Help!! Does anyone Know how to block DDOS ATTACKS

[Mornincupofhate]

Just now, bgc341 said:

they are freezing and crashing im using comodo and malwarebytes to try and stop it from reaching my computer and my Android phone but it still has reached said devices

Yeah mate, malwarebytes is an anti-malware. It's not designed to drop these kinds of packets; or any packets at all.

 

If it's just crashing your computer and not your modem, then go into your modem's firewall and simply try blocking the address that's targeting you.

[bgc341]

Just now, Mornincupofhate said:

Yeah mate, malwarebytes is an anti-malware. It's not designed to drop these kinds of packets; or any packets at all.

 

If it's just crashing your computer and not your modem, then go into your modem's firewall and simply try blocking the address that's targeting you.

my modem doesn't give me that option

[Mornincupofhate]

Just now, bgc341 said:

my modem doesn't give me that option

Lol wtf comcast put in an IDS but not a firewall?

 

What options do you have?

[Lurick]

What model modem/router do you have?

[bgc341]

1 minute ago, Lurick said:

What model modem/router do you have?

netgear cable modem c3700

[Mornincupofhate]

https://kb.netgear.com/8219/How-to-setup-Inbound-Outbound-firewall-rules-on-NETGEAR-Modem-router-gateways

 

This should help you. 

[bgc341]

Just now, Mornincupofhate said:

https://kb.netgear.com/8219/How-to-setup-Inbound-Outbound-firewall-rules-on-NETGEAR-Modem-router-gateways

 

This should help you. 

thanks

[Lurick]

9 minutes ago, bgc341 said:

netgear cable modem c3700

Try this:

Log into the modem/router

Advanced > Setup > Internet Setup

Look around and see if there is any option to change the MAC address of the WAN port.

It might be under another menu but poke around and see.

If you see the option to set the MAC address, select it and then take the MAC address on the bottom of the router and put it in there but increment the last "digit" by 1.

Ex: If the MAC is 11:11:11:11:11:11 then change it to 11:11:11:11:11:12 or if it's 11:11:11:11:11:1A then 11:11:11:11:11:1B

 

That should get your a new IP address and you can see if the attack follows. You might get kicked off the network completely, depending on how Comcast has their stuff setup so if you do you can always change it back.

[bgc341]

2 minutes ago, Lurick said:

Try this:

Log into the modem/router

Advanced > Setup > Internet Setup

Look around and see if there is any option to change the MAC address of the WAN port.

It might be under another menu but poke around and see.

If you see the option to set the MAC address, select it and then take the MAC address on the bottom of the router and put it in there but increment the last "digit" by 1.

Ex: If the MAC is 11:11:11:11:11:11 then change it to 11:11:11:11:11:12

 

That should get your a new IP address and you can see if the attack follows.

 i only see domain name server and internet ip address

 

[Lurick]

Just now, bgc341 said:

 i only see domain name server and internet ip address

 

Alright, wasn't sure if it was in there or not.

I got some conflicting docs when I was searching but figured it was worth checking.

 

Try setting the firewall rule as @Mornincupofhate suggested and see if that helps.

[bgc341]

1 minute ago, Lurick said:

Alright, wasn't sure if it was in there or not.

I got some conflicting docs when I was searching but figured it was worth checking.

 

Try setting the firewall rule as @Mornincupofhate suggested and see if that helps.

there is also no firewall rules tab there is a block services and block sites but thats about it 

[bgc341]

7 minutes ago, bgc341 said:

there is also no firewall rules tab there is a block services and block sites but thats about it 

i finally found a rouge device  it was my ipod but i made a reserved ip address for it yet that wasn't that ip address that i assign for it

[Akolyte]

2 hours ago, bgc341 said:

i finally found a rouge device  it was my ipod but i made a reserved ip address for it yet that wasn't that ip address that i assign for it

That is so strange... ?

Comcast should do something about it.

You should record the call just to make sure, and ask to speak to a level 2 or higher technical person and tell them your issue.  

 

Are you using a static public IP address?  And have you allowed any ports through your firewall?  You should check the IDS logs and check to see if the attack changed when you set the firewall to drop pings.  

 

Unless you purchased a dedicated firewall there isn't really any way you can block this without Comcast's help, esspecially if you don't have the ability to block services on your modem router.  It should at least have flood protection. 

 

The truth about Comodo Firewall, is that in recent years it's downgraded majorly.  And I'd say you'd be better off with Windows Firewall. 

 

Before you call Comcast you should have all your logs ready so an experienced technician can understand what is happening.  Sorry I can't help you more.  Most of the victim-side DOS mitigation is using dedicated appliances because it's using protocols and algorythms for detecting dos 

[Donut417]

The OP does have one options if they dont want to talk to Comcast. Check to see when your Comcast supplied IP lease expires. Not sure where that will be displayed in your router. As my modem and router are owned by me. But, if you unplugged your modem until the lease expires, you might pull a new IP from the DHCP server. I wont lie it could take a day or two. Just checked the lease time on my IP and its 3 days out. 

 

Id also like to say Comcast has a security assurance department. Maybe talking to them would yield better results. You might also try the Comcast direct forums over at DSLreports.com, the forum is ran directly by the Comcast corp out of Philly. So you dont have to talk to the retards that work in your local area. 

[NZLaurence]

What is the iP subnet of your internal lan?

 

Please do

Traceroute 10.0.43.64

From a command prompt. 

[bgc341]

34 minutes ago, NZLaurence said:

What is the iP subnet of your internal lan?

 

Please do

Traceroute 10.0.43.64

From a command prompt. 

 

34 minutes ago, NZLaurence said:

What is the iP subnet of your internal lan?

 

Please do

Traceroute 10.0.43.64

From a command prompt. 

i did the traceroute and it said request timed out repeatedly

and the ip subnet is the same as the ip that comcast supplied me it seems the ip will expire in 2day 11hr

Edited July 27, 2017 by bgc341

[bgc341]

2 hours ago, Mike_The_B0ss said:

That is so strange... ?

Comcast should do something about it.

You should record the call just to make sure, and ask to speak to a level 2 or higher technical person and tell them your issue.  

 

Are you using a static public IP address?  And have you allowed any ports through your firewall?  You should check the IDS logs and check to see if the attack changed when you set the firewall to drop pings.  

 

Unless you purchased a dedicated firewall there isn't really any way you can block this without Comcast's help, esspecially if you don't have the ability to block services on your modem router.  It should at least have flood protection. 

 

The truth about Comodo Firewall, is that in recent years it's downgraded majorly.  And I'd say you'd be better off with Windows Firewall. 

 

Before you call Comcast you should have all your logs ready so an experienced technician can understand what is happening.  Sorry I can't help you more.  Most of the victim-side DOS mitigation is using dedicated appliances because it's using protocols and algorythms for detecting dos 

I did call them and they said to either purches there modems or wait the two day for the lease to expire so guess ill wait

[Neftex]

my wild guess before i try reading more into this: one of your devices is infected and is part of a botnet that is attacking some target

 

look at the last 2 columns, source of the attack is private address, target IP is Hewlett-Packard

 

@bgc341 can you post internal IP address of your PC, maybe look in the routers assigned addresses and post that

[mynameisjuan]

Thats not a DDoS nor is it malicious. Looks like Comcast is performing test or identifying their network. Its coming from an internal IP which would be on Comcast's side. 

 

This DDoS is on a private network but not on yours. DDoS prevention is only on the WAN interface so checking your internal devices is a waste of time. This is hitting from their equipment, most likely a SNMP or netflow server.

 

Also I dont know why everyone says the ISP has to stop it if it is a DDoS. The only time we intervene is when the load is so much it begins to affect core equipment (which I have seen before with a DNS reflection).  We build the road, I cant stop what cars are not allowed down that road.

[Neftex]

what google says about this

https://community.netgear.com/t5/Cable-Modems-Routers/DoS-attack-Teardrop-or-derivative-Ping-of-Death-strange-non-DHCP/m-p/1269833/highlight/true#M8078

read message 19

[brwainer]

1 hour ago, Neftex said:

what google says about this

https://community.netgear.com/t5/Cable-Modems-Routers/DoS-attack-Teardrop-or-derivative-Ping-of-Death-strange-non-DHCP/m-p/1269833/highlight/true#M8078

read message 19

very interesting find. So this implies that the OP should disable IPv6 on client devices since the router doesn't handle it properly. Amazing.

[Mornincupofhate]

8 hours ago, mynameisjuan said:

Thats not a DDoS nor is it malicious. Looks like Comcast is performing test or identifying their network. Its coming from an internal IP which would be on Comcast's side. 

 

This DDoS is on a private network but not on yours. DDoS prevention is only on the WAN interface so checking your internal devices is a waste of time. This is hitting from their equipment, most likely a SNMP or netflow server.

 

Also I dont know why everyone says the ISP has to stop it if it is a DDoS. The only time we intervene is when the load is so much it begins to affect core equipment (which I have seen before with a DNS reflection).  We build the road, I cant stop what cars are not allowed down that road.

This IS a ddos and it IS malicious. If you didn't read his original post, it said that the packets are crashing all the devices behind his network. The IDS is also identifying it as an attack. You forgot that people can spoof addresses from private subnets.

[Mornincupofhate]

8 hours ago, mynameisjuan said:

Also I dont know why everyone says the ISP has to stop it if it is a DDoS. The only time we intervene is when the load is so much it begins to affect core equipment (which I have seen before with a DNS reflection).  We build the road, I cant stop what cars are not allowed down that road.

Nobody saying the ISP has to stop it. I just think it would be nice if ISPs could start spending the cash they make from overcharging old grandmas and use it towards some decent filtering hardware for this type of event.

[brwainer]

1 hour ago, Mornincupofhate said:

This IS a ddos and it IS malicious. If you didn't read his original post, it said that the packets are crashing all the devices behind his network. The IDS is also identifying it as an attack. You forgot that people can spoof addresses from private subnets.

 

2 hours ago, Neftex said:

what google says about this

https://community.netgear.com/t5/Cable-Modems-Routers/DoS-attack-Teardrop-or-derivative-Ping-of-Death-strange-non-DHCP/m-p/1269833/highlight/true#M8078

read message 19

@Mornincupofhate This seems pretty spot-on for the problem to me - these reports are coming from the Modem/Router, not a fancy IDS. This would explain both the internal IP that's in a subnet the OP doesn't use, and why supposedly an HP IP address is being involved. I'm getting the feeling that the crashes are unrelated.

[mynameisjuan]

16 hours ago, Mornincupofhate said:

This IS a ddos and it IS malicious. If you didn't read his original post, it said that the packets are crashing all the devices behind his network. The IDS is also identifying it as an attack. You forgot that people can spoof addresses from private subnets.

 

lol no its not. 1 small burst in traffic from an private IP is seen all the time. If you look at the logs they are minutes apart with most being 1 attempt. A true DDoS would flood it for 15mins minimum even if the traffic is being denied. And dont say what I do and do not know, spoofing an address for this type of event is pointless and is most likely a legitimate IP from the ISP.

 

16 hours ago, Mornincupofhate said:

Nobody saying the ISP has to stop it. I just think it would be nice if ISPs could start spending the cash they make from overcharging old grandmas and use it towards some decent filtering hardware for this type of event.

At the edge of our network we have 3 devices that handle DDoS from entering our network. Each device is $300,000 and we had to purchase them because we had one serious attack in 10 years...1 attack in 10 years cost almost a million dollars, tell me how you could justify that? We have devices to handle this will all the "old lady money" you think they are raking in but you still dont realize the contract that ISP have. At least for us we cant touch traffic heading to and from your or his connection because its out of terms. Our job is to take your packet from one place and bring it to your place, after that its up to you to do what you want with that traffic.

 

DDoS is not a simple just throw money at it and make everyone happy. Traffic is traffic and routers and switches know no better and even equipment designed to handle it cannot be 100% certain. I suggest you look up how actual network traffic works and traverses before bashing at the ISPs.