cablewizzard
join:2009-06-14
Woodbury, NY

cablewizzard to OOLost

Member

to OOLost

Re: Need help configuring my Cisco871W with Optimum Static IP

One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?
Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?
How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.

No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscriber's service is impacted - this is not part of the service as described.

Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.

OOLost
@optonline.net

OOLost

Anon

said by cablewizzard:

One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?

I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:

ip access-list extended Deny-DDoS-ACL
deny ip 72.8.128.0 0.0.63.255 any
deny ip 209.205.64.0 0.0.31.255 any
permit ip any any

This ACL is applied to the interface as:

ip access-group Deny-DDoS-ACL in

Yesterday, this ACL had been:

deny udp any any eq domain

The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.

I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard:

Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?

Yes.
said by cablewizzard:

How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.

Since ACLing the offenders, it's not too too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard:

No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscriber's service is impacted - this is not part of the service as described.

Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.

Right. Learn Cisco IOS.
ip access-group Deny-DDoS-ACL in
--------------------------------------^^

It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.
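
An added example, not part of the original posts: a small evaluator that processes the two ACLs quoted in the post above the way an inbound extended ACL is processed (top down, first match wins, wildcard-mask address matching, implicit deny at the end). The packets and the 192.0.2.10 server address are constructed stand-ins, and the trailing "permit ip any any" on the temporary ACL is an assumption, since the post shows only its deny line.

```python
import ipaddress

# ACLs as quoted in the thread. TEMP_FIX is assumed to have ended with
# "permit ip any any"; the post shows only its deny line.
TWO_NETS = ["deny ip 72.8.128.0 0.0.63.255 any",
            "deny ip 209.205.64.0 0.0.31.255 any",
            "permit ip any any"]
TEMP_FIX = ["deny udp any any eq domain", "permit ip any any"]

def _addr(tok):
    """Consume 'any' or 'base wildcard'; return ((base, wild), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    pair = (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1])))
    return pair, tok[2:]

def parse_ace(line):
    """Parse '<action> <proto> <src> <dst> [eq <port>]' (destination port only)."""
    tok = line.split()
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = 53 if rest[1] == "domain" else int(rest[1])
    return tok[0], tok[1], src, dst, dport

def addr_match(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, pkt):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, proto, src, dst, dport in map(parse_ace, acl):
        if proto in ("ip", pkt["proto"]) and addr_match(src, pkt["src"]) \
                and addr_match(dst, pkt["dst"]) and dport in (None, pkt["dport"]):
            return action
    return "deny"

SERVER = "192.0.2.10"  # constructed stand-in for the static IP running DNS
PACKETS = {            # constructed packets arriving inbound on the WAN interface
    "flood_query":         dict(proto="udp", src="72.8.130.5",   dst=SERVER, dport=53),
    "legit_query":         dict(proto="udp", src="198.51.100.7", dst=SERVER, dport=53),
    "reply_to_own_lookup": dict(proto="udp", src="203.0.113.53", dst=SERVER, dport=33000),
    "just_outside_range":  dict(proto="udp", src="72.8.192.1",   dst=SERVER, dport=53),
}

def compare():
    """Map packet name -> (verdict under TEMP_FIX, verdict under TWO_NETS)."""
    return {n: (evaluate(TEMP_FIX, p), evaluate(TWO_NETS, p)) for n, p in PACKETS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22s} temp={verdicts[0]:6s} two-nets={verdicts[1]}")
```

Applied inbound, the temporary rule matches on destination port 53, so it drops every query addressed to the server while replies to the site's own lookups (source port 53, ephemeral destination port) still pass; the two-network rule drops only the listed source ranges.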
root
join:2002-12-11

root

Member

said by OOLost
It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

It's pretty asinine to insult the only one helping you...just saying.

cabletecht
join:2012-06-08

cabletecht to OOLost

Member

to OOLost
said by OOLost :

said by cablewizzard:

One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS. Can you be specific about the inbound traffic? Is it coming from a very large number of IP source addresses, and going to port 53/udp on one of your 5 static IPs?

I've identified two networks which I've now denied in the ACL instead of killing off all port 53 traffic:

ip access-list extended Deny-DDoS-ACL
deny ip 72.8.128.0 0.0.63.255 any
deny ip 209.205.64.0 0.0.31.255 any
permit ip any any

This ACL is applied to the interface as:

ip access-group Deny-DDoS-ACL in

Yesterday, this ACL had been:

deny udp any any eq domain

The above was a temporary fix until I had the time today to sort out all of the IPs which were sourcing the flood.

I'll leave it to you to determine if the routers in these networks are "P-o-crap Belkins."
said by cablewizzard:

Do you run a (registered) authoritative DNS server as a matter of regular business at the IP the traffic is going to?

Yes.
said by cablewizzard:

How does this impact your service, specifically your outbound traffic (DNS, HTTP)? If you have nothing responding to that traffic, it should NOT be filling your upstream.

Since ACLing the offenders, it's not too too bad. There's still a load of crap banging away on the incoming WAN interface.
said by cablewizzard:

No, OOL will not do anti-DDoS filtering for static-IP, unless the DDoS becomes so great that other subscriber's service is impacted - this is not part of the service as described.

Also, your ACL'ing of such traffic is likely wrong: if DoS traffic is inbound to 53/udp, then that's all you should filter, not OUTBOUND TO 53/udp, cause that's your own, presumably legit DNS queries.

Right. Learn Cisco IOS.
ip access-group Deny-DDoS-ACL in
--------------------------------------^^

It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

isn't there a networking forum you can post this on? don't see how this issue is being caused by cablevisions services

OOLost
@optonline.net

OOLost to root

Anon

to root
said by root:

said by OOLost
It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

It's pretty asinine to insult the only one helping you...just saying.

It was pretty asinine to insult the one who was looking for an answer too.
And the condescension was completely uncalled for in "One man's defective P-o-crap Belkin router generating a DNS flood is another man's DDoS."

FWIW, maybe all you so called "wizards" should learn to read and understand what I've experienced. »www.shortestpathfirst.ne ··· attacks/

On the positive side, the traffic has subsided once again. I'm leaving my ACLs in place though for now.

If you will look at the networks that I listed previously, they are owned by organizations which provide DDoS mitigation services or devices to mitigate DDoS attacks. Either way, they were the targets and chances are that the IP addresses which appeared as the sourcing addresses (their networks) were spoofed/feigned. My router, of course, doesn't know the difference but ACLing them off did mitigate the attack as AFAIAC. Whether or not the intended targets are seeing any mitigation in the attack is of no concern to me.

EliteData
EliteData
Premium Member
join:2003-07-06
Philippines

EliteData to root

Premium Member

to root
said by root:

said by OOLost
It's BEcause, not cause... learn English too.
Acronyms are suffixed with just the suffix sans the apostrophe.

Sorry but don't get acrimonious with me.

It's pretty asinine to insult the only one helping you...just saying.

and a few others providing assistance as well.

OOLost
@optonline.net

OOLost to cabletecht

Anon

to cabletecht
said by cabletecht:

isn't there a networking forum you can post this on? don't see how this issue is being caused by cablevisions services

Isn't this forum's title: Forums > US Cable Support > OptimumOnline ???

Nobody said it was "being CAUSED by cablevisions services." There WAS a problem with the service. I was getting no help with the problem from the service provider. The service provider failed to listen to the customer. The service provider wasted both parties' time, money and resources because they wouldn't (or couldn't) listen. OOL treated the whole event like a loss of TV service issue. All the techs in the world (5 here in the past week) replacing the cable drops, connections and splitters would not/could not have mitigated the issue.

Well, it's clear now that Optimum Online is NOT an internet company; they're a TV service and continue to offer cable-TV support instead of internet support.

Is there a Forums > US Cable Support > OptimumOnline ? Business Service forum?
frdrizzt
join:2008-05-03
Ronkonkoma, NY

frdrizzt

Member

said by OOLost :

said by cabletecht:

isn't there a networking forum you can post this on? don't see how this issue is being caused by cablevisions services

Isn't this forum's title: Forums > US Cable Support > OptimumOnline ???

Nobody said it was "being CAUSED by cablevisions services." There WAS a problem with the service. I was getting no help with the problem from the service provider. The service provider failed to listen to the customer. The service provider wasted both parties' time, money and resources because they wouldn't (or couldn't) listen. OOL treated the whole event like a loss of TV service issue. All the techs in the world (5 here in the past week) replacing the cable drops, connections and splitters would not/could not have mitigated the issue.

Well, it's clear now that Optimum Online is NOT an internet company; they're a TV service and continue to offer cable-TV support instead of internet support.

Is there a Forums > US Cable Support > OptimumOnline ? Business Service forum?

Any company who provides advanced support for configuring your LAN setup/equipment is going to make you pay a premium for that. You just aren't going to find that with a $50 service (really no difference in the support you are requesting from standard BOOL & Boost/Ultra & STIP). Not to say the support is poor, just that it does not cover the area you are looking for. The end point of the support is the CV-provided equipment, not the chair at the connected computer that is being accessed.

OOLost
@optonline.net

OOLost

Anon

Whether OOL can not or simply will not assist with configuration of the company's LAN and kit past the interface OOL provides does not concern me. That's perfectly fine with me. However, they then, without having any knowledge thereof, tell their customer that IT IS configuration beyond that point that IS at fault. In this case, it was clearly NOT at fault; it was functioning perfectly and properly. The router(s) connected to the DPQ3925 was(were) properly configured. The incessant traffic -- due to a DNS DDoS -- was THIS issue. OOL could have easily taken a look at the traffic that was being sent to my subnet -- and much easier than I too -- and, at least, offered an explanation for it. This is simply NOT a business class service, regardless of how much or how little is paid for it.

The "level" of service provided smacks in the face at the claims made in all of the OOL advertisement upon the television and such. The latest claim is that they will not be one of those "life interruptions." Having one's business brought to a virtual halt isn't a "life interruption?"

I do hope that OOL "techs" have been reading this. My hope would be that OOL management might have been reading along too. Rolling out the wire jockeys costs OOL money and, in this case, needless costs. It keeps other customers waiting when they are deployed needlessly too.

FWIW, the DNS DDoS ceased sometime in the late afternoon yesterday and has not started up again. ACLing the 2 networks on the router interface had nothing to do with it. Either the source(s) of the attack was(were) discovered or the other machine(s) in the exploit was(were) finally secured.
root
join:2002-12-11

1 recommendation

root

Member

said by OOLost :

I do hope that OOL "techs" have been reading this. My hope would be that OOL management might have been reading along too. Rolling out the wire jockeys costs OOL money and, in this case, needless costs. It keeps other customers waiting when they are deployed needlessly too.

I'm sure some CV employees have read this...and while some may have even responded out of their own free will and desire to help, your complete lack of respect for people taking their own time to offer help probably made them not give a shit anymore.

jaa
Premium Member
join:2000-06-13

jaa to OOLost

Premium Member

to OOLost
I'm sure CV has closed out the ticket - "CPE Issue Resolved by Customer".

Glad you are up and running again.

OOLost
@optonline.net

OOLost

Anon

said by jaa:

I'm sure CV has closed out the ticket - "CPE Issue Resolved by Customer".

Glad you are up and running again.

But this was NOT a CPE issue! Is that how they sweep this under the rug?

jaa
Premium Member
join:2000-06-13

jaa

Premium Member

said by OOLost :

said by jaa:

I'm sure CV has closed out the ticket - "CPE Issue Resolved by Customer".

Glad you are up and running again.

But this was NOT a CPE issue! Is that how they sweep this under the rug?

Just telling you how they see it. Works with their laptop, your Mac - to them any other problem is CPE.