What to do if I suspect a DoS attack?

Status
Not open for further replies.
Joined
Oct 17, 2012
Messages
9,781 (2.32/day)
Location
Massachusetts
System Name Americas cure is the death of Social Justice & Political Correctness
Processor i7-11700K
Motherboard Asrock Z590 Extreme wifi 6E
Cooling Noctua NH-U12A
Memory 32GB Corsair RGB fancy boi 5000
Video Card(s) RTX 3090 Reference
Storage Samsung 970 Evo 1Tb + Samsung 970 Evo 500Gb
Display(s) Dell - 27" LED QHD G-SYNC x2
Case Fractal Design Meshify-C
Audio Device(s) on board
Power Supply Seasonic Focus+ Gold 1000 Watt
Mouse Logitech G502 spectrum
Keyboard AZIO MGK-1 RGB (Kaith Blue)
Software Win 10 Professional 64 bit
Benchmark Scores the MLGeesiest
Hello.

One of the kids came to me shortly ago, saying that someone on Xbox was DDoS'ing them. I don't know how to really verify this other than going into my router logs and checking the activity and communication to my router. I looked and I saw nothing out of the ordinary, so I have a couple of different questions.

1- How to confirm or deny?
2- How to stop?
3- How to report?
4- Wouldn't other devices on the same network suffer interruptions?

Thanks in advance.

Also, this is a 16 1/2-year-old kid, and he's pretty savvy with computers, so I'm inclined to believe him. He said that someone threatened to do it, and then moments later he was booted offline, which happened more than once.

Any help would be appreciated.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,894 (3.79/day)
Location
Alabama
System Name Rocinante
Processor I9 14900KS
Motherboard EVGA z690 Dark KINGPIN (modded BIOS)
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
Does he use Skype, or another software to communicate with these people? Generally this can go pretty deep into router speed and throughput. Thankfully this is just Xbox Live and he is probably using LOIC or another similar tool to just boot you off long enough. Honestly, a firewall rule is something you would need to maintain. Since the match is over, your kid will probably never see them again.

Honestly, in this case the most effective option, in case he is still doing it for "the lols", is to just unplug your actual modem so the ISP issues you a new external IP address.

The heart of the problem is how he gets your connection info. Generally, this is via Skype or similar. Some VoIP tools, to help with quality and lag time, make direct connections to the target to improve audio. It is all too simple to see the active connections on your PC via command prompt.

Once an IP is had, using a tool like LOIC or another DoS client will take the target down, assuming the upload speed is higher than the target's download, or the router is too weak for the simultaneous connections.
 
Joined
Oct 17, 2012
> Does he use Skype, or another software to communicate with these people?

He said he was "kicked out of a party"?

Edit
It was on Xbox Live and it was an Xbox party.

> Does he use Skype, or another software to communicate with these people? Generally this can go pretty deep into router speed and throughput. Thankfully this is just Xbox Live and he is probably using LOIC or another similar tool to just boot you off long enough. Honestly, a firewall rule is something you would need to maintain. Since the match is over, your kid will probably never see them again.
>
> Honestly, in this case the most effective option, in case he is still doing it for "the lols", is to just unplug your actual modem so the ISP issues you a new external IP address.
>
> The heart of the problem is how he gets your connection info. Generally, this is via Skype or similar. Some VoIP tools, to help with quality and lag time, make direct connections to the target to improve audio. It is all too simple to see the active connections on your PC via command prompt.
>
> Once an IP is had, using a tool like LOIC or another DoS client will take the target down, assuming the upload speed is higher than the target's download, or the router is too weak for the simultaneous connections.

I'm guessing "DoS protection" is of no use?
 

Solaris17

> He said he was "kicked out of a party"?
>
> Edit
> It was on Xbox Live and it was an Xbox party.

He is probably using a tool to track connections to his Xbox, thus grabbing your son's IP. This is painfully easy. Tell your son to block him first and foremost. Then just unplug your modem (check your IP first with whatsmyip) for a few min so your ISP rotates it. Then check to see if it has changed.

> I'm guessing "DoS protection" is of no use?

Not generally. Without getting way too deep, the only real-life DoS protection is having a better (faster) connection than your attacker, or filtering on the ISP level. Things like router DoS protection are generally pretty bad. They "identify" "malicious or spam" packets and drop them. The issue with this is that the packets are STILL being delivered to your line, thus saturating it, only now the router CPU is more loaded (far more loaded depending on the attack freq). Sometimes on weak routers this makes it far worse because they are underpowered.
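One way to check the saturation point made in the reply above, as an added example that is not part of the original thread: compare two snapshots of the WAN interface counters against the line's downlink speed. It assumes a Linux-based router that exposes `/proc/net/dev`; the interface name, counter values, 50 Mbps downlink and 90% threshold are constructed for illustration.

```python
# Added example: estimate inbound load from two /proc/net/dev snapshots.
# Constructed WAN-interface lines, taken 10 seconds apart (values are made up).
# Receive columns: bytes packets errs drop fifo frame compressed multicast
SNAP_T0 = "  eth0: 4294000000 9000000 0 0 0 0 0 0 120000000 800000 0 0 0 0 0 0"
SNAP_T1 = "  eth0:   61032704 9104000 0 5200 0 0 0 0 120050000 800400 0 0 0 0 0 0"

COUNTER_BITS = 32  # assumption: 32-bit counters, as on older 32-bit kernels


def parse_rx(line):
    """Return (iface, rx_bytes, rx_packets, rx_drop) from one /proc/net/dev line."""
    iface, fields = line.split(":", 1)
    cols = [int(v) for v in fields.split()]
    return iface.strip(), cols[0], cols[1], cols[3]


def delta(new, old, bits=COUNTER_BITS):
    """Counter difference that stays correct across one counter wrap."""
    return (new - old) % (1 << bits)


def inbound_load(t0_line, t1_line, seconds, downlink_mbps):
    """Summarise inbound traffic between two snapshots against line capacity."""
    _, b0, p0, d0 = parse_rx(t0_line)
    iface, b1, p1, d1 = parse_rx(t1_line)
    mbps = delta(b1, b0) * 8 / seconds / 1e6
    return {
        "iface": iface,
        "mbps": round(mbps, 1),
        "pps": delta(p1, p0) // seconds,
        # Drops counted on the interface: the traffic still arrived on the line.
        "dropped": delta(d1, d0),
        "utilisation": round(mbps / downlink_mbps, 2),
        # Hypothetical threshold: treat 90% of the downlink as saturated.
        "saturated": mbps >= 0.9 * downlink_mbps,
    }


if __name__ == "__main__":
    print(inbound_load(SNAP_T0, SNAP_T1, seconds=10, downlink_mbps=50))
```

A pair of snapshots taken during normal play gives the baseline to compare against. Inbound traffic near line rate during a dropout, with the drop counter rising, matches the picture in the reply: the router discards packets, but the link is already full.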
 
Joined
Oct 17, 2012
> He is probably using a tool to track connections to his Xbox, thus grabbing your son's IP. This is painfully easy. Tell your son to block him first and foremost. Then just unplug your modem (check your IP first with whatsmyip) for a few min so your ISP rotates it. Then check to see if it has changed.

Will do.

Apparently it's on "Fortnite", a game on Xbox Live. He said it is only interrupted for a second or so, then he's right back, so basically an inconvenience at most. I told him to block the person, and I would update the external IP.

Thank you.

Edit
I don't know if it makes it worse, but I use a dynamic DNS client as well. Is that something that I should disable? I run an AC66U, so the CPU is pretty weak; maybe killing DoS protection would be best?
 

Solaris17

I'd probably disable it, it just eats CPU cycles. DNS won't have anything to do with it. That's only for internal clients looking OUT for something, not the connections coming in, so you can leave that as is if it does what you want/need it to.
 
Joined
Oct 17, 2012
> I'd probably disable it, it just eats CPU cycles. DNS won't have anything to do with it. That's only for internal clients looking OUT for something, not the connections coming in, so you can leave that as is if it does what you want/need it to.

Apparently updating the WAN IP isn't like it used to be. I used to be able to switch the MAC address of the router, and I'd get a new IP, but I just tried it and nope, it recognized it was the same device and it left the same IP. Tried power cycling too, and nope, same WAN IP. Looks like it will keep this one.
 
Solaris17

> Apparently updating the WAN IP isn't like it used to be. I used to be able to switch the MAC address of the router, and I'd get a new IP, but I just tried it and nope, it recognized it was the same device and it left the same IP. Tried power cycling too, and nope, same WAN IP. Looks like it will keep this one.

It may need to be off for some time. It greatly depends on the ISP, but the lease time is generally per hour or per 24 hours (generally on the :00 or at midnight). You can try having it unplugged just before the turn of an hour and, after several minutes (think 10 past), plug it back in. By this time the ISP distribution routers will see that the lease has been broken and put that address back in the pool. When your router comes back online it will request an IP and the distribution router will issue a new one.

If this method doesn't work, there are two other instances.

You can either leave it unplugged overnight. This will generally guarantee a re-issue.

Or finally, it's actually a pretty easy thing to do: just call your ISP and tell them you would like to "break the lease" on your modem. The people will be like "what?" Repeat it to the intern until they reset your box, or hang up and call again and say the same thing. I have to do this when I change physical modems and replace ISP routers with 3rd party ones. It's a support request that takes just minutes and most phone reps are well versed in.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.58/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
Restart your modem to get a fresh IP, then put the Xbox on a VPN/time limit.
 

Cerawy

New Member
Joined
Apr 25, 2018
Messages
2 (0.00/day)
Location
United Kingdom
First contact the hosting provider. If your organization hosts the network or Internet service that is under attack, first take measures to contain or dampen the attack. Next, call the service provider that provides Internet access for your network. Most hosting providers and ISPs post emergency contacts on their web sites and many include at least general contact numbers on bills.

If you only have a general contact number, explain that you are under attack and ask the customer care agent to escalate (forward) your call to operations staff with the ability and authority to investigate.

Traffic associated with a single DDoS attack may originate from hundreds or thousands of attack sources. In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest).
 
Joined
Oct 17, 2012
It seems the issue is no longer a problem. I had him follow Solaris' advice & since that night he's never complained again.
 