# DoS attacks.. what can I do about it?



## loading... (Sep 4, 2008)

About two months ago, I forwarded my ports and started a game server..
Bad idea... after that, when people connected they found out my I.P. and of course had nothing else to do so went ahead and DoS'd my router..

Just today I complained about it on some website, and realized that website posts my I.P. to the public... now they have my I.P. and know I can get DoS attacks..

This is my log..



> Fri Jan 23 22:56:58 2009 1 Blocked by DoS protection 76.108.183.76
> Fri Jan 23 22:57:00 2009 1 Blocked by DoS protection 73.12.240.1
> Fri Jan 23 22:57:01 2009 1 Blocked by DoS protection 71.251.221.198
> Fri Jan 23 22:57:04 2009 1 Blocked by DoS protection 76.108.183.76
> ...


Is it possible for me to ban an I.P. ?
What should I do.. My Belkin router has a firewall but that barely does crap.. It still probably replies, thus gives me no bandwidth..
Comcast is stupid and their [email protected] auto-reply can't tell the difference between a real report and spam. -.-


----------



## loading... (Sep 4, 2008)

I just changed my MAC address, so now I have a new I.P. Now the only offender is 73.12.240.1 (the first offender)

I changed my MAC address and I.P. again.. still he's onto me.


----------



## loading... (Sep 4, 2008)

A day later...


> Firewall log:
> Sat Jan 24 11:41:18 2009 1 Blocked by DoS protection 222.215.230.49
> Sat Jan 24 11:41:19 2009 1 Blocked by DoS protection 60.215.241.223
> Sat Jan 24 11:41:20 2009 1 Blocked by DoS protection 84.250.36.237
> ...


How can I find out where they're connecting to me from? Like a specific port.. I'm pretty sure my firewall has port filtering


----------



## loading... (Sep 4, 2008)

bump!!!


----------



## Nexxtech (Nov 29, 2008)

Here is some information that may help you: http://software.silicon.com/malware/0,3800003100,39351680,00.htm. Perhaps this service pack is out now, I'm not sure. This program has an online feature to explain your ports and list the malware related to it. Registration is required. http://www.hijackfree.com/en/


----------



## loading... (Sep 4, 2008)

Nexxtech said:


> Here is some information that may help you: http://software.silicon.com/malware/0,3800003100,39351680,00.htm. Perhaps this service pack is out now, I'm not sure. This program has an online feature to explain your ports and list the malware related to it. Registration is required. http://www.hijackfree.com/en/


Hmm.. if you're talking about Vista SP1.. I have it..
besides that the computer that is using the router directly (LAN port)
is using XP.. unsure if ever updated to SP3. I'm getting ready to format and install Windows 7.


----------



## loading... (Sep 4, 2008)

Well. I still have DoS problem.. Every so often, about once or twice a day, I need to reset my router.

But I'm sure it's something that has to do w/ some port.. if only I knew which port to block..
Because VOIP and SSL work when the normal internet doesn't. 
I'm guessing it uses a different port? ehh..
idk..

Help would be thanked..


----------



## bilbus (Aug 29, 2006)

Do you have a dns name pointing to your ip?
Could you have a virus calling home on a computer on your network?
Perhaps you're talking in irc or another system, where someone is getting your ip?

If you changed your ip, it should have stopped.
If they are just trying to knock your router offline, not much you can do .. even if you block the packets you are still having the bandwidth used up. Only way to take care of it is to have it blocked at the upstream provider .. something they won't do for you.

If it is just locking up your router .. upgrade the cheap box you have with a real firewall.


----------



## loading... (Sep 4, 2008)

bilbus said:


> Do you have a dns name pointing to your ip?
> Could you have a virus calling home on a computer on your network?
> Perhaps you're talking in irc or another system, where someone is getting your ip?
> 
> ...


dns pointing to my i.p.? I don't think so, never set one up.. :/
Virus, very much doubt it.
I don't use IRC.
I just wanna know how they get my i.p. back.. after I change it..


----------



## bilbus (Aug 29, 2006)

right, those are the easy ways i can think of, i would double check the virus thing.


----------



## loading... (Sep 4, 2008)

bilbus said:


> right, those are the easy ways i can think of, i would double check the virus thing.


By calling home, you probably mean that if any of the 5 computers have a virus and it's... trying to send information to its creator's I.P. ?

Mmm.. Well one, two, three, four of our computers have the latest version of NOD32. (IMO best out there)

The other one which is hooked directly to the router LAN port has some crap anti-virus..

I'm thinking about creating a mini-itx linux based firewall.
I'm sure that companies hide their I.P. somehow? Maybe using a proxy?
I'm unsure, I would like to start my server again, but I'm afraid they are going to be douches and DoS my server... -.-

... hmm. but you may be right w/ the virus thing, the computer that has direct connection (Not wifi) had a few Trojan.downloaders the other day... Problem is, I would really like to format that computer and put Windows 7... 

but that's another story.. Yeah.. well the conclusion has to be it's a virus.. else how could it re-gain my I.P. when I changed it..
It also got its buddies and now they're all having fun w/ my router.

I'll just download NOD32 to it.. Thanks!
Format should help, I'll have a hard time convincing my father.. lol.

Thanks a lot xD


----------



## loading... (Sep 4, 2008)

Hmm.. well I deleted the two Win32.Trojans.. and one Win32.rootkit.. (Windows XP, Vista wouldn't allow a rootkit UAC..)

Umm.. after that all the other i.p.s that had me DoS stopped.. that was before I even changed the I.P. ... so after I changed the I.P. 73.12.240.1 was the only offender, and still is...

Now, all the computers are off except for this computer.. and the windows xp.. computer..

Both have the latest version of NOD32.. (Smart Security) ..
Hmmm.. my father bought some stupid forex robot, that automatically 'knows' when to buy and sell.. I have uTorrent installed on this computer... but umm.. it's not online right now.. forex bot is what I think is doing it.. because it's always online.. I'm gonna try to disconnect this computer to see if it stops..


EDIT
I don't understand, I disabled my internet, created a new MAC address to change my I.P.. checked the log and it's still attacking..
Then I disabled the other computer's internet, created a new MAC address, and went on this computer (Vista) to see the log and it's still attacking.. The only thing that always had internet is Vonage..

3 devices are connected (Windows XP), (VISTA) , (VONAGE)
..... I have no idea what to do.. NOD32 scan picked up the trojan and the rootkit..
Even if there was something, I disabled the internet.


----------



## bilbus (Aug 29, 2006)

perhaps the bit torrent connections are being seen as a dos?

Are these dos packets udp or tcp?

If you want a good firewall build a pfsense box, i love mine .. and you can troubleshoot all this stuff with ntop (a plugin for pfsense)


----------



## loading... (Sep 4, 2008)

bilbus said:


> perhaps the bit torrent connections are being seen as a dos?
> 
> Are these dos packets udp or tcp?
> 
> If you want a good firewall build a pfsense box, i love mine .. and you can troubleshoot all this stuff with ntop (a plugin for pfsense)


ehh.. I'll look into pfsense.. but I need to save my cash.. 

Really my firewall log is pretty basic..

doesn't tell me UDP or TCP.. or anything just tells me time, type, i.p.
but what I was saying was that I had disabled internet on the computer that was using uTorrent.. that way I could see if my computer or my dad's computer was doing it..
but if i turned one computer internet.. and check the log on the other.. the DoS was still there..

sigh.. I'll just build a firewall. 

I changed my I.P. three times..


----------
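Added example, not part of any post in this thread: the firewall log quoted above only records time, type and source I.P., so the most it supports is ranking sources by how often and for how long they show up. The sketch below parses that layout and summarizes it per source; the function names are this example's own, and the meaning of the numeric "type" field is not stated in the thread, so it is kept as an opaque value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries copied from the two log excerpts posted in this thread.
SAMPLE_LOG = """\
Fri Jan 23 22:56:58 2009 1 Blocked by DoS protection 76.108.183.76
Fri Jan 23 22:57:00 2009 1 Blocked by DoS protection 73.12.240.1
Fri Jan 23 22:57:01 2009 1 Blocked by DoS protection 71.251.221.198
Fri Jan 23 22:57:04 2009 1 Blocked by DoS protection 76.108.183.76
Sat Jan 24 11:41:18 2009 1 Blocked by DoS protection 222.215.230.49
Sat Jan 24 11:41:19 2009 1 Blocked by DoS protection 60.215.241.223
Sat Jan 24 11:41:20 2009 1 Blocked by DoS protection 84.250.36.237
"""

# Layout seen in the thread: timestamp, numeric type, message, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<type>\d+) (?P<msg>.+?) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse(log_text):
    """Yield (timestamp, type, message, source_ip) for each well-formed entry."""
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate forum quote markers
        m = LINE_RE.match(line)
        if not m:
            continue  # skip "..." and anything else that is not a log entry
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        yield ts, int(m["type"]), m["msg"], m["ip"]

def summarize(log_text):
    """Per source IP: hit count, first seen, last seen, distinct days seen."""
    seen = defaultdict(list)
    for ts, _type, _msg, ip in parse(log_text):
        seen[ip].append(ts)
    return {ip: {"hits": len(t), "first": min(t), "last": max(t),
                 "days": len({x.date() for x in t})} for ip, t in seen.items()}

def repeat_sources(log_text, min_hits=2):
    """(ip, hits) for sources logged at least min_hits times, busiest first."""
    hits = [(ip, s["hits"]) for ip, s in summarize(log_text).items() if s["hits"] >= min_hits]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{ip:15}  hits={s['hits']}  first={s['first']}  last={s['last']}")
```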

