2 External IPs to prevent DDoS?

thematr1x

Reputable
Aug 1, 2015
Hi everyone, hopefully someone will be able to help me with this one.

In my home network I currently have a Hitron CGNM-2250 acting as a modem/router combo with an IP Passthrough option enabled for a 2nd router connected to it (DD-WRT Nighthawk X6 R8000). I already have the 2 external IPs showing for each device, but my issue is getting DDoSed offline.

I have my computer that I stream off of connected directly to the Hitron, and my gaming consoles connected to my Nighthawk. People are obtaining the external IP address assigned to the Nighthawk router and are DDoSing that IP. The external IP assigned to the Hitron is safe from being DDoSed, as the players only see the IP of the Nighthawk. I have the QoS setting on the Nighthawk so it can use a max of 25% of my total bandwidth; this is theoretically to prevent all the bandwidth being used when I am being DDoSed.

So my question is, why are these DDoS attacks bringing down the entire network? Shouldn't these attacks only affect/bring down my Nighthawk, because the Hitron shouldn't be handling any of that traffic? I theoretically should even have bandwidth left over for the Hitron to run the stream and other applications. My end goal is to have only the consoles knocked offline and the computer stay connected.

Any solutions to this? I would prefer not to use a VPN to prevent these DDoS attacks, as my speeds take a huge hit.

Cheers
 

Kewlx25

Distinguished
" I have the QoS setting on the nighthawk so it can use a max of 25% of my total bandwidth, this is theoretically to prevent all the bandwidth being used when I am being ddosed. "

You can't stop the data, you're only ignoring it. If someone sends you 1,000 mails a day causing some of your real mail to not get delivered, just because you decide to not open all of the mail doesn't mean the mail doesn't keep coming.
 
This is why when you make a living using your internet connection you don't host things in your house or connect to stuff you don't control.

2 IPs solve only some forms of DDoS attack. If they were doing something like a common attack with half-open sessions, where you attempt to exceed a router's or server's memory, that type would kill just the single IP. The more common attack you hear of is brute force: send too much traffic. Since both your IPs share the same connection, if one of the IPs loads the link to 100% both are blocked. As mentioned, ignoring the traffic does not mean it did not actually come to your house and eat all the bandwidth.

The short answer is you can't prevent DoS attacks, other than doing everything you can to not let them get your IP address.

The worst offender is Skype; the best option is to not use it, because it many times activates on boot even before you can start some of the VPN solutions used to hide your address.

You also never want to use even voice conference systems (like TeamSpeak) that you do not fully control. Whoever owns the server can see the IP address, and they likely can capture all the data if they really wanted to.

Anything that forms direct connections to another person's house, or really any server you cannot trust, is a risk. It is especially risky if you actually must allow incoming sessions to a server you place in your house. People who host certain game servers need to expose their IP address, so you really must trust the people you allow access.

The best solution is to always host the servers that need to expose the IP in a large hosting center. Their firewalls can detect many of these and block them before they hit your server. They of course still receive the data, but their connections tend to be so large nobody can realistically DoS the whole data center connection. This tends to be expensive, but when it is impacting your method of making money it is a cost that must be considered, if it is actually reasonable.

This would solve most of the ways people could get your IP address. You of course must be very careful what software you run and what sites you visit. Somebody who was really devious could have their own web server hosted and then try to get you to open something purely for the purpose of obtaining your IP... not even doing worse like embedding malware.

This would move the high-risk things out of the house and leave the bandwidth for streaming, most of which passes through servers that do not allow the end users to see your IP. Some video conference platforms (i.e. Skype and some others) do expose your IP.

The more common solution is a VPN, which is a form of server hosting. The problem is you must force the IP to change quite often, so the VPN service must offer it. It mostly works, but some attacks will pass through the VPN. If for example you host a server in your house and the traffic goes to a VPN IP address and then runs over a VPN tunnel to your house, the person will never see your actual IP. They still can send DoS attacks to the VPN IP address, and if the VPN vendor's firewall does not detect it the traffic will still be sent to your house. You will be down until you take some action to get the VPN to use a different IP at the VPN center.

I guess the good news is the vast majority of DoS attacks are run from illegal services that sell this for money, so someone has to be really mad at you to spend money for long periods of time. You cannot realistically send DoS attacks from your house. First, almost all ISPs prevent IP source spoofing on most of their connections, so it will lead back to the attacker's house. Second, in most cases the upload speed is far less than the download speed of the person they are attacking. They would DoS their own upload speed before they could exceed your download.

I suppose someone with Google Fiber could do it since they have close to 1G upload speeds... but who would risk getting a great connection like that canceled.
 
Solution
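The two points made in the replies above (Kewlx25: a QoS cap only ignores traffic that has already arrived; the accepted answer: both public IPs ride the same access link, so a volumetric flood on one starves the other, while a half-open/state-exhaustion attack only hurts the targeted box) can be modelled in a few lines. The following is an added illustration written for this page, not code from the thread, from Hitron, or from DD-WRT. The link capacity, the two public addresses, the traffic volumes, the 1-second constructed capture and the classification thresholds are all assumptions chosen for the example.

```python
"""Model of the situation in the thread: one ISP-facing access link carries
every packet for BOTH public IPs before either the Hitron or the Nighthawk
sees them. The link is a FIFO bottleneck; under overload each destination
gets a proportional share of what the link can carry. A QoS cap on the
second router acts AFTER that bottleneck, so it cannot give bandwidth back
to the other IP. Only something upstream of the link (an ISP or hosting
centre firewall, a VPN provider's edge) changes what arrives.

Addresses, capacities, volumes and thresholds below are assumptions made
for this illustration, not values from the thread."""
from collections import Counter, defaultdict
from dataclasses import dataclass

LINK_MBPS = 100.0           # assumed download capacity of the shared access link
IP_PC = "203.0.113.10"      # assumed public IP on the Hitron (streaming PC)
IP_ROUTER = "203.0.113.11"  # assumed public IP passed through to the Nighthawk


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str  # "TCP" or "UDP"
    flags: str  # TCP flags, "" for UDP
    size: int   # bytes on the wire


def constructed_capture(flood):
    """One second of constructed traffic; `flood` picks what is aimed at IP_ROUTER."""
    # 4000 x 1500 B to the PC = 48 Mbit/s of legitimate traffic (assumed stream load)
    pkts = [Pkt("198.51.100.5", IP_PC, "TCP", "A", 1500) for _ in range(4000)]
    if flood == "volumetric":
        # 50 sources x 300 x 1400 B UDP = 168 Mbit/s, more than the link can carry
        for i in range(50):
            pkts += [Pkt(f"192.0.2.{i + 1}", IP_ROUTER, "UDP", "", 1400)] * 300
    elif flood == "half_open":
        # 5000 bare SYNs from 5000 spoofed sources: only 2.4 Mbit/s on the wire, but
        # each one asks the target to hold connection state (the "memory" attack)
        pkts += [Pkt(f"10.0.{i >> 8}.{i & 255}", IP_ROUTER, "TCP", "S", 60)
                 for i in range(5000)]
    return pkts


def offered_mbps(pkts):
    """Load aimed at each public IP before anything drops it (capture spans 1 s)."""
    bits = Counter()
    for p in pkts:
        bits[p.dst] += p.size * 8
    return {dst: b / 1e6 for dst, b in bits.items()}


def classify(pkts, link_mbps=LINK_MBPS):
    """Per destination: 'volumetric' if its offered load alone exceeds the link,
    'half_open' if it is almost all bare SYNs from many sources, else 'normal'."""
    load = offered_mbps(pkts)
    total, syn_only, sources = Counter(), Counter(), defaultdict(set)
    for p in pkts:
        total[p.dst] += 1
        sources[p.dst].add(p.src)
        if p.proto == "TCP" and p.flags == "S":
            syn_only[p.dst] += 1
    verdict = {}
    for dst in total:
        if load[dst] >= link_mbps:
            verdict[dst] = "volumetric"
        elif syn_only[dst] / total[dst] > 0.9 and len(sources[dst]) > 100:
            verdict[dst] = "half_open"
        else:
            verdict[dst] = "normal"
    return verdict


def delivered_mbps(offered, link_mbps=LINK_MBPS, downstream_cap=None, upstream_drop=None):
    """What each IP actually receives.
    upstream_drop: {ip: fraction discarded BEFORE the link}: a hosting-centre or
                   VPN-edge firewall, or the ISP. Only this frees the shared link.
    downstream_cap: {ip: max Mbit/s} applied AFTER the link: the Nighthawk's QoS."""
    upstream_drop = upstream_drop or {}
    downstream_cap = downstream_cap or {}
    arriving = {ip: v * (1.0 - upstream_drop.get(ip, 0.0)) for ip, v in offered.items()}
    total = sum(arriving.values())
    scale = min(1.0, link_mbps / total) if total else 1.0  # FIFO: all flows share the loss
    through = {ip: v * scale for ip, v in arriving.items()}
    return {ip: min(v, downstream_cap.get(ip, v)) for ip, v in through.items()}


if __name__ == "__main__":
    for kind in ("volumetric", "half_open"):
        cap = constructed_capture(kind)
        off = offered_mbps(cap)
        print(kind, classify(cap))
        print("  no QoS:            ", delivered_mbps(off))
        print("  QoS 25 on router:  ", delivered_mbps(off, downstream_cap={IP_ROUTER: 25.0}))
        print("  upstream scrubbing:", delivered_mbps(off, upstream_drop={IP_ROUTER: 1.0}))
```

Running it shows the asymmetry the thread is about: with the volumetric flood the PC's share of the 100 Mbit/s link is about 22 Mbit/s whether or not the Nighthawk caps its own IP at 25 Mbit/s, because the cap is applied to packets that already crossed the bottleneck; only the upstream drop (the hosting-centre or VPN-edge firewall in the answer) restores the full 48 Mbit/s. With the half-open flood the link is nowhere near full and the PC is unaffected; that attack only costs the targeted device connection state, which is the case where a second IP genuinely isolates the damage.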