 efrem join:2002-04-03 Westport, CT | reply to OOLost
Re: Need help configuring my Cisco871W with Optimum Static IP
My bad. For some reason I thought it was 4 usable addresses, but you are correct, they actually assign 5.
Things have come back to normal.
After calling OOL yesterday, OOL did some testing and saw the packet loss to the DPQ3925. They rolled a technician who replaced the drop because he found that there was water and some corrosion in the connection at the pole. Also, there was a reset of the DPQ3925 earlier in the day which seemed to have cleared the issue of the incessant traffic to the router. A configuration change perhaps? I/you will never know as there's no way to view the configuration of the DPQ3925. I recovered my router's configuration from its ftp backup (easier than undoing all of the crazy things I tried to figure out what was banging on the router's interface) and all's well.
Also, it appears that OOL deleted my reverse DNS. That'd explain a number of bizarre things like mail bouncing back and remote SQL query complaints. I'm still waiting for OOL to contact me about this particular issue.
I can now get back to working on a deadline project waylaid several days by this OOL debacle.
The holiday didn't last long.
I finally had enough and I put an old hub (10bT) between the DPQ3925 and my Cisco router interface. I then fired up Wireshark on a Linux laptop on its wired ethernet interface and plugged it into the hub so that it could see the traffic between the two.
Yup. It's a DDoS on DNS. I've presently got port 53 disabled via an ACL on the Cisco, but I now have no DNS.
HOW DO I GET OOL TO UNDERSTAND THAT THIS IS HAPPENING?
I called them again yesterday and all they did was roll another cable tech out. That's NOT going to fix this problem. They need to intercede to stop this attack.
jaa Premium join:2000-06-13 kudos:2 Reviews: Optimum Online, Vonage | 1 edit
Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?
Do you think it is a DDoS attack on all your IP addresses?
Have you asked OOL to assign you a different block of IP addresses?
I am skeptical of a DDoS attack. Too coincidental that the attack started the same time OOL changed equipment, and that your Mac would work ok connected to the OOL equipment. I also do not recall anyone else posting about a DDoS attack on this forum in the past 10 years, but you could be the first.
said by jaa: Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?
You think like an OOL tech.
said by jaa: Do you think it is a DDoS attack on all your IP addresses?
Would you like me to post all 800000 Wireshark captures?
said by jaa: Have you asked OOL to assign you a different block of IP addresses?
I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.
| reply to OOLost
One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs? Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to? How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.
No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.
Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.
IllIlIlllIll EliteData Premium join:2003-07-06 Hampton Bays, NY kudos:7 | reply to OOLost
said by OOLost: said by jaa: Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?
You think like an OOL tech.
said by jaa: Do you think it is a DDoS attack on all your IP addresses?
Would you like me to post all 800000 Wireshark captures?
said by jaa: Have you asked OOL to assign you a different block of IP addresses?
I was told when I called today that they don't do that but... that a Sr. tech would call me... Save for my PITA daughter and telemarketers, the phone has been silent.
Can you post a small packet capture from Wireshark?
-- Suffolk County NY Police Feed - »www.scpdny.com PS3 Gaming Feed - »www.livestream.com/elitedata
| reply to cablewizzard
said by cablewizzard: One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:

ip access-list extended Deny-DDoS-ACL
 deny ip 72.8.128.0 0.0.63.255 any
 deny ip 209.205.64.0 0.0.31.255 any
 permit ip any any

This ACL is applied to the interface as:

ip access-group Deny-DDoS-ACL in

Yesterday, this ACL had been:

deny udp any any eq domain

The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.
I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard: Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
Yes.
said by cablewizzard: How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.
Since ACLing the offenders, it's not too too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard: No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.
Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.
Right. Learn Cisco IOS.

ip access-group Deny-DDoS-ACL in
                              ^^

It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe.
Sorry but don't get acrimonious with me.
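The exchange above turns on the difference between filtering everything on port 53 and filtering only what arrives inbound from a few source ranges. The following is an added example, not code from the thread and not a Cisco tool: it models Cisco-style wildcard-mask matching (a 1 bit in the mask means "don't care"), first-match semantics and the implicit deny at the end of an IOS ACL, then runs the two ACLs from the post against constructed inbound packets. The address 24.0.0.26 is a stand-in for the poster's masked static IP, the sample packets are invented, and the earlier single-line ACL is shown with an assumed "permit ip any any" after it, because the post quotes only its deny entry.

```python
"""Model the two inbound ACLs from the thread and show what each one drops.

Added example. Cisco wildcard masks, first-match evaluation and the implicit
deny are implemented here in plain Python; the sample packets are constructed
and 24.0.0.26 stands in for the poster's masked address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str                 # "udp", "tcp", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    """One entry: <action> <proto> <src> <src-wildcard> <dst> <dst-wildcard> [eq <dport>]."""
    action: str
    proto: str                 # "ip" matches every protocol
    src_net: str
    src_wc: str
    dst_net: str
    dst_wc: str
    dport: Optional[int] = None


ANY = ("0.0.0.0", "255.255.255.255")     # what the keyword "any" expands to


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask is "don't care"; 0 bits must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    wc = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ wc
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return (wildcard_match(pkt.src, ace.src_net, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst_net, ace.dst_wc))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; index None means the implicit deny fired."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


# ip access-list extended Deny-DDoS-ACL, exactly as posted.
DENY_DDOS_ACL = [
    Ace("deny", "ip", "72.8.128.0", "0.0.63.255", *ANY),     # 72.8.128.0/18
    Ace("deny", "ip", "209.205.64.0", "0.0.31.255", *ANY),   # 209.205.64.0/19
    Ace("permit", "ip", *ANY, *ANY),
]

# Yesterday's temporary ACL: the posted deny line plus an ASSUMED permit after it.
TEMP_ACL = [
    Ace("deny", "udp", *ANY, *ANY, dport=53),                # "eq domain" is port 53
    Ace("permit", "ip", *ANY, *ANY),
]

# Constructed packets as they would arrive inbound on the WAN interface.
SAMPLES = {
    "flood query (source from the posted dump)": Packet("udp", "72.8.190.97", "24.0.0.26", 53, 53),
    "ordinary query to the authoritative server": Packet("udp", "198.51.100.7", "24.0.0.26", 40321, 53),
    "reply to a lookup the site itself sent out": Packet("udp", "203.0.113.53", "24.0.0.26", 53, 51822),
    "inbound HTTPS to a web host": Packet("tcp", "198.51.100.9", "24.0.0.26", 50000, 443),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """For each sample packet: (Deny-DDoS-ACL verdict, temporary ACL verdict)."""
    return {name: (evaluate(DENY_DDOS_ACL, p)[0], evaluate(TEMP_ACL, p)[0])
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (new, old) in compare().items():
        print(f"{name:45s} Deny-DDoS-ACL={new:6s} temp ACL={old}")
```

Run stand-alone it prints one line per sample. The blanket "deny udp any any eq domain" applied inbound drops the flood but also every legitimate query to the authoritative server, while leaving replies to the site's own lookups (which arrive on a high port) untouched; the source-range version drops only the two ranges and lets ordinary queries through.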
| reply to IllIlIlllIll
said by IllIlIlllIll: Can you post a small packet capture from Wireshark?
Here you go, on incoming from 72.8.190.97 doing a standard query of RIPE.NET ANY.

0000  00 1f 9e 03 36 c3 f4 5f d4 cf c2 03 08 00 45 00   ....6.._ ......E.
0010  00 42 03 85 40 00 75 11 0d e7 48 08 be 61 18 xx   .B..@.u. ..H..a..
0020  yy 1a 00 35 00 35 00 2e 00 00 03 b8 01 00 00 01   ...5.5.. ........
0030  00 00 00 00 00 01 04 72 69 70 65 03 6e 65 74 00   .......r ipe.net.
0040  00 ff 00 01 00 00 29 10 00 00 00 80 00 00 00 00   ......). ........
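The dump is short enough to read by hand, but a small decoder makes the observation reproducible and shows what a detection rule could key on. This is an added example, not code from the thread: it walks the Ethernet, IPv4, UDP and DNS headers of that frame and lists the traits of the query. The two masked bytes of the destination address ("xx yy" in the post) are replaced with constructed 00 00, so the destination decodes as 24.0.0.26, a stand-in; the feature descriptions are my wording, and only the uncompressed-name, single-question case is handled.

```python
"""Decode the DNS query frame from the thread and flag its notable traits.

Added example, not from the thread. The masked destination bytes are replaced
by constructed 00 00, so the decoded destination is a stand-in address.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Hex dump from the post, with the masked "xx yy" replaced by constructed 00 00.
FRAME_HEX = """
00 1f 9e 03 36 c3 f4 5f d4 cf c2 03 08 00 45 00
00 42 03 85 40 00 75 11 0d e7 48 08 be 61 18 00
00 1a 00 35 00 35 00 2e 00 00 03 b8 01 00 00 01
00 00 00 00 00 01 04 72 69 70 65 03 6e 65 74 00
00 ff 00 01 00 00 29 10 00 00 00 80 00 00 00 00
"""
FRAME = bytes.fromhex(FRAME_HEX)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
QTYPE_ANY = 255
RRTYPE_OPT = 41          # EDNS0 pseudo-RR


def read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Read an uncompressed DNS name at off; return (dotted name, next offset)."""
    labels: List[str] = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(data[off:off + n].decode("ascii"))
        off += n


def decode_frame(frame: bytes = FRAME) -> Dict[str, object]:
    """Walk Ethernet -> IPv4 -> UDP -> DNS and return the fields of interest."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])

    udp = ip[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:ulen]                       # UDP length counts its own 8-byte header

    txid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", dns[:12])
    if qdcount != 1:
        raise ValueError("example handles exactly one question")
    qname, off = read_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    off += 4

    edns: Optional[Dict[str, object]] = None
    for _ in range(arcount):                # OPT lives in the additional section
        _owner, off = read_name(dns, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:
            # In OPT the CLASS field carries the sender's UDP payload size and
            # bit 15 of the TTL field is the DNSSEC OK (DO) bit.
            edns = {"udp_payload_size": rclass, "do_bit": bool(rttl & 0x8000)}

    return {
        "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl,
        "sport": sport, "dport": dport, "udp_checksum": ucsum,
        "txid": txid, "is_query": not (flags & 0x8000), "rd": bool(flags & 0x0100),
        "qname": qname, "qtype": qtype, "edns": edns,
    }


def notable_features(info: Dict[str, object]) -> List[str]:
    """Traits a detection rule could key on for this kind of query."""
    found = []
    if info["qtype"] == QTYPE_ANY:
        found.append("qtype ANY: asks for every record at the name, the largest answer a server will give")
    edns = info["edns"]
    if edns and edns["udp_payload_size"] >= 4096:
        found.append("EDNS0 payload size %d: invites a multi-kilobyte UDP reply to a query a few dozen bytes long"
                     % edns["udp_payload_size"])
    if info["sport"] == 53:
        found.append("source port 53: a real stub resolver sends from a random ephemeral port")
    if info["udp_checksum"] == 0:
        found.append("UDP checksum 0: legal on IPv4 but unusual for a resolver-generated query")
    return found


if __name__ == "__main__":
    info = decode_frame()
    print(info)
    for line in notable_features(info):
        print(" -", line)
```

The decoded frame is a 38-byte query for ripe.net ANY with an EDNS0 buffer of 4096 bytes and the DO bit set, sent from port 53 with a zero UDP checksum and TTL 117. The reply to such a query is many times larger than the query, which is why the later observation in the thread that the apparent sources were themselves the targets fits: an authoritative server that answers ANY for a name it serves would reflect a large response toward whatever address was written into the source field.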
IllIlIlllIll EliteData Premium join:2003-07-06 Hampton Bays, NY kudos:7 |
I meant to capture for about 5 seconds, then "save as" in Wireshark and attach it here (or you can send it by private message if you want).
-- Suffolk County NY Police Feed - »www.scpdny.com PS3 Gaming Feed - »www.livestream.com/elitedata
Save for different sources, they're all recursions for RIPE.NET ANY. Attempting to flood them out, no doubt.
The Cisco871W need was a red herring. I have several spare routers here but OOL "techs" suggested that all three of my 851s were bad so, to pander to them, I plugged in an 871W. It's the dumb things you have to do to appease idiots, I suppose. I wasn't about to go reconfigure an 1800 I have on the residential service to use on the biz connection. I use the 1800 only because it still has dual radios: 802.11a and 802.11b/g. The rest of the neighborhood has polluted the 2.4GHz band with their toy Linksys, Belkin and Netgear routers, wireless telephones and microwaves. Using a spectrum analyzer, I only found a small 5GHz low-power lobe, making me about the only 5GHz consumer in the immediate vicinity.
Back to the issue at hand...
Why they're bothering me, I know not.

$ dig +recurs @OOLost.net ripe.net any

; <<>> DiG 9.7.0-P1 <<>> +recurs @OOLost.net ripe.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 29129
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ripe.net.                      IN      ANY

;; Query time: 20 msec
;; SERVER: 24.xx.yy.26#53(24.xx.yy.26)
;; WHEN: Wed Sep 26 15:10:39 2012
;; MSG SIZE  rcvd: 26
| reply to OOLost
said by OOLost: It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe. Sorry but don't get acrimonious with me.
It's pretty asinine to insult the only one helping you...just saying.
| reply to OOLost
said by OOLost: said by cablewizzard: One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:
ip access-list extended Deny-DDoS-ACL / deny ip 72.8.128.0 0.0.63.255 any / deny ip 209.205.64.0 0.0.31.255 any / permit ip any any
This ACL is applied to the interface as: ip access-group Deny-DDoS-ACL in
Yesterday, this ACL had been: deny udp any any eq domain
The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.
I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard: Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
Yes.
said by cablewizzard: How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.
Since ACLing the offenders, it's not too too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard: No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscribers' service is impacted - this is not part of the service as described.
Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.
Right. Learn Cisco IOS. ip access-group Deny-DDoS-ACL in (note the "in")
It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe. Sorry but don't get acrimonious with me.
Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.
| reply to ShockTech
said by ShockTech: said by OOLost: It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe. Sorry but don't get acrimonious with me.
It's pretty asinine to insult the only one helping you...just saying.
It was pretty asinine to insult the one who was looking for an answer too. And the condescension was completely uncalled for in "One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS."
FWIW, maybe all you so-called "wizards" should learn to read and understand what I've experienced. »www.shortestpathfirst.net/2009/1···attacks/
On the positive side, the traffic has subsided once again. I'm leaving my ACLs in place though for now.
If you will look at the networks that I listed previously, they are owned by organizations which provide DDoS mitigation services or devices to mitigate DDoS attacks. Either way, they were the targets and chances are that the IP addresses which appeared as the sourcing addresses (their networks) were spoofed/feigned. My router, of course, doesn't know the difference, but ACLing them off did mitigate the attack AFAIAC. Whether or not the intended targets are seeing any mitigation in the attack is of no concern to me.
IllIlIlllIll EliteData Premium join:2003-07-06 Hampton Bays, NY kudos:7 | reply to ShockTech
said by ShockTech: said by OOLost: It's BEcause, not cause... learn English too. Acronyms are suffixed with just the suffix sans the apostrophe. Sorry but don't get acrimonious with me.
It's pretty asinine to insult the only one helping you...just saying.
And a few others providing assistance as well.
-- Suffolk County NY Police Feed - »www.scpdny.com PS3 Gaming Feed - »www.livestream.com/elitedata
| reply to cabletecht
said by cabletecht: Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.
Isn't this forum's title: Forums > US Cable Support > OptimumOnline ???
Nobody said it was "being CAUSED by cablevisions services." There WAS a problem with the service. I was getting no help with the problem from the service provider. The service provider failed to listen to the customer. The service provider wasted both parties' time, money and resources because they wouldn't (or couldn't) listen. OOL treated the whole event like a loss-of-TV-service issue. All the techs in the world (5 here in the past week) replacing the cable drops, connections and splitters would not/could not have mitigated the issue.
Well, it's clear now that Optimum Online is NOT an internet company; they're a TV service and continue to offer cable-TV support instead of internet support.
Is there a Forums > US Cable Support > OptimumOnline ? Business Service forum?
jaa Premium join:2000-06-13 kudos:2 Reviews: Optimum Online, Vonage | reply to OOLost
said by OOLost: said by jaa: Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?
You think like an OOL tech.
You post like a politician.
Is that a yes or a no??
-- NOTHING justifies terrorism. We don't negotiate with terrorists. Those that support terrorists are terrorists.
said by jaa: said by OOLost: said by jaa: Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?
You think like an OOL tech.
You post like a politician. Is that a yes or a no??
That depends on what the definition of "is" is.
| reply to jaa
said by jaa: said by OOLost: said by jaa: Does your Mac still work ok if you disconnect your router and connect directly to the OOL router?
You think like an OOL tech.
You post like a politician. Is that a yes or a no??
Yeah, my Mac still works and my refrigerator still runs. How does that relate to this?
Reviews: Optimum Online | reply to OOLost
said by OOLost: said by cabletecht: Isn't there a networking forum you can post this on? I don't see how this issue is being caused by Cablevision's services.
Isn't this forum's title: Forums > US Cable Support > OptimumOnline ???
Nobody said it was "being CAUSED by cablevisions services." There WAS a problem with the service. I was getting no help with the problem from the service provider. The service provider failed to listen to the customer. The service provider wasted both parties' time, money and resources because they wouldn't (or couldn't) listen. OOL treated the whole event like a loss-of-TV-service issue. All the techs in the world (5 here in the past week) replacing the cable drops, connections and splitters would not/could not have mitigated the issue.
Well, it's clear now that Optimum Online is NOT an internet company; they're a TV service and continue to offer cable-TV support instead of internet support.
Is there a Forums > US Cable Support > OptimumOnline ? Business Service forum?
Any company that provides advanced support for configuring your LAN setup/equipment is going to make you pay a premium for that. You just aren't going to find that with a $50 service (really no difference in the support you are requesting from standard BOOL & Boost/Ultra & STIP). Not to say the support is poor, just that it does not cover the area you are looking for. The end point of the support is the CV-provided equipment, not the chair at the connected computer that is being accessed.