Cisco Support Community
Community Member

DDOS Attack Help Needed

Hello All,

My internet connection has been slowing down over the past 2-3 weeks. I use Comcast Cable, so I wasn't surprised. It's gotten to the point that I cannot receive HTTP requests.

I used Ethereal/Wireshark to look at packets and found packets were severely out of sequence. Message said 'previous packet not found or didn't arrive'. I ran 'debug ARP' on my PIX 501. I see thousands of ARP requests coming from my internet default gateway (next hop) at the ISP. Some requests come from other internet IPs.

I ran anti-virus on my systems and found nothing.

First, how can I be sure I'm not the problem? I removed the PIX and installed a Linksys router and got the same problem. I removed my "secured" Linksys wireless AP and got the same thing. I connected directly to the cable modem with my laptop and it's still slow.

Is there anything else I can do to troubleshoot this issue? The ISP router is probably spoofed. Most requests come from the ISP, but there are a few other addresses thrown in there.

My ARP table shows only the next hop and my 3 internal hosts. No errors on interfaces.

With 'debug arp' I get:

request on Outside from 24.x.x.x for 24.x.x.x. The "request for" is almost always different and not all for my subnet. There are thousands per minute.

A tech is coming out to test signaling, but I'm not too confident this will help.

Thanks for any advice you can give,

Vince

3 REPLIES
Cisco Employee

Re: DDOS Attack Help Needed

Having the ISP router ARPing for everything on the segment is very common. Along with other people's misconfigured devices ARPing for... well just about anything...

It all depends on how many devices are on the Layer 2 subnet as to how many ARPs you will see. What mask is Comcast giving you?

For your connection not working, I would set up a capture on the outside interface, and apply an ACL from your IP to the web site you are trying to access. Then access the web site, and then pull the capture off the 501 and see what it shows.

Also a "show conn" output may prove helpful. If you can prove that the SYN goes out but you are not getting a SYN+ACK back, then it is a Comcast issue.

And you are right, fixing the signaling isn't going to help here.

Sincerely,

David.
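
The SYN versus SYN+ACK check described in the reply above, as an added example that is not part of the original thread: it reads a capture pulled off the firewall and lists connection attempts that never received a SYN+ACK. It assumes the capture was exported as a classic pcap file with Ethernet framing; the function names are hypothetical and the sample capture is constructed from documentation addresses.

```python
import socket, struct

SYN, ACK = 0x02, 0x10
SYNACK = SYN | ACK

def tcp_packets(pcap):
    """Yield (src, sport, dst, dport, flags) per IPv4/TCP frame of a classic Ethernet pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                    # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                            # not IPv4/TCP, e.g. the ARP broadcasts
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) >= 14:
            sport, dport = struct.unpack("!HH", tcp[:4])
            yield (socket.inet_ntoa(frame[26:30]), sport,
                   socket.inet_ntoa(frame[30:34]), dport, tcp[13])

def unanswered_syns(pcap):
    """Map 'client:port -> server:port' to the count of SYNs that never got a SYN+ACK."""
    pending = {}
    for src, sport, dst, dport, flags in tcp_packets(pcap):
        if flags & SYNACK == SYN:               # outbound connection attempt
            key = (src, sport, dst, dport)
            pending[key] = pending.get(key, 0) + 1
        elif flags & SYNACK == SYNACK:          # reply seen: clear the reverse flow
            pending.pop((dst, dport, src, sport), None)
    return {f"{s}:{sp} -> {d}:{dp}": n for (s, sp, d, dp), n in pending.items()}

def _frame(src, dst, sport, dport, flags):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: an ARP frame, one answered handshake, one SYN sent three times."""
    me, ok, dead = "192.0.2.10", "198.51.100.20", "203.0.113.30"
    frames = [b"\xff" * 12 + b"\x08\x06" + bytes(28),
              _frame(me, ok, 1025, 80, SYN), _frame(ok, me, 80, 1025, SYNACK),
              _frame(me, ok, 1025, 80, ACK)] + [_frame(me, dead, 1026, 80, SYN)] * 3
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(unanswered_syns(sample_pcap()))
```

A non-empty result for the web site being tested means the SYNs left the outside interface and nothing came back on that capture.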

Re: DDOS Attack Help Needed

This is normal behavior on a cable-modem network. The traffic you described in the sniffer has absolutely nothing to do with DOS or DDOS.

Cable-Modem networks are flat, layer 2 networks and every second you will see a lot of ARP resolution requests from all cable modems around in that network.

Contact your ISP to check the cabling and ask them why it is so slow.

sincerely

Patrick

Community Member

Re: DDOS Attack Help Needed

The problem was electronics downstream were forcing voltages upstream. Signal strength was good going into my house. It was my booster amp on my broadcast HDTV antenna that was causing the problem. Funny thing is for months there was no problem.

I guess care should be taken when connecting electronics to a cable modem system. The tech said that one house can actually disrupt signals at other homes nearby when something like this happens.

Lesson learned.

V~
