[SOLVED] Help with DDoS Issues

Treycen

Sep 3, 2019
For the past few months I have repeatedly, all the time, gotten "ACK Scan Attack Packets from (random ip in the world)" or "FIN Scan Attack Packets from (random ip in the world)", but more common than those I usually get "ICMP Type B detected". Every time any of this stuff happens I drop connection out of whatever I'm doing for a solid 30 seconds and then it comes back.

I have struggled with this for about a year now. Here is what I have done to try to help:

1. I tightened the security on my router, I changed all passwords and turned off almost everything we don't use.

2. I have gotten a program called "Anti-DDos Guardian" which didn't help.

3. I called my ISP and told them to change my IP which they did but even after changing it, no change at all. It still happened.

I also tried the reset your IP using the mac address. My IP changed but the attacks did not. I don't know how this keeps happening or how it even started happening in the first place. I am a frequent person who plays games so getting disconnected in the middle of them is very frustrating.

I also do not have a very public ISP like Comcast or Spectrum. I have a small internet company in my area that doesn't know that much about DDoS attacks; all they know is how to give us the internet that we pay for. I am tired of this and I want it to stop. People have been doing this from China, Germany, France, Spain. I just don't understand how I could stop this; it's like I am just done with the internet in general because of this.

Please help me stop these DDoS attacks, I'm at a loss here.
 
Solution
Turning the messages off in your router is your best option... or just learn to ignore them.

In some ways it would be better to not have these messages to scare people who do not have the knowledge to understand them.

They are not actually DDoS attacks even though some routers call it that. I think again to scare people. A DDoS attack comes from many different IPs at the same time and in most cases tries to overload your bandwidth with traffic.

These are more hacking type of attacks where they are looking for vulnerable machines. They do not send enough traffic to matter. It should have no impact on your router; if it does, maybe turn off the firewall or get different firmware, because it is a bug.

The NAT function by itself blocks all this traffic; all the firewall does is give you the messages. The traffic has already been set to be discarded by the NAT before the firewall can even block it. So all these messages mean is someone tried to attack your machines but nothing got past the router.

Still, real DDoS attacks can take down huge companies and they can do little about it. The main defense is a large internet connection. Since the upload speed on almost all internet connections will cap well before download, it is impossible to DoS you from a single machine before they DoS themselves. If someone has control of hundreds of machines and wants to attack you, there is nothing you can do.

There is no real way to avoid this; they scan every possible address in existence. This is almost always someone trying to find a way to steal money. They gain nothing by actually killing your internet connection, and when their simple scan finds nothing they move on.
 
What exactly should I do about my connection dropouts when I get the ICMPs or the scans? My connection always drops out when any of these 3 things happen. I'm gonna disable those messages and stop worrying about them. Should I invest in a new router with better security? I currently have a 6+ year old router, and this may be the cause. Thanks!
 
Unless you have an extremely small internet connection, like under 3 Mbps, it is unlikely the traffic will have any effect. Most times the full scan is less than 1 second of traffic.

If it is actually dropping your connection it must be something else, like the router has an issue. Not sure; normally these cause no issues at all for people. I would check for a firmware update.

You need no extra security; the cheapest router works as well as the most fancy. By default any router with NAT will not know which internal machine to send these scans to, so it just discards them. There is no firewall that can do more than that.
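
Added example (not part of the thread and not any router's actual firmware): a toy model of the NAT behaviour described in the answers above, where an inbound packet is forwarded only if it matches a mapping created by earlier outbound traffic. The class, the addresses and the log wording are constructed for illustration, and matching on the remote address and port is an assumption about the router's filtering mode.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Toy port-address-translation table (hypothetical, for illustration)."""
    next_port: int = 40000
    # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a flow: allocate a public port and remember it."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(proto, pub_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return pub_port

    def inbound(self, proto, src_ip, src_port, dst_port, flags=""):
        """Return (lan_ip, lan_port) to forward to, or None if discarded."""
        entry = self.table.get((proto, dst_port))
        # Assumption: the mapping is only valid for the peer the LAN host
        # contacted (address-and-port-dependent filtering).
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]
        # No LAN host is associated with this packet, so there is nowhere
        # to send it. The log line is all the user ever sees of it.
        self.log.append(f"{flags or proto} packet from {src_ip} "
                        f"discarded: no mapping for port {dst_port}")
        return None


def demo():
    # Constructed sample traffic using documentation address ranges.
    nat = Nat()
    port = nat.outbound("tcp", "192.168.1.10", 51000, "198.51.100.20", 443)
    reply = nat.inbound("tcp", "198.51.100.20", 443, port, "ACK")    # server answering
    ack_scan = nat.inbound("tcp", "192.0.2.55", 4444, 3389, "ACK")   # unsolicited probe
    fin_scan = nat.inbound("tcp", "192.0.2.99", 5555, port, "FIN")   # right port, wrong peer
    return reply, ack_scan, fin_scan, nat.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A port forward or UPnP mapping is a table entry that exists without a prior outbound flow, so those are the entries worth reviewing on a real router.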
 
Just checked for a firmware update, nothing. I understand what the scans are now, but what are the ICMPs? I have a Netgear router. Is there a way for me to check if NAT is on?
 
If your box is slowing down, it is possible you are doing TOO MUCH LOGGING. Logging actually takes some horsepower; your router is probably running an Atom-type processor.

If there is a DDOS Guard setting on the router, turn it on, just drop (ignore) and don't do any logging, and see what happens.

^bill is right, sometimes it is TMI, Too Much Information.
 
This is why these messages cause more trouble than they are worth when the person reading has no clue what it means. ICMP is how ping commands are done. Hard to say exactly what the message means since they do not document it.

NAT is how a router shares the single public IP address. The router will not function if you were to find a way to turn it off.
 
Thanks for the help everyone, after doing further investigation I believe it's my router. We will be picking up a new one in a few weeks and that should stop this issue. I will also contact my ISP and tell them what is happening even if they don't understand to see what they do. It's gonna be hard for me not to check my logs after connection drops because it's what I am used to after months of doing it but I believe I can stop.
~Treycen
 
First thing I suspect in any networking issue is congestion, caused by low bandwidth + sharing bandwidth with housemates, with WiFi as a main culprit. So before I suspect DDoS, I would want to know what my latency is. Does it peak? Gamers seem to be very latency intolerant.

Honestly I don't know why gamers don't ask this question at gaming forums, because this question is asked every day here and I personally am no gamer and can only answer in general terms what I observed of posters saying.
 
If you are wondering, my latency is usually 10-25 with my PC and about 2 phones connected to our WiFi. We pay for 75 down and 10 up.

That information is for you. It looks decent. Be aware if the ISP box is handling VoIP, those devices have priority by default (they are the ambulance, always make you slow down so they can go unimpeded).

10-25 latency is actually excellent, but what happens when it gets congested? What happens if your housemates suddenly turn on their YouTube/Netflix etc.? You can ignore this if you are the sole user in the house.
 
If a family member starts to watch YouTube or Netflix my latency maybe rises to 20-35, it's not that much of a difference. That is of course if they are watching in 1080p.
 
That is very good. I would again suggest stopping the logging, and I don't just mean don't read them but actually configuring the router to not even generate the messages. Let's see what happens; don't jump ahead of ourselves too much.

I don't know if that is even doing any good though. I came here to figure out why I'm dropping connections WHEN this stuff happens. Every time a scan happens my router goes down for 30 seconds and then comes back, same thing with the ICMPs. I'm buying a new router in a few weeks so I'm just hoping that this is a bug with my old router and hope that this will stop.
 
I'm not an expert in DDoS protection, however I do use a so-called remote anti-DDoS proxy from ddos-guard.net. I'm sure they have solutions not only for hosted projects but also for local networks. So you can check there.