Hello, I need some help against DDoS

20 replies to this topic

#1 Meephz

Meephz

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Brazil
  • Local time:10:54 PM

Posted 28 September 2016 - 11:33 AM

Hello. I've been constantly receiving DDoS attacks in the past few days and I didn't know very well how to deal with it. So, I downloaded Glasswire and I figured out that it was really a DDoS attack, since when my connection drops I see a list with more than 500 IP addresses. Well, the weird part of this is that yesterday, minutes before the attacks started again, I could see a "friend's" IP address in this same process where all the others are shown. I would never imagine that he could do it, because he doesn't even have a reason to attack me, but when I looked at the old logs I saw one more IP address from his city/house. Is there any chance that he is attacking me?

 

I already verified my computer with Malwarebytes, RogueKiller and other programs, and no virus was detected. When the attacks started, Malwarebytes started to block a lot of websites. I don't download any programs or files from untrusted sources, so there is no chance of my PC being infected.

 

"Processo de host para serviços do windows" = host process for windows services or something like that.

Screenshots: http://imgur.com/a/h9H8H

 

 

Sorry for my bad English :D


Edited by Meephz, 28 September 2016 - 11:35 AM.

#2 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1
  • Local time:06:54 PM

Posted 28 September 2016 - 12:06 PM

To find out if someone is really attacking you, download Wireshark, close everything internet-related, and then run Wireshark; you should just see your router talking to the other machines on the network, e.g. "who has..... Tell..".

 

I'd also recommend finding the other devices on your network and turning them off or disconnecting them from your network to make sure it IS your machine and not any of the other devices.


    IT Auditor & Security Professional



#3 Meephz

Meephz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Brazil
  • Local time:10:54 PM

Posted 28 September 2016 - 03:37 PM

But how could I know which IP is sending attacks? Will it appear in red? I really don't know how Wireshark works =/

 

I see a few IPs in the Glasswire firewall (scan-03k.shadowserver.org, unassigned.psychz.net and blase-server.leasevps.com) under the tab "host process for windows services".

 

Also, my ISP uses UTP (Cat 7a) and PPPoE for the connection, so it is "normal" that other computers appear on my "network".

 

Again, sorry for my bad English.



#4 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1
  • Local time:06:54 PM

Posted 28 September 2016 - 03:44 PM

No Worries!

 

That's where the time-consuming part comes in: once you run Wireshark for about 4-5 minutes (that should be enough if it is constant),

you will need to check each IP (minus yours) to see which one of them is really constant; normally your router will talk to the devices every 5 seconds roughly.

 

If someone is DDoSing you, then the only IP that would show up would be the same one over and over and over again. (Basically, I do not want to go into too much detail so as not to confuse you.)




#5 Meephz

Meephz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Brazil
  • Local time:10:54 PM

Posted 28 September 2016 - 04:01 PM

Ok, thanks for helping me!

 

I'll wait and check when those attacks start again, thanks for all! I'll be back here soon as I get something.



#6 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1
  • Local time:06:54 PM

Posted 28 September 2016 - 04:02 PM

No Problem, we will be here!




#7 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  • Gender:Male
  • Location:United States, Delaware
  • Local time:09:54 PM

Posted 29 September 2016 - 02:22 PM

> If someone is DDoSing you, then the only IP that would show up would be the same one over and over and over again. (Basically, I do not want to go into too much detail so as not to confuse you.)

If it was a straight DoS (Denial of Service) attack, then only one IP would show up in Wireshark. But if it is a true DDoS (Distributed Denial of Service) attack, as the OP has specified, Wireshark should show anywhere from 2+ IP sources.

 

Either way, as Viper has said you should be able to tell fairly easily as you will see the same IP(s) over and over again during the duration of the attack.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:54 AM

Posted 29 September 2016 - 02:40 PM

The OP will only see the packets of the (D)DoS if the computer has a public IP address, or if the router forwards ports to the computer.

If the computer has a private IP address, then it's most likely that the router is blocking all those incoming packets (and then that's where the congestion happens).

 

If the (D)DoS is done with UDP, ICMP packets or with TCP SYN packets, then the source IP address can easily be spoofed. In that case, different source IP addresses don't necessarily mean DDoS.

 

When in Wireshark, go to Statistics/Endpoints and select the IPv4 and IPv6 tabs and sort descending by number of packets.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  • Gender:Male
  • Location:United States, Delaware
  • Local time:09:54 PM

Posted 29 September 2016 - 02:48 PM

Very true on all points there DS.




#10 Meephz

Meephz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Brazil
  • Local time:10:54 PM

Posted 29 September 2016 - 03:18 PM

Viper_Security is helping me by message, thank you all!

 

I will try to summarize what happened today: their technician came to the house and did some tests, said he could not fix it and that I would have to talk to the supervisor, but every time I go there they say they will send another technician here to check; basically they are passing the problem to each other!

 

Talking with the technician, I said that if they don't resolve this soon, I would redirect everything to them, so they would be forced to fix it.

My doubt now is the following: is that even possible? If I get this attack again, how do I redirect it to my provider?

 

@Didier Stevens

Here?


 

Searching Google I found a topic in a forum that featured a command to "stop" this; will it work?

The command I used is this: netsh firewall set icmpsetting 8 disable

 

Thank you very much to all who are helping me!


Edited by Meephz, 29 September 2016 - 03:22 PM.


#11 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1
  • Local time:06:54 PM

Posted 29 September 2016 - 04:01 PM

He has sent me the Wireshark capture file and it is a DoS type attack. If he is willing to send other people the file, this is the filter you would need:

 

 
tcp.flags.syn==1 && tcp.flags.ack==0

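Didier Stevens' advice above (Statistics > Endpoints, sorted descending by packets) and the display filter `tcp.flags.syn==1 && tcp.flags.ack==0` quoted in this post are the two checks a reader would run on such a capture. The script below is an added example, not code from any poster in this thread: it reproduces both checks in plain Python over a constructed in-memory packet list (documentation addresses from RFC 5737, no real traffic), so it can be run without Wireshark or a capture file. The `Packet` record, `build_sample_capture`, and the per-second bucketing are assumptions of this example, not Wireshark's data model; it also reports, per source, the peak bare-SYN count in any one-second window, which is what the "packets per second" figure in the later replies refers to.

```python
from collections import Counter, defaultdict
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    """Minimal stand-in for one captured frame (constructed for this example)."""
    ts: float     # capture timestamp in seconds
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "TCP" or "UDP" in this sample
    syn: bool     # TCP SYN flag (False for non-TCP)
    ack: bool     # TCP ACK flag (False for non-TCP)


PC = "192.0.2.10"          # the home PC being analysed (constructed address)
ROUTER = "203.0.113.1"     # the home router (constructed address)
WEB = "198.51.100.80"      # a normal web server (constructed address)
FLOODER = "198.51.100.7"   # single source sending bare SYNs (constructed address)


def build_sample_capture() -> List[Packet]:
    """Constructed capture: router chatter, one normal handshake, one SYN flood,
    plus a handful of low-volume sources. No real traffic was recorded."""
    pkts: List[Packet] = []
    # Router "talking" to the PC roughly every 5 seconds, as described in the thread.
    for t in range(0, 30, 5):
        pkts.append(Packet(float(t), ROUTER, PC, "UDP", False, False))
    # A normal TCP handshake and one data segment: SYN, SYN-ACK, ACK, data.
    pkts += [
        Packet(1.00, PC, WEB, "TCP", True, False),
        Packet(1.05, WEB, PC, "TCP", True, True),
        Packet(1.10, PC, WEB, "TCP", False, True),
        Packet(1.20, WEB, PC, "TCP", False, True),
    ]
    # Flood: one source sends 40 bare SYNs per second for 10 seconds (t = 10..19).
    for sec in range(10, 20):
        for i in range(40):
            pkts.append(Packet(sec + i / 40, FLOODER, PC, "TCP", True, False))
    # Five distinct sources with two bare SYNs each; distinct addresses alone
    # do not prove a distributed attack, since SYN sources can be spoofed.
    for n in range(5):
        for i in range(2):
            pkts.append(Packet(12.0 + n + i * 0.3, f"198.51.100.{100 + n}", PC, "TCP", True, False))
    return sorted(pkts, key=lambda p: p.ts)


def endpoint_counts(packets: List[Packet]) -> List[Tuple[str, int]]:
    """Packets per IPv4 endpoint, descending: the same view as Wireshark's
    Statistics > Endpoints sorted by Packets. Each packet counts once for its
    source and once for its destination, so the analysed PC tops the list."""
    counts: Counter = Counter()
    for p in packets:
        counts[p.src] += 1
        counts[p.dst] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def syn_without_ack(packets: List[Packet], to_ip: Optional[str] = None) -> List[Packet]:
    """Equivalent of the display filter tcp.flags.syn==1 && tcp.flags.ack==0,
    optionally restricted to packets addressed to one host (inbound SYNs only)."""
    return [p for p in packets
            if p.proto == "TCP" and p.syn and not p.ack
            and (to_ip is None or p.dst == to_ip)]


def syn_sources(packets: List[Packet], to_ip: str) -> List[Tuple[str, int, int]]:
    """Per source address: total bare SYNs sent to to_ip and the peak number
    seen in any single one-second bucket (a packets-per-second estimate)."""
    total: Counter = Counter()
    per_second = defaultdict(Counter)
    for p in syn_without_ack(packets, to_ip):
        total[p.src] += 1
        per_second[p.src][int(p.ts)] += 1
    rows = [(src, total[src], max(per_second[src].values())) for src in total]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    capture = build_sample_capture()
    print("Endpoints by packet count (own address first, as in Wireshark):")
    for ip, n in endpoint_counts(capture)[:5]:
        print(f"  {ip:16} {n}")
    print("\nBare SYN senders towards the PC (total, peak per second):")
    for src, n, peak in syn_sources(capture, PC):
        print(f"  {src:16} {n:5} {peak:4}/s")
```

Reading the output the way the thread suggests: `endpoint_counts` puts the analysed host first, then the address that appears "over and over"; `syn_sources` separates one source sending hundreds of bare SYNs from several sources sending a couple each. Neither function can tell a spoofed source from a real one, which is the caveat raised earlier in the thread, so the per-source rows are evidence to hand to the ISP, not proof of who is behind an address.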


#12 technonymous

technonymous

  • Members
  • 2,490 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:54 PM

Posted 29 September 2016 - 04:23 PM

If you do a lot of P2P torrent file sharing or host games, things like that, you're going to see a lot of incoming traffic. Doing stuff like that, it can take weeks, even months, to die down. There are so many hits coming in that it acts like a DDoS. You can force an IP change from your provider to your router by enabling MAC address cloning.



#13 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1
  • Local time:06:54 PM

Posted 29 September 2016 - 04:39 PM

> If you do a lot of P2P torrent file sharing or host games, things like that, you're going to see a lot of incoming traffic. Doing stuff like that, it can take weeks, even months, to die down. There are so many hits coming in that it acts like a DDoS. You can force an IP change from your provider to your router by enabling MAC address cloning.

Agreed, but the same IP is sending anywhere from 1-214 packets per second.




#14 technonymous

technonymous

  • Members
  • 2,490 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:54 PM

Posted 30 September 2016 - 06:54 AM

 

> > If you do a lot of P2P torrent file sharing or host games, things like that, you're going to see a lot of incoming traffic. Doing stuff like that, it can take weeks, even months, to die down. There are so many hits coming in that it acts like a DDoS. You can force an IP change from your provider to your router by enabling MAC address cloning.
>
> Agreed, but the same IP is sending anywhere from 1-214 packets per second.

 

That IP is probably originating from one of the OP's game servers like Steam. Has anyone done a thorough whois search on the culprit IP? The OP clearly has Steam and other games as shown in the picture posted. If the OP has hosted a public server I am certain that's the cause.

 

If you host a game on Steam and you become a Public server hosting a popular game, then Steam will forward every time a person loads that game. I have seen this happen more than once. You never want to host a public popular game on your private network for this very reason alone. Instead buy/lease a game server rack.



#15 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  • Gender:Male
  • Location:127.0.0.1
  • Local time:06:54 PM

Posted 30 September 2016 - 10:24 AM

Yes, I have. For about 6 hours yesterday I was looking through the Wireshark log and checking IPs.

 

And it's his ISP that is getting DoS'd from Shadowserver.

 

Either that, or his ISP is doing it and not telling him; but the whois for the IP that showed up second most was his ISP. Have other people in your city experienced "bogginess"?


Edited by Viper_Security, 30 September 2016 - 11:48 AM.
