

nevertheless
Premium,VIP
join:2002-03-08
St Catharines, ON
kudos:4
reply to marcelm

Re: [INTERNET] - What to do when you experience a DDoS attack?

FYI, marcelm is running an Open DNS Resolver at this time and is definitely being used as a DNS reflector.

Cogeco Abuse sent him a warning in mid-August about this behaviour and asked him to deal with it, but they never got a response.

If the attack continues at any pace after marcelm stops being an Open Resolver I'm sure that we can help with this traffic.
--
Some people think I'm an idiot. I disagree, but idiocy is subjective--so they may well be right. With this in mind, take everything I post with a grain of salt, eh?


TechNut2

join:2010-05-17
canada

said by nevertheless:

FYI, marcelm is running an Open DNS Resolver at this time and is definitely being used as a DNS reflector.

Cogeco Abuse sent him a warning in mid-August about this behaviour and asked him to deal with it, but they never got a response.

If the attack continues at any pace after marcelm stops being an Open Resolver I'm sure that we can help with this traffic.

I had a similar problem a few months ago. Cogeco seems to be a favourite target for DNS reflection attacks. When I corrected the issue, the packet rate dropped... it took about 2 or 3 weeks for the attempts to completely go away. I'm on static Business as well.

My only gripe is I wish Cogeco Abuse would call. I never use my Cogeco email address, and emailing me there is not good. At the very least, I wish they would update the billing system to support additional/alternative email address so when this happens you can be contacted.

Good thing Business is "unlimited"; there were some days where it was 10-15GB of data being eaten by these attacks.


Asawulf
Ignorance is bliss
VIP
join:2005-08-17
Trois-Rivieres, QC
kudos:4

1 recommendation

said by TechNut2:

Cogeco seems to be a favourite target for DNS reflection attacks.

Just out of curiosity, why do you think that Cogeco seems to be a favorite target for such attacks?


dillyhammer
START me up
Premium,MVM
join:2010-01-09
Scarborough, ON
kudos:10
Reviews:
·WIND Mobile
·Start Communicat..

said by Asawulf:

Just out of curiosity, why do you think that Cogeco seems to be a favorite target for such attacks?

I'm curious too.

I didn't suffer any more unusual traffic while on Cogeco (twice) than I did while on @home, Magma, Rogers or TSI (twice).

The nature of the internet and networks in general results in that kind of traffic, it's wholly unpredictable, and sometimes it's really bad.

That's why metering and UBB should be illegal. Just sayin'.



Mike
--
Cogeco - The New UBB Devil -»[Burloak] Usage Based Billing Nightmare
Cogeco UBB, No Modem Required - »[Niagara] 40gb of "usage" while the modem is unplugged


kim
That Chick
Premium,Mod
join:2001-03-25
ON
kudos:7
Reviews:
·Cogeco Cable
reply to TechNut2

said by TechNut2:

My only gripe is I wish Cogeco Abuse would call. I never use my Cogeco email address, and emailing me there is not good. At the very least, I wish they would update the billing system to support additional/alternative email address so when this happens you can be contacted.

I've updated my email on the Cogeco Self Serve site as I don't use my cogeco email addy either.

I've never had a way to test that this will actually work though.
--
Fluent in 3 languages: English, Sarcasm and Sexual Innuendo.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to dillyhammer

said by dillyhammer:

I didn't suffer any more unusual traffic while on Cogeco (twice) than I did while on @home, Magma, Rogers or TSI (twice).

In my many years of utilizing Cogeco's services, both residential and business, I've never experienced the effects of any kind of attack. I've logged plenty of brute force attempts with various services but I've never noticed adverse performance on home or business networks caused by anything outside my network.

Personally, I'd rather Cogeco doesn't attempt to affect incoming traffic and leave that up to me.

TechNut2

join:2010-05-17
canada
reply to Asawulf

Cable customers are well known targets. It's easy to look up the IP block for big cable co and probe for who has an open relay. In my case, I had a bad firewall rule that was redirecting DNS requests to the wrong internal IP. The device that it was directed to has a known DNS vulnerability that cannot be fixed (it's old and not supported by the manufacturer anymore). So, given that cable networks tend to have big fast connections to home, and the variety of easy targets, makes Cogeco a logical choice. Rogers, as I understand it, when it detects the attacks blocks the traffic. While it does happen on DSL ISPs, it's far likely because the upload and latency tends to be higher. It's not really an effective attack, since you are trying to drown the victim packets. Slow upload is not really great for that.

It's really a question of how do you want to handle customer escalations. Do you block it, then customers complain that you did it to protect them? Or do you leave it open say it is happening but let it go indefinitely. In my case, the use of that old DNS device was ongoing for over 6 months. At what point does the ISP step in? It went undetected until whoever was doing the attacks increased the number of packets per second. I only happened to notice because VoIP was starting to get laggy. I then reached out to Abuse after checking with Marcer (once he confirmed it was not a node issue) to find that this was something Cogeco knew about for months. My downloads on the whole were just fine, and because I'm on a Business account I'm not concerned about usage, I never check it. If I was paying for usage, and overages because of this, and Cogeco knew but did nothing to stop it, well, I'm not sure I would be impressed, even if the fact was I had a bad device. If the ISP sees a problem, they need to do something about it. They could have at least called, and sent the email....

I can see on Enterprise accounts where Cogeco just provides a circuit and transit, that they would do nothing. But for the SMB space, especially with all the cap crap, and the relative capacity constraints of local nodes, this would be in Cogeco's best interest to resolve quickly, not just send an email and forget it.



urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable

said by TechNut2:

But for the SMB space

In the SMB space, the businesses should have someone competent configure their DNS server that's responding to DNS requests rather than rely on the company that provides their connection to the internet.

What sort of equipment do you have between the internet and your DNS server?


dillyhammer
START me up
Premium,MVM
join:2010-01-09
Scarborough, ON
kudos:10
Reviews:
·WIND Mobile
·Start Communicat..
reply to TechNut2

said by TechNut2:

But for the SMB space, especially with all the cap crap, and the relative capacity constraints of local nodes, this would be in Cogeco's best interest to resolve quickly, not just send an email and forget it.

Wait. Huh?

Cogeco, a government-sanctioned monopoly, takes action to benefit a customer and reduce net revenue as a result?

Am I reading that right or did I miss something?

Mike
--
Cogeco - The New UBB Devil -»[Burloak] Usage Based Billing Nightmare
Cogeco UBB, No Modem Required - »[Niagara] 40gb of "usage" while the modem is unplugged


urbanriot
Premium
join:2004-10-18
Canada
kudos:3

No, it sounds more along the case of someone asking an internet service provider to do an IT service provider's job.


TechNut2

join:2010-05-17
canada
reply to urbanriot

said by urbanriot:

said by TechNut2:

But for the SMB space

In the SMB space, the businesses should have someone competent configure their DNS server that's responding to DNS requests rather than rely on the company that provides their connection to the internet.

What sort of equipment do you have between the internet and your DNS server?

I'm not sure you know what "SMB" means. In general, most small businesses who are the SMBs who would use a business internet service provided by Cogeco would likely NOT have someone to help set them up. In an ideal world, sure, but most do not.

What I would expect on an SMB connection is if there is an ongoing attack on a system, the right thing for the ISP to do is some kind of intervention.

If you must know, I have an old cranky Nortel VPN box that has DNS turned on. It crashes when changing settings, but the VPN clients connect just fine. It was deciding to reply as an open DNS relay. Yes, I could go buy something else, but, such is life. It was just a firewall rule pointing to the wrong IP. Otherwise, my other DNS servers do not have that issue, and it stopped once the IP address was changed.