DeLiver
Premium
join:2004-09-01
Cincinnatus, NY

[Internet] Anyone else suffering from a DNS DoS attack?

This has been going on for three weeks now. I'm on fixed IPs, and have changed those to try and avoid the asshats originating this. That worked for three days. 50-100 hits/second, at least 20% of my bandwidth chewed up with this noise. Yes, I can mitigate the problem with dropping the incoming requests at the firewall, but that doesn't get my service level back. I'm curious if the problem is limited to Frontier statics or if residential users are seeing this also. I'm on DSL, but putting this out to anyone else seeing this traffic in Frontier's network. Am I the unluckiest guy out here?


Ben J
Triple Play Architect
Premium
join:2011-09-16
Fort Wayne, IN
kudos:8
Do you have a small trace of the traffic you can post on a site somewhere?

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
A log snippet
A short snippet from the 5930 log...

IPs vary widely and cover the network subnet /30

No shame in sharing the IPs, it is near worthless at this point.


Ben J
Triple Play Architect
Premium
join:2011-09-16
Fort Wayne, IN
kudos:8
said by DeLiver:

IPs vary widely and cover the network subnet /30

Do you mean the source IPs vary widely and they are hitting all 4 destination IPs within your static /30? And you already re-IP'd through provisioning and the attack followed you to your new block?
--
Transparency Disclosure and Disclaimer: I am a Frontier employee posting in my own personal capacity. The opinions and positions expressed are my own and do not necessarily reflect those of Frontier.

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
Yes to both questions, and this is the fifth time I've tried to reply.

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
reply to Ben J
Another capture showing the subnet scan.

atigerman

join:2002-01-19
Tigerton, WI
reply to DeLiver
Have you contacted frontier about being DoS'ed?

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
said by atigerman:

Have you contacted frontier about being DoS'ed?

Yes, and followed their advice to change to different IPs. Days later, the attack found me again.


Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:3
I would change again and if it continued I would then begin looking at my own network to determine if there is something going on there.

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
We are scheduled for another change tomorrow. What do you suggest I look at in my networks that might be inviting these attacks? Are you suggesting an infected machine phoning home, or? We have no exposed DNS servers, so this attack seems pointless beyond being an annoyance.


Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:3
Yes, I would look at what is going on in my network. I think you have to look at all possibilities before you can rule anything out.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to DeLiver
Before changing IPs again, first make sure ALL systems on your network are clean and free of viruses, malware, etc. Clear browser caches and cookies first too, for ALL systems. It may be related to a site that is being visited.
--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation


Smith6612
Premium,MVM
join:2008-02-01
North Tonawanda, NY
kudos:24
reply to DeLiver
I'd suspect malware running somewhere in this case, on a computer or some other device, phoning home. Take every system offline and run a bootable AV scanner, and then see if anything else turns up while booting the OS in safe mode, the standard quick security checks. Be on the lookout too for anything that works as a DNS relay on your network, since traffic is pointing to port 53.

Another consideration, if you use a DNS provider to bind your IP address to a domain name, the traffic could be drawn from there.
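As an added example (not from the thread, and not DeLiver's 5930 log), here is a small Python check for the pattern described in this thread: inbound UDP traffic to port 53 from many unrelated sources hitting every address of a static /30. The log format and the addresses are constructed; the firewall log shape and the 50 hits/second threshold are assumptions based on the figures quoted above.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines (not from the original post): a handful of
# inbound UDP/53 drops against a static /30, plus one unrelated TCP accept.
SAMPLE_LOG = """\
2013-09-10 12:00:00 DROP UDP 203.0.113.7:4021 -> 198.51.100.1:53
2013-09-10 12:00:00 DROP UDP 203.0.113.90:5531 -> 198.51.100.2:53
2013-09-10 12:00:00 DROP UDP 192.0.2.44:3301 -> 198.51.100.1:53
2013-09-10 12:00:01 DROP UDP 192.0.2.45:3302 -> 198.51.100.3:53
2013-09-10 12:00:01 DROP UDP 203.0.113.8:4022 -> 198.51.100.0:53
2013-09-10 12:00:01 ACCEPT TCP 192.0.2.200:52214 -> 198.51.100.2:443
2013-09-10 12:00:01 DROP UDP 203.0.113.91:5532 -> 198.51.100.2:53
"""

# Assumed log layout: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def analyze_dns_flood(log_text, my_prefix, flood_pps=50):
    """Summarise inbound UDP/53 traffic aimed at my_prefix (e.g. the static /30).

    Returns peak packets per second, number of distinct sources, and how much
    of the prefix is being hit; coverage of 1.0 means every address was targeted,
    which is the 'subnet scan' DeLiver describes rather than a single stray client.
    """
    net = ipaddress.ip_network(my_prefix)
    per_second = Counter()
    sources, dsts = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP" or m["dport"] != "53":
            continue  # only inbound DNS-port traffic is of interest here
        if ipaddress.ip_address(m["dst"]) not in net:
            continue
        per_second[m["ts"]] += 1
        sources.add(m["src"])
        dsts.add(m["dst"])
    peak_pps = max(per_second.values(), default=0)
    coverage = len(dsts) / net.num_addresses  # a /30 has 4 addresses
    return {
        "packets": sum(per_second.values()),
        "peak_pps": peak_pps,
        "distinct_sources": len(sources),
        "dst_coverage": coverage,
        "subnet_scan": coverage == 1.0,
        "flood": peak_pps >= flood_pps,  # thread reports 50-100 hits/second
    }
```

On a real log the same function, fed a minute or more of lines, gives the numbers (peak rate, source spread, full-prefix coverage) worth quoting to the ISP when asking for an upstream filter.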

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
reply to NOYB
said by NOYB:

It may be related to a site that is being visited.

Exactly. Every site that is visited has your IP. One click off Google and it is available.

FWIW, I've gone through all the machines in the network prior to posting with a number of tools - nada. I see no reason to suspect something nefarious inside when things have been great for 11 years, with one infection. All users are locked down tight and we have always deployed a UTM device at the sites since day one.

And there are only 4.2 billion IPv4 addresses. Maybe I am just unlucky.

atigerman

join:2002-01-19
Tigerton, WI
reply to DeLiver
Just off hand, what are you using for a firewall?

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
reply to Smith6612
said by Smith6612:

Another consideration, if you use a DNS provider to bind your IP address to a domain name, the traffic could be drawn from there.

Yes, indeed. OpenDNS. I have since turned it off as a test. The next step is to turn off our PCI compliance scanner. There is a rat in the hen house somewhere.

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
reply to atigerman
Currently, a Cisco ISA550 and the Frontier-supplied Efficient 5930, which I think is the source of the problem. Out of the box, the Frontier configuration was to route to a /30, no NAT, no firewall, zip. I recently reset the routers to that configuration in anticipation of tomorrow's 'upgrade' to VDSL. Did I shoot myself in the foot?

atigerman

join:2002-01-19
Tigerton, WI
reply to DeLiver
So you were using the 5930 as the modem/firewall? Then how was the ISA550 being used in your network setup?

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
The 5930 was used strictly as a modem/router. The firewalls in the 5930 were turned on in response to this attack. I'd be perfectly happy with a dumb bridge at this point vs maintaining two devices.

atigerman

join:2002-01-19
Tigerton, WI
reply to DeLiver
I'm a little confused on the layout of your network and how everything is hooked together.

But you said you were using the 5930 as a modem/router and you turned on the firewall in response to the attack, so you never had a firewall in the network to begin with?

I'm assuming all of this is for a business?

I personally wouldn't place a lot of trust in the 5930's firewall to protect my network against an attack. What I use in my home network is the Frontier-supplied modem/router, but set up in a dumb bridge mode. Then I have a mini-ITX system I built using either Smoothwall or pfSense to take care of the firewall/router functions, which feeds an access point for my wireless needs and a switch to connect all of my other wired PCs.

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
Sigh. Asked and answered. The 5930 firewall was turned on as the attack caused the router to 'panic' and lose all connectivity. There has ALWAYS been a UTM device behind said routers.

As no one else is experiencing the problem, I'll end the topic here.


Ben J
Triple Play Architect
Premium
join:2011-09-16
Fort Wayne, IN
kudos:8
Do you run a DNS server in your network? If not, you can ask to push a temporary filter upstream from you to at least keep the traffic off your link and get you back online.

FTR Tech

join:2013-02-12
reply to DeLiver
DeLiver, we have had incidents in the past where specific areas of the country saw the 5930 modems targeted. If you call tech support at 800-239-4430 and explain what's happening we will be happy to get a repair ticket opened to get a new modem brought out and set up. The new modem will not be vulnerable to this type of attack. We apologize for any inconvenience this has caused.

ShellMMG

join:2009-04-16
Grass Lake, MI
If you're "our" Frontier tech, I'm glad to see you. Don't worry, I'm happy with my services (DSL 6mbps, naked).

My son said there was an outage somewhere between Chicago and Las Vegas, but that was last week, indicated by tracer. We only had problems with DDoS for a couple of days.

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
reply to Ben J
said by Ben J:

Do you run a DNS server in your network? If not, you can ask to push a temporary filter upstream from you to at least keep the traffic off your link and get you back online.

What are the magic words needed to request this filter?

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
reply to FTR Tech
said by FTR Tech:

DeLiver, we have had incidents in the past where specific areas of the country saw the 5930 modems targeted. If you call tech support at 800-239-4430 and explain what's happening we will be happy to get a repair ticket opened to get a new modem brought out and set up. The new modem will not be vulnerable to this type of attack. We apologize for any inconvenience this has caused.

We've just upgraded to VDSL2 and now have the Actiontec V1000W. I wouldn't know if we are still under attack; this device doesn't seem to expose any of the advanced features I'd expect in a business-class router. While the modem might not be affected directly, my bandwidth may still be in use and I can't tell. Ignorance is bliss, I guess.

DeLiver
Premium
join:2004-09-01
Cincinnatus, NY
reply to DeLiver
Just to complete the story - we upgraded to 20/3 VDSL2 service with the Actiontec V1000W routers/modems. With those bridged, we can now see the traffic and firewall data. No sign of any DNS requests incoming, so I think a change was made at the network level as suggested by Ben J. If so, thank you to whoever made that happen. In any case, we are happy campers at the moment. Anyone needing help bridging one of these, let me know and I can post what worked for me; it was not trivial.