Really at a lost as to what to do

[Guest]

[Rickie]

So I would appreciate as much help as possible here, and keep it simple please.

basically, I am being "attacked" over the internet, someone causes my internet to slow down to the point where it does not load webpages, however SOME applications (e.g. MSN messenger) do not disconnect all the time, sometimes they do, sometimes not.

Im in the UK and use NTL (Cable) and have a 2 Mb connection, I am on a network using a wireless router.

If you need any other information please ask, How can I stop this person?

Thanks, Rich.

[pandlouk]

welcome to the forums

From your description seems that other(s) are using your internet connection.

Check this simple guide http://forums.comodo.com/index.php/topic,361.0.html for protecting your wifi network

[Rickie]

Thanks for the help, however I dont think its that, Basically this person lives in sweden and has a severe grudge against me and can mess up my internet connection, I know its him because he likes to gloat.

[Rotty]

What firewalls do you have between you and the internet?  Have you looked at the logs to see if their is ALLOT of traffic from one IP or a few IP's?

[Rickie]

Thats kinda the problem, I dont think I have one, I have comodo on THIS pc, but thats not much help I dont think as my Network is effected.

so, What network firewalls can I get?

Thanks for your time,

rich.

[panic]

Thanks for the help, however I dont think its that, Basically this person lives in sweden and has a severe grudge against me and can mess up my internet connection, I know its him because he likes to gloat.

Can you please post your logs here so we can work out exactly what is happening and how to stop. To save your logs, open CPF and click on ACTIVITY - LOGS. Do a rightclick somewhere inside the logs window and select "Export HTML". This will save the log as a HTML file. ZIP this HTML file up and post it back here as an attachment.

Cheers,
Ewen :-)

[Triplejolt]

Most likely this "Swede" is hammering your router/modem and not your computer directly. And if "he" is infact flooding your network, report the person to your ISP. Tell them you want to report an abuse and let them deal with it. Even though a local firewall will help prevent most attacks, flooding your network can still be achieved. Your ISP, if a serious company, will log and trace the abusers IP (even report the IP used to his own ISP). Your ISP can and will block the abusers IP until the "attack" stops. And if you're a bit lucky, the abuser will have to explain his activities to his own ISP.
Please remember to e-mail your friend telling: "what comes around, goes around"

Just out of curiosity, how did he get a hold of you IP(s)?

[panic]

Another thing you cold try would be to outline your problems to your ISP and ask if they can allocate another IP address to you. I have seen this done by several Australian ISPs in cases similar to this.

If the ISP won't do anything, your next recourse wouls be to an industry or Government body. In Australia, We could use the IIAA (Internet Industry Association of Australia) of the Communications Ombudsman. You should have similar bodies in the UK.

Cheers,
Ewen :-)

[Rickie]

Just out of curiosity, how did he get a hold of you IP(s)?

mIRC I think.

Im pretty sure triplejolt is right on what has happened, and today I have called NTL and they were, in a word, useless.

my firewall log is attached as well if that helps.

so there is nothing I can do myself to find his ip and block that connection?

[Triplejolt]

Well.... there are some steps you can do.
You should go over the logs and start making Block and Log rules containing the IP's that appears most frequently. That should protect you from any direct attack from those IP's.
Judging from the log you sent, the IP 65.208.83.114 appears unusually frequent. You could perhaps start with these two:
Block and Log IP in from IP 65.208.83.114 to IP [your hostname] where iproto is any
Block and Log IP out from IP [your hostname] to IP 65.208.83.114 where iproto is any
Remember to place these two line above the current Block and Log rule to be of any use.

NTL is obligated to help fix the problem, as long as the error is not on your computer. Ask them to trace your cabel/DSL, checking for parity/bit errors and that you are infact getting the speed-specification you are paying for. They should also investigate your complaint vigorously, if they don't want to open themselves up for a lawsuit. All ISP's are as far as I know, obligated by law to investigate and attempt to prevent Internet abuse. I know the US and UK are.

If you want to capture his IP address, you could use Ethereal/Wireshark to investigate packets_on_the_wire. This requires a little bit of knowledge and some skills. An easier way would probably be to use a 3rd party application designed to pick up mIRC IP addresses. I'm sure there are several around if you google a bit

[Rickie]

Well I blocked that IP and downloaded wireshark

I then looked at wireshark and my first thought was bleh?!!

its confusing to say the least, I shall read through it and try to work it out.

Thanks for the help guys, it's greatly appreciated.

[egemen]

Well I blocked that IP and downloaded wireshark

I then looked at wireshark and my first thought was bleh?!!

its confusing to say the least, I shall read through it and try to work it out.

Thanks for the help guys, it's greatly appreciated.

This issue seems to be an example of Distributed Denial of Service attack. The attacker may be trying to flood your network so that casual traffic is not allowed due to the lack of resources. He can not do this by using a simple PC though unless he has a bandwidth > 2mbit and assigns all resources to this attack. But he may be using bots.

Installing a firewall to your PC could protect PC but not the network. The network must be secured. By network, i do not necessarily mean your wireless network but the path from your router to the your ISP.

A solution is contacting your ISP and ask them to block that attacker if he is identifiable. In case of distributed DOS, this is may be very difficult. The only solution for you is to switch to a dynamic IP address instead of a static IP address.

As a footnote, WWW service providers do not have the chance to use dynamic IP addresses. So for them, there is practically no simple solution to circumvent a DOS attack.

[AOwL]

So it doesn't help if your router protects you from a DOS attack?

[panic]

So it doesn't help if your router protects you from a DOS attack?

If your router is spending all of its time and energy blocking the incoming, attempted DDOS attack, how much time do you reckon it has left to send data outwards?

Regardless of whether CPF or the routers hardware firewall is blocking the incoming data flood, the data flood is still there. If we are relying on the routers firewall to protect us, all we've done is move the block point one step further away from our PC. Our internet connection is still being flooded.

The only thing I'd recommend is to contact the ISP and ask if they can allocate a different IP and then use an anonymizer to access the sites that your "friend" knows you from.

Cheers,
Ewen :-)

[comicfan2000]

Darn Sweeds.     Just like    A OWL   attacking in the night. Next thing you know they will be moderators on Comodo.    See , us Polish people, we are safer, last time I was on the net, I got tangled in it. 
 I agree with Ewen though, contact the ISP. A college student did this to an instructor and the ISPs\authorities  in the area will no longer allow him to have internet access, not in his name anyway. He also faced jail time but got probation.  I believe it was Charter that tracked back to his pc. Either way if this is the case, I hope they get em'.

 Paul


 

[Tags:]