marcelm
join:2006-06-19
Ancaster, ON

marcelm

Member

[INTERNET] - What to do when you experience a DDoS attack?

I subscribe to Cogeco Business service (unlimited). Generally good bandwidth etc. I have 5 static IP addresses.

Last week I noticed some significant problems with VOIP service. Jitter was over 20 ms with lots of call breakups etc. Tracked the problem to a misconfigured router that was responding to a DDoS attack. Reconfigured, and everything is OK with VOIP.

BUT I am still getting a huge number (1M pings an hour, +/-) of UDP packets from a network starting with 108.162.0.0 to at least two of my static IPs.

I have contacted Cogeco tech support and network security asking them to 'turn off' the packets from further up the system. No effective response from Cogeco.

HELP! What do I do with this traffic? I have set up my computers not to respond to these UDP packets but is that it? I just have to ignore an obvious problem?

Oh great Cogeco gurus, please help!

Bry
join:2008-12-31
Canada

Bry

Member

This is a normal part of Internet life, and you did the right thing by temporarily blocking the replies.

It's likely you weren't even the target, but may have been an unwilling participant in another form of attack, a so-called reflected DoS, where legitimate errors generated by your systems are used against someone else.

I don't know how you're supposed to go about coordinating with Cogeco during attacks, but they need a better online presence. I don't think they ever reply to emails.

In the meantime, you may want to look into implementing rate limiting, if you haven't already.

-Bry.

urbanriot
Premium Member
join:2004-10-18
Canada

urbanriot to marcelm

Premium Member

to marcelm
You can always change your IP by changing your MAC address / network card. A Cogeco tech might be able to aid you with that as well, if you specifically ask them to... not sure, never done that.

nevertheless
Premium Member
join:2002-03-08
St Catharines, ON

nevertheless

Premium Member

said by urbanriot:

You can always change your IP by changing your MAC address / network card. A Cogeco tech might be able to aid you with that as well, if you specifically ask them to... not sure, never done that.

He's a static subscriber, his IPs are not assigned by DHCP.
nevertheless

nevertheless to marcelm

Premium Member

to marcelm
said by marcelm:

HELP! What do I do with this traffic? I have set up my computers not to respond to these UDP packets but is that it? I just have to ignore an obvious problem?

As has already been posted, chances are that this is a reflection attack that was using your devices rather than something targeted at you.

You mention pings and udp packets in the same sentence. Were they pings (ICMP) or were they UDP packets? Without packet captures it'll be difficult to say what the issue really was (is?), but I'd suspect that someone found that you'd answer requests and started using you as a reflector of their attack--possibly an amplifier as well.

Insofar as turning the packets off further up the network, that can be done if it warrants it, but unless this is actually a targeted attack it will go away on its own after your packets are no longer useful to them.

RE: responses from Cogeco Security, they're usually quite responsive to actual problems but AFAICR the abuse process for static customers is a little different than for dynamically assigned subscribers. PM me one of your IP addresses you escalated and I'll take a look.
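The reflector/amplifier pattern described above, as an added example that is not part of any post in this thread: it parses DNS wire data, classifies each query by whether an outside host is asking the server to recurse, and computes how many bytes a spoofed victim receives per byte the attacker sent. The LAN range (192.168.1.0/24), the "hosted" zone (example.com) and all packets are constructed for the example; 203.0.113.5 stands in for the spoofed victim.

```python
"""Added example: spotting DNS reflection/amplification traffic from DNS wire
data. Constructed packets only, no real capture."""
import ipaddress
import struct
from collections import Counter

# Assumptions for the example: the LAN that may use us recursively, and the
# zones we are authoritative for. Neither comes from the thread.
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
OUR_ZONES = ("example.com.",)


def encode_qname(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def parse_qname(data, offset):
    """Decode a name at offset, following 0xC0 compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_dns(data):
    """Header fields plus the first question of a DNS message."""
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = parse_qname(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": ident, "is_response": bool(flags & 0x8000),  # QR
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "qname": qname, "qtype": qtype,
            "ancount": an, "size": len(data)}


def build_query(ident, qname, qtype=255, rd=True):
    flags = 0x0100 if rd else 0  # RD = "please recurse for me"
    return (struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
            + encode_qname(qname) + struct.pack("!HH", qtype, 1))


def build_bogus_response(query, answers=20, txt_len=200):
    """Constructed reply: the question echoed, then `answers` TXT records whose
    owner name is a pointer (0xC00C) back to the question. Stands in for the
    large ANY answer that makes an open resolver a good amplifier."""
    ident, flags = struct.unpack("!HH", query[:4])
    hdr = struct.pack("!HHHHHH", ident, flags | 0x8080, 1, answers, 0, 0)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, txt_len + 1)
          + bytes([txt_len]) + b"x" * txt_len)
    return hdr + query[12:] + rr * answers


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker had to send."""
    return len(response) / len(query)


def classify(src_ip, packet):
    q = parse_dns(packet)
    if q["is_response"]:
        return "response"
    if any(q["qname"] == z or q["qname"].endswith("." + z) for z in OUR_ZONES):
        return "authoritative"          # we host it; answering is legitimate
    local = any(ipaddress.ip_address(src_ip) in n for n in ALLOWED_NETS)
    if q["rd"] and not local:
        return "open-recursion-abuse"   # outsider asking us to recurse
    return "ok"


def summarize(packets):
    """packets: iterable of (src_ip, raw_udp_payload). Returns class counts and
    the sources behind the abusive queries (the spoofed victims, in practice)."""
    classes, victims = Counter(), Counter()
    for src, raw in packets:
        c = classify(src, raw)
        classes[c] += 1
        if c == "open-recursion-abuse":
            victims[src] += 1
    return classes, victims


# Constructed sample: 30 spoofed ANY queries for a big zone "from" the victim
# 203.0.113.5, two LAN lookups, one query for a zone we actually serve.
SAMPLE = ([("203.0.113.5", build_query(i, "isc.org.")) for i in range(30)]
          + [("192.168.1.10", build_query(40, "isc.org.", qtype=1))] * 2
          + [("198.51.100.7", build_query(41, "www.example.com.", qtype=1, rd=False))])

if __name__ == "__main__":
    print(summarize(SAMPLE))
    q = build_query(1, "isc.org.")
    print("amplification x%.0f" % amplification_factor(q, build_bogus_response(q)))
```

The tell-tale is the combination: RD set, source outside your own networks, and a name you are not authoritative for. Those queries are the ones an open resolver answers on the attacker's behalf, and the size ratio shows why the attacker bothers; the 64-byte queries mentioned earlier in the thread turn into kilobyte replies aimed at whoever was spoofed as the source.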
marcelm
join:2006-06-19
Ancaster, ON

marcelm

Member

My apologies for complicating matters by confusing PINGS (ICMPs) and UDP packets.

The problem is 64-byte UDP packets originating from port 8 and targeting my port 53 (DNS). Right now about 25 to 35 packets per second.
cog_biz_user
i ruin threads apparently
join:2011-04-19

cog_biz_user

Member

Are you running DNS? Sounds like you're getting a reflection attack. Those seem to be quite common unfortunately. You could block the spoofed destination on your side, it would reduce the amount of traffic going across your connection, but it's not a permanent solution, as they can change the destination at will.

I've tried talking to Cogeco about it in the past as well, but they didn't really do much about it then either. It would be nice if they would block anomalous traffic upstream, but I'm sure they have their reasons (money, staffing).

nevertheless
Premium Member
join:2002-03-08
St Catharines, ON

nevertheless to marcelm

Premium Member

to marcelm
FYI, marcelm See Profile is running an Open DNS Resolver at this time and is definitely being used as a DNS reflector.

Cogeco Abuse sent him a warning in mid-August about this behaviour and asked him to deal with it, but they never got a response.

If the attack continues at any pace after marcelm See Profile stops being an Open Resolver I'm sure that we can help with this traffic.
TechNut2
join:2010-05-17
canada

TechNut2

Member

said by nevertheless:

FYI, marcelm See Profile is running an Open DNS Resolver at this time and is definitely being used as a DNS reflector.

Cogeco Abuse sent him a warning in mid-August about this behaviour and asked him to deal with it, but they never got a response.

If the attack continues at any pace after marcelm See Profile stops being an Open Resolver I'm sure that we can help with this traffic.

I had a similar problem a few months ago. Cogeco seems to be a favourite target for DNS reflection attacks. When I corrected the issue, the packet rate dropped... it took about 2 or 3 weeks for the attempts to completely go away. I'm on static Business as well.

My only gripe is I wish Cogeco Abuse would call. I never use my Cogeco email address, and emailing me there is not good. At the very least, I wish they would update the billing system to support additional/alternative email address so when this happens you can be contacted.

Good thing Business is "unlimited"; there were some days where 10-15GB of data was being eaten by these attacks.

Cogeco_Asa
Ignorance is bliss
join:2005-08-17
Trois-Rivieres, QC

1 recommendation

Cogeco_Asa

Member

said by TechNut2:

Cogeco seems to be a favourite target for DNS reflection attacks.

Just out of curiosity, why do you think that Cogeco seems to be a favorite target for such attacks?

dillyhammer
START me up
Premium Member
join:2010-01-09
Scarborough, ON

dillyhammer

Premium Member

said by Cogeco_Asa:

Just out of curiosity, why do you think that Cogeco seems to be a favorite target for such attacks?

I'm curious too.

I didn't suffer any more unusual traffic while on Cogeco (twice) than I did while on @home, Magma, Rogers or TSI (twice).

The nature of the internet and networks in general result in that kind of traffic, it's wholly unpredictable, and sometimes it's really bad.

That's why metering and UBB should be illegal. Just sayin'.



Mike

kim
MVM,
join:2001-03-25
ON

kim to TechNut2

MVM,

to TechNut2
said by TechNut2:

My only gripe is I wish Cogeco Abuse would call. I never use my Cogeco email address, and emailing me there is not good. At the very least, I wish they would update the billing system to support additional/alternative email address so when this happens you can be contacted.

I've updated my email on the Cogeco Self Serve site as I don't use my cogeco email addy either.

I've never had a way to test that this will actually work though.

urbanriot
Premium Member
join:2004-10-18
Canada

urbanriot to dillyhammer

Premium Member

to dillyhammer
said by dillyhammer:

I didn't suffer any more unusual traffic while on Cogeco (twice) than I did while on @home, Magma, Rogers or TSI (twice).

In my many years of utilizing Cogeco's services, both residential and business, I've never experienced the effects of any kind of attack. I've logged plenty of brute force attempts with various services but I've never noticed adverse performance on home or business networks caused by anything outside my network.

Personally, I'd rather Cogeco doesn't attempt to affect incoming traffic and leave that up to me.
marcelm
join:2006-06-19
Ancaster, ON

1 recommendation

marcelm

Member

The conclusion:

Yes, I was running an Open DNS Server. My bad. I did not understand the concept of recursion. Hopefully I am now running a Closed DNS server for my domain names.

But: there is an inherent problem in Cogeco's only using the 'official' Cogeco email to communicate the problem to me. I understand there is a fix in process for this, but it is curious that in the multiple times I called technical support they were not aware I had received such notices.

All in all, yet another learning experience.
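The "closed" server marcelm describes, as an added example rather than anything posted in the thread: a policy function that answers only for its own zones and refuses recursion for outsiders, plus the response rate limiting Bry suggested earlier, since even a correctly closed authoritative server still reflects for the zones it must answer. It works on already-parsed (source, name, RD) tuples. The LAN range, the hosted zone (example.com), the limiter's budget and the flood itself are assumptions constructed for the example.

```python
"""Added example: what a closed authoritative server does with each query, plus
response rate limiting so answers for our own zones are not a free amplifier.
Works on already-parsed (source, qname, RD) tuples; constructed input only."""
import ipaddress
from collections import Counter, defaultdict

# Assumptions, not from the thread: the LAN allowed to recurse, our zones.
ALLOWED_RECURSION = [ipaddress.ip_network("192.168.1.0/24")]
OUR_ZONES = ("example.com",)
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def in_our_zones(qname):
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in OUR_ZONES)


def decide(src_ip, qname, rd):
    """Return (action, rcode). Recursion for outsiders is never an option:
    a name we do not host gets a small REFUSED, not a lookup on their behalf."""
    if in_our_zones(qname):
        return "answer", RCODE_NOERROR
    src = ipaddress.ip_address(src_ip)
    if rd and any(src in net for net in ALLOWED_RECURSION):
        return "recurse", RCODE_NOERROR
    return "refuse", RCODE_REFUSED


class ResponseRateLimiter:
    """Per (source /24, qname) budget per one-second window, in the spirit of
    BIND's rate-limit {} block. Over budget, every `slip`-th response is sent
    truncated (TC=1) so a genuine client retries over TCP; the rest are dropped."""

    def __init__(self, responses_per_second=5, slip=2):
        self.rate, self.slip = responses_per_second, slip
        self.counts = defaultdict(int)   # (window, net, qname) -> responses seen

    def allow(self, src_ip, qname, now):
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        key = (int(now), str(net), qname.lower())
        self.counts[key] += 1
        excess = self.counts[key] - self.rate
        if excess <= 0:
            return "send"
        return "truncate" if excess % self.slip == 0 else "drop"


def simulate(queries, limiter):
    """queries: (time, src_ip, qname, rd). Returns a count of what happened."""
    outcome = Counter()
    for t, src, qname, rd in queries:
        action, _ = decide(src, qname, rd)
        if action == "answer":
            outcome[limiter.allow(src, qname, t)] += 1
        else:
            outcome[action] += 1
    return outcome


# Constructed: 30 spoofed queries in one second "from" 203.0.113.5 for a zone
# we host (must be answered, hence RRL), 30 more for a zone we do not, and one
# legitimate recursive lookup from the LAN.
FLOOD = ([(i / 30, "203.0.113.5", "example.com", True) for i in range(30)]
         + [(i / 30, "203.0.113.5", "isc.org", True) for i in range(30)]
         + [(0.5, "192.168.1.10", "isc.org", True)])

if __name__ == "__main__":
    print(simulate(FLOOD, ResponseRateLimiter()))
```

In BIND the same two controls are `recursion no;` (or `allow-recursion { localnets; localhost; };` on a box that must also serve the LAN) and a `rate-limit { responses-per-second 5; slip 2; };` block in `options`; a quick external check is a recursive `dig` for a name you do not host from a host outside your networks, which should come back REFUSED.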

dillyhammer
START me up
Premium Member
join:2010-01-09
Scarborough, ON

dillyhammer

Premium Member

said by marcelm:

But: there is an inherent problem in Cogeco's only using the 'official' Cogeco email to communicate the problem to me.

It's beyond ridiculous really. Well beyond. I've never in all my life seen anything like it.

So now you know what EasyDNS puts up with.



Mike

urbanriot
Premium Member
join:2004-10-18
Canada

urbanriot to marcelm

Premium Member

to marcelm
said by marcelm:

But: there is an inherent problem in Cogeco's only using the 'official' Cogeco email to communicate the problem to me. I understand there is a fix in process for this but it is curious in the multiple times that I called technical support they were not able to know I had received such notices as well.

Personally, I feel it should be procedural to ask the customer if their primary email address will be their Cogeco email address or a pre-existing email address and if it's a pre-existing address, use that as the primary contact for all communications.
TechNut2
join:2010-05-17
canada

TechNut2 to Cogeco_Asa

Member

to Cogeco_Asa
Cable customers are well known targets. It's easy to look up the IP block for a big cable co and probe for who has an open relay. In my case, I had a bad firewall rule that was redirecting DNS requests to the wrong internal IP. The device that it was directed to has a known DNS vulnerability that cannot be fixed (it's old and not supported by the manufacturer anymore). So, given that cable networks tend to have big fast connections to home, and the variety of easy targets, that makes Cogeco a logical choice. Rogers, as I understand it, blocks the traffic when it detects the attacks. While it does happen on DSL ISPs, it's far less likely because the upload and latency tend to be higher. It's not really an effective attack, since you are trying to drown the victim in packets. Slow upload is not really great for that.

It's really a question of how you want to handle customer escalations. Do you block it, and then customers complain that you did it to protect them? Or do you leave it open, say it is happening, but let it go indefinitely? In my case, the use of that old DNS device was ongoing for over 6 months. At what point does the ISP step in? It went undetected until whoever was doing the attacks increased the number of packets per second. I only happened to notice because VoIP was starting to get laggy. I then reached out to Abuse after checking with Marcer (once he confirmed it was not a node issue) to find that this was something Cogeco had known about for months. My downloads on the whole were just fine, and because I'm on a Business account I'm not concerned about usage, so I never check it. If I was paying for usage, and overages because of this, and Cogeco knew but did nothing to stop it, well, I'm not sure I would be impressed, even if the fact was I had a bad device. If the ISP sees a problem, they need to do something about it. They could have at least called, and sent the email....

I can see on Enterprise accounts where Cogeco just provides a circuit and transit, that they would do nothing. But for the SMB space, especially with all the cap crap, and the relative capacity constraints of local nodes, this would be in Cogeco's best interest to resolve quickly, not just send an email and forget it.

urbanriot
Premium Member
join:2004-10-18
Canada

urbanriot

Premium Member

said by TechNut2:

But for the SMB space

In the SMB space, the businesses should have someone competent configure the DNS server that's responding to DNS requests rather than rely on the company that provides their connection to the internet.

What sort of equipment do you have between the internet and your DNS server?

dillyhammer
START me up
Premium Member
join:2010-01-09
Scarborough, ON

dillyhammer to TechNut2

Premium Member

to TechNut2
said by TechNut2:

But for the SMB space, especially with all the cap crap, and the relative capacity constraints of local nodes, this would be in Cogeco's best interest to resolve quickly, not just send an email and forget it.

Wait. Huh?

Cogeco, a government-sanctioned monopoly, takes action to benefit a customer and reduce net revenue as a result?

Am I reading that right or did I miss something?

Mike

urbanriot
Premium Member
join:2004-10-18
Canada

urbanriot

Premium Member

No, it sounds more along the lines of someone asking an internet service provider to do an IT service provider's job.
TechNut2
join:2010-05-17
canada

TechNut2 to urbanriot

Member

to urbanriot
said by urbanriot:

said by TechNut2:

But for the SMB space

In the SMB space, the businesses should have someone competent configure the DNS server that's responding to DNS requests rather than rely on the company that provides their connection to the internet.

What sort of equipment do you have between the internet and your DNS server?

I'm not sure you know what "SMB" means. In general, most small businesses who are the SMBs who would use a business internet service provided by Cogeco would likely NOT have someone to help set them up. In an ideal world, sure, but most do not.

What I would expect on an SMB connection is that if there is an ongoing attack on a system, the right thing for the ISP to do is some kind of intervention.

If you must know, I have an old cranky Nortel VPN box that has DNS turned on. It crashes when changing settings, but the VPN clients connect just fine. It was deciding to reply as an open DNS relay. Yes, I could go buy something else, but such is life. It was just a firewall rule pointing to the wrong IP. Otherwise, my other DNS servers do not have that issue, and it stopped once the IP address was changed.