Unofficial empeg BBS


#371322 - 16/10/2018 04:28 Inbound traffic analysis
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
Hi everybody. This is outside my experience so I'm coming to you brilliant folks. A family friend came to me with a problem that's been plaguing them for a while now. They have regular internet outages, and apparently their logs show repeated inbound traffic requests over short periods of time. I've looked at the logs but I honestly don't understand what I'm looking at. I also don't quite see anything extreme. The homeowners have received new routers from Verizon FiOS, have made sure they've received a new IP, but the problem keeps happening.

The husband apparently took his laptop to China so they're thinking it could be that. I have no idea. They also have a Savant AV and automation system in the house, but their support people say it's not their equipment.

Any advice on how to figure out what's happening? I could share the logs from the FiOS router that they sent me, but I'd prefer to private message.
_________________________
Matt

#371323 - 16/10/2018 06:40 Re: Inbound traffic analysis [Re: Dignan]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
You'll need to define "repeated inbound traffic requests" a bit better most likely.

Any publicly routable IP on the internet will regularly get bots, crawlers, script kiddies etc looking for open systems. They'll try all the usual ports, usernames/passwords etc.

A huge majority of home internet connections simply use a NAT type device which in effect is also a basic firewall (yes, lots of people will say it's not a firewall) as it won't allow any connections in unless something like a port forward is created to an internal device or an internal device uses UPnP to create one.

So just make sure nothing is open on the internet side of the router, have decent virus/malware scanners on PCs and you should be pretty right. Make sure any web interfaces to the router are only accessible from the inside or have secure passwords and preferably secure (HTTPS/SSL type) connections.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#371325 - 16/10/2018 15:03 Re: Inbound traffic analysis [Re: Dignan]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
You’re looking for intrusion detection software.
https://en.wikipedia.org/wiki/Intrusion_detection_system

I haven’t looked into this market in several years, but before it was EOL’d I used Black Ice Defender. I don’t know if anyone else has made software to fill the gap it left behind: it was simple to use and understand even for non professionals, yet it still gave incredible detail of each intrusion attempt and took active steps to block them.
_________________________
Tony Fabris

#371329 - 16/10/2018 20:53 Re: Inbound traffic analysis [Re: Dignan]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
Thanks guys.

Christian, everything you described is what I've always thought. From what these people are describing to me, they seem to think they have the equivalent of a DDOS. None of the incoming connections are getting through, but they seem to be shutting down the connection.

Tony, looks like Black Ice doesn't exist anymore. Any ideas what the current favorite is?


Edited by Dignan (16/10/2018 20:53)
_________________________
Matt

#371331 - 16/10/2018 21:00 Re: Inbound traffic analysis [Re: Dignan]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Wasn't there some BIG NEWS many months back about a common hack that nearly all consumer gateway gear (aka "modems") is vulnerable to, whereby they are easily subjected to DDOS attacks?

Or maybe it was only in such gear which uses a chipset from a specific manufacturer?

#371335 - 17/10/2018 02:52 Re: Inbound traffic analysis [Re: Dignan]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
If they're truly getting DOSed (not necessarily DDOS) then a firewall can't do all that much anyway. It needs to be handled by upstream devices.

Does their router have any ability to show current traffic in/out? Is it possible a device like the laptop is infected and creating large amounts of outgoing traffic (e.g. spam) which might present itself as the internet going down?
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

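Christian's two replies make the same practical point: "repeated inbound traffic requests" only means something once you count who is connecting, how fast, and whether anything actually got through. The script below is an added example, not code from this thread or from any router vendor: it parses firewall log lines in a generic iptables/syslog style (an assumption; the FiOS router's real format will differ, so `LINE_RE` has to be adapted), then reports the top sources, any ACCEPTed inbound connection (which would mean a port is open or forwarded), and the busiest 10-second window, so that ordinary background scanning can be told apart from a flood. The sample lines and the flood burst are constructed, use documentation/benchmark address ranges, and the `window_seconds` and `flood_threshold` values are arbitrary assumptions to tune against the real logs.

```python
"""Summarise a router firewall log: background scanning vs a flood, and anything let in."""
import re
from collections import Counter
from datetime import datetime

# Generic iptables/syslog-style line (assumed format, adapt to the real router log).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: \[(?P<chain>[^\]]+)\] "
    r"(?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

# Constructed sample: a typical quiet hour, a few scanners plus one ACCEPTed inbound hit.
BACKGROUND = """\
Oct 16 04:01:02 gw kernel: [WAN-IN] DROP SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=23
Oct 16 04:01:09 gw kernel: [WAN-IN] DROP SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=41001 DPT=22
Oct 16 04:03:40 gw kernel: [WAN-IN] DROP SRC=198.51.100.99 DST=198.51.100.20 PROTO=UDP SPT=5555 DPT=5060
Oct 16 04:10:00 gw kernel: [WAN-IN] ACCEPT SRC=192.0.2.33 DST=198.51.100.20 PROTO=TCP SPT=50000 DPT=8080
Oct 16 04:15:21 gw kernel: [WAN-IN] DROP SRC=203.0.113.8 DST=198.51.100.20 PROTO=TCP SPT=6000 DPT=3389
""".splitlines()


def constructed_flood(n=300):
    """Constructed burst: n dropped SYNs from n distinct sources inside 5 seconds."""
    return [
        f"Oct 16 04:20:{i * 5 // n:02d} gw kernel: [WAN-IN] DROP "
        f"SRC=198.18.{i // 256}.{i % 256} DST=198.51.100.20 PROTO=TCP SPT=40000 DPT=80"
        for i in range(n)
    ]


def parse_line(line, year=2018):
    """Return a dict for a recognised firewall line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "chain": m["chain"], "action": m["action"], "src": m["src"],
            "proto": m["proto"], "dpt": int(m["dpt"]) if m["dpt"] else None}


def summarize(lines, window_seconds=10, flood_threshold=100):
    """Aggregate parsed events; thresholds are assumptions to tune against real logs."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = Counter(e["src"] for e in events)
    # Anything ACCEPTed on the WAN side means a port is reachable from the internet.
    accepted = sorted({(e["src"], e["dpt"]) for e in events if e["action"] == "ACCEPT"})
    # Sliding window over time-sorted events to find the busiest window_seconds span.
    events.sort(key=lambda e: e["ts"])
    peak, peak_srcs, start = 0, 0, 0
    for end in range(len(events)):
        while (events[end]["ts"] - events[start]["ts"]).total_seconds() >= window_seconds:
            start += 1
        if end - start + 1 > peak:
            peak = end - start + 1
            peak_srcs = len({e["src"] for e in events[start:end + 1]})
    verdict = "flood" if peak >= flood_threshold else "background scanning"
    return {"events": len(events), "top_sources": by_src.most_common(3),
            "accepted_inbound": accepted, "peak_window_events": peak,
            "peak_window_sources": peak_srcs, "verdict": verdict}


if __name__ == "__main__":
    for label, lines in (("quiet hour", BACKGROUND), ("with burst", BACKGROUND + constructed_flood())):
        print(label, summarize(lines))
```

Run it against the real export by replacing `BACKGROUND` with the file's lines; a non-empty `accepted_inbound` list is the first thing to chase (a port forward or UPnP mapping nobody remembers creating), while a high `peak_window_events` from many `peak_window_sources` looks like the DoS case Christian describes, which the home router cannot absorb and the ISP has to filter upstream.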
#371337 - 17/10/2018 12:49 Re: Inbound traffic analysis [Re: Dignan]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
I seem to recall that the widespread DDOS vulnerability was due to too long of a "connection timeout" setting in the (Linux) firmware of those devices. If one has shell access, it is easily "fixed" until the next power cycle.

So.. not always needing an upstream fix, but, yeah.
