Someone ping flooded my home modem/router yesterday, bringing it right down and half-bricking the unit.
Are people seriously this bored? And more to the point, are all home modems this vulnerable to attack?
Server: 2.2GHz Athlon 64; 4GB; 2TB; Debian 5 x64
LividEmperor: 3.3GHz i5 2500K; 8GB; 660GB; Ubuntu 10.10 x64 + Windows 7 x64
Netbook1: 1.6GHz Atom; 2GB; 160GB; Ubuntu 10.10 x86
Dogeatdog: 3GHz Phenom II; 3GB; 1TB; Windows 7 x64
Nope, it's a really shoddy Thomson one supplied with the O2 'broadband package'. The firewall section is more just a statement saying 'this router has standard security settings' - literally just that. No configuration, not even a feature list! So I guess it's a blessing in disguise that I'm forced to order a new and much better modem/router.
Edit: never mind. haqking beat me to it.
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
Out of interest:
Why do you assume a DoS anyway?
If the router is that shoddy, I assume it won't even show you logs?
Backtrack - Giving machine guns to monkeys since 2006
Kali-Linux - Adding a grenade launcher to the machine guns since 2013
If the router is not shoddy and is running a Linux variant, then it's possible to prevent abuse of ICMP:
Code:
# Loopback traffic is always allowed
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# Echo-requests are rate limited before the state rule: once a reply has been
# seen, conntrack treats later requests from the same ping as ESTABLISHED,
# so a state rule placed first would let a steady ping stream bypass the limit.
# Accept at most one echo-request per second; drop anything over that.
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -i eth0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
# Replies to connections this host initiated
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
##
##
iptables -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 -j ACCEPT
iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
# Default policy can't use REJECT, so we add these at the end
iptables -A INPUT -j REJECT;   # hack for changing default policy
iptables -A OUTPUT -j REJECT;  # from DROP to REJECT
iptables -A FORWARD -j REJECT; #
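As an added example (not the poster's rules above), the same rate limit with a LOG rule for the excess, plus a small summariser for the resulting kernel log lines, so a flood leaves a record of where it came from. It assumes the WAN interface is eth0 and iptables is installed; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not the poster's rules): throttle echo-requests on the WAN
# side, log the excess, and summarise that log by source address.
# Assumptions: WAN interface eth0, iptables present; set IPT=echo to preview
# the rules without root. The sample log lines below are constructed.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"

icmp_flood_rules() {
    # Echo-requests are handled before any state rule: once a reply has been
    # seen, conntrack classes later requests from the same ping (same ICMP id)
    # as ESTABLISHED, and a state rule placed first would let them bypass the limit.
    # Ordinary diagnostics still get through: 2 requests/s with a burst of 10.
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request \
        -m limit --limit 2/s --limit-burst 10 -j ACCEPT
    # The excess is logged, itself rate limited so the log cannot be flooded.
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request \
        -m limit --limit 6/min -j LOG --log-prefix "ICMP-FLOOD: " --log-level 4
    # Then dropped silently: no reply means no extra traffic back to the sender.
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    # Replies to traffic we started (our own pings, DNS, ...) are always fine.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Summarise the LOG lines (kernel log on stdin) as "count source", busiest
# first, so the top line names the address most of the excess came from.
flood_sources() {
    grep 'ICMP-FLOOD:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG rule writes (documentation addresses).
SAMPLE_LOG='Jul 16 17:42:01 gw kernel: ICMP-FLOOD: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Jul 16 17:42:01 gw kernel: ICMP-FLOOD: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Jul 16 17:42:02 gw kernel: ICMP-FLOOD: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Jul 16 17:42:02 gw kernel: martian source 10.0.0.1 from 192.0.2.5, on dev eth0'

# Address behind most of the logged excess in the sample.
top_flood_source() {
    printf '%s\n' "$SAMPLE_LOG" | flood_sources | head -n 1 | awk '{print $2}'
}

# "sh icmp_flood.sh apply" installs the rules (root); with no argument the
# script only defines the functions so it can be sourced or previewed.
if [ "${1:-}" = "apply" ]; then
    icmp_flood_rules
    printf 'ICMP flood rules installed on %s\n' "$WAN"
fi
```

On a real box, `dmesg | flood_sources` (or the syslog file that receives kernel messages) gives the per-source count after a flood.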
What's the model?
Do you keep a firewall log?
Does your router? Are you sure it was a straight DoS?
Maybe it was a brute-force cracking tool?
A DoS sounds unlikely, but zombies sending out brute-force cracking attempts occur frequently.
Last edited by conradin; July 16th, 2011 at 05:42 PM. Reason: ?
~Conradin~
Yeah, it's an all-in-one. Although the one I've ordered is also all-in-one, as I prefer to have as few transformers plugged in as possible.
The reason they attacked is because I'm running some websites and hosting (for a friend of mine) a Minecraft server. People seem to like bringing down networks hosting game servers for some reason.
Well, there aren't any logs as far as I could tell. Thing is, I reset the router and now I can't log in to it (won't accept anything), so I can't check the 'SuperUser' account (that O2 don't tell you about).
It's definitely a DoS attack; it couldn't be anything else. I was refreshing the Tx and Rx and every second it would go up drastically. After about an hour, 10.9GB of whatever garbage was being sent/requested to/from the modem had gone through.
This sort of configurability is why my dream is to have an ADSL card plugged into my Linux server and use that as a gateway.
The new router, which should come on Tuesday, runs Linux, so I shall see what sorts of tools it includes.
It doesn't have a model / make on it, however according to Windows' network device detection it's a Thomson TG585v7.
The router was the only in-use firewall on the network, and sadly it either didn't log or the logs were somehow hidden.
I think it's most likely some script kiddie running a ready-made DoS attack tool - there are lots, apparently. Fortunately I'm 99% sure it's not DDoS (which no one can really completely prevent aside from ultra-parallel redundant hosting). The most frustrating thing is that I have literally no idea where it was coming from.
I somehow doubt it was a brute-force hacking attempt, as I'm pretty sure the modem doesn't accept any connections from the outside over port 80 or 23 (AFAIK the only ports on which services run that allow you to log in).