Author Topic: Major DDOS attacks today  (Read 10344 times)


Offline rx8pilot

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: us
  • If you want more money, be more valuable.
Re: Major DDOS attacks today
« Reply #25 on: October 24, 2016, 07:05:08 pm »
Do you use Wireshark to monitor the inbound connection attempts?

Another approach is to rate-limit the connection attempts. Could be done per IP or network.

Can you do this with a consumer router? Do you need a more robust solution?
Factory400 - the world's smallest factory. https://www.youtube.com/c/Factory400
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7803
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #26 on: October 24, 2016, 07:27:37 pm »
Do you use Wireshark to monitor the inbound connection attempts?

Another approach is to rate-limit the connection attempts. Could be done per IP or network.

Can you do this with a consumer router? Do you need a more robust solution?

Yes, if your router is supported by OpenWrt. It's a feature of the Linux netfilter ;) Although most consumer routers run Linux, vendors don't enable those features.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #27 on: October 24, 2016, 07:40:25 pm »
The number of bots out there trying to compromise your stuff is crazy, a few weeks ago I had a look in my logs and was surprised just how constantly IP's are trying to log into my personal home workstation via SSH (and failing naturally).

Just today 21 newcomers gave it a shot, mostly from China, a couple Vietnam.

I'm currently seeing ~30000 telnet or ssh attempts a day, mostly unique IPs. A few weeks back 2000-3000 a day was typical.

Another approach is to rate-limit the connection attempts. Could be done per IP or network.

The problem with the current spate is that it's coming from everywhere and anywhere. You won't see the same IP or even subnet more than once or twice in one day - it's already effectively rate limited at source.

In my case I'm just dropping any inbound telnet or ssh attempts at both firewalls (I have one inside another so that exploits, bugs and misconfigurations that get through one hopefully don't get through the other. The two are completely different hardware, OS, codebase etc.).
Anybody got a syringe I can use to squeeze the magic smoke back into this?
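The two firewall approaches discussed above, madires's netfilter rate limiting and Cerebus's outright drop of inbound telnet/ssh, as an added example that is not code from the thread or from the OpenWrt project. It assumes an OpenWrt-style router with the iptables `hashlimit`, `conntrack`, `multiport` and `limit` matches available; the interface name `eth0`, the chain name `PROBE_DROP` and the 4-per-minute limit are assumptions for the example. The function prints the rules rather than applying them, so they can be reviewed before being piped into `sh` on the router.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): netfilter rules
# that either drop every unsolicited telnet/SSH connection arriving on the WAN
# side, or let SSH through but drop sources exceeding a per-IP (or per-network)
# rate of new connections. Both paths log a sample of what they drop so the
# probes still show up in the router's syslog.
# WAN_IF, RATE, BURST and the chain name are assumptions for this example.

WAN_IF="${WAN_IF:-eth0}"
RATE="${RATE:-4/min}"      # new SSH connections allowed per source per minute
BURST="${BURST:-4}"        # initial burst before the limit bites

# Chain shared by both modes: log (itself rate limited so the log cannot be
# flooded) and then drop.
drop_chain() {
    echo "iptables -N PROBE_DROP"
    echo "iptables -A PROBE_DROP -m limit --limit 10/min -j LOG --log-prefix \"probe: \" --log-level info"
    echo "iptables -A PROBE_DROP -j DROP"
}

# gen_rules MODE [SRCMASK]
#   drop  : every new inbound telnet (23) or SSH (22) connection is dropped.
#   limit : SSH is accepted unless the source exceeds RATE; SRCMASK groups the
#           counters per single IP (32, the default) or per network (e.g. 24).
gen_rules() {
    mode="$1"; mask="${2:-32}"
    case "$mode" in
    drop)
        drop_chain
        echo "iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports 22,23 -m conntrack --ctstate NEW -j PROBE_DROP"
        ;;
    limit)
        drop_chain
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-srcmask $mask --hashlimit-above $RATE --hashlimit-burst $BURST -j PROBE_DROP"
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
        ;;
    *)
        echo "usage: gen_rules drop|limit [srcmask]" >&2
        return 1
        ;;
    esac
}

# Review the output, then on the router: gen_rules limit 24 | sh
gen_rules limit 24
```

Per-source rate limiting only helps against sources that come back; as Cerebus notes further down the thread, a botnet that sends one or two attempts per source address per day never trips such a counter, which is why the `drop` mode (or not exposing the service at all) is the more robust default for a home router.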
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7803
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #28 on: October 24, 2016, 07:49:19 pm »
The problem with the current spate is that it's coming from everywhere and anywhere. You won't see the same IP or even subnet more than once or twice in one day - it's already effectively rate limited at source.

From what I see, there are only a very few scanners trying to fly below the radar. Most are trying to run the dictionary attack as fast as possible or every few minutes over a few days.

EDIT: >50% of the source addresses are assigned to China. They got the Big Firewall, but most of the bots :)
« Last Edit: October 25, 2016, 10:31:02 am by madires »
 

Offline raptor1956

  • Frequent Contributor
  • **
  • Posts: 869
  • Country: us
Re: Major DDOS attacks today
« Reply #29 on: October 24, 2016, 11:04:29 pm »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network? If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?


Brian
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #30 on: October 25, 2016, 10:26:13 am »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network? If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?

For the vast majority of consumer level kit, no.

I have a, now relatively ancient, professional Cisco router that is also configured as a firewall. This is configured to log, via syslog, over the network to a server that runs 24/7. That server has two network cards and is also configured as a firewall (linux, ipfilter) which also does its own logging. Furthermore the server regularly polls the router, via SNMP, to get more statistical information from the router that's also stored and graphed on the server. It's all a bit of a pain in the butt to configure but that kind of thing used to be my day job.

Some consumer level kit is better than others and, with the right software, will provide quite useful monitoring; but most consumer level kit is, from this perspective, quite useless.

Whatever you're using, if you want monitoring and logging at the level that would record individual IPs for firewall logs you're going to need something turned on 24/7 to store the logs. Kind of obviously, if you're doing this for security monitoring you want the device recording the logs to not be the same device recording the logs, so that if the latter fails or is compromised you still have the records stored on a working, uncompromised device.

Advice on how to do this is going to be, at least in part, dependent on the specific kit you're using and is often best found on forums dedicated to that kit. For consumer kit, your best bet is using user supported replacement firmware for the platform - things like OpenWRT.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #31 on: October 25, 2016, 10:46:38 am »
The problem with the current spate is that it's coming from everywhere and anywhere. You won't see the same IP or even subnet more than once or twice in one day - it's already effectively rate limited at source.

From what I see there are only a very few scanners trying to fly below the radar. Most are trying to run the dictionary attack as fast as possible or every few minutes over a few days.

That certainly was the case but what I'm seeing recently looks much more like each compromised host is trying widely separated target IPs for each successive attempt.

So, I see an attempt from one source IP and then I don't see it again for hours or days. I haven't done any detailed analysis (and I'm not going to) but what it looks like to me seems to be confirmed by what I can see recorded at places like DShield.

Previously I'd see probes from a few tens, perhaps a few hundred, different source addresses a day, currently I'm seeing probes from tens of thousand different source addresses a day. Yesterday's logs show 36,582 telnet attempts from 23,431 different IP source addresses hitting 41 destination addresses - if those were scans as opposed to random probes I'd expect to see, on average, 41 attempts per source address but what I'm seeing is an average 1.56 attempts per source address.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
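The arithmetic behind the "1.56 attempts per source address" observation above, as an added example that is not code from the thread: a small awk-based script that reads netfilter LOG lines (the kernel's `SRC=`/`DST=`/`DPT=` fields, whatever log prefix precedes them), counts attempts, distinct sources and distinct destinations for one port, and applies the same reasoning as the post to call the result scan-like or spray-like. The log lines in `SAMPLE_LOG` are constructed sample data, not anybody's real logs; the function names and the 0.5 threshold in `probe_pattern` are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise inbound probes recorded by a
# netfilter LOG rule the way the "attempts per source address" figure in the
# post was derived. Only the SRC=/DST=/DPT= fields of the kernel LOG output
# are used. SAMPLE_LOG is constructed sample data.

SAMPLE_LOG='Oct 24 10:01:02 fw kernel: probe: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41234 DPT=23 SYN
Oct 24 10:01:09 fw kernel: probe: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=41235 DPT=23 SYN
Oct 24 10:02:15 fw kernel: probe: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=55001 DPT=23 SYN
Oct 24 10:03:40 fw kernel: probe: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.5 PROTO=TCP SPT=33333 DPT=22 SYN
Oct 24 10:05:01 fw kernel: probe: IN=eth0 OUT= SRC=192.0.2.201 DST=198.51.100.7 PROTO=TCP SPT=33334 DPT=23 SYN
Oct 24 10:05:02 fw kernel: probe: IN=eth0 OUT= SRC=192.0.2.202 DST=198.51.100.5 PROTO=TCP SPT=33335 DPT=23 SYN
Oct 24 10:06:00 fw kernel: probe: IN=eth0 OUT= SRC=192.0.2.202 DST=198.51.100.5 PROTO=TCP SPT=33336 DPT=80 SYN'

# probe_stats PORT   (log lines on stdin)
# Prints: attempts, distinct sources, distinct destinations, attempts per
# source, and how many sources were seen exactly once.
probe_stats() {
    awk -v port="$1" '
        {
            src = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt != port) next   # not a LOG line, or another port
            attempts++
            srcs[src]++
            dsts[dst] = 1
        }
        END {
            nsrc = 0; ndst = 0; once = 0
            for (s in srcs) { nsrc++; if (srcs[s] == 1) once++ }
            for (d in dsts) ndst++
            ratio = (nsrc > 0) ? attempts / nsrc : 0
            printf "attempts=%d sources=%d dests=%d per_source=%.2f one_shot=%d\n",
                   attempts, nsrc, ndst, ratio, once
        }'
}

# probe_pattern PORT   (log lines on stdin)
# A source that hits a large share of our destinations is scanning us; a ratio
# near 1 across many sources means each bot sends a probe or two and moves on.
# The 0.5 share is an assumed threshold for this example.
probe_pattern() {
    probe_stats "$1" | awk '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] }
        if (v["sources"] + 0 == 0)                         print "no probes"
        else if (v["per_source"] + 0 >= v["dests"] * 0.5)  print "scan-like"
        else                                               print "spray-like"
    }'
}

printf '%s\n' "$SAMPLE_LOG" | probe_stats 23
printf '%s\n' "$SAMPLE_LOG" | probe_pattern 23
```

On a real router the input would be the syslog file or `logread` output rather than the embedded sample; with the post's figures (36,582 attempts, 23,431 sources, 41 destinations) the ratio comes out at 1.56 and the verdict is spray-like, which is the point being made.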
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7803
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #32 on: October 25, 2016, 10:56:36 am »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network? If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?

As Cerebus already said, the best option is a cheap consumer router, like TP-Link, supported by OpenWrt. But check https://wiki.openwrt.org/toh/start before you buy a new router. Possibly your current one is already supported. Or you can check the models you're interested in. In a professional environment logging is done via syslog to dedicated log servers. For home usage a USB stick connected to the router could be fine (with the security implications Cerebus hinted at). Or a small NAS might offer syslog too.
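The remote-syslog arrangement Cerebus and madires describe, as an added example that is not code from the thread or from OpenWrt: a script that emits the `uci` commands pointing an OpenWrt router's logd at a collector on the LAN, after first checking that the collector is a different box from the router (logs kept on the device being monitored are what Cerebus warns against). The collector address `192.168.1.10`, the LAN prefix and the router address are assumptions for the example; the `system` section options used (`log_ip`, `log_port`, `log_proto`, `log_remote`) are the documented OpenWrt ones.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): configure an OpenWrt router
# to ship its syslog, including netfilter LOG lines, to an always-on collector
# elsewhere on the LAN. Addresses below are assumptions for this example.

LOG_TARGET="${LOG_TARGET:-192.168.1.10}"   # the NAS / small server that runs 24/7
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"     # dotted prefix of the LAN (IPv4 only here)
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"      # the router's own LAN address

# check_log_target TARGET LAN_PREFIX ROUTER_IP
# Returns 0 only for an address on the LAN prefix that is neither loopback nor
# the router itself, so the logs end up off the device being monitored.
check_log_target() {
    target="$1"; lan_prefix="$2"; router_ip="$3"
    case "$target" in
        127.*|"$router_ip") return 1 ;;
        "$lan_prefix"*)     return 0 ;;
        *)                  return 1 ;;
    esac
}

# remote_syslog_config TARGET [PORT]
# Prints the uci commands (UDP syslog, default port 514). Review the output,
# then pipe it into sh on the router.
remote_syslog_config() {
    target="$1"; port="${2:-514}"
    echo "uci set system.@system[0].log_ip='$target'"
    echo "uci set system.@system[0].log_port='$port'"
    echo "uci set system.@system[0].log_proto='udp'"
    echo "uci set system.@system[0].log_remote='1'"
    echo "uci commit system"
    echo "/etc/init.d/log restart"
}

if check_log_target "$LOG_TARGET" "$LAN_PREFIX" "$ROUTER_IP"; then
    remote_syslog_config "$LOG_TARGET"
else
    echo "refusing: $LOG_TARGET is not an off-box collector on $LAN_PREFIX" >&2
fi
```

Plain UDP syslog is unauthenticated and unencrypted, which is acceptable on a home LAN but is the reason professional setups prefer a dedicated log network or TLS; the collector also needs enough disk for the tens of thousands of lines a day the thread reports.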
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7803
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #33 on: October 25, 2016, 11:27:39 am »
From what I see there are only a very few scanners trying to fly below the radar. Most are trying to run the dictionary attack as fast as possible or every few minutes over a few days.

That certainly was the case but what I'm seeing recently looks much more like each compromised host is trying widely separated target IPs for each successive attempt.

Are you running sshd on port 22 or have you moved it to another port?

Previously I'd see probes from a few tens, perhaps a few hundred, different source addresses a day, currently I'm seeing probes from tens of thousand different source addresses a day. Yesterday's logs show 36,582 telnet attempts from 23,431 different IP source addresses hitting 41 destination addresses - if those were scans as opposed to random probes I'd expect to see, on average, 41 attempts per source address but what I'm seeing is an average 1.56 attempts per source address.

I see, you're talking about telnet. Does anyone run telnet, besides for a telnet BBS? I just had a quick look and I see both, distributed attempts under the radar, as-fast-as-possible attacks from single IP addresses and delayed attempts over several hours/days from single IP addresses. Sources are from around the globe, and no IPv6.
 

Offline C

  • Super Contributor
  • ***
  • Posts: 1346
  • Country: us
Re: Major DDOS attacks today
« Reply #34 on: October 25, 2016, 12:19:14 pm »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network? If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?

Adding to what Cerebus & madires stated,
Some brands & model routers come with OpenWrt pre-installed.

A log is just information, it might help or not in use to set firewall rules.

Think this thread started with a DDOS attack on DYN's DNS service. Very hard to do something in this case. The bad devices' requests could look like a good device's request. The source IP address used could be a bad device, Google, a business network or an ISP making the request. And in some cases you can spoof the source IP address.

If you want remote access to your local network, you need a hole in the firewall that lets you in while keeping others out. Your network has to survive others trying to get in through the hole, preventing it & letting you in when you try.
One device on your network could talk to some Internet device. If the Internet device shares some information with another Internet device, it could get in. The device on your network created the hole in your firewall if firewall rules did not prevent it. The firewall would need a rule that a second IP address is not allowed in using the first hole.
Stated in simple terms: access a web site, the web site passes some information it now has to a new guy, the new guy enters.
A lot of programs that share files on your computer with a second computer somewhere use this to make the connection. If you want security while doing this use certificates at both ends of the connection.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #35 on: October 25, 2016, 12:38:33 pm »
Are you running sshd on port 22 or have you moved it to another port?

I'm just discussing ports as normally assigned, what I'm seeing hitting the outside of the firewall. Here nothing inbound gets beyond the firewall to even start handshaking unless it's essential - so mail gets in and DNS queries get in, beyond that it's tunnelled or strictly related to connections initiated from inside the firewall.

I see, you're talking about telnet. Does anyone run telnet, besides for a telnet BBS? I just had a quick look and I see both, distributed attempts under the radar, as-fast-as-possible attacks from single IP addresses and delayed attempts over several hours/days from single IP addresses. Sources are from around the globe, and no IPv6.

Telnet has suddenly got interesting again from the POV of malefactors as open telnet ports with default credentials on consumer routers and IoT kit provide easy starting points. I don't know why it's now and not six or twelve months ago but that's what's happening. It appears that these DDOS attacks are from malware that gets in initially via telnet.

I've seen an uptick in SSH attempts but nothing like the 10 to 20-fold increase in telnet I've seen over the same period.

Probably half of my legitimate traffic is IPv6. Similar to you I see almost no malicious IPv6 traffic - no doubt that will eventually change but it's been that way since I first started using IPv6 back in its experimental days.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline R005T3r

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: it
Re: Major DDOS attacks today
« Reply #36 on: October 25, 2016, 01:41:07 pm »
The number of bots out there trying to compromise your stuff is crazy, a few weeks ago I had a look in my logs and was surprised just how constantly IP's are trying to log into my personal home workstation via SSH (and failing naturally).

Just today 21 newcomers gave it a shot, mostly from China, a couple Vietnam.

Some nice almost sequential IP's too...

........

Tsk!
I've also noticed that there are a lot of events stated as "DoS attack" in my logs. However, I don't know if it's a router misspell or what... They're too many to be true: one event happens every 10 seconds on average...
And, most of them are from the East.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7803
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #37 on: October 25, 2016, 01:49:51 pm »
I've also noticed that there are a lot of events stated as "DoS attack" in my logs. However, I don't know if it's a router misspell or what... They're too many to be true: one event happens every 10 seconds on average...
And, most of them are from the East.

:-DD This would be like calling ten cars on the highway a traffic jam.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #38 on: October 25, 2016, 02:28:05 pm »
And, most of them are from the East.

In attributing where attacks come from based on the geography of source IP addresses there are some rules:

1) If they mostly seem to be coming from Korea it's because Korea has such widespread fast access that it's just going to statistically appear more often. (This pattern is changing)

2) If none of the packets come from one country but every other country is represented then an amateur from that country is responsible for the attack.

3) If all the packets seem to come from one country targeted at another country that's a traditional adversary of the first country, someone is trying to make the first country look bad.

4) If they represent roughly the proportions of people with internet access then they are always going to appear to be from East Asia even when they are not and you can't actually tell anything about the origin.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline StillTrying

  • Super Contributor
  • ***
  • Posts: 2850
  • Country: se
  • Country: Broken Britain
Re: Major DDOS attacks today
« Reply #39 on: October 25, 2016, 03:59:13 pm »
An Internet of (millions of cheaply made) Things, what could possibly go wrong...
That took much longer than I thought it would.
 

Offline metrologist

  • Super Contributor
  • ***
  • Posts: 2213
  • Country: 00
Re: Major DDOS attacks today
« Reply #40 on: October 25, 2016, 05:24:45 pm »
So, what has apparently stopped the attack?
 
