I am a domestic user and I am getting attacked regularly by a guy who hates me.

Here is the background story: that guy uses Skype resolvers (tools offered by paid DDoS services) to find out my IP based on my Skype ID. He does that because I have dynamic IP, so whenever I go online and sign in to Skype, he discovers my new IP using the Skype resolver. Now I know I could avoid this by creating a new Skype ID (which I did) or by using a proxy service for Skype (which is not always convenient), but I wonder how I could prevent the attacks if he discovered my IP through other means.

What I know for sure is that he is using 2-3 paid DDoS services, so he's not conducting the attack from his PC. I have 100 Mbps download and upload capabilities, my CPU is a Core i7-920 (2.7 GHz quad-core), I am using the Jetico Personal Firewall, and I am on Windows 7 x64. When I am getting attacked, there is not much bandwidth use, but the CPU gets stressed up to 50-60% and I am not able to access any internet resources (browsing doesn't work, chat clients go offline, etc.). The firewall does its best to reject the attacks (as you can see in the screenshot below); it doesn't crash or hang, but it is not enough. My Internet connection is bridged, so he's not attacking a router; all the packets hit my system directly. Either way, I don't think a router could do better.

[screenshot of the firewall log during an attack]

As you can see, all the packets are incoming 40-byte TCP packets, sent from port 1234 and hitting port 80 on my system (I do not have any service listening on that port, and even if I did, I wouldn't let it be accessed from the outside). I think that the source IPs are spoofed addresses as they come from all over the world. During an attack I get millions of such packets and the only way to stop the attack is by disconnecting from the internet and reconnecting (with a different IP).

My question: is there any way I can protect myself against such an attack without having to disconnect from the Internet and suffer major CPU stressing?

IneedHelp
  • Take him off your Skype contact list? – tylerl Oct 03 '12 at 05:26
  • He's not in my Skype contacts list, he just knows my Skype ID from a gaming community. But it's not only Skype resolvers I am concerned about. I want to know if there is a way to block the attack efficiently regardless of how he gets my IP. – IneedHelp Oct 03 '12 at 05:27
  • There is not; not without your ISP doing the blocking. And for god's sake use a NAT router. Whatever utility you think you're getting by putting your Windows computer directly on the Internet, please understand that it isn't worth it. – tylerl Oct 03 '12 at 05:32
  • The reason I am not using a router is because I used one before and it did no good. Also, I am hosting lots of different servers with listening ports changing all the time and I hate doing port forwarding. But yeah, I understand that there is not much I can do. Thanks. – IneedHelp Oct 03 '12 at 05:46
  • There is a lot you can do - USE A ROUTER/FIREWALL! This will help a lot once configured. – Rory Alsop Oct 03 '12 at 12:19
  • Regardless of using a router or firewall, I still get kicked off from the Internet. – IneedHelp Oct 03 '12 at 16:20
  • @IneedHelp How about running skype 24/7 in the cheapest VPS you can find? It will divert the attack, while you can use another Skype account. – Luc Oct 04 '12 at 15:36
  • @Luc I'm already doing that using http://www.getukvpn.com/ Also, I used to have a mobile internet connection that was not vulnerable. The thing is, I am looking for ways to efficiently block the attacks. It is said that the Skype team released a patched version which was supposed to fix the Skype resolver issue, but some resolvers are still able to discover the public IP of the client. – IneedHelp Oct 05 '12 at 01:03

3 Answers

Have a dedicated router or firewall to do the filtering.

The reason your CPU is being stressed is that the software firewall on your system is attempting to handle way more packets than your system can tolerate.

Having a hardware router or firewall drop packets before they hit your computer should do the trick. Of course, there IS a limit even to dedicated routers or firewalls. So it really comes down to how many resources the attacker is willing to spend to DDoS you.

Besides that, there is really nothing else you can do to stop an attacker, besides coordinating with your ISP to block the incoming packets or reporting the matter to law enforcement.

  • Unless you plan to spend a few hundred thousand dollars, this is probably your best option +1 – Lucas Kauffman Oct 03 '12 at 05:52
  • @LucasKauffman Spend a few hundred thousand dollars on what? – IneedHelp Oct 03 '12 at 06:04
  • There are services offered by certain specialized companies that can do massive filtering and mitigate DDoS attacks. But from what I heard it's very expensive. – Lucas Kauffman Oct 03 '12 at 06:08
  • Definitely use a choke router/hardware firewall. They cope much better with this sort of thing. Your Windows firewall should be just a layer in your defences, after the high volume stuff has been dropped. Regarding anti-DDoS services, look at our other questions on that topic. – Rory Alsop Oct 03 '12 at 06:59
  • There's a nice white paper from Verisign (http://verisigninc.com/assets/whitepaper-ddos-costanalysis.pdf) with a cost analysis for some of the more robust options starting from $17K a month. – David Wachtfogel Oct 03 '12 at 07:33

In your current setup, the first thing you can do is to add a rule to drop this specific traffic. I don't know the firewall product you're using, so YMMV.

  • the rule shall be based on layer 3 / layer 4 properties, i.e. src port 1234 and dst port 80
  • the rule shall be placed at the top of the ruleset - that may help with CPU
  • the rule shall silently drop the traffic (not reject), for two reasons:
    • sending resets eats your bandwidth and CPU
    • sending resets confirms that your host is active and asks for more

For this particular scenario, a small managed switch with access list(s) may do a brilliant job, e.g. something like the Cisco 2960-C fanless compact series.

lubas
  • It's the Jetico Personal Firewall, and the rules to block the attack are already on top and well defined, still that doesn't prevent CPU stressing and inability to make new connections. – IneedHelp Oct 05 '12 at 01:05
  • "already on top and well defined" I could see in the image the action taken was 'reject', not 'drop'. So, your rules were not well defined. – Parthian Shot Jul 12 '14 at 09:03
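As an added example (not from any of the answers above): a small triage script over constructed firewall log lines that shows the spoofed-source signature the question describes (fixed 40-byte TCP packets, src port 1234, dst port 80, a different source almost every packet) and emits the silent-drop rule this answer recommends, both on the host and on an upstream filtering box of the kind the first answer suggests. The log line format, the `netsh advfirewall` form for the host and the `iptables` form for the upstream box are assumptions; Jetico's own log and rule syntax are not shown in the thread.

```python
import re
from collections import Counter

# Constructed sample log (not real Jetico output), modelled on the question:
# 40-byte TCP packets, source port 1234, destination port 80, many sources.
SAMPLE_LOG = """\
05:10:01 reject TCP 198.51.100.7:1234 -> 203.0.113.5:80 len=40
05:10:01 reject TCP 192.0.2.44:1234 -> 203.0.113.5:80 len=40
05:10:01 reject TCP 198.51.100.200:1234 -> 203.0.113.5:80 len=40
05:10:02 reject TCP 192.0.2.9:1234 -> 203.0.113.5:80 len=40
05:10:02 reject TCP 198.51.100.31:1234 -> 203.0.113.5:80 len=40
05:10:02 accept TCP 192.0.2.10:51234 -> 203.0.113.5:27015 len=60
"""

LINE_RE = re.compile(r"^\S+ (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+)"
                     r" -> [\d.]+:(?P<dport>\d+) len=(?P<len>\d+)$")

def parse(text):
    """Yield one dict per well-formed log line; adapt LINE_RE to your firewall."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def dominant_signature(events):
    """Group packets by (proto, sport, dport, len); return the commonest
    signature, its packet count and the number of distinct source IPs."""
    by_sig, sources = Counter(), {}
    for e in events:
        sig = (e["proto"], e["sport"], e["dport"], e["len"])
        by_sig[sig] += 1
        sources.setdefault(sig, set()).add(e["src"])
    sig, count = by_sig.most_common(1)[0]
    return sig, count, len(sources[sig])

def looks_spoofed_flood(count, distinct_sources, min_pkts=5):
    """A fixed-size, fixed-port stream where nearly every packet has a new
    source is a spoofed flood: per-IP blocking is pointless, so the rule
    must match the signature and DROP (no reset back to the forged source)."""
    return count >= min_pkts and distinct_sources / count >= 0.8

def drop_rules(sig):
    """Silent-drop rules for the signature, inserted at the top of the ruleset.
    Both command forms are assumptions for illustration only."""
    proto, sport, dport, _ = sig
    return {
        "host": f'netsh advfirewall firewall add rule name="drop-flood" dir=in '
                f'action=block protocol={proto} remoteport={sport} localport={dport}',
        "router": f"iptables -I FORWARD 1 -p {proto.lower()} --sport {sport} "
                  f"--dport {dport} -j DROP",
    }
```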
@LucasKauffman Sorry to disagree but no DDoS mitigation service I know of costs "few hundred thousand dollars"...

A reverse proxy PCI DSS compliant Web Application Firewall (talking about the best of its kind) will only set you back a few dozen bucks a month, and even full blown Network DDoS mitigation will usually cost under $1,000 (unless you are trying to prevent a really heavy attack, but even then it will be a few thousand dollars at the most).

In this case I think we are looking at a small Network DDoS, performed by one (or more) botnets.

Small attacks can be countered by a router, like @Terry_Chia suggested. (+1 btw) But larger DDoS attacks will still hit you hard.

It would be very interesting and educational to learn more about this case.

@IneedHelp, how did you resolve this issue?

Igal Zeifman
  • I couldn't do anything against it, so I decided not to use my primary Skype ID anymore (at least not if it's not masked by a VPN). – IneedHelp Oct 17 '12 at 16:28