I've been getting UDP floods from a user who doesn't like it when I take his nickname on Quakenet IRC (by using an automated script) when that nick goes offline, but it was also stupidity on my part for not hiding my hostmask on Quakenet. When I'm flooded my Internet activity goes dead for minutes.
FTL 2010-12-08T17:00:01Z fw,fwmon src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=6952 UDP Port Scan Detected
ALR 2010-12-08T17:00:01Z fw,fwmon src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=59111 UDP Flood Detected
INF 2010-12-08T17:00:59Z fw,fwmon UDP Flood Ended (occurrence: 2)
Now that my hostmask is hidden, it's still possible whoever is UDP flooding me still knows my IP, so would IDNet allow an IP change if requested?
I really don't know, the problem is that your existing IP could not be recycled for some time at least. Give support a call and see what they can offer.
Thought. Can you identify his IP address? If so, you could make an abuse complaint to his ISP.
No I can't, he's hidden his hostmask on Quakenet, plus he uses a bouncer. All I have is the source IP from the firewall logs (vps01.kazooki.com) which isn't much good I think.
I had a feeling it wouldn't be that simple. :(
Find out who supplies the bouncer and report the abuse to them. They'll kick him off it for misuse. If it's his own bouncer complain to the host of the server it's on.
Yeah problem is I don't have any evidence, I only put 2 and 2 together by seeing that my Internet access got disrupted 2 or 3 times this week and noticing that it only happened shortly after reclaiming the nickname on Quakenet :(
Going to email IDNet now
I think that address is pretty much dead and there is another question here, why would you use his nickname?
Quote from: pctech on Dec 08, 2010, 18:49:12
there is another question here, why would you use his nickname?
Cos I'm fussy, I prefer to use aaron instead of aaron| or aaron_ and the like :) Besides, there is no ownership of nicknames on Quakenet
Quote from: Aaron on Dec 08, 2010, 19:26:28
Cos I'm fussy, I prefer to use aaron instead of aaron| or aaron_ and the like :) Besides, there is no ownership of nicknames on Quakenet
Ok fair enough but I think you may have to bite the bullet (excuse the pun) otherwise it is likely to occur again.
It'll be up to IDNet to decide whether they are happy to lose one of the IPs from their allocation
I used to have the same problem with my name, and my nickname, so I just got a bot and renamed it, and a bouncer for my real name. That irritating Irish lad was a pest no more ;D
Sometimes I'm glad there is only one of me. :D
I always find, if at all possible, it's best to just move on from the "internet" when it tries to attack. It's often got more people, resources and stubbornness than I could ever amount to stop it.
If it was a forum login/paypal/ebay or an imposter on facebook, I'd try and get it sorted though.
It's completely wrong that someone would try and do this to you. I hope they get bored or move on to something else soon.
I was in a position years ago when I still actively used irc, etc to have a mate that hosted his own gaming servers. When people tried to knock users off the net in the previously mentioned way, he'd do it to them and much worse via a data centre :D
Shame he decided that the fuss of running servers wasn't worth it and went back to Uni. Dunno what happened to him actually, I haven't seen him for years now I think about it ;D
Where are you blocking this? Is this router side or what (which would be best)? Is it a single IP or multiple that are targeting you? If it was a single one, I wouldn't imagine it could knock you offline unless it was some serious connection, or you're blocking it in the wrong place.
I've been on IRC for many a year, and while in days of yore the typical next step was to retaliate in a similar way I would not condone it :)
Depends where in the world the person is and in the UK if they are using a LAN or Virgin cable they could make mincemeat of an ADSL connection.
If I'm thinking about this correctly, assuming the packets are being blackholed at the router end (i.e. not using any upstream from the target end), it would require something in excess of the ADSL downstream capacity to really cripple things. So 8M upwards. I guess that's feasible these days.
If an attacker has access to enough upstream bandwidth they can sink any connection which is the thinking behind botnets and the reason companies such as Prolexic came into being, they allocate more and more bandwidth to soak up the traffic and blackhole the illegitimate PING and SYN packets while passing the genuine traffic to the customer servers.
They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.
Quote from: Aaron on Dec 09, 2010, 17:46:23
They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.
My Draytek router has DDOS defence built in and UDP floods are part of that, packet size and timings can be altered to suit. Hosting companies tackle these issues every day.
If an attacker has enough upstream bandwidth though they can overcome any hardware/software DDOS defence.
Quote from: Aaron on Dec 09, 2010, 17:46:23
They replied back and can't spare IP addresses to switch me to another. They did advise that I should make a firewall rule to drop/ignore packets, but to my knowledge this isn't effective is it? Because UDP floods are very much like DDOS'ing and there's no protection against that.
As I was commenting (and pctech confirming), dropping the packets will at least help somewhat. It's just if they have a vast quantity of bandwidth coming your way that even the router cannot handle then things will fall over. You should always be blackholing packets anyway, in my opinion. Are you just directly connected to a modem with a software firewall? That could be a problem.
Edit: just to clarify, I think you are going offline because your upload gets saturated. If you are not blackholing packets, you have to respond to each one saying "no, this port is closed" by protocol. If you just drop them without response, then at least your upstream should not get swamped by sending these packets.
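An added example, not part of the thread and not any poster's code: the lack of evidence mentioned above can be narrowed by turning the router's firewall log into a per-source summary that can be attached to an abuse report. It parses the three log lines quoted in the first post; the field layout is inferred from those lines, and pairing the src-less "UDP Flood Ended" line with the most recent "UDP Flood Detected" line is an assumption.

```python
import re
from datetime import datetime

# The three firewall log lines quoted in the thread (dst redacted by the poster).
SAMPLE_LOG = """\
FTL 2010-12-08T17:00:01Z fw,fwmon src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=6952 UDP Port Scan Detected
ALR 2010-12-08T17:00:01Z fw,fwmon src=77.74.196.25 dst=*REMOVED* ipprot=17 sport=53953 dport=59111 UDP Flood Detected
INF 2010-12-08T17:00:59Z fw,fwmon UDP Flood Ended (occurrence: 2)
"""

# Layout inferred from the lines above: severity, UTC timestamp, tag, then key=value pairs and a message.
LINE_RE = re.compile(r"^(?P<sev>[A-Z]{3}) (?P<ts>\S+) (?P<tag>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into severity, timestamp, key=value fields and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "sev": m.group("sev"),
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "fields": dict(KV_RE.findall(rest)),
        "message": KV_RE.sub("", rest).strip(),
    }


def summarise(log_text):
    """Per source IP: event count, destination ports hit, flood durations in seconds."""
    report, open_flood = {}, None  # open_flood = (src, start time)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        src = rec["fields"].get("src")
        if src:
            entry = report.setdefault(src, {"events": 0, "dports": set(), "flood_seconds": []})
            entry["events"] += 1
            if "dport" in rec["fields"]:
                entry["dports"].add(int(rec["fields"]["dport"]))
            if rec["message"] == "UDP Flood Detected":
                open_flood = (src, rec["ts"])
        elif rec["message"].startswith("UDP Flood Ended") and open_flood:
            # Assumption: the "Ended" line carries no src, so it closes the latest open flood.
            flood_src, started = open_flood
            report[flood_src]["flood_seconds"].append(int((rec["ts"] - started).total_seconds()))
            open_flood = None
    return report


if __name__ == "__main__":
    for src, entry in summarise(SAMPLE_LOG).items():
        print(src, entry["events"], sorted(entry["dports"]), entry["flood_seconds"])
```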