages.

Or at the least, if the management don't notice the mistake, what motivation would the workers have to fix it? Though I'm sure we would do fine for motivation! :D
I use to have a signature, then it all changed to chip and pin.

andrue

Quote from: colirv on Feb 08, 2014, 09:21:53
We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
Yah, I have a Truecall unit as well.

As for changing IP address that's an option. Originally I thought it was an attack on my mail server so assumed it would just follow me but this doesn't seem related. I have guests around today so can't just leave it unconnected. I've sent an email advising IDNet that it's ongoing and if necessary I'll dispute any overage charges. Being early in the month it ought to be possible to resolve it before that happens.

What I find puzzling is that it's still ongoing. Apparently my connection being dead for over 12 hours didn't deter it. When I connected using my laptop it was sending back 'port unreachable' and that didn't stop it either. The link earlier in the thread seems interesting but then why would my IP address be a target? I've never run a DNS server.

Technical Ben

That's a rather strange problem. Can you "mask/cloak" the ports/requests?
Theoretically, you should not get charged for incoming requests. But I guess as it's the internet, and we are charged for the "carrying" capacity or whatever of the line, anything that goes through, we get charged for, as it's "download"? Where as a phone/post junk mail is thankfully still "free" and only the sender gets charged.
I use to have a signature, then it all changed to chip and pin.

cavillas

andrue why not change your dns servers on your router to opendns ones, you can then block specific ip addresses as well as filtering whatever you want to stop.
------
Alf :)

Technical Ben

That's for outgoing only though? Or am I missing something?
I use to have a signature, then it all changed to chip and pin.

Bill

Quote from: Technical Ben on Feb 08, 2014, 11:48:34
Theoretically, you should not get charged for incoming requests.

Not so- you get charged for everything you download, and "download" means anything that arrives at your WAN port.

And every byte of it is included, even the ping packets from a BQM.
Bill
BQMs-  IPv4  IPv6

andrue

Quote from: cavillas on Feb 08, 2014, 12:32:46
andrue why not change your dns servers on your router to opendns ones, you can then block specific ip addresses as well as filtering whatever you want to stop.
You've misunderstood the problem. It isn't me initiating these requests. It's some third party who is sending requests to my IP address. For some unknown reason some machine somewhere on the planet (could possibly be multiple machines but unlikely given the relatively low bandwidth) is continuously firing DNS requests at my address. They get bounced or ignored by the router but by then they've eaten up some of my bandwidth and more worryingly they come out of my allowance (at 1.5GB an hour!).

It might possibly relate to my running a mail server. Maybe whichever of the miscreants has been trying to hack into it for the last many years has got so incensed by their failure that they've kicked off a lacklustre DOS attack. It sounds a bit unlikely since I've never fought back and only ensured that my mail server is configured to defend itself as best it can but who knows with these people? Perhaps somewhere in outer Mongolia there's a spotty oik seething at his own inadequacy who's decided to attempt a denial of service attack since he can't get control of my server.

Anyway I've been discussing this amongst friends and contacts and I've decided to call time on it. I'm going to temporarily give up on being clever and shut down my mail server. I'll use Googlemail instead. Thanks to my existing system I know that my current limited crop of contacts do not result in spam (everyone gets their own address at present so I can be sure of that). Anyway that being the case I don't need a business level ISP any longer so I can save some money by switching to a cheaper unlimited deal.

It kind of sucks but to be honest I've had other changes in my life over the last six months and if this is one more major change then so be it.

mervl

Sounds good Andrue. I think you've got the explanation. It costs a few quid a month, but I've always been satisfied with a business class e-mail service paid for through MS's small business services (onmicrosoft.com) linked to my own domain (originally free though now paid for), though I go the whole hog (one user only) with the on-line services. Totally reliable, kept up to date and never any problem. Links through to android apps too. Must admit I don't know why anyone as an individual now bothers with their own e-mail server, apart from egos! Once a port is kept open from outside someone you don't want will find a way in sooner or later.

Technical Ben

Wait, I think I've figured out how to get free money. Just going to buy some shares in bandwidth suppliers, and a mail server.... ;)
I use to have a signature, then it all changed to chip and pin.

Adrian

Quote from: colirv on Feb 08, 2014, 09:21:53
We've been using TrueCall for a couple of years to eliminate nuisance and silent calls. If we ever found ourselves in the position described above I'd simply change the initial message to a short one of explanation.
I can't recommend Truecall highly enough, money well spent IMHO. Ours has been installed for over a year and virtually no unwanted calls get through, The phone can be so quiet some days I wonder if I am still connected! It can be configured in so many ways that it can meet virtually any requirement.
Adrian

Gary

Quote from: Adrian on Feb 09, 2014, 13:06:53
I can't recommend Truecall highly enough, money well spent IMHO. Ours has been installed for over a year and virtually no unwanted calls get through, The phone can be so quiet some days I wonder if I am still connected! It can be configured in so many ways that it can meet virtually any requirement.
Great for those that get lots of cold calls. I don't though. Careline comes first too. I found with cold calls years back that if you ask to be removed from the callers list they did, now I get none. Also alot of calls do say if you dont wt your number put onto a marketing list tell the operator you are calling, so I always do.
Damned, if you do damned if you don't

Adrian

Quote from: Gary on Feb 09, 2014, 13:12:11
Great for those that get lots of cold calls. I don't though. Careline comes first too. I found with cold calls years back that if you ask to be removed from the callers list they did, now I get none. Also alot of calls do say if you dont wt your number put onto a marketing list tell the operator you are calling, so I always do.
Most of my cold calls were, and still are  "Out of Area", i.e. from overseas so asking them nicely not to call is unlikely to work, apart from which I don't feel inclined to ask nicely not to be pestered endlessly when they disturb my domestic bliss.
Adrian

andrue

For those who might be interested the attack seems to have stopped. I used whois to track down the owner of the IP address and sent an email to their abuse address. I haven't had a response and perhaps it's coincidence but unbeknownst to me it stopped Monday night at 8pm:

http://www.thinkbroadband.com/ping/share-thumb/761ab1edb00bdd58e26dab19ad80eda7-10-02-2014.png

Ignore the big blocks of red. That was me connecting 'on demand'. I left my connection on all yesterday and overnight and usage is almost nothing. Anyway my change of ISP is still going ahead. The new one is 'unlimited' and if it slows a bit during peak hours it won't bother me.

mervl

Quote from: andrue on Feb 13, 2014, 09:58:45
For those who might be interested the attack seems to have stopped. I used whois to track down the owner of the IP address and sent an email to their abuse address. I haven't had a response and perhaps it's coincidence but unbeknownst to me it stopped Monday night at 8pm:

Might well have been a compromised PC with an unknowing owner, perhaps? Who knows how many IDNet addresses are targeted as I assume they have "blocks" and would many users know/be aware unless they exceed data limits (and might not know why anyway)? As IDNet don't "monitor" traffic! I think we're going to have to get used to these attacks, my router supplier has just given an attack warning as their remote access service was hacked. Nice function, but unnecessary and unsafe. Router hack warnings seem to be becoming routine. I assume as broadband access and speeds increase internationally so will the misuse, expotentially. We seem to need a tin-foil hat mentality now.

Technical Ben

This might be relevant! : http://www.tomshardware.com/news/themoon-worm-linksys-infected-8080,26042.html
It would also make it hard to block without special "triggers" on some sort of warning/automated system. As that would be a lot of random IPs. I'd guess blocking the port only on an ISP level would be very counter productive.
I use to have a signature, then it all changed to chip and pin.

pctech

Why its not wise to run any type of server on a domestic connection and just to block all incoming connections.