
OOLost (Anon, @optonline.net) to EliteData

Re: Need help configuring my Cisco871W with Optimum Static IP

I was running for a bit and now the connection is toast. I'm ready to cancel my business account. This router was configured eons ago and it worked just fine. Now, all of a sudden, I'm getting these issues and they've been getting progressively worse in the past two weeks. I've also changed out the routers. I have 2 Cisco 851s and one Cisco 871W. The problem occurs with all, so I'm convinced it is not my kit.

interface FastEthernet4
description WAN
ip address 24.xx.yy.26 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect MYFW out
ip nat outside
ip nat enable
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.yy.25

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.1.2 24.xx.yy.26
ip nat inside source static 192.168.1.4 24.xx.yy.28
ip nat inside source static 192.168.1.64 24.xx.yy.29
ip nat inside source static 192.168.1.7 24.xx.yy.30

That should be right, is it not???

jaa (Premium Member, join:2000-06-13)

Do you still think it is a DoS attack on your IP?

I have no idea what a Cisco configuration looks like, but to me it seems you are assigning the .26 address twice.

I think it is your router config - try a simpler config, perhaps for one attached device, and see if it works.

Or throw out the Cisco equipment and spend $15 on a Netgear.

OOLost (Anon, @optonline.net)

I had a "Cisco" guru give me the green-light on the configuration. The configuration of Fa4 is correct. Netgear? Toys.

efrem (Member, join:2002-04-03, Westport, CT)

Just want to clarify that you are indeed using the correct subnet and IP addresses assigned to you by CV.

You say you have 5 addresses .... you really should have 7.

One is the subnet
One is the default gateway
Four are the addressable individual IPs
One is the broadcast address for the subnet.

It does not appear to me that you are using that scheme with the addresses you listed above.

You might want to double-check that.

OOLost (Anon, @optonline.net)

said by efrem:

Just want to clarify that you are indeed using the correct subnet and IP addresses assigned to you by CV.

You say you have 5 addresses .... you really should have 7.

One is the subnet
One is the default gateway
Four are the addressable individual IPs
One is the broadcast address for the subnet.

It does not appear to me that you are using that scheme with the addresses you listed above.

You might want to double-check that.

Really? Talk that over with the OOL folks then. I was told:

24.xx.yy.24/29
24.xx.yy.25 -- gateway
24.xx.yy.26 -- 1st assignable IP
24.xx.yy.27 -- 2nd assignable IP
24.xx.yy.28 -- 3rd assignable IP
24.xx.yy.29 -- 4th assignable IP
24.xx.yy.30 -- 5th assignable IP
24.xx.yy.31 -- broadcast

efrem (Member, join:2002-04-03, Westport, CT)

My bad. For some reason I thought it was 4 usable addresses, but you are correct, they actually assign 5.

OOLost (Anon, @optonline.net)

Things have come back to normal.

After calling OOL yesterday, OOL did some testing and saw the packet loss to the DPQ3925. They rolled a technician who replaced the drop because he found that there was water and some corrosion in the connection at the pole. Also, there was a reset of the DPQ3925 earlier in the day which seemed to have cleared the issue of the incessant traffic to the router. A configuration change perhaps? I/you will never know as there's no way to view the configuration of the DPQ3925. I recovered my router's configuration from its ftp backup (easier than undoing all of the crazy things I tried to figure out what was banging on the router's interface) and all's well.

Also, it appears that OOL deleted my reverse-DNS. That'd explain a number of bizarre things like mail bouncing back and remote SQL query complaints. I'm waiting still for OOL to contact me about this particular issue.

I can now get back to working on a deadline project waylaid several days with this OOL debacle.

OOLost (Anon)

The holiday didn't last long.

I finally had enough and I put an old hub (10bT) between the DPQ3925 and my Cisco router interface. I then fired up Wireshark on a Linux laptop on its wired Ethernet interface and plugged it into the hub so that it could see the traffic between the two.

Yup. It's a DDoS on DNS. I've presently gotten port 53 disabled via an ACL on the Cisco, but I now have no DNS.

HOW DO I GET OOL TO UNDERSTAND THAT THIS IS HAPPENING?

I called them again yesterday and all they did was roll another cable tech out. That's NOT going to fix this problem. They need to intercede to stop this attack.

jaa (Premium Member, join:2000-06-13)

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

Do you think it is a DDoS attack on all your IP addresses?

Have you asked OOL to assign you a different block of IP addresses?

I am skeptical of a DDoS attack. Too coincidental that the attack started at the same time OOL changed equipment, and that your Mac would work ok connected to the OOL equipment. I also do not recall anyone else posting about a DDoS attack on this forum in the past 10 years, but you could be the first.

OOLost (Anon, @optonline.net)

said by jaa:

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

You think like an OOL tech.
said by jaa:

Do you think it is a DDoS attack on all your IP addresses?

Would you like me to post all 800000 Wireshark captures?
said by jaa:

Have you asked OOL to assign you a different block of IP addresses?

I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.

cablewizzard (Member, join:2009-06-14, Woodbury, NY) to OOLost

One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.

No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.

Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.

EliteData (Premium Member, join:2003-07-06, Philippines) to OOLost

said by OOLost :

said by jaa:

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

You think like an OOL tech.
said by jaa:

Do you think it is a DDoS attack on all your IP addresses?

Would you like me to post all 800000 Wireshark captures?
said by jaa:

Have you asked OOL to assign you a different block of IP addresses?

I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.

Can you post a small packet capture from Wireshark?

OOLost (Anon, @optonline.net) to cablewizzard

said by cablewizzard:

One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?

I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:

ip access-list extended Deny-DDoS-ACL
deny ip 72.8.128.0 0.0.63.255 any
deny ip 209.205.64.0 0.0.31.255 any
permit ip any any

This ACL is applied to the interface as:

ip access-group Deny-DDoS-ACL in

Yesterday, this ACL had been:

deny udp any any eq domain

The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.

I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard:

Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?

Yes.
said by cablewizzard:

How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.

Since ACLing the offenders, it's not too too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard:

No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.

Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.

Right. Learn Cisco IOS.
ip access-group Deny-DDoS-ACL in
--------------------------------------^^

It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

OOLost (Anon) to EliteData

said by EliteData:

Can you post a small packet capture from Wireshark?

Here you go, on incoming from 72.8.190.97 doing a standard query of RIPE.NET ANY.

0000 00 1f 9e 03 36 c3 f4 5f d4 cf c2 03 08 00 45 00 ....6.._ ......E.
0010 00 42 03 85 40 00 75 11 0d e7 48 08 be 61 18 xx .B..@.u. ..H..a..
0020 yy 1a 00 35 00 35 00 2e 00 00 03 b8 01 00 00 01 ...5.5.. ........
0030 00 00 00 00 00 01 04 72 69 70 65 03 6e 65 74 00 .......r ipe.net.
0040 00 ff 00 01 00 00 29 10 00 00 00 80 00 00 00 00 ......). ........
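
Decoding the frame above as an added example (not code posted in this thread): it parses the Ethernet, IPv4, UDP and DNS layers of that hex dump and lists the traits that mark the query as a reflection probe rather than an ordinary resolver lookup. The two masked octets of the destination address (xx yy) are replaced by 00 00, a constructed stand-in so that the bytes parse.

```python
import struct

# Hex dump of the flood packet posted above, ASCII column dropped. The masked
# octets of the destination address (xx yy) are 00 00 here: a constructed stand-in.
HEXDUMP = """
0000 00 1f 9e 03 36 c3 f4 5f d4 cf c2 03 08 00 45 00
0010 00 42 03 85 40 00 75 11 0d e7 48 08 be 61 18 00
0020 00 1a 00 35 00 35 00 2e 00 00 03 b8 01 00 00 01
0030 00 00 00 00 00 01 04 72 69 70 65 03 6e 65 74 00
0040 00 ff 00 01 00 00 29 10 00 00 00 80 00 00 00 00
"""
QTYPE_ANY = 255  # ANY asks for every RRset held for the name
RR_OPT = 41      # EDNS(0) pseudo-record advertising the sender's UDP size

def hexdump_to_bytes(dump):
    """Turn an offset-prefixed hex dump into raw bytes."""
    return bytes.fromhex("".join("".join(l.split()[1:]) for l in dump.split("\n") if l))

def read_name(buf, off):
    """Read an uncompressed DNS name at off; returns (name, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) or ".", off + 1

def parse_frame(frame):
    """Parse Ethernet/IPv4/UDP/DNS just far enough to judge the query."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 17:
        raise ValueError("not UDP")
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    dns = frame[14 + ihl + 8:]
    txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_name(dns, 12)
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    off += 4  # skip QTYPE and QCLASS
    edns = None
    for _ in range(arcount):  # additional section: look for the OPT record
        _, off = read_name(dns, off)
        rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10 + rdlen
        if rtype == RR_OPT:  # CLASS carries the UDP size, TTL bit 15 is DO
            edns = {"udp_size": udp_size, "do": bool(ttl & 0x8000)}
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "id": txid, "rd": bool(flags & 0x0100),
            "qname": qname, "qtype": qtype, "edns": edns}

def reflection_indicators(p):
    """Traits separating a reflection probe from an ordinary resolver query."""
    hits = []
    if p["qtype"] == QTYPE_ANY:
        hits.append("QTYPE ANY: requests the largest possible answer")
    if p["edns"] and p["edns"]["udp_size"] >= 4096:
        hits.append("EDNS UDP size %d: invites a big single reply" % p["edns"]["udp_size"])
    if p["edns"] and p["edns"]["do"]:
        hits.append("DO bit set: DNSSEC records would inflate the reply further")
    if p["sport"] == 53:
        hits.append("source port 53: resolvers normally use random ephemeral ports")
    return hits

if __name__ == "__main__":
    pkt = parse_frame(hexdump_to_bytes(HEXDUMP))
    print(pkt["src"], "->", pkt["dst"], pkt["qname"], "type", pkt["qtype"])
    for hit in reflection_indicators(pkt):
        print(" -", hit)
```

The same four traits are what a rate limit or response-rate-limiting rule on the authoritative server would key on, since the spoofed source addresses themselves cannot be trusted.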

EliteData (Premium Member, join:2003-07-06, Philippines)

I meant to capture for about 5 seconds, then "save as" in Wireshark and attach it here (or you can send it by private message if you want).

OOLost (Anon, @optonline.net)

Save for different sources, they're all recursions for RIPE.NET ANY. Attempting to flood them out, no doubt.

The Cisco871W need was a red herring. I have several spare routers here but OOL "techs" suggested that all three of my 851s were bad so, to pander to them, I plugged in an 871W. It's the dumb things you have to do to appease idiots, I suppose. I wasn't about to go reconfigure an 1800 I have on the residential service to use on the biz connection. I use the 1800 only because it still has dual radios: 802.11a and 802.11b/g. The rest of the neighborhood has polluted the 2.4GHz band with their toy Linksys, Belkin and Netgear routers, wireless telephones and microwaves. Using a spectrum analyzer, I found only a small 5GHz low-power lobe, making me about the only 5GHz consumer in the immediate vicinity.

Back to the issue at hand...

Why they're bothering me, I know not.

$ dig +recurs @OOLost.net ripe.net any

; <<>> DiG 9.7.0-P1 <<>> +recurs @OOLost.net ripe.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 29129
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ripe.net. IN ANY

;; Query time: 20 msec
;; SERVER: 24.xx.yy.26#53(24.xx.yy.26)
;; WHEN: Wed Sep 26 15:10:39 2012
;; MSG SIZE rcvd: 26

root (Member, join:2002-12-11) to OOLost

said by OOLost
It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

It's pretty asinine to insult the only one helping you...just saying.

cabletecht (Member, join:2012-06-08) to OOLost

said by OOLost :

said by cablewizzard:

One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?

I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:

ip access-list extended Deny-DDoS-ACL
deny ip 72.8.128.0 0.0.63.255 any
deny ip 209.205.64.0 0.0.31.255 any
permit ip any any

This ACL is applied to the interface as:

ip access-group Deny-DDoS-ACL in

Yesterday, this ACL had been:

deny udp any any eq domain

The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.

I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard:

Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?

Yes.
said by cablewizzard:

How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.

Since ACLing the offenders, it's not too too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard:

No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.

Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.

Right. Learn Cisco IOS.
ip access-group Deny-DDoS-ACL in
--------------------------------------^^

It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.

OOLost (Anon, @optonline.net) to root

said by root:

said by OOLost
It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

It's pretty asinine to insult the only one helping you...just saying.

It was pretty asinine to insult the one who was looking for an answer too.
And the condescension was completely uncalled for in "One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS."

FWIW, maybe all you so called "wizards" should learn to read and understand what I've experienced. »www.shortestpathfirst.ne ··· attacks/

On the positive side, the traffic has subsided once again. I'm leaving my ACLs in place though for now.

If you will look at the networks that I listed previously, they are owned by organizations which provide DDoS mitigation services or devices to mitigate DDoS attacks. Either way, they were the targets and chances are that the IP addresses which appeared as the sourcing addresses (their networks) were spoofed/feigned. My router, of course, doesn't know the difference but ACLing them off did mitigate the attack AFAIAC. Whether or not the intended targets are seeing any mitigation in the attack is of no concern to me.

EliteData (Premium Member, join:2003-07-06, Philippines) to root

said by root:

said by OOLost
It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

It's pretty asinine to insult the only one helping you...just saying.

and a few others providing assistance as well.

OOLost (Anon, @optonline.net) to cabletecht

said by cabletecht:

Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.

Isn't this forum's title: Forums > US Cable Support > OptimumOnline ???

Nobody said it was "being CAUSED by cablevisions services." There WAS a problem with the service. I was getting no help with the problem from the service provider. The service provider failed to listen to the customer. The service provider wasted both parties' time, money and resources because they wouldn't (or couldn't) listen. OOL treated the whole event like a loss of TV service issue. All the techs in the world (5 here in the past week) replacing the cable drops, connections and splitters would not/could not have mitigated the issue.

Well, it's clear now that Optimum Online is NOT an internet company; they're a TV service and continue to offer cable-TV support instead of internet support.

Is there a Forums > US Cable Support > OptimumOnline ? Business Service forum?

jaa (Premium Member, join:2000-06-13) to OOLost

said by OOLost :

said by jaa:

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

You think like an OOL tech.

You post like a politician.

Is that a yes or a no??

limegrass69 (No Whammies, Member, join:2008-05-28)

said by jaa:

said by OOLost :

said by jaa:

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

You think like an OOL tech.

You post like a politician.

Is that a yes or a no??

That depends on what the definition of "is" is.

OOLost (Anon, @optonline.net) to jaa

said by jaa:

said by OOLost :

said by jaa:

Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?

You think like an OOL tech.

You post like a politician.

Is that a yes or a no??

Yeah, my Mac still works and my refrigerator still runs. How does that relate to this?

frdrizzt (Member, join:2008-05-03, Ronkonkoma, NY) to OOLost

said by OOLost :

said by cabletecht:

Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.

Isn't this forum's title: Forums > US Cable Support > OptimumOnline ???

Nobody said it was "being CAUSED by cablevisions services." There WAS a problem with the service. I was getting no help with the problem from the service provider. The service provider failed to listen to the customer. The service provider wasted both parties' time, money and resources because they wouldn't (or couldn't) listen. OOL treated the whole event like a loss of TV service issue. All the techs in the world (5 here in the past week) replacing the cable drops, connections and splitters would not/could not have mitigated the issue.

Well, it's clear now that Optimum Online is NOT an internet company; they're a TV service and continue to offer cable-TV support instead of internet support.

Is there a Forums > US Cable Support > OptimumOnline ? Business Service forum?

Any company who provides advanced support for configuring your LAN setup/equipment is going to make you pay a premium for that. You just aren't going to find that with a $50 service (really no difference in the support you are requesting from standard BOOL & Boost/Ultra & STIP). Not to say the support is poor, just that it does not cover the area you are looking for. The end point of the support is the CV-provided equipment, not the chair at the connected computer that is being accessed.

jaa (Premium Member, join:2000-06-13) to OOLost

So your Mac has no problem with a static IP connected to the CV router, but when your Cisco router is connected to the CV router you are experiencing a DDoS attack?

Seems odd to me, that is all.

And where is your refrigerator running to??

OOLost (Anon, @optonline.net) to frdrizzt

Whether OOL can not or simply will not assist with configuration of the company's LAN and kit past the interface OOL provides does not concern me. That's perfectly fine with me. However, they then, without having any knowledge thereof, tell their customer that IT IS configuration beyond that point that IS at fault. In this case, it was clearly NOT at fault; it was functioning perfectly and properly. The router(s) connected to the DPQ3925 was(were) properly configured. The incessant traffic -- due to a DNS DDoS -- was THE issue. OOL could have easily taken a look at the traffic that was being sent to my subnet -- much more easily than I could -- and, at least, offered an explanation for it. This is simply NOT a business class service, regardless of how much or how little is paid for it.

The "level" of service provided smacks in the face at the claims made in all of the OOL advertisement upon the television and such. The latest claim is that they will not be one of those "life interruptions." Having one's business brought to a virtual halt isn't a "life interruption?"

I do hope that OOL "techs" have been reading this. My hope would be that OOL management might have been reading along too. Rolling out the wire jockeys costs OOL money and, in this case, needless costs. It keeps other customers waiting when they are deployed needlessly too.

FWIW, the DNS DDoS ceased sometime in the late afternoon yesterday and has not started up again. ACLing the 2 networks on the router interface had nothing to do with it. Either the source(s) of the attack was(were) discovered or the other machine(s) in the exploit was(were) finally secured.

root (Member, join:2002-12-11)

said by OOLost :

I do hope that OOL "techs" have been reading this. My hope would be that OOL management might have been reading along too. Rolling out the wire jockeys costs OOL money and, in this case, needless costs. It keeps other customers waiting when they are deployed needlessly too.

I'm sure some CV employees have read this...and while some may have even responded out of their own free will and desire to help, your complete lack of respect for people taking their own time to offer help probably made them not give a shit anymore.

jaa (Premium Member, join:2000-06-13) to OOLost

I'm sure CV has closed out the ticket - "CPE Issue Resolved by Customer".

Glad you are up and running again.

OOLost (Anon, @optonline.net)

said by jaa:

I'm sure CV has closed out the ticket - "CPE Issue Resolved by Customer".

Glad you are up and running again.

But this was NOT a CPE issue! Is that how they sweep this under the rug?