Downed by a DDOS

Finally thought I'd got my recent connection issues sorted, had an issue yesterday where my router was syncing and not establishing PPP so I swapped the cable between the filter and the router from the ADSL nation one to the one supplied with the router which seemed to fit better in the socket.

Went to use my connection later and it was slow, checked the router logs and the firewall was being hammered by packets from several IP addresses.

In order to stop it I had to pull the power and leave it for an hour.

later, I ran a shields up test and found that while ports were declared closed the router was replying that they were closed.

I've referred the issue to Zoom Telephonics but does anyone know how to stealth the ports in their firmware vias Telnet?

Have found in the past setting the DMZ to an IP address you don't use on the LAN can help

Thanis for the tip, I decided to return this one and have bought a Netgear 300 which is now on my connection and syncs better than the old Netgear.

DDOS protection is enabled and I am now quite happily using my connection as the bots have not had a response to their probes so have moved on.

Router "DoS protection" is a waste of CPU power. Disable it and move on. If someone wants to keep you offline, they will. Proper DoS protection requires plenty of bandwidth and decent hardware.

I am aware that gernally the only defence is to throw bucketloads of bandwidth at the problem (hence why the likes of Prolexic and others are in business) but as the bots were receiving a response to the port probes they kept going even though the router responded that they were closed.

Surely its better for them not to receive a response at all which is what my current router is doing.

Saw a few port scans when I put it in last night but had nothing since so they've gone elsewhere.

Routing speed seems to be ok so don't think its taxing the router's CPU too much.

Edited by techguy (Sat 24-Mar-12 22:20:51)

The issue can be more to do with the substantial lack of outbound bandwidth compared to inbound, on most broadband connections. So if you are sent enough spurious packets downstream, which illicit a response by the router upstream (eg. a standard TCP SYN in, RST out connection request will do this), then, very rapidly, your connection is rendered unusable, not necessarily because the downstream is saturated, but because the upstream is saturated with your router trying to reply to all the requests.

Many years ago, I had a friend on Telewest (cable) who was being DDoS'd by some nasty script kiddie on IRC. He would just ping-timeout from the chat channel within minutes as soon as this guy started up with his bot-network. I developed some rules for Linux which I still use to this very day, which restrict the number of packets that Linux will reply to when faced with such an attack and I got him to place them on his Linux router to see how he got on. When it next happened, he managed to stay connected for at least 10-15 minutes longer during the attack, until the inbound data rate probably began to exceed his download rate instead. When that happens, it is game over for sure. It was nice watching though how these simple rules proved their effectiveness.

I still use them today on my own Linux router. They are very effective, and simple. Basically, the machine rate limits the number of TCP RST packets it sends, within 1 minute. So on the first few packets, I am nice and let the router reply with TCP RST packets (indicating the port is closed). But after 5 or so instances of that, it then just stops replying. Upsets NMAP no end, because the machine just plays mostly dead on all ports until the scan/attack is stopped, at which point it returns back to normal. I've applied the same rules onto the IPv6 stack also.

Edited by deleted (Sun 25-Mar-12 18:11:55)

Thanks for the explanation.

There's just a Windows machine, Xbox and Android phone connected by Wi-Fi on my network.

As I work in a software technical support role when I get home I tend to like to keep it simple so if the router doesn't reply at all that is obviously the best thing, how can they DDoS something they can't see.