Requesting Static IP change - possible?

Started by Aaron, Dec 08, 2010, 17:29:26

Aaron

I've been getting UDP floods from a user who doesn't like it when I take his nickname on Quakenet IRC (by using an automated script) when that nick goes offline, but it was also stupidity on my part for not hiding my hostmask on Quakenet. When I'm flooded my Internet activity goes dead for minutes.

FTL    2010-12-08T17:00:01Z    fw,fwmon    src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=6952 UDP Port Scan Detected
ALR    2010-12-08T17:00:01Z    fw,fwmon    src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=59111 UDP Flood Detected
INF    2010-12-08T17:00:59Z    fw,fwmon    UDP Flood Ended (occurrence: 2)

Now that my hostmask is hidden, it's still possible whoever is UDP flooding me still knows my IP, so would IDNet allow an IP change if requested?
IDNet Home Pro ADSL2+ 4Mbps | Billion BiPAC 7800N

Rik

I really don't know, the problem is that your existing IP could not be recycled for some time at least. Give support a call and see what they can offer.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Thought. Can you identify his IP address? If so, you could make an abuse complaint to his ISP.

Aaron

No I can't, he's hidden his hostmask on Quakenet, plus he uses a bouncer. All I have is the source IP from the firewall logs (vps01.kazooki.com) which isn't much good I think.
IDNet Home Pro ADSL2+ 4Mbps | Billion BiPAC 7800N

Rik

I had a feeling it wouldn't be that simple. :(

Niall

Find out who supplies the bouncer and report the abuse to them. They'll kick him off it for misuse. If it's his own bouncer complain to the host of the server it's on.
Flickr Deviant art
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

Aaron

Yeah problem is I don't have any evidence, I only put 2 and 2 together by seeing that my Internet access got disrupted 2 or 3 times this week and noticing that it only happened shortly after reclaiming the nickname on Quakenet :(

Going to email IDNet now
IDNet Home Pro ADSL2+ 4Mbps | Billion BiPAC 7800N
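
Added example, not part of the original thread: one way to turn firewall lines in the format quoted in the first post into a per-source summary that can accompany an abuse report. The function names are hypothetical, and the sample combines the three quoted lines with one constructed episode from a documentation address.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the three lines quoted in the first post, plus a second
# made-up episode from a documentation address (198.51.100.7).
SAMPLE_LOG = """\
FTL    2010-12-08T17:00:01Z    fw,fwmon    src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=6952 UDP Port Scan Detected
ALR    2010-12-08T17:00:01Z    fw,fwmon    src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=59111 UDP Flood Detected
INF    2010-12-08T17:00:59Z    fw,fwmon    UDP Flood Ended (occurrence: 2)
ALR    2010-12-09T21:14:30Z    fw,fwmon    src=198.51.100.7 dst=*REMOVED* ipprot=17 sport=40000 dport=6667 UDP Flood Detected
INF    2010-12-09T21:17:00Z    fw,fwmon    UDP Flood Ended (occurrence: 1)
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one fwmon line into severity, UTC time, key=value fields, event text."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None                      # blank or truncated line
    sev, ts, _facility, msg = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None                      # not a log line in this format
    return {"sev": sev, "when": when, "fields": dict(KV.findall(msg)),
            "event": KV.sub("", msg).strip()}

def flood_episodes(log_text):
    """Pair each 'UDP Flood Detected' with the next 'UDP Flood Ended'."""
    episodes, current = [], None
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "UDP Flood Detected":
            current = {"src": rec["fields"].get("src"), "dport": rec["fields"].get("dport"),
                       "start": rec["when"], "end": None, "seconds": None}
            episodes.append(current)
        elif rec["event"].startswith("UDP Flood Ended") and current:
            # The 'Ended' line carries no src, so it closes the open episode.
            current["end"] = rec["when"]
            current["seconds"] = int((rec["when"] - current["start"]).total_seconds())
            current = None
    return episodes

def summarise_by_source(episodes):
    """Per-source totals: episode count, flood seconds, first time seen."""
    out = {}
    for ep in episodes:
        s = out.setdefault(ep["src"], {"episodes": 0, "seconds": 0, "first_seen": ep["start"]})
        s["episodes"] += 1
        s["seconds"] += ep["seconds"] or 0
    return out

if __name__ == "__main__":
    for src, s in summarise_by_source(flood_episodes(SAMPLE_LOG)).items():
        print(f"{src}: {s['episodes']} flood(s), {s['seconds']}s, first seen {s['first_seen']:%Y-%m-%d %H:%M:%SZ}")
```

UDP source addresses can be forged, so the summary shows what the firewall recorded rather than proof of who sent the traffic.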

pctech

I think that address is pretty much dead and there is another question here, why would you use his nickname?


Aaron

Quote from: pctech on Dec 08, 2010, 18:49:12
there is another question here, why would you use his nickname?

Cos I'm fussy, I prefer to use aaron instead of aaron| or aaron_ and the like :) Besides, there is no ownership of nicknames on Quakenet
IDNet Home Pro ADSL2+ 4Mbps | Billion BiPAC 7800N

pctech

Quote from: Aaron on Dec 08, 2010, 19:26:28
Cos I'm fussy, I prefer to use aaron instead of aaron| or aaron_ and the like :) Besides, there is no ownership of nicknames on Quakenet

Ok fair enough but I think you may have to bite the bullet (excuse the pun) otherwise it is likely to occur again.

It'll be up to IDNet to decide whether they are happy to lose one of the IPs from their allocation

Niall

I used to have the same problem with my name, and my nickname, so I just got a bot and renamed it, and a bouncer for my real name. That irritating Irish lad was a pest no more ;D

Technical Ben

Sometimes I'm glad there is only one of me. :D
I always find, if at all possible, it's best to just move on from the "internet" when it tries to attack. It's often got more people, resources and stubbornness than I could ever amount to stop it.
If it was a forum login/paypal/ebay or an imposter on facebook, I'd try and get it sorted though.
It's completely wrong that someone would try and do this to you. I hope they get bored or move on to something else soon.
I used to have a signature, then it all changed to chip and pin.

Niall

I was in a position years ago when I still actively used irc, etc to have a mate that hosted his own gaming servers. When people tried to knock users off the net in the previously mentioned way, he'd do it to them and much worse via a data centre :D

Shame he decided that the fuss of running servers wasn't worth it and went back to Uni. Dunno what happened to him actually, I haven't seen him for years now I think about it ;D

esh

Where are you blocking this? Is this router side or what (which would be best)? Is it a single IP or multiple that are targeting you? If it was a single one, I wouldn't imagine it could knock you offline unless it was some serious connection, or you're blocking it in the wrong place.

I've been on IRC for many a year, and while in days of yore the typical next step was to retaliate in a similar way I would not condone it :)
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011

pctech

Depends where in the world the person is and in the UK if they are using a LAN or Virgin cable they could make mincemeat of an ADSL connection.


esh

If I'm thinking about this correctly, assuming the packets are being blackholed at the router end (i.e. not using any upstream from the target end), it would require something in excess of the ADSL downstream capacity to really cripple things. So 8M upwards. I guess that's feasible these days.
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011

pctech

If an attacker has access to enough upstream bandwidth they can sink any connection, which is the thinking behind botnets and the reason companies such as Prolexic came into being; they allocate more and more bandwidth to soak up the traffic and blackhole the illegitimate PING and SYN packets while passing the genuine traffic to the customer servers.


Aaron

They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.
IDNet Home Pro ADSL2+ 4Mbps | Billion BiPAC 7800N

DorsetBoy

Quote from: Aaron on Dec 09, 2010, 17:46:23
They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.

My Draytek router has DDOS defence built in and UDP floods are part of that, packet size and timings can be altered to suit. Hosting companies tackle these issues every day.

pctech

If an attacker has enough upstream bandwidth though they can overcome any hardware/software DDOS defence.


esh

Quote from: Aaron on Dec 09, 2010, 17:46:23
They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.

As I was commenting (and pctech confirming), dropping the packets will at least help somewhat. It's just if they have a vast quantity of bandwidth coming your way that even the router cannot handle then things will fall over. You should always be blackholing packets anyway, in my opinion. Are you just directly connected to a modem with a software firewall? That could be a problem.


Edit: just to clarify, I think you are going offline because your upload gets saturated. If you are not blackholing packets, you have to respond to each one saying "no, this port is closed" by protocol. If you just drop them without response, then at least your upstream should not get swamped by sending these packets.
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011