DDOS Attack Help Needed

Apr 5th, 2007

Hello All,

My internet connection has been slowing down over the past 2-3 weeks. I use Comcast Cable, so I wasn't surprised. It's gotten to the point that I cannot receive HTTP requests.

I used Ethereal/Wireshark to look at packets and found packets were severely out of sequence. Message said 'previous packet not found or didn't arrive'. I ran 'debug ARP' on my PIX 501. I see thousands of ARP requests coming from my internet default gateway (next hop) at the ISP. Some requests come from other internet IPs.

I ran anti-virus on my systems and found nothing.

First, how can I be sure I'm not the problem? I removed the PIX and installed a Linksys router and got the same problem. I removed my "secured" Linksys wireless AP and got the same thing. I connected directly to the cable modem with my laptop and it's still slow.

Is there anything else I can do to troubleshoot this issue? The ISP router is probably spoofed. Most requests come from the ISP, but there are a few other addresses thrown in there.

My ARP table shows only the next hop and my 3 internal hosts. No errors on interfaces.

With 'debug arp' I get:

request on Outside from 24.x.x.x for 24.x.x.x. The "request for" is almost always different and not all for my subnet. There are thousands per minute.

A tech is coming out to test signaling, but I'm not too confident this will help.

Thanks for any advice you can give,

Vince
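The question above comes down to reading a pile of `debug arp` lines and deciding whether the pattern is broadcast noise or something aimed at you. The following is an added example, not code from the original thread or from Cisco: it parses lines in a format modelled on the quote in the post (the exact PIX wording, the sample addresses, the local subnet `24.0.0.0/27`, the gateway `24.0.0.1` and the "background noise" thresholds are all assumptions) and reports who is asking and how many targets fall inside your own subnet.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of "debug arp" output. The wording is modelled on the
# quote in the post ("request on Outside from X for Y"); exact PIX syntax and
# every address here are assumptions, not captured data.
SAMPLE_DEBUG_ARP = """\
arp-req: request on Outside from 24.0.0.1 for 24.0.0.57
arp-req: request on Outside from 24.0.0.1 for 24.0.1.9
arp-req: request on Outside from 24.0.0.1 for 24.0.0.12
arp-req: request on Outside from 24.0.0.1 for 24.0.2.200
arp-req: request on Outside from 24.0.0.88 for 24.0.0.1
arp-req: request on Outside from 24.0.0.1 for 24.0.0.33
arp-req: request on Outside from 24.0.3.4 for 24.0.0.1
"""

LINE_RE = re.compile(
    r"request on (?P<iface>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"for (?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_debug_arp(text):
    """Yield (interface, sender_ip, target_ip) for each line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("iface"), m.group("src"), m.group("dst")


def summarise_arp(text, local_subnet, gateway):
    """Count requests per sender and how many targets lie inside your own subnet."""
    net = ipaddress.ip_network(local_subnet)
    by_sender = Counter()
    for_local = 0
    total = 0
    for _iface, src, dst in parse_debug_arp(text):
        total += 1
        by_sender[src] += 1
        if ipaddress.ip_address(dst) in net:
            for_local += 1
    return {
        "total": total,
        "by_sender": by_sender,
        "for_local_subnet": for_local,
        "gateway_share": by_sender[gateway] / total if total else 0.0,
    }


def looks_like_background_arp(summary, min_gateway_share=0.5, max_local_fraction=0.5):
    """Heuristic (mine, not from the thread): the pattern the replies call normal
    is the ISP gateway doing most of the asking, with targets spread across the
    flat segment rather than concentrated on your own subnet."""
    if summary["total"] == 0:
        return True
    local_fraction = summary["for_local_subnet"] / summary["total"]
    return (summary["gateway_share"] >= min_gateway_share
            and local_fraction <= max_local_fraction)


if __name__ == "__main__":
    s = summarise_arp(SAMPLE_DEBUG_ARP, "24.0.0.0/27", "24.0.0.1")
    print(s)
    print("background ARP noise?", looks_like_background_arp(s))
```

Paste real `debug arp` output into `SAMPLE_DEBUG_ARP` (or read it from a file) and set your own subnet and next hop; a sender other than the gateway dominating the counts, or most targets landing in your subnet, is what would make the output worth a closer look rather than the volume alone.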

David White Thu, 04/05/2007 - 07:33

Having the ISP router ARPing for everything on the segment is very common. Along with other people's misconfigured devices ARPing for... well just about anything...

It all depends on how many devices are on the Layer 2 subnet as to how many ARPs you will see. What mask is comcast giving you?

For your connection not working, I would set up a capture on the outside interface, and apply an ACL from your IP to the web site you are trying to access. Then access the web site, and then pull the capture off the 501 and see what it shows.

Also a "show conn" output may prove helpful. You can prove if the SYN goes out, but you are not getting a SYN+ACK back, then it is a comcast issue.

And you are right, fixing the signaling isn't going to help here.

Sincerely,

David.
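The capture test David describes (does the SYN leave, and does a SYN+ACK come back?) can be applied mechanically once the capture is in hand. The following is an added example, not part of David's reply or any Cisco tool: it takes packet summaries in a constructed (time, src, sport, dst, dport, flags) form, the way one might transcribe a capture filtered to a single web server, groups them by connection attempt and says where each attempt stalled. The outside address `24.0.0.20`, the server `203.0.113.10` and all timings are made up.

```python
from collections import defaultdict

# Constructed packet summaries (time_s, src, sport, dst, dport, flags), the way
# one might transcribe a capture taken on the outside interface and filtered to
# one destination. Addresses, ports and timings are assumptions, not real data.
MY_OUTSIDE_IP = "24.0.0.20"
WEB_SERVER = "203.0.113.10"
SAMPLE_PACKETS = [
    # attempt 1: full three-way handshake
    (0.00, MY_OUTSIDE_IP, 40001, WEB_SERVER, 80, "S"),
    (0.05, WEB_SERVER, 80, MY_OUTSIDE_IP, 40001, "SA"),
    (0.06, MY_OUTSIDE_IP, 40001, WEB_SERVER, 80, "A"),
    # attempt 2: SYN leaves, is retransmitted twice, nothing ever comes back
    (1.00, MY_OUTSIDE_IP, 40002, WEB_SERVER, 80, "S"),
    (4.00, MY_OUTSIDE_IP, 40002, WEB_SERVER, 80, "S"),
    (10.0, MY_OUTSIDE_IP, 40002, WEB_SERVER, 80, "S"),
    # attempt 3: SYN+ACK arrives but the final ACK never goes out
    (2.00, MY_OUTSIDE_IP, 40003, WEB_SERVER, 80, "S"),
    (2.10, WEB_SERVER, 80, MY_OUTSIDE_IP, 40003, "SA"),
]


def classify_handshakes(packets, my_ip):
    """Group packets by outbound 4-tuple and decide where each attempt stalled."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for _t, src, sport, dst, dport, flags in sorted(packets):
        if src == my_ip and flags == "S":
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif dst == my_ip and flags == "SA":
            # key the reply under the outbound tuple so it joins its SYN
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif src == my_ip and "A" in flags and "S" not in flags:
            flows[(src, sport, dst, dport)]["ack"] += 1

    report = {}
    for key, c in flows.items():
        if c["syn"] and not c["synack"]:
            verdict = "no_synack"        # nothing returned: look at the path/ISP
        elif c["synack"] and not c["ack"]:
            verdict = "synack_no_ack"    # reply arrived, we never finished: look inside
        elif c["syn"] and c["synack"] and c["ack"]:
            verdict = "completed"
        else:
            verdict = "unknown"          # partial capture, e.g. SYN not seen
        report[key] = {"verdict": verdict, "syn_retransmits": max(c["syn"] - 1, 0)}
    return report


def verdict_counts(report):
    """Tally verdicts so a long capture reduces to a few numbers."""
    counts = defaultdict(int)
    for entry in report.values():
        counts[entry["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    report = classify_handshakes(SAMPLE_PACKETS, MY_OUTSIDE_IP)
    for key, entry in sorted(report.items()):
        print(key, entry)
    print(verdict_counts(report))
```

A run dominated by `no_synack` with rising retransmit counts is the "SYN goes out, no SYN+ACK back" picture that points upstream; `synack_no_ack` entries instead mean the reply reached the outside interface and the problem is on your side of it.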

Patrick Iseli Thu, 04/05/2007 - 07:36

This is normal behavior on a cable-modem network. The traffic you described in the sniffer has absolutely nothing to do with DOS or DDOS.

Cable-modem networks are flat, layer 2 networks, and every second you will see a lot of ARP resolution requests from all the cable modems around in that network.

Contact your ISP to check the cabling and ask them why it is so slow.

Sincerely,

Patrick

vdinenna71 Thu, 04/12/2007 - 05:10

The problem was electronics downstream were forcing voltages upstream. Signal strength was good going into my house. It was my booster amp on my broadcast HDTV antenna that was causing the problem. Funny thing is for months there was no problem.

I guess care should be taken when connecting electronics to a cable modem system. The tech said that one house can actually disrupt signals at other homes nearby when something like this happens.

Lesson learned.

V~
