DoS attacks! Need your help as BT aren't any...

hi all

I am having a frustrating time with BT.
I have been subject to denial of service attacks every evening since about June (even when not online I can see the router activity light flashing madly!)
With each one I look up the IP in the logs, check against whois/ripe.net etc & forward the logs and details (if they are a BT customer) to the BT Security team.
They take the form of smurf, syn flood and land.
I understand the smurf is hard to combat, the syn flood I think I have combatted with a registry edit.
The land ones are the most commonplace.
Unfortunately with the nature of these BT have already suspended my account once as I looked to be the perpetrator (even tho I was the victim)!
Anyway I have spoken with BT a while ago when my account was suspended and they said as a private customer I should not be subject to these.
I don't even have a home network per se I just have 2 (Winxp) laptops sharing a wireless internet connection with a Belkin router (latest firmware etc).
BT advised me to keep submitting my security logs but as I tried to explain to them today they are spoofed IPs not the perpetrator, hence them suspending my account when they saw my IP in a log!
It could take forever to track them down surely?

The security team just have no technical savvy and can only recommend I sign up for their ppm technical support.
I don't think this is reasonable as I do not have the problem, their infrastructure has the problem surely?

Or am I being naive?

Seems to me the problem may be something like ingress filtering but is that not something in BT's remit?

Anyway if I could resolve the Land attacks that would be a step in the right direction :) .

I have all the latest patches, mac address filtering, ICMP ping block, hijack this, Nod32 scan, zone alarm firewall blah blah blah etc etc, think I've tried as much as I can?

Should I keep pursuing BT for some action?

Apologies for the long post just wanted to make sure I covered everything.

Any help or experience anyone can pass on would be really greatly appreciated?

Bionic desperate Dad



Comments

  • gomer
    Silly question but have you considered leaving BT?
  • gomer wrote: »
    Silly question but have you considered leaving BT?

    no, that's a good question - well personally I don't see why I should leave and have all the inconvenience because they are incompetent, and all I hear is horror stories about Virgin et al (ok they are cable companies). Also forgot to mention that I live with my in-laws and the account is in their name, as when we moved in with them we couldn't transfer the account and we hope to move out in next 3 - 4 months.

    So it has crossed my mind - but better the devil I guess...

    Can you recommend a good alternative...?
  • Just a thought - Are you sure your system is clean?

    Have you tried MalwareBytes or running an ADS scan from within Hijack this?
  • aliEnRIK
    Sounds to me like you've done all you can mate.
    Have you tried peer guardian?
    Are you sure the router's set right?

    It sounds to me like someone local is attacking it! Try changing the ip address, wep key and router log ons etc.
    :idea:
  • thanks guys trying all of those as we speak... appreciate the advice

    I have reset the router and changed wep key, admin pwd, changed dns, router IP etc

    checked all settings, am running malwarebytes as I type, just waiting for peerguardian to download but obv with the router running at full pelt just to stay connected it may take some time? :(


  • d.edna
    Change the WEP key, (Assuming you did secure the network)
    Unplug the router for 15 minutes so BT release the IP into the pool of IPs and assign you another one, so the IP is one not being attacked

    Go on the router and block all incoming requests. Also it does seem you have a dirty system, sometimes the free cleaners (For the exception of one maybe two) are crap for this sort of thing. Personally until this issue is resolved try using AVG's demo.

    Your firmware might be outdated is it the official BT firmware or the Belkin one? Could you try another router (Generic none service connected one) and set it up for BT etc. Maybe the firmware could have a security loophole.
  • Do you have the option of using WPA instead of WEP, as WEP provides an extremely low and misleading illusion of security.
  • JOel_2
    You would have probably had three or four different IP addresses assigned to that router, if not more, since June, so it's strange that it's still happening

    I guess the logs look something like:
    Thu Oct 21 19:23:06 2008 1 Blocked by DoS protection <ipaddress> ?

    If they are showing up in the Belkin logs, it's something on the WAN side, not wireless, as there is only DoS protection on the WAN side.

    I know some Belkin routers have an over-zealous approach to DoS filtering, and chew up tons of logs about this kind of stuff. Have you tried another router to see if the problem goes away? I know of several cases where Belkin routers have had this problem, when really, a lot of the traffic is general internet "noise" (Port Scans, DHCP broadcasts etc).

    I'd try, in the following order:

    1. Note down the current WAN IP of the router, power down the router overnight, or if possible, leave it off for a couple of days. Power it on, check the WAN IP, if the IP is different, and you still have a problem, I'd be pretty certain it isn't a DoS attack.

    2. If 1. doesn't fix it, turn off the wireless on the router, plug straight in, and see if the problem is still there.

    3. Make sure the router doesn't have a DMZ zone enabled, as this can sometimes be an issue on Belkins.

    4. Beg / steal / borrow another router and try it, or even just a plain old USB ADSL modem would do. Alternatively see if you can try it using a friend's connection and set it up on that, and see if they have a problem.

    Let us know how the case continues.

    Joel
    FreeBSD | Microsoft | Linux Nerd
    GNU-PG Key-ID: 0xCBC2F26D
    BSc MBCS MCP
  • hi all thanks for all the advice

    just to answer a few things

    sorry I do have WPA-Pre shared key enabled not WEP (sorry)

    yes the firmware is Belkin latest release

    the speed is still quoted as 54mbps when connected wirelessly but the actual browsing ability is very slow.

    Malwarebytes picked up a Trojan error

    DMZ option is disabled.

    sample log

    10/19/2008 22:40:55 **Smurf** 0.0.0.0->> 192.168.250.3, Type:3, Code:0 (from ATM1 Inbound)
    10/19/2008 22:40:53 192.168.250.3 login success
    10/19/2008 22:40:14 **LAND** 86.140.115.28, 4077->> 86.140.115.28, 32751 (from ATM1 Inbound)
    10/19/2008 22:40:08 **LAND** 86.140.115.28, 4077->> 86.140.115.28, 32751 (from ATM1 Inbound)
    10/19/2008 22:40:05 **LAND** 86.140.115.28, 4077->> 86.140.115.28, 32751 (from ATM1 Inbound)
    10/19/2008 22:39:57 **LAND** 86.140.115.28, 4063->> 86.140.115.28, 32751 (from ATM1 Inbound)
    10/19/2008 22:39:51 **LAND** 86.140.115.28, 4063->> 86.140.115.28, 32751 (from ATM1 Inbound)
    10/19/2008 22:39:48 **LAND** 86.140.115.28, 4063->> 86.140.115.28, 32751 (from ATM1 Inbound)
    10/19/2008 22:39:01 **Smurf** 0.0.0.0->> 192.168.250.3, Type:3, Code:0 (from ATM1 Inbound)
    10/19/2008 22:38:55 **LAND** 86.140.115.28, 4020->> 86.140.115.28, 32751 (from ATM1 Inbound)


    the LAND IP was my address (at the time). The packets are programmed by the perpetrator to have the same IP as the source & destination in the handshake so it tricks the machine into thinking it's sent itself a message (this was the bit BT don't get!)

    I will definitely try a different router, I think I can borrow one - am at home today nursing poorly toddler so may not be top of the priorities for a day or so!

    Will let you know how it all goes - many many thanks again for all the help :)
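
Added example, not part of the original post: a small parser for router alert lines in the format of the sample log above, which counts alerts by type and separates entries whose logged source cannot identify a sender (source equal to the destination, the router's own WAN address, or 0.0.0.0). The function names and the WAN address argument are assumptions made for this illustration; the sample lines are copied from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the log posted above, trimmed to a short sample.
SAMPLE = """\
10/19/2008 22:40:55 **Smurf** 0.0.0.0->> 192.168.250.3, Type:3, Code:0 (from ATM1 Inbound)
10/19/2008 22:40:53 192.168.250.3 login success
10/19/2008 22:40:14 **LAND** 86.140.115.28, 4077->> 86.140.115.28, 32751 (from ATM1 Inbound)
10/19/2008 22:40:08 **LAND** 86.140.115.28, 4077->> 86.140.115.28, 32751 (from ATM1 Inbound)
10/19/2008 22:39:57 **LAND** 86.140.115.28, 4063->> 86.140.115.28, 32751 (from ATM1 Inbound)
10/19/2008 22:38:55 **LAND** 86.140.115.28, 4020->> 86.140.115.28, 32751 (from ATM1 Inbound)
"""

# <date> <time> **KIND** src[, sport]->> dst[, detail] (from IFACE DIRECTION)
ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(?P<kind>\w+)\*\* "
    r"(?P<src>[\d.]+)(?:, (?P<sport>\d+))?->> (?P<dst>[\d.]+)"
    r"(?:, (?P<detail>[^(]+?))? \(from (?P<iface>\w+) (?P<direction>\w+)\)$"
)

def parse(text):
    """Return one dict per alert line; other lines (e.g. logins) are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S")
            events.append(e)
    return events

def triage(events, wan_ip):
    """Count alerts by type and split sources into unusable vs. reportable."""
    report = {"counts": Counter(e["kind"] for e in events),
              "unattributable": 0, "report_sources": set()}
    flows = set()
    for e in events:
        if e["kind"] == "LAND":
            flows.add((e["sport"], e["detail"]))  # repeats of one port pair count once
        # A source equal to the destination, our own WAN IP, or 0.0.0.0
        # says nothing about who sent the packet.
        if e["src"] in (wan_ip, e["dst"], "0.0.0.0"):
            report["unattributable"] += 1
        else:
            report["report_sources"].add(e["src"])
    report["land_flows"] = len(flows)
    return report

if __name__ == "__main__":
    print(triage(parse(SAMPLE), wan_ip="86.140.115.28"))
```

On the sample every alert lands in `unattributable`, so the addresses in this log give the ISP nothing to act on beyond the subscriber's own.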

  • Conor_3
    If you are securing your Wifi using WEP, it can be cracked in 30 seconds. Someone I know did this to get free internet.
    Unless you're on a fixed IP or one of your PCs is infected, they're not going to get you all the time every time as your IP address changes when you reconnect the router.
This discussion has been closed.