Cogeco_Asa
Ignorance is bliss
join:2005-08-17
Trois-Rivieres, QC

1 recommendation

Cogeco_Asa to TechNut2

Member

to TechNut2

Re: [INTERNET] - What to do when you experience a DDoS attack?

said by TechNut2:

Cogeco seems to be a favourite target for DNS reflection attacks.

Just out of curiosity, why do you think that Cogeco seems to be a favorite target for such attacks?

dillyhammer
START me up
Premium Member
join:2010-01-09
Scarborough, ON

said by Cogeco_Asa:

Just out of curiosity, why do you think that Cogeco seems to be a favorite target for such attacks?

I'm curious too.

I didn't suffer any more unusual traffic while on Cogeco (twice) than I did while on @home, Magma, Rogers or TSI (twice).

The nature of the internet and networks in general results in that kind of traffic, it's wholly unpredictable, and sometimes it's really bad.

That's why metering and UBB should be illegal. Just sayin'.



Mike

urbanriot
Premium Member
join:2004-10-18
Canada

said by dillyhammer:

I didn't suffer any more unusual traffic while on Cogeco (twice) than I did while on @home, Magma, Rogers or TSI (twice).

In my many years of utilizing Cogeco's services, both residential and business, I've never experienced the effects of any kind of attack. I've logged plenty of brute force attempts with various services but I've never noticed adverse performance on home or business networks caused by anything outside my network.

Personally, I'd rather Cogeco doesn't attempt to affect incoming traffic and leave that up to me.
TechNut2
join:2010-05-17
canada

TechNut2 to Cogeco_Asa

Member

to Cogeco_Asa
Cable customers are well-known targets. It's easy to look up the IP block for a big cable co and probe for who has an open relay. In my case, I had a bad firewall rule that was redirecting DNS requests to the wrong internal IP. The device that it was directed to has a known DNS vulnerability that cannot be fixed (it's old and not supported by the manufacturer anymore). So, given that cable networks tend to have big fast connections to home, and the variety of easy targets, makes Cogeco a logical choice. Rogers, as I understand it, when it detects the attacks blocks the traffic. While it does happen on DSL ISPs, it's far likely because the upload and latency tends to be higher. It's not really an effective attack, since you are trying to drown the victim in packets. Slow upload is not really great for that.

It's really a question of how do you want to handle customer escalations. Do you block it, then customers complain that you did it to protect them? Or do you leave it open, say it is happening but let it go indefinitely? In my case, the use of that old DNS device was ongoing for over 6 months. At what point does the ISP step in? It went undetected until whoever was doing the attacks increased the number of packets per second. I only happened to notice because VoIP was starting to get laggy. I then reached out to Abuse after checking with Marcer (once he confirmed it was not a node issue) to find that this was something Cogeco knew about for months. My downloads on the whole were just fine, and because on a Business account I'm not concerned about usage, I never check it. If I was paying for usage, and overages because of this, and Cogeco knew but did nothing to stop it, well, I'm not sure I would be impressed, even if the fact was I had a bad device. If the ISP sees a problem, they need to do something about it. They could have at least called, and sent the email....

I can see on Enterprise accounts where Cogeco just provides a circuit and transit, that they would do nothing. But for the SMB space, especially with all the cap crap, and the relative capacity constraints of local nodes, this would be in Cogeco's best interest to resolve quickly, not just send an email and forget it.

urbanriot
Premium Member
join:2004-10-18
Canada

said by TechNut2:

But for the SMB space

In the SMB space, the business should have someone competent configure their DNS server that's responding to DNS requests rather than rely on the company that provides their connection to the internet.

What sort of equipment do you have between the internet and your DNS server?

dillyhammer
START me up
Premium Member
join:2010-01-09
Scarborough, ON

dillyhammer to TechNut2

Premium Member

to TechNut2
said by TechNut2:

But for the SMB space, especially with all the cap crap, and the relative capacity constraints of local nodes, this would be in Cogeco's best interest to resolve quickly, not just send an email and forget it.

Wait. Huh?

Cogeco, a government-sanctioned monopoly, takes action to benefit a customer and reduce net revenue as a result?

Am I reading that right or did I miss something?

Mike

urbanriot
Premium Member
join:2004-10-18
Canada

No, it sounds more along the case of someone asking an internet service provider to do an IT service provider's job.
TechNut2
join:2010-05-17
canada

TechNut2 to urbanriot

Member

to urbanriot
said by urbanriot:

said by TechNut2:

But for the SMB space

In the SMB space, the business should have someone competent configure their DNS server that's responding to DNS requests rather than rely on the company that provides their connection to the internet.

What sort of equipment do you have between the internet and your DNS server?

I'm not sure you know what "SMB" means. In general, most small businesses who are the SMBs who would use a business internet service provided by Cogeco would likely NOT have someone to help set them up. In an ideal world, sure, but most do not.

What I would expect on an SMB connection is if there is an ongoing attack on a system, the right thing for the ISP to do is some kind of intervention.

If you must know, I have an old cranky Nortel VPN box that has DNS turned on. It crashes when changing settings, but the VPN clients connect just fine. It was deciding to reply as an open DNS relay. Yes, I could go buy something else, but such is life. It was just a firewall rule pointing to the wrong IP. Otherwise, my other DNS servers do not have that issue, and it stopped once the IP address was changed.