DDOS... It's happening

[S4boost]

About 2 weeks ago a "friend of a friend" joined an xbox party I was in. My friends and I were in game chat (not party chat) and this person started counting down in messages 10,9,8 etc. He got to 1 and the next message said GAME OVER.

We all got booted. I came back online and rejoined the party and he was laughing about it and told me to chill it was just a minute cause he wanted us to come back to party chat.

Shortly after he started asking everyone "hey ______ do you live in xyz City/state"

I asked him what he was using he said CommView and was notating everyone's IPs.

He also mentioned he has "his own" botnet and its a real pain having to keep the bots happy. Also he can hit with 500GBs.

The following day I was in a party with him again and one of his friends joined, he said, "oh hey _____ let me make room in the party for you". My internet went down almost immediately for 7 hours.

At that point I contacted my ISP, Microsoft, Activision and Twitch. 3 days later i got a message from a random account and the message was a smiley face. I opened the profile for the account noticed it was a brand new account (no friends and no gamerscore) and the bio said "In remembrance of (the ddos'ers previous Microsoft account). Took them 9 years."

So, I gathered that microsoft had banned the Xbox account and he made a new one. Out of anger, he hit my internet again. This time for 9 hours.

I pulled up my Pace 5268 (AT&T) logs and saw 1800-2800 packets recieved every second and the firewall was catching about 20 packets every second to port 3074 (open on the modem) from all different ips. I searched a few of the ips in blacklist databases and each one was known as malicious.

So, with all this said, I have done 2 ATT gateway swaps, had a tech come out and spent at least 8 hours on the phone with tech support. They cannot force my WAN ip to change and their default is to just send a new gateway each time I call or offer a block of static IPs which can only be allocated to specific devices on the home network, meaning, I cannot allocate a static IP to broadband (wan) ip address.

The attacks have been going almost daily for 4-8 hours per day.

Currently, I have an AT&T fiber hub (switch) in my laundry room, a BGW-210 (AT&T gateway) with IP passthrough to the MAC address of my AC3100 with the most recent merlin firmware. I have also just purchased a vpn to prevent future attacks.

My issue is, ATT techs are adamant that they cannot force a WAN IP change... can this be true? Anyone have experience on how to handle this?

Also, I found out the person's identity. On the new account he had forgotten to hide his name. I googled the name and found that he lives in Manitoba Winnipeg, is not long out of highschool, and was given awards for his performance in a group called "cyber patrol" which is a youth competition for cyber defense.

 

[ColinTaylor]

I am not familiar with those AT&T devices, but assuming that they are just modems and not routers then your public IP address should be linked to the MAC address of your (Asus) router's WAN interface.

So to get a different public IP address you need to change the WAN MAC address on the router. That is why changing the AT&T equipment has no effect.

Log into the Asus and go to WAN > Internet Connection and enter a bogus MAC address under the "Special Requirement from ISP" section. I suggest you use your current WAN MAC address but increment the last but one hex digit by 1. So for example "18:31:BF:3A:31:80" would become "18:31:BF:3A:32:80".

Save the changes and then power off your router and modem. Wait 5 minutes before turning on the modem. Wait another 2 minutes and turn on the router. Hopefully you will now have a different public IP address.

 

[S4boost]

The gateway (modem router combo) is in IP passthrough mode which essentially prevents double NAT and firewalls on the Asus Mac address.

I am not familiar with those AT&T devices, but assuming that they are just modems and not routers then your public IP address should be linked to the MAC address of your (Asus) router's WAN interface.

So to get a different public IP address you need to change the WAN MAC address on the router. That is why changing the AT&T equipment has no effect.

Log into the Asus and go to WAN > Internet Connection and enter a bogus MAC address under the "Special Requirement from ISP" section. I suggest you use your current WAN MAC address but increment the last but one hex digit by 1. So "18:31:BF:3A:31:80" would become "18:31:BF:3A:32:80".

Save the changes and then power off your router and modem. Wait 5 minutes before turning on the modem. Wait another 2 minutes and turn on the router. Hopefully you will now have a different public IP address.

 

[L&LD]

@S4boost, have you tried to change the Asus Mac Address then for the WAN?

 

[System Error Message]

oh my, ditch those devices. Grab yourself a decent mikrotik and start using the firewall.

Some things you can do with the firewall.
- tarpit bad connections.
- forward the DDOS to that attacker (the packets will be very similar, so you can create a filter to identify those packets and forward it to him)
- report him to the police, make sure you gather as much evidence as you can.
- use QoS. Both TCP and UDP have tuning mechanisms so even for download you can restrict them to 1pp/s or if you must, restrict their bandwidth to 1KB/s. If he uses a protocol you dont use, you can outright tarpit if possible, if not use a blackhole.

Alternatively, contact your ISP to suspend the internet of the botnets, basically they consists of compromised hosts and the owners do not know that their hosts are compromised, so when their internet gets suspended, it'd force the owner to clean their network. If they can get a list of IPs and the time, it can be done, tell them if they dont do it you'll go public with how bad their DDOS handling is that they're letting illegitimate traffic take up everyones money for no good reason that they allow it on their network and allow it to cause a slow down for everyone else.

Make sure you get a powerful enough router. My CCR1036 was able to handle DDoS from amazon AWS back when it was filled with spammers and malicious users without breaking a sweat and causing any internet problems.

You can also do dual WAN, so you can have another WAN if you need so that you can redirect all the DDOS to it.

Consider setting up a linux based router like pfsense and utilise the IDS/IPS. You can also set up a IDS/IPS with mikrotik but it requires another device to run it.

 

[RMerlin]

If he is truly aiming a botnet DDOS at you then your ISP should take both legal and technical steps in resolving this. Provide them with all the info you have about the person doing these attacks. Legal authorities should be able to track him down fairly easily if he is also in the US.

 

[RMerlin]

Make sure you get a powerful enough router. My CCR1036 was able to handle DDoS from amazon AWS back when it was filled with spammers and malicious users without breaking a sweat and causing any internet problems.

That won't do you much good if he is aiming a botnet at you. While your router CPU might be able to handle it, your upstream/downstream will be so saturated with traffic, it will still leave your connection unusable because you have no control over your inbound traffic.

 

[coxhaus]

Once your pipe is saturated trying to redirect would be a bad idea. It would just compound your problem. You need help from your ISP. You are not going to beat him. Maybe try to play else where away from him.

 

[System Error Message]

That won't do you much good if he is aiming a botnet at you. While your router CPU might be able to handle it, your upstream/downstream will be so saturated with traffic, it will still leave your connection unusable because you have no control over your inbound traffic.

Once your pipe is saturated trying to redirect would be a bad idea. It would just compound your problem. You need help from your ISP. You are not going to beat him. Maybe try to play else where away from him.

yes you need help from your ISP, but consumer ISPs do not offer any help. If the attack uses TCP you can then use tarpit to significantly slow down the attack and increase CPU usage on the attacker's machine which will free up your internet pipe.

If you get dual WAN, you can use that to redirect attacks and legitimate traffic instead to use the 2nd WAN. If someone is just sending packets at you, they still have to go through the normal stack. If hes blasting packets at you, its going to consume your download but not upload which means you can do the same. Redirecting the DDOS traffic back to the source is something you can do albeit illegal so if lack of ISP and law enforcement help, go ahead and do it to take down their bots. Having powerful hardware for this helps if you can target their bots one by one to bring them down quickly, and if its a zombie network, then many of them will consist of consumer hardware which are susceptible to many flaws. I mean just plugging in my USB-C ethernet adapter brings down a tp link and dlink router, so it must be sending something that stops the router's PPPOE which perhaps you could try and exploit.

 

[RMerlin]

yes you need help from your ISP, but consumer ISPs do not offer any help. If the attack uses TCP you can then use tarpit to significantly slow down the attack and increase CPU usage on the attacker's machine which will free up your internet pipe.

That's one of the problems with botnet DDOS versus a traditional DOS - tarpits don't work too well. If you have 50,000 nodes sending SYN packets at you, it won't matter if you don't ACK back or you tarpit the ACK replies - you will still be receiving those 50,000 SYN packets within a very short period of time, flooding your downstream.

Those types of attacks can only be mitigated upstream. His only option is to move (i.e. get a new IP address, generally by changing his MAC address if he is using DOCSIS).

On an Asus router, this can be done by cloning the MAC on the WAN page, and then changing the last octets to something different. Then turning off the modem for 10 minutes, and turning it back on.

 

[AndreiV]

AiProtection is supposed to deal with DDOS and Botnets .......... the AC3100 has that on board .

Would be an interesting test to see how it performs.

 

[L&LD]

@AndreiV, not really.

If only a $300 router could stop them... what is taking out the giants then?

 

[ColinTaylor]

AiProtection is supposed to deal with DDOS and Botnets .......... the AC3100 has that on board .

DoS yes, DDoS no. They even say as much here (last paragraph).

 

[Joshuajackson]

About 2 weeks ago a "friend of a friend" joined an xbox party I was in. My friends and I were in game chat (not party chat) and this person started counting down in messages 10,9,8 etc. He got to 1 and the next message said GAME OVER.

We all got booted. I came back online and rejoined the party and he was laughing about it and told me to chill it was just a minute cause he wanted us to come back to party chat.

Shortly after he started asking everyone "hey ______ do you live in xyz City/state"

I asked him what he was using he said CommView and was notating everyone's IPs.

He also mentioned he has "his own" botnet and its a real pain having to keep the bots happy. Also he can hit with 500GBs.

The following day I was in a party with him again and one of his friends joined, he said, "oh hey _____ let me make room in the party for you". My internet went down almost immediately for 7 hours.

At that point I contacted my ISP, Microsoft, Activision and Twitch. 3 days later i got a message from a random account and the message was a smiley face. I opened the profile for the account noticed it was a brand new account (no friends and no gamerscore) and the bio said "In remembrance of (the ddos'ers previous Microsoft account). Took them 9 years."

So, I gathered that microsoft had banned the Xbox account and he made a new one. Out of anger, he hit my internet again. This time for 9 hours.

I pulled up my Pace 5268 (AT&T) logs and saw 1800-2800 packets recieved every second and the firewall was catching about 20 packets every second to port 3074 (open on the modem) from all different ips. I searched a few of the ips in blacklist databases and each one was known as malicious.

So, with all this said, I have done 2 ATT gateway swaps, had a tech come out and spent at least 8 hours on the phone with tech support. They cannot force my WAN ip to change and their default is to just send a new gateway each time I call or offer a block of static IPs which can only be allocated to specific devices on the home network, meaning, I cannot allocate a static IP to broadband (wan) ip address.

The attacks have been going almost daily for 4-8 hours per day.

Currently, I have an AT&T fiber hub (switch) in my laundry room, a BGW-210 (AT&T gateway) with IP passthrough to the MAC address of my AC3100 with the most recent merlin firmware. I have also just purchased a vpn to prevent future attacks.

My issue is, ATT techs are adamant that they cannot force a WAN IP change... can this be true? Anyone have experience on how to handle this?

Also, I found out the person's identity. On the new account he had forgotten to hide his name. I googled the name and found that he lives in Manitoba Winnipeg, is not long out of highschool, and was given awards for his performance in a group called "cyber patrol" which is a youth competition for cyber defense.

i actually live very close there

 

[podkaracz]

I had trouble with beeing ddosed. The only solution was to change ip because my isp was calling to me saying they have to shut down a line of few people because some1 is attacking them so heavly . Its botnet if you dont know personal info of attacker you wont know who do this and the isp usually blame you ( in my case the internet provider has terminated the contract ) because they did not want to change my ip adress and attacks are illegal but person who do this wont be punished because its impossible to track the source of attack. The best way to deal with this is to change ip if you have static or simply best ip is the one that changes whenever you reboot router (dynamic).