IllIlIlllIll join:2003-07-06 Hampton Bays, NY | reply to OOLost
Re: Need help configuring my Cisco871W with Optimum Static IP
I know broadcast traffic is filtered (by the CM, set by CV's CFG file via SNMP) for subscriber-based CMs, but I'm not sure if it's filtered on business accounts. If broadcast traffic is not filtered on business accounts and you are on the same "node" with a lot of other modems, you will get a lot of broadcast traffic. You should see the broadcast traffic for the cable boxes!
-- Suffolk County NY Police Feed - www.scpdny.com | PS3 Gaming Feed - www.livestream.com/elitedata
OOLost | I was running for a bit and now the connection is toast. I'm ready to cancel my business account. This router was configured eons ago and it worked just fine. Now, all of a sudden, I'm getting these issues and they've been getting progressively worse in the past two weeks. I've also changed out the routers. I have 2 Cisco 851s and one Cisco 871W. The problem occurs with all, so I'm convinced it is not my kit.
interface FastEthernet4
 description WAN
 ip address 24.xx.yy.26 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect MYFW out
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.yy.25
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.1.2 24.xx.yy.26
ip nat inside source static 192.168.1.4 24.xx.yy.28
ip nat inside source static 192.168.1.64 24.xx.yy.29
ip nat inside source static 192.168.1.7 24.xx.yy.30
That should be right, is it not???
jaa join:2000-06-13 | reply to OOLost
Do you still think it is a DoS attack on your IP?
I have no idea what a Cisco configuration looks like, but to me it seems you are assigning the .26 address twice.
I think it is your router config - try a simpler config, perhaps for one attached device, and see if it works.
Or throw out the Cisco equipment and spend $15 on a Netgear.
-- NOTHING justifies terrorism. We don't negotiate with terrorists. Those that support terrorists are terrorists.
OOLost | I had a "Cisco" guru give me the green light on the configuration. The configuration of Fa4 is correct. Netgear? Toys.
efrem join:2002-04-03 Westport, CT | Just want to clarify that you are indeed using the correct subnet and IP addresses assigned to you by CV.
You say you have 5 addresses... you really should have 7.
One is the subnet.
One is the default gateway.
Four are the addressable individual IPs.
One is the broadcast address for the subnet.
It does not appear to me that you are using that scheme with the addresses you listed above.
You might want to double-check that.
OOLost | said by efrem: Just want to clarify that you are indeed using the correct subnet and IP addresses assigned to you by CV. You say you have 5 addresses... you really should have 7. One is the subnet. One is the default gateway. Four are the addressable individual IPs. One is the broadcast address for the subnet. It does not appear to me that you are using that scheme with the addresses you listed above. You might want to double-check that.
Really? Talk that over with the OOL folks then. I was told:
24.xx.yy.24/29
24.xx.yy.25 -- gateway
24.xx.yy.26 -- 1st assignable IP
24.xx.yy.27 -- 2nd assignable IP
24.xx.yy.28 -- 3rd assignable IP
24.xx.yy.29 -- 4th assignable IP
24.xx.yy.30 -- 5th assignable IP
24.xx.yy.31 -- broadcast
efrem join:2002-04-03 Westport, CT | My bad. For some reason I thought it was 4 usable addresses, but you are correct, they actually assign 5.
OOLost | Things have come back to normal.
After calling OOL yesterday, OOL did some testing and saw the packet loss to the DPQ3925. They rolled a technician, who replaced the drop because he found that there was water and some corrosion in the connection at the pole. Also, there was a reset of the DPQ3925 earlier in the day which seemed to have cleared the issue of the incessant traffic to the router. A configuration change perhaps? I/you will never know, as there's no way to view the configuration of the DPQ3925. I recovered my router's configuration from its FTP backup (easier than undoing all of the crazy things I tried to figure out what was banging on the router's interface) and all's well.
Also, it appears that OOL deleted my reverse DNS. That'd explain a number of bizarre things like mail bouncing back and remote SQL query complaints. I'm still waiting for OOL to contact me about this particular issue.
I can now get back to working on a deadline project waylaid several days by this OOL debacle.
OOLost | The holiday didn't last long.
I finally had enough and I put an old hub (10bT) between the DPQ3925 and my Cisco router interface. I then fired up Wireshark on a Linux laptop's wired Ethernet interface and plugged it into the hub so that it could see the traffic between the two.
Yup. It's a DDoS on DNS. I've presently got port 53 disabled via an ACL on the Cisco, but I now have no DNS.
HOW DO I GET OOL TO UNDERSTAND THAT THIS IS HAPPENING?
I called them again yesterday and all they did was roll another cable tech out. That's NOT going to fix this problem. They need to intercede to stop this attack.
jaa join:2000-06-13 | Does your Mac still work OK if you disconnect your router and connect directly to the OOL router?
Do you think it is a DDoS attack on all your IP addresses?
Have you asked OOL to assign you a different block of IP addresses?
I am skeptical of a DDoS attack. Too coincidental that the attack started the same time OOL changed equipment, and that your Mac would work OK connected to the OOL equipment. I also do not recall anyone else posting about a DDoS attack on this forum in the past 10 years, but you could be the first.
OOLost | said by jaa: Does your Mac still work OK if you disconnect your router and connect directly to the OOL router?
You think like an OOL tech.
said by jaa: Do you think it is a DDoS attack on all your IP addresses?
Would you like me to post all 800000 Wireshark captures?
said by jaa: Have you asked OOL to assign you a different block of IP addresses?
I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.
cablewizzard | reply to OOLost
One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs? Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to? How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.
No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.
Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.
IllIlIlllIll join:2003-07-06 Hampton Bays, NY | reply to OOLost
said by OOLost: said by jaa: Does your Mac still work OK if you disconnect your router and connect directly to the OOL router? You think like an OOL tech. said by jaa: Do you think it is a DDoS attack on all your IP addresses? Would you like me to post all 800000 Wireshark captures? said by jaa: Have you asked OOL to assign you a different block of IP addresses? I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.
Can you post a small packet capture from Wireshark?
-- Suffolk County NY Police Feed - www.scpdny.com | PS3 Gaming Feed - www.livestream.com/elitedata
OOLost | reply to cablewizzard
said by cablewizzard: One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:
ip access-list extended Deny-DDoS-ACL
 deny ip 72.8.128.0 0.0.63.255 any
 deny ip 209.205.64.0 0.0.31.255 any
 permit ip any any
This ACL is applied to the interface as:
ip access-group Deny-DDoS-ACL in
Yesterday, this ACL had been:
deny udp any any eq domain
The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.
I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard: Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
Yes.
said by cablewizzard: How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.
Since ACLing the offenders, it's not too, too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard: No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described. Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.
Right. Learn Cisco IOS.
ip access-group Deny-DDoS-ACL in
                              ^^
It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe.
Sorry, but don't get acrimonious with me.
OOLost | reply to IllIlIlllIll
said by IllIlIlllIll: Can you post a small packet capture from Wireshark?
Here you go, one incoming from 72.8.190.97 doing a standard query of RIPE.NET ANY.
0000  00 1f 9e 03 36 c3 f4 5f d4 cf c2 03 08 00 45 00   ....6.._ ......E.
0010  00 42 03 85 40 00 75 11 0d e7 48 08 be 61 18 xx   .B..@.u. ..H..a..
0020  yy 1a 00 35 00 35 00 2e 00 00 03 b8 01 00 00 01   ...5.5.. ........
0030  00 00 00 00 00 01 04 72 69 70 65 03 6e 65 74 00   .......r ipe.net.
0040  00 ff 00 01 00 00 29 10 00 00 00 80 00 00 00 00   ......). ........
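As an added example that is not part of the thread, the Python below decodes the frame pasted above and flags the pattern it carries: a recursion-desired ANY query for ripe.net with a 4096-byte EDNS0 buffer sent to 53/udp, the textbook DNS amplification request, in which the source address is normally spoofed so the (much larger) answer lands on the address written in the packet rather than on the sender. The two masked destination octets ("xx yy") are assumed to be 00 00; nothing else in the dump is changed.

```python
import struct

# Constructed copy of the Wireshark hex dump pasted in the thread. The two masked
# destination octets ("xx yy" in the post) are replaced by the placeholder 00 00.
FRAME_HEX = """
00 1f 9e 03 36 c3 f4 5f d4 cf c2 03 08 00 45 00
00 42 03 85 40 00 75 11 0d e7 48 08 be 61 18 00
00 1a 00 35 00 35 00 2e 00 00 03 b8 01 00 00 01
00 00 00 00 00 01 04 72 69 70 65 03 6e 65 74 00
00 ff 00 01 00 00 29 10 00 00 00 80 00 00 00 00
"""
QTYPE_ANY, RRTYPE_OPT, EDNS_DO = 255, 41, 0x8000

def read_name(msg, off):  # uncompressed DNS name -> (name, offset after it)
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) or ".", off + 1

def parse_frame(hex_dump):
    """Decode Ethernet/IPv4/UDP, the DNS question and the EDNS0 OPT record."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ip = raw[14:]                                   # skip the Ethernet header
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    msg = udp[8:ulen]                               # DNS payload
    ident, flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns_size, do_bit = None, False
    for _ in range(an + ns + ar):                   # OPT pseudo-RR sits in ADDITIONAL
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:                     # CLASS carries the UDP payload size
            edns_size, do_bit = rclass, bool(ttl & EDNS_DO)
    return {"src": src, "sport": sport, "dport": dport, "id": ident,
            "rd": bool(flags & 0x0100), "qname": qname, "qtype": qtype,
            "edns_size": edns_size, "do": do_bit, "query_bytes": ulen - 8}

def is_amplification_probe(pkt):
    """ANY query, recursion desired, large EDNS buffer, aimed at 53/udp."""
    return (pkt["dport"] == 53 and pkt["qtype"] == QTYPE_ANY
            and pkt["rd"] and (pkt["edns_size"] or 512) >= 4096)
```

Because OOLost's server answers REFUSED (the dig output further down shows a 26-byte reply to this 38-byte query), it gives the attacker no amplification; the query pattern is still the thing to alert on and rate-limit at the edge, rather than all of 53/udp.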
IllIlIlllIll join:2003-07-06 Hampton Bays, NY | I meant to capture for about 5 seconds, then "save as" in Wireshark and attach it here (or you can send it by private message if you want).
-- Suffolk County NY Police Feed - www.scpdny.com | PS3 Gaming Feed - www.livestream.com/elitedata
OOLost | Save for different sources, they're all recursions for RIPE.NET ANY. Attempting to flood them out, no doubt.
The Cisco871W need was a red herring. I have several spare routers here, but OOL "techs" suggested that all three of my 851s were bad so, to pander to them, I plugged in an 871W. It's the dumb things you have to do to appease idiots, I suppose. I wasn't about to go reconfigure an 1800 I have on the residential service to use on the biz connection. I use the 1800 only because it still has dual radios: 802.11a and 802.11b/g. The rest of the neighborhood has polluted the 2.4GHz band with their toy Linksys, Belkin and Netgear routers, wireless telephones and microwaves. Using a spectrum analyzer, I only found a small 5GHz low-power lobe, making me about the only 5GHz consumer in the immediate vicinity.
Back to the issue at hand...
Why they're bothering me, I know not.
$ dig +recurs @OOLost.net ripe.net any

; <<>> DiG 9.7.0-P1 <<>> +recurs @OOLost.net ripe.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 29129
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ripe.net.                      IN      ANY

;; Query time: 20 msec
;; SERVER: 24.xx.yy.26#53(24.xx.yy.26)
;; WHEN: Wed Sep 26 15:10:39 2012
;; MSG SIZE  rcvd: 26
| reply to OOLost
said by OOLost: It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe. Sorry, but don't get acrimonious with me.
It's pretty asinine to insult the only one helping you... just saying.
| reply to OOLost
said by OOLost: said by cablewizzard: One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:
ip access-list extended Deny-DDoS-ACL
 deny ip 72.8.128.0 0.0.63.255 any
 deny ip 209.205.64.0 0.0.31.255 any
 permit ip any any
This ACL is applied to the interface as:
ip access-group Deny-DDoS-ACL in
Yesterday, this ACL had been:
deny udp any any eq domain
The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood. I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard: Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
Yes.
said by cablewizzard: How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.
Since ACLing the offenders, it's not too, too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard: No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described. Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.
Right. Learn Cisco IOS.
ip access-group Deny-DDoS-ACL in
                              ^^
It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe. Sorry, but don't get acrimonious with me.
Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.