
How do I check if my puny home connection is being DDOSed?

Basically, for the past few days my home internet would intermittently stop responding, or you could say it becomes super laggy with packet drops. Every website I click takes a while to load or even fails with a DNS_Probe error (I'm using Google DNS, btw). At first I suspected it was a router/splitter issue, but I changed my LAN port from the splitter to the router and the problem still persists.

 

So I checked my Resource Monitor and noticed that my TCP connections jumped to 100 instead of the normal under 50. I opened cmd, ran netstat -a, and found out that there are multiple connections going through ports 58000 to 59000 to and from my PC. I am still baffled whether this is a DDoS attack, a router issue, or simply an ISP issue. Is there a way I can check how many connections are made through an IP/IPs?

 

I run multiple dedicated servers on multiple machines separated from my network, so I guess a motive to DDoS me is possible?

How do I shoot web?
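The question above is how to count connections per remote IP and per process from the netstat output. The script below is an added example, not code from the thread or from any of its posters: it parses the layout that `netstat -ano` prints on Windows (which, unlike `netstat -a`, includes the owning PID), then groups the connections by remote address and by PID so bursts like "100 connections to ports 58000-59000" can be attributed to a single peer or a single process. The embedded `SAMPLE_NETSTAT` text is constructed for the example; the addresses, ports and PIDs in it are invented. Run it with `--live` on a Windows host to parse the real `netstat -ano` output instead.

```python
"""Group TCP connections from `netstat -ano` output by remote IP and by owning PID."""
import re
import subprocess
import sys
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the column layout of `netstat -ano` on Windows.
# None of these addresses, ports or PIDs come from a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:58012     54.144.20.5:443        ESTABLISHED     1420
  TCP    192.168.1.10:58013     54.144.20.5:443        ESTABLISHED     1420
  TCP    192.168.1.10:58014     54.150.7.9:443         ESTABLISHED     1420
  TCP    192.168.1.10:58200     8.8.8.8:53             TIME_WAIT       0
  TCP    192.168.1.10:59001     142.250.74.46:443      ESTABLISHED     5120
  TCP    192.168.1.10:59002     142.250.74.46:443      CLOSE_WAIT      5120
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2210
"""

# Proto, local addr, foreign addr, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: str
    state: Optional[str]
    pid: int


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'ip:port' or '[v6]:port' into (ip, port); '*:*' stays as ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Conn]:
    """Parse every connection row; header, separator and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, local, rip, rport, state, int(pid)))
    return conns


def count_by_remote(conns: List[Conn], states=("ESTABLISHED",)) -> Counter:
    """Count connections per remote IP, by default only ESTABLISHED ones."""
    return Counter(c.remote_ip for c in conns if c.state in states)


def count_by_pid(conns: List[Conn], states=("ESTABLISHED",)) -> Counter:
    """Count connections per owning PID, so a burst can be tied to one process."""
    return Counter(c.pid for c in conns if c.state in states)


def report(conns: List[Conn], top: int = 10) -> Dict[str, list]:
    """Return the top remote IPs and PIDs by established-connection count."""
    return {
        "by_remote": count_by_remote(conns).most_common(top),
        "by_pid": count_by_pid(conns).most_common(top),
    }


def live_netstat() -> str:
    """Fetch real output; only meaningful on Windows where `netstat -ano` exists."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = live_netstat() if "--live" in sys.argv and sys.platform == "win32" else SAMPLE_NETSTAT
    summary = report(parse_netstat(text))
    print("Established connections per remote IP:")
    for ip, n in summary["by_remote"]:
        print(f"  {ip:<40} {n}")
    print("Established connections per PID:")
    for pid, n in summary["by_pid"]:
        print(f"  {pid:<40} {n}")
```

Counting only ESTABLISHED rows matters: a host that is merely being probed will show many TIME_WAIT or CLOSE_WAIT rows that inflate Resource Monitor's total but are not live sessions, and a handful of remote IPs owning most of the established rows points at a peer or process to investigate rather than at a flood.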


Call your ISP. They can check for you, it'll be hard for you to tell from your end.

 

If you want to see where the packet loss is happening, run WinMTR to an outside website like Google and it'll show you where the packet loss is occurring.

-KuJoe


Find everyone that has had access to your IP address.  Find out where they live and steal all their PCs.  Go home and try surfing a bit...

 

Seriously, if anyone has your IP address, simply call your ISP and tell them you need a new IP address.


DDoS attacks usually involve sending a metric buttload of packets to the target. If your incoming packet count is ridiculous, you're getting DDoS'd, and you're going to have a bad time, mkay?


17 minutes ago, stconquest said:

Find everyone that has had access to your IP address.  Find out where they live and steal all their PCs.  Go home and try surfing a bit...

 

Seriously, if anyone has your IP address, simply call your ISP and tell them you need a new IP address.

With 99% of all ISPs, all you have to do is unplug your modem for about 5 minutes and then plug it back in.


Well, contacting my ISP is a bit of a hassle; I will do that a little later. WinMTR helps me with packet loss, but is there a way to measure my packet count and number of connections?

How do I shoot web?


If it's a DDoS attack, the majority of the packets will not make it to your router, so you'll only see a small percentage of them.

-KuJoe


14 minutes ago, blu4 said:

ISP- Internet Service Provider. This is the company you pay for the internet. Like Comcast or Virgin media.

Sorry, I quoted the wrong post.  :D


Well, you can check your router's logs to see if there's something suspicious going on in your router; you can also use software like Wireshark and scan your network (Ethernet, Wi-Fi, etc.).

When you're being DoS'd you'll see 1 client making lots of requests.

If you experience a connection slowdown you should contact your ISP first, because there's a probability that they have connection issues in your area. If they say no, then there's something wrong with your network. Power cycle the modem and router and see if the problem is solved.


7 hours ago, KuJoe said:

Call your ISP. They can check for you, it'll be hard for you to tell from your end.

 

If you want to see where the packet loss is happening, run WinMTR to an outside website like Google and it'll show you where the packet loss is occurring.

LOL. You have never worked for an ISP, have you? They won't even know what DDoS is, never mind be able to check it for you. You think they can see all inbound traffic?


7 hours ago, stconquest said:

@JefferyD90

 

How's that work?  Dynamic IPs?

Almost all ISPs use dynamic IP addresses.


If you are being DDoSed and are on an ISP such as Comcast, you will be able to tell by your monthly data usage skyrocketing.
None of the ISPs seem to log your data usage at the "last" mile. Instead they log it in their core network, and packets dropped still count towards it.

 

For example, when I wanted to do a quick test of T-Mobile's throttling when you go over your monthly cap:

Where my phone is, I could download at about 15 Mbit/s, though with a VPS that I was using (VPS + free TeamSpeak server is cheaper than going for a paid dedicated TeamSpeak-specific host), I was able to flood and push my phone over its cap within about 15 seconds (I had a little over 1 GB left of my cap). They cap you to 128 kbps, but ping times don't go up, so the experience is not as bad as dial-up or ISDN.

 

When I used to play Battlefield 2 and moderate a forum for the clan, we would have to immediately ban users who were putting 1x1 pixel signature pictures, because at the time a common attack was a 1-pixel sig pic hosted on a server controlled by the attacker. Then, through the logs, they could pull the IPs of users who viewed their signature picture. They then launched DoS attacks on others on the forum. The main issue was that there were a number of users in countries like Australia, and in the US on ISPs such as HughesNet which had very low data caps, thus a relatively short flood was all that was needed to take a user offline for the rest of the month.

 

Overall, usually when an individual user is getting DDoSed, it is likely because they are on a metered connection, and even unrequested traffic counts towards your cap.

8 hours ago, Trikein said:

LOL. You have never worked for a ISP have you? They won't even know what DDOS is, nevermind be able to check it for you. You think they can see all inbound traffic?

Nope, I haven't. I've only worked in data centers and run my own networks, so I assumed that ISPs would have the same equipment in place as most data centers or even small guys like myself. In my case, I just call up my upstream providers (basically my ISPs) and ask them about traffic on a port. I assumed ISPs work the same way except they have to get a lot more granular.

 

7 hours ago, JefferyD90 said:

almost all ISPs use dynamicip addresses.

In the US, yes; in other countries they've begun using carrier-grade NAT due to the IP shortage and lack of IPv6 connectivity, so unplugging your modem won't help much.

-KuJoe


17 hours ago, KuJoe said:

Nope I haven't. I've only worked in data centers and running my own networks so I assumed that ISPs would have the same equipment in place as most data center or even small guys like myself. In my case, I just call up my upstream providers (basically my ISPs) and ask them about traffic on a port. I assumed ISPs work the same way except they have to get a lot more granular.

I have worked in both, and I certainly prefer the NOC environment, even if not the particular company I worked for. I don't say this to brag, because both were only middle-pay jobs. You can't easily bind an IP to a MAC in a DHCP environment. Also, many ISPs use the ARP cache to keep people from scanning and stealing your static IP (if you have one). Maybe it is different for other ISPs, but it was that way for Cox and Comcast. I only bring it up because I was the one others transferred people to for help with stuff like IP blocks, and I ended up getting yelled at because the customer was not informed enough to use their own router. There is a workaround which involves removing the service from the modem and letting it lock with an internal IP, then re-provisioning it for a new IP. However, this requires customer interaction, and if done wrong, can kill your internet until the broker resets.


17 hours ago, KuJoe said:

Nope I haven't. I've only worked in data centers and running my own networks so I assumed that ISPs would have the same equipment in place as most data center or even small guys like myself. In my case, I just call up my upstream providers (basically my ISPs) and ask them about traffic on a port. I assumed ISPs work the same way except they have to get a lot more granular.

 

In the US yes, in other countries they've begun using Carrier-grade NAT due to the IP shortage and lack of IPv6 connectivity so unplugging your modem won't help much.

Well, those countries are wrong... And I reject them all.


Somehow I found the problem. My PC would intermittently establish connections to up to 200 IPs at once. I used TCPView to monitor the connections, and somehow the System process suddenly connects to these IPs. It happens when I'm playing some game, browsing YouTube, or just idling. After a while, these connections were dropped and Resource Monitor shows everything back to normal.

Below are the 2 pictures containing 4 sets of sudden TCP connection.

 

[Attached screenshots: Untitled1.png, Untitled.png, Untitled3.png, Untitled4.png]

 

What is going on here?

How do I shoot web?


From an elevated command prompt, type:

tasklist /svc /fi "imagename eq svchost.exe"

Then look at what service(s) are running for PID 1420. I think that is what is causing your problem. Also, the traffic is from AWS by Amazon. See here for more info. This is further supported by the IP range 54.144.0.0 - 54.159.255.255 belonging to Amazon. It could be the cloud streaming that NVShield uses, but that wouldn't explain why it starts when browsing.
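The two checks suggested in the post above, mapping a PID to the services hosted in that svchost instance and testing whether the remote addresses fall in the 54.144.0.0 - 54.159.255.255 block, can be done with a short script. This is an added example, not code from the thread or from any poster: it parses the table layout that `tasklist /svc` prints (a header, a `===` separator, then one row per process with service lists wrapped onto indented continuation lines) and checks addresses against a CIDR. The `SAMPLE_TASKLIST` text is constructed for the example, so the PID-to-service mapping in it is invented and says nothing about what PID 1420 actually hosted on the poster's machine; `54.144.0.0/12` is the CIDR form of the range quoted in the post. Run it with `--live` on a Windows host to parse the real `tasklist /svc` output instead.

```python
"""Map svchost PIDs to their services from `tasklist /svc`, and attribute remote IPs to a CIDR."""
import ipaddress
import re
import subprocess
import sys
from typing import Dict, Iterable, List, Optional

# Constructed sample in the layout of `tasklist /svc /fi "imagename eq svchost.exe"`.
# The services listed under each PID are invented for the example.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    720 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                   1420 BITS, wuauserv
svchost.exe                   1536 Dnscache
"""

# 54.144.0.0 - 54.159.255.255 expressed as a prefix (the range quoted in the post).
NAMED_RANGES = {"Amazon AWS (54.144.0.0/12)": ipaddress.ip_network("54.144.0.0/12")}

# A process row starts at column 0: image name, PID, then the service list.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_tasklist_svc(text: str) -> Dict[int, List[str]]:
    """Return {pid: [service, ...]}, joining wrapped continuation lines to their row."""
    table: Dict[int, List[str]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: continuation of the previous row's service list.
            if current is not None:
                table[current].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            # Header ("Image Name ... PID Services") or the "===" separator.
            current = None
            continue
        _image, pid, services = m.groups()
        current = int(pid)
        table[current] = _split_services(services)
    return table


def _split_services(chunk: str) -> List[str]:
    return [s.strip() for s in chunk.split(",") if s.strip()]


def services_for_pid(table: Dict[int, List[str]], pid: int) -> List[str]:
    """Services hosted by the given PID, or an empty list if it is not an svchost row."""
    return table.get(pid, [])


def in_range(ip: str, network: ipaddress.IPv4Network) -> bool:
    """True if ip falls inside network; non-IPv4 strings (e.g. '*') are treated as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == network.version and addr in network


def attribute_ips(ips: Iterable[str], ranges=NAMED_RANGES) -> Dict[str, Optional[str]]:
    """Label each IP with the first named range containing it, or None."""
    result: Dict[str, Optional[str]] = {}
    for ip in ips:
        result[ip] = next((label for label, net in ranges.items() if in_range(ip, net)), None)
    return result


def live_tasklist() -> str:
    """Fetch real output; only meaningful on Windows where tasklist exists."""
    cmd = ["tasklist", "/svc", "/fi", "imagename eq svchost.exe"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = live_tasklist() if "--live" in sys.argv and sys.platform == "win32" else SAMPLE_TASKLIST
    table = parse_tasklist_svc(text)
    for pid, svcs in sorted(table.items()):
        print(f"PID {pid}: {', '.join(svcs)}")
    # Constructed remote addresses; the first two sit inside the quoted Amazon block.
    for ip, label in attribute_ips(["54.144.20.5", "54.159.255.255", "54.160.0.1", "8.8.8.8"]).items():
        print(f"{ip:<18} -> {label or 'no match'}")
```

Knowing which services share an svchost PID narrows the search, but it does not by itself name the culprit, since several services live in one host process; pairing the PID with the remote-address attribution (and with the owning PID from `netstat -ano`) is what lets a reader decide whether the burst is expected cloud traffic or something to look at more closely.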
