3 minutes ago, Benb96 said:

Some script kiddie is DOS attacking me and I've spoken to my ISP and they said they will Black hole the traffic. What does that mean? And is it an effective method?

Probably just stop it before it reaches you.

Basically nulling it.


Most likely sending all traffic through some sort of IP filter client or redirecting all the spam to one server that tanks the DDOS for you.


8 minutes ago, Benb96 said:

Oh okay. They asked if I had a FTIP? What's an FTIP?

FTP or FTIP? Never heard of FTIP and Google isn't helping.


Agreed, Google isn't helping me find out what FTIP might be. They could be asking if you have an FTP server running, if they are seeing a lot of traffic going to ports 20 or 21 at your address - the DOS attack may be directed at that port.


I'm not familiar with the Black Hole terminology, but I know when doing advanced networking you can set up routers with a null0 interface for either "all other" traffic or invalid traffic, depending on how you set it up. Null0 could be considered a black hole because when traffic is sent to it, it just disappears. It's kind of like when a network drops packets for being invalid, serving the same purpose; however, I don't know the benefit of null0 over just setting up an ACL to reject unwanted traffic. It may have to do with router performance. I don't know if this is what your ISP calls a black hole, but it may perform a similar service.


4 minutes ago, Windows7ge said:

I'm not familiar with the Black Hole terminology, but I know when doing advanced networking you can set up routers with a null0 interface for either "all other" traffic or invalid traffic, depending on how you set it up. Null0 could be considered a black hole because when traffic is sent to it, it just disappears. It's kind of like when a network drops packets for being invalid, serving the same purpose; however, I don't know the benefit of null0 over just setting up an ACL to reject unwanted traffic. It may have to do with router performance. I don't know if this is what your ISP calls a black hole, but it may perform a similar service.

Yes, when talking about DOS/DDOS handling, black hole means null routing - with a DDOS it is tricky because you usually have to cut off access from an entire continent's worth of IP addresses at the beginning. But if it's a normal DOS attack, then they can look at your traffic (once they have your permission via you calling about the issue) and just block the most egregious offender(s).

 

EDIT: And yes, routing to null is more performant than an ACL. The routers used in the core infrastructure are designed to just handle routing really really fast - they don't even handle BGP themselves, other devices figure out the BGP for them and basically add and remove static routing rules.

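The null routing discussed in the posts above, as an added example that is not part of any poster's message: a toy longest-prefix-match forwarding table in Python showing why a /32 route to a discard interface drops everything sent to the target, next to blocking a single source. The 203.0.113.x and 198.51.100.x addresses are constructed documentation addresses and the next-hop names are hypothetical; 151.80.18.57 is the source named later in the thread.

```python
import ipaddress

NULL0 = "Null0"  # discard interface: packets routed here silently disappear


class Fib:
    """Toy forwarding table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}  # ip_network -> next-hop name

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return NULL0  # no route at all: nothing to forward to
        # The most specific prefix wins, so a /32 overrides its covering /24.
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def forward(fib, packets, blocked_sources=()):
    """Split (src, dst) packets into (delivered, dropped)."""
    blocked = [ipaddress.ip_network(s) for s in blocked_sources]
    delivered, dropped = [], []
    for src, dst in packets:
        src_hit = any(ipaddress.ip_address(src) in net for net in blocked)
        bucket = dropped if src_hit or fib.lookup(dst) == NULL0 else delivered
        bucket.append((src, dst))
    return delivered, dropped


def build_isp_fib():
    fib = Fib()
    fib.add("0.0.0.0/0", "upstream")             # hypothetical next hops
    fib.add("203.0.113.0/24", "customer-edge")
    return fib


# Constructed traffic sample: two flood packets, two legitimate ones.
PACKETS = [("151.80.18.57", "203.0.113.10"), ("151.80.18.57", "203.0.113.10"),
           ("198.51.100.7", "203.0.113.10"), ("198.51.100.7", "203.0.113.20")]


def destination_blackhole():
    fib = build_isp_fib()
    fib.add("203.0.113.10/32", NULL0)  # null-route the attacked address
    return forward(fib, PACKETS)


def source_block():
    return forward(build_isp_fib(), PACKETS, blocked_sources=["151.80.18.57/32"])
```

With the destination null route the legitimate packet to 203.0.113.10 is dropped along with the flood, while the neighbouring customer address keeps working; the source block only removes the single offender.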

1 hour ago, Benb96 said:

The DOS attack is coming from 151.80.18.57

 

it is a Datacenter which offers VPS. So I assume some kid has a VPS, or has let his VPS get hacked and someone is using it for malicious stuff

I imagine he's just using the VPS as a proxy. Instead of routing all DDOS traffic directly to you they're routing it through a VPS then to you so it's harder to trace the source. This kind of attack would reduce the intensity of the attack on you due to bandwidth restrictions but should still be enough to take down a little home network.


1 minute ago, Windows7ge said:

I imagine he's just using the VPS as a proxy. Instead of routing all DDOS traffic directly to you they're routing it through a VPS then to you so it's harder to trace the source. This kind of attack would reduce the intensity of the attack on you due to bandwidth restrictions but should still be enough to take down a little home network.

Why would you use a VPS as a proxy instead of just originating the attack from the VPS? It seems to me that the VPS would have better internet connection than the attacker, assuming they have a similar home internet connection.


3 minutes ago, brwainer said:

Why would you use a VPS as a proxy instead of just originating the attack from the VPS? It seems to me that the VPS would have better internet connection than the attacker, assuming they have a similar home internet connection.

If the VPS is a cluster of multiple servers on multiple racks then yes, it would be more powerful to use it as the source of the attack, but as you are most likely aware, a DDOS is usually a botnet comprised of 100's of 1000's of computers all demanding information from a single host/router. It seems unlikely a child could infect a VPS to use it as the source, but to use it as a proxy so you can't originate the source makes more sense and is within the capability of a very smart kid.


5 minutes ago, Windows7ge said:

If the VPS is a cluster of multiple servers on multiple racks then yes, it would be more powerful to use it as the source of the attack, but as you are most likely aware, a DDOS is usually a botnet comprised of 100's of 1000's of computers all demanding information from a single host/router. It seems unlikely a child could infect a VPS to use it as the source, but to use it as a proxy so you can't originate the source makes more sense and is within the capability of a very smart kid.

True, but I would point out that the OP said it was a DOS attack - maybe it is a DDOS, but so far that hasn't been specified.


42 minutes ago, brwainer said:

True, but I would point out that the OP said it was a DOS attack - maybe it is a DDOS, but so far that hasn't been specified.

I've never been DOS'd or DDOS'd so I can't say how bad 1 attacker could impact a network vs multiple. But I suppose if 1 person (the attacker) had a high upload speed and the person being attacked has lower internet speeds then a DOS attack could bring down a single network or at least make it very very slow.


1 hour ago, Windows7ge said:

I've never been DOS'd or DDOS'd so I can't say how bad 1 attacker could impact a network vs multiple. But I suppose if 1 person (the attacker) had a high upload speed and the person being attacked has lower internet speeds then a DOS attack could bring down a single network or at least make it very very slow.

Right, but that's exactly my point - let's say I have a 10Mbps upload speed at my home, and I want to DOS attack someone - if I were to attack them directly, or even through a proxy VPS, I can only send 10Mbps to them, highly unlikely to knock them off. But with a VPS you can rent a connection of 100Mbps or higher, and if you just use it occasionally no one is going to ask questions about what you are doing with the VPS (I am not suggesting or condoning using a VPS for a DOS attack, this is necessary for my point). So all I'm saying is, if it's suspected as a DOS and not a DDOS, I would not expect someone to use a VPS as a proxy for the attack. Using a VPS as a proxy would be feasible if you are commanding a botnet. The fact that the ISP was able to isolate a single IP address for the attack means it wasn't a DDOS.


17 minutes ago, brwainer said:

The fact that the ISP was able to isolate a single IP address for the attack means it wasn't a DDOS.

Fair enough point. This makes me wonder if they can figure out what exact VPS company it belongs to and see if they can determine which user is abusing the system and kick him out. Though I have to say, if you have access to a terminal, executing a DOS attack wouldn't be hard to do.


29 minutes ago, Windows7ge said:

Fair enough point. This makes me wonder if they can figure out what exact VPS company it belongs to and see if they can determine which user is abusing the system and kick him out. Though I have to say, if you have access to a terminal, executing a DOS attack wouldn't be hard to do.

They may be able to do so, but that is outside the bounds of an ISP and more the purview of law enforcement.


55 minutes ago, brwainer said:

They may be able to do so, but that is outside the bounds of an ISP and more the purview of law enforcement.

DOS'ing or DDOS'ing, what is that in the US? Misdemeanor? Felony? If the kid's under 18 he'll probably get off with a slap on the wrists...or upside the back of their head.


6 minutes ago, Windows7ge said:

DOS'ing or DDOS'ing, what is that in the US? Misdemeanor? Felony? If the kid's under 18 he'll probably get off with a slap on the wrists...or upside the back of their head.

My point was that an ISP isn't going to go tracking that down.


37 minutes ago, brwainer said:

My point was that an ISP isn't going to go tracking that down.

True, but if the offense is great enough they'll go to the authorities.
