Firewall and Speed
March 2, 2004 2:24 PM
Geek Question: I took a look at my router's firewall. I'm getting a number of DDoS attacks. Now, the firewall is acting all nice and blocking it...but I'm sure this is causing a slowdown in my surfing/net use, etc.
Any ideas on how to make it stop?
You can't make it stop, unless somehow you got your ISP to firewall you on their end. Or you went around to everyone's computer in the world and upgraded them all with the latest security patches.
posted by zsazsa at 4:50 PM on March 2, 2004
Agreed. I get about 6 Slammer attempts an hour...and I don't even have SQL on this machine. The amount of port scanning and worm propagation is just insane...but I understand your frustration, as my firewalls are working overtime too.
posted by dejah420 at 8:00 PM on March 2, 2004
Response by poster: Followup:
There isn't a way for me to trace back and either totally block the offending IP addresses or notify their ISP that their machines are infected?
posted by filmgeek at 9:27 PM on March 2, 2004
Best answer: There isn't a way for me to trace back and either totally block the offending IP addresses or notify their ISP that their machines are infected?
There is, but it's quite impractical.
1. Grab the IP address of the offending machine from your logs.
2. Plug the IP into ARIN whois to determine who owns the netblock. Sometimes, ARIN will provide an appropriate e-mail address (i.e. abuse@) in the domain record. Sometimes, you'll have to access the netblock owner's site to locate an appropriate way to contact them.
3. Draft a polite message explaining that one of their customers is either willingly or unknowingly launching an attack on your machine(s). You absolutely must include the following: Your IP address, the IP address of the machine attacking you, a sample of the malicious traffic from your log files, and the date/time the attack occurred.
4. If they're a large national or international company, you likely won't receive a reply beyond their standard autoresponder. If they're a smaller local ISP, you will likely hear from an actual human being, and they may request further information.
5. If, after a week, you still see traffic coming from the reported machine, you can attempt to send another e-mail, again politely explaining that you are still receiving attacks from this IP address. Hopefully, the problem will be resolved. Sometimes, particularly if the ISP is based in Asia, you'll be dismissed and no amount of complaint-filing will help.
Now, here's the fun part: repeat this procedure for every one of the thousands of IP addresses you will undoubtedly log over a given period of time. Unless you have a very small group of machines attacking you, or you tend toward masochism, this will grow tedious rather quickly.
posted by Danelope at 10:11 PM on March 2, 2004
If you were actually under a distributed denial of service attack by more than a few machines, you can bet you wouldn't be getting to AskMe. What are you seeing in your logs?
If these are just attempts to exploit vulnerabilities in web servers, don't worry about it, they hit everything. It's just the background noise of the internet. Pat your firewall and give it a cookie for a job well done.
posted by malphigian at 2:59 PM on March 2, 2004
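As an added illustration (not code posted by anyone in the thread), the script below does in software what Danelope's steps 1 to 3 describe by hand, and also answers malphigian's "what are you seeing in your logs?" with a simple rate-and-source profile. The log lines, the address 198.51.100.9 standing in for the poster's own IP, and the noise-versus-flood thresholds are all constructed for the example; the WHOIS function speaks the real RFC 3912 protocol to whois.arin.net but is not called in the stand-alone run because it needs network access.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a generic router "DROP" log format (not from the thread).
# 198.51.100.9 stands in for "your" address; sources are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2004-03-02 14:01:07 DROP TCP 203.0.113.17:4130 -> 198.51.100.9:1434
2004-03-02 14:01:09 DROP UDP 203.0.113.17:1280 -> 198.51.100.9:1434
2004-03-02 14:02:44 DROP TCP 192.0.2.88:53211 -> 198.51.100.9:80
2004-03-02 14:03:10 DROP TCP 203.0.113.17:4131 -> 198.51.100.9:445
2004-03-02 14:05:52 DROP TCP 192.0.2.45:1035 -> 198.51.100.9:135
2004-03-02 14:06:01 DROP UDP 203.0.113.17:1281 -> 198.51.100.9:1434
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Illustrative thresholds (assumptions, not figures from the thread): a few dropped
# packets a minute is scanner/worm noise; a flood is hundreds per second from many hosts.
DDOS_MIN_PPS = 100.0
DDOS_MIN_SOURCES = 20


def parse_log(text):
    """Return one dict per DROP line (keys: ts, proto, src, sport, dst, dport)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def group_by_source(events):
    """Step 1 of Danelope's procedure: which source IPs appear, and how often."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return dict(by_src)


def traffic_profile(events):
    """malphigian's question: a real flood, or just the background noise of the Internet?"""
    if not events:
        return {"distinct_sources": 0, "packets_per_second": 0.0, "verdict": "no traffic"}
    fmt = "%Y-%m-%d %H:%M:%S"
    stamps = sorted(datetime.strptime(e["ts"], fmt) for e in events)
    span = max(1.0, (stamps[-1] - stamps[0]).total_seconds())
    pps = len(events) / span
    sources = len({e["src"] for e in events})
    flood = pps >= DDOS_MIN_PPS and sources >= DDOS_MIN_SOURCES
    return {"distinct_sources": sources, "packets_per_second": pps,
            "verdict": "ddos-like" if flood else "background noise"}


def whois_query(ip, server="whois.arin.net", port=43, timeout=10):
    """Step 2: RFC 3912 WHOIS over plain TCP/43. Requires network access, so the
    stand-alone run below does not call it; look for an abuse@ contact in the reply."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((ip + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def draft_abuse_report(my_ip, src, samples, max_samples=3):
    """Step 3: a polite report carrying the four items Danelope calls mandatory:
    your IP, the attacking IP, sample log lines, and the date/time of the attack."""
    samples = sorted(samples, key=lambda e: e["ts"])
    first, last = samples[0]["ts"], samples[-1]["ts"]
    excerpt = "\n".join(
        f"  {e['ts']} {e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}"
        for e in samples[:max_samples]
    )
    return (
        f"Subject: Unwanted traffic from {src} towards {my_ip}\n\n"
        f"Hello,\n\n"
        f"A host in your network, {src}, has been sending unsolicited traffic to my "
        f"address {my_ip} between {first} and {last} (times as logged by my router). "
        f"It is most likely infected rather than acting deliberately. "
        f"Sample firewall log entries:\n\n{excerpt}\n\n"
        f"Could you please check the machine and let me know if you need more detail?\n\n"
        f"Regards"
    )


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(traffic_profile(events))
    groups = group_by_source(events)
    for src, hits in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"{src}: {len(hits)} drops")
    top_src, top_hits = max(groups.items(), key=lambda kv: len(kv[1]))
    print(draft_abuse_report("198.51.100.9", top_src, top_hits))
```

On the six constructed lines the profile comes out as three sources at a fraction of a packet per second, which is exactly the scanner-and-worm noise malphigian describes; the report is only worth sending for the repeat offender (203.0.113.17), which is also where Danelope's "thousands of IP addresses" warning bites: rank sources by count and report the top few, not every one.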