27

Around 4 months ago, someone learned my IP, and is threatening to DDoS attack me if I am not his slave. He was breaking the Discord TOS with all kinds of stuff in my DMs. I blocked him, but one of his friends told me to friend him back, or he will DDoS me.

What should I do?

schroeder
ThePro501
  • 64
    Many internet service providers change your IP address every day, or when you reboot your router. Unless you have specifically ordered a static IP address from your ISP, a 4 month old address is probably irrelevant. A script-kiddie level DDoS attack against your home internet connection is also one of the least scary threats there could be. ISPs block various attacks every day. – amon Nov 13 '21 at 12:41
  • 31
    Why are you afraid of DDoS? – schroeder Nov 13 '21 at 14:09
  • 60
    Report the friends as being part of the harassment. – schroeder Nov 13 '21 at 14:11
  • 12
    @schroeder Given the jargon in the question, I believe the OP to be a video gamer; there have been DDoS attacks on them preventing them from playing. – John Deters Nov 13 '21 at 14:51
  • 4
    To add to @amon comment. If your router allows you to change the MAC address that will almost certainly change your WAN (internet) IP address. – Nathan Goings Nov 14 '21 at 00:20
  • 3
    It's also worth noting that, depending on the ISP, they may only have the last public NAT address for your network, and flooding traffic might just get dropped at the NAT layer, especially if it's an IPv4. For IPv6, rebooting your devices tends to randomize the IP address as well. – phyrfox Nov 14 '21 at 02:29
  • 6
    @JohnDeters yes, historically, this was an issue. I want to know from the OP what ***their*** concerns are. – schroeder Nov 14 '21 at 08:48
  • 1
    @NathanGoings Yes, I can change the MAC address, I'll try it if he actually does that... – ThePro501 Nov 14 '21 at 13:46
  • 3
    @amon That really, really varies between countries and ISPs. I've had a static IP for years without asking for one. – Mast Nov 14 '21 at 15:31
  • 3
    Block his friend too. – Jonathan Wood Nov 14 '21 at 16:16
  • @NathanGoings: changing your (=your PC? your router?) MAC will almost certainly **not** change your public IP. Old service providers relied on MAC addresses to allow you to access their network (so that it is not enough to just plug into the artisanal network) but that was irrelevant to the IP address. Modern ISPs will give you a box on which you have no control (MAC-wise), and even if you replace it with your own router (as I did), this has no incidence on the IP either (you identify by various means: a specific DHCP message, the serial of the SPF module, ...) – WoJ Nov 14 '21 at 18:07
  • 33
    "His friends told me to..." implies that you know who this person is. Report him to somebody. If you are both in school, report him to the school. If he sent these messages on a social network, report them to the network. If he is a child tell his parents. Tell his friends that you are doing all of this. This is "cyberbullying" and you should not put up with it. – DJClayworth Nov 14 '21 at 20:23
  • 3
    @DJClayworth Both of them are complete strangers from completely different countries, and I do not even know who they are in real life... – ThePro501 Nov 14 '21 at 21:08
  • 30
    Then they are probably just threatening random people in the hope of finding someone gullible enough to do what they want. – DJClayworth Nov 14 '21 at 21:48
  • 6
    Given that he's a stranger: his friend isn't really his friend. He just has multiple sockpuppet accounts to make himself seem more threatening. – Glenn Willen Nov 16 '21 at 07:09
  • 1
    @schroeder As a kid my entire home network, which the rest of my family relied on, was DDoSed because of a spat someone had with my younger brother over Minecraft, it's not a fun experience especially when you're powerless to change your IP until your ISP decides to give you a new one or the guy decides to lay off. His concern is completely understandable. – 0x777C Nov 16 '21 at 09:28
  • 2
    @0x777C as I said, it's important to know why ***the OP*** is concerned ... – schroeder Nov 16 '21 at 10:12
  • Aren't most ISP connections NATted anyways? – Madhuchhanda Mandal Nov 16 '21 at 17:55
  • @MadhuchhandaMandal Yeah, but you can still DoS a residential IP. – forest Mar 25 '22 at 01:08

7 Answers

83

ISPs have ways of dealing with DDoS attacks targeting one or more IP addresses on their network. See "How can ISPs handle DDoS attacks?" for some interesting reading on this subject.

What you are describing sounds more like online banter than a serious threat, and I would be surprised if your adversary actually follows through with their threat (or even has the capability to do so). But, if he does attempt to mount a DDoS attack targeting the IP address that your ISP has assigned to you, and you are impacted by it - simply report it to your ISP and they can likely mitigate the problem using one of the methods in the above link.

mti2935
  • 2
    I do not feel the threat should be trivialised as 'online banter', although the attack may not be feasible the social manipulation involved suggests a malicious intent. – Baa Nov 16 '21 at 15:22
  • 1
    @Hugo That's a hard call, and we don't have all the info. In this case, the social manipulation is only possible _because_ the OP takes it seriously. And, depending on the context, pseudo-malicious intent could be prevalent among peers. – jpaugh Nov 16 '21 at 15:50
69

Nothing.

He's trying to scare you into doing what he wants, but he has no means of harming you by knowing your IP. Feel free to block him and disregard anything he says.

  • 23
    This answer is not helpful. Assuming the person is a semi-pro video gamer, YouTuber, TikToker, Twitch streamer, or other online personality, a DDoS attack would disrupt their ability to work, and deny them their livelihood. – John Deters Nov 13 '21 at 14:58
  • 49
    It is a helpful answer. – hft Nov 13 '21 at 22:05
  • 32
    @JohnDeters Except that that supposed "DDoS Attack" isn't real. It's a scare tactic, nothing more. –  Nov 14 '21 at 01:51
  • 24
    I don’t understand how you can proclaim it’s a scare tactic. DDOS as a Service remains widely available, despite the arrests of a few lowlife perpetrators. And it’s still a very cheap and effective tactic, especially if you only need to harass someone during a set timeframe, such as a video game tournament. – John Deters Nov 14 '21 at 05:25
  • 49
    Because 99.9% of the time it is. Just because it's technically possible doesn't mean the threat is credible. It is overwhelmingly more likely that it's just a guy with rudimentary tech knowledge trying to scare someone. –  Nov 14 '21 at 05:32
  • 5
    A friend of mine got DDoSed back in the early 2000s because someone wanted their domain name or something equally petty. It's a real tactic, and I would at least keep it in mind in case you have to contact the ISP. – l0b0 Nov 14 '21 at 06:07
  • 2
    I got attacked that way (I suppose) by a hacker who I was trying to throw out of a server he had gotten access to. It's pretty scary because you lose all connectivity, these days often including your "landline" and your "TV". (Sure, by now we all have mobile devices which I didn't back then, so we have at least a line to the ISP's support open.) I don't think it needs that much to effectively shut down your home internet connection. – Peter - Reinstate Monica Nov 14 '21 at 22:20
  • 14
    @l0b0 believe it or not, ISPs have become a lot better over the last 20 years or so at mitigating the kind of attacks that any script kiddy can get their hands on. Also, a DDOS attack against a domain name (which is static) is one thing, the same attack against someone's home IP address which has almost certainly changed several times in the last month is another. – Turksarama Nov 14 '21 at 22:50
  • @Turksarama Overall I expect they've become much better, but I expect it depends a lot on the ISP. Some are simply not interested in a single person's troubles. – l0b0 Nov 15 '21 at 00:03
  • 15
    @l0b0 It's actually in the interest of the ISP to prevent the attacks for their own sake, if not for the customer's. Allowing a flood of garbage requests to travel through their network to a customer is going to eat up resources on their equipment. – Logarr Nov 15 '21 at 03:56
  • 4
    Are you a professional gamer? Do you understand the not-insignificant monetary incentives to cheat? I disagree that we are in a position to simply dismiss the likelihood of this threat. – John Deters Nov 15 '21 at 20:48
  • 3
    @JohnDeters Weird. We've been ignoring this threat for a while now and OP hasn't complained about getting DDoS'd now. –  Nov 16 '21 at 04:39
  • 1
    "he has no means of harming you by knowing your IP" - in some competitive mmorpgs, getting the IP of your opponents and DDoSing them during war was a very real tactic, at least employed by [Tibia](https://www.tibia.com/mmorpg/free-multiplayer-online-role-playing-game.php) players on the [gameworld Saphira](https://tibia.fandom.com/wiki/Saphira) around 2006-2010. what you're saying here may not be true. – user1067003 Nov 16 '21 at 12:29
  • 1
    per [this fb post](https://www.facebook.com/tibia/posts/10154020880117364?) DDoS was still in use in the MMORPG Tibia as of 2017 (this is long after I personally stopped playing Tibia though, I retired around 2010) – user1067003 Nov 16 '21 at 14:46
  • 2
    @user1067003 Reminds me of a specific EVE Online battle, where there was going to be a decisive fight over a specific system that was incredibly important to a corp whose principals made their living off of 0.0 mining. They were able to discover the enemy FC's real life identity (not very hard, they were at a convention and made their identity known) and seriously considered and got very close to paying someone to cut the power to the enemy FC's home during the battle. Good luck with that DoS Attack. – Chuu Nov 16 '21 at 15:59
  • @MechMK1 Has OP even been online since then? Maybe he's being hit by a DDoS right now and can't get back online. – user Nov 16 '21 at 20:18
47

Contact your ISP’s security team and explain your situation. They should be able to help you change your IP to a new address.

John Deters
  • 5
    This is the correct answer (+1). Provided that the threat even makes sense, an end user has absolutely no capacity to defend against a (real) DDoS. – WoJ Nov 14 '21 at 18:08
  • 3
    There is no need to contact the isp in order to get your ip changed, unless you are paying out the nose for a corporate account with a static ip; that would just waste time. Just unplug your modem and leave it that way for a while, and eventually when you plug it back in, they will likely have assigned you a new ip. – kloddant Nov 15 '21 at 18:29
  • 2
    @kloddant This is not always the case, some ISPs assign dynamic IPs across sessions for devices and you have to take your router down for hours or sometimes even days to get a new address assigned. It's useful to inform the ISP or just ignore the threat, since ISPs know to protect their network anyways. The attacker will likely lose money for nothing when DDoSing him. – Martin Braun Nov 16 '21 at 08:24
  • @kloddant I need to manually change my MAC address, or I keep my IP address for months at a time. Not everyone has a router that can change MAC addresses either. – user Nov 16 '21 at 20:20
  • True, let me clarify: I would first try changing my ip by unplugging the modem for a while and seeing if that does it, because that is much less of a hassle than calling up your isp, listening to a series of automated messages, and waiting on hold forever. It's a convenience thing. But yeah, if that doesn't work, then the OP might have to call them. – kloddant Nov 16 '21 at 21:02
27

Not enough information for a qualified answer. I will make some assumptions and spell them out. Basic assumption: You actually care about being DDoS'ed (you earn money doing live streams or something).

First, I assume he means a static server IP address, not your home IP. Most ISPs use dynamic pools to assign IPs and you will get a different IP from time to time - sometimes every day, sometimes whenever you reconnect, depends on your ISP. If he means your home IP, you are good, because in 4 months you most likely have a completely different IP now.

Then again, a static server IP makes no sense to "find out". They're public. All it takes to "find them out" is "ping domain.ext" and there it is. Which also means that changing the IP doesn't do squat.

Second, I assume that he actually has the capability to make a DDoS attack of sufficient strength to knock your server offline. Most likely that will trigger the anti-DDoS protection of your hosting provider. It is still likely that your server will go offline. It is not likely that it will stay offline for long, as your hosting provider will take action - they don't like DDoS traffic clogging up their network.

Third, I assume that he doesn't have sufficient capability to knock your hosting provider offline. People who sit on that kind of botnets don't generally use them to threaten random people into "re-friending" them, that's just ridiculous. You can make real money if you have a proper botnet. He'd rather do that.


Conclusion:

Possibility a) we're talking about a server and a person who has the actual capability to run a DDoS. Advice: ignore him - sure he can knock you offline for a bit, but it'll cost him more than you and it won't last.

Possibility b) we're talking about your home IP. Then either - b1) the guy is a troll who's trying to scare you and he actually hasn't half a clue about how things work. You've most likely changed IP since then. Ignore him, he won't harm you. Or b2) he keeps track of your changing IP and actually is only half an idiot. He could DDoS you and disconnect you, which might be shit during a game or a live stream. If so, talk to your ISP and report him to the police (threatening negative, illegal consequences if you don't comply with a demand is a crime). Also report his friend as an accomplice. Note that, depending on your jurisdiction, two people collaborating to commit a crime is sometimes enough to qualify the deed as organized crime - I'm not kidding. Once these people get involved, the shit hits the fan. Do not inform them that you've reported them. That could be construed as interfering with a police investigation.

Involving the police might seem harsh. I don't know the circumstances of your case. If you think "wait, no, that's not what I meant" then my basic assumption may be wrong and you will not be seriously affected by a potential DDoS. If the whole thing is mostly inconvenient and just scares you a bit, then ignore him and if he does eventually DDoS you, disconnect, read a book for an hour, come back and you probably got a new IP from your ISP and are online again. If not, call the ISP technical department and complain about a service outage. They'll figure it out, filter the DDoS traffic and put you online again.

Tom
  • 7
    I don't think reporting some dumb kid to the cops is the right thing to do. It's not like he's threatening to kill OP. Sending armed men with legal immunity and a power complex to some idiot who threatened to slow down someone's internet is way overkill. It's a good way to get someone shot. – forest Nov 14 '21 at 06:40
  • 1
    +1 for pointing out your private IP address changes occasionally with most ISP. – Baumflaum Nov 14 '21 at 09:22
  • 14
    Involving the police is not harsh. If you believe somebody is doing anything illegal you should absolutely report it. Nobody is forcing this person to do this (the denial of service attack I mean) – Neil Meyer Nov 14 '21 at 12:45
  • 11
    @forest In the UK at least, there's a sub-branch of the police force dedicated to dealing with script kiddies and 1337 haxxors. They rarely even get a criminal record for a first offence; just a “here's why this is a crime, here's how many years you'd get, don't do it again” letter (or visit – unarmed, obviously –, if the police aren't too busy). In the US, this is probably bad advice, but in many countries it's good advice. – wizzwizz4 Nov 14 '21 at 19:12
  • 3
    @forest like I said, not enough information. It might be a dumb kid messing with another scared kid. Or it could be a verified asshole threatening someone who relies on the income from streaming to pay his bills. Let the asker decide how serious the situation actually is to him. – Tom Nov 15 '21 at 07:56
15

The worst this person can do is interfere with your internet speed. They won't be able to "hack you" or do anything to your computer, nor will they be able to obtain any sensitive information from you just because they know your IP. Don't worry about any serious consequences. Of course, if you're a competitive gamer, losing a match because someone is attacking your IP can be frustrating.

You have three options: comply, refuse, or protect yourself. Complying and becoming this person's "slave", as you put it, is probably not what you want. Given that this is their demand, it's very possible that they're bluffing anyway. It's not like they're blackmailing you with life-destroying secrets. Refusing may result in your internet speeds being decreased or you even being temporarily disconnected from the internet, but that's all. Finally, protecting yourself is most easily accomplished by changing your IP. If you have a dynamic IP, then rebooting your router or simply waiting for a new IP to be assigned to you is sufficient. Otherwise, you'll want to contact your ISP and explain the situation to them. Simply tell them that someone is threatening to DDoS you. They may change your IP for you.

Although ISPs do have ways to protect from DDoS attacks, they can only do so much, and often their last resort is IP blackholing, which protects them (and their other customers) at the expense of the attacker's target (you). Unfortunately, many people can still perform DDoS attacks sufficient to knock someone off the internet for a short time despite mitigations that modern ISPs often use.

forest
  • 2
    You might need to leave the cable modem off for its lease period - often (but not always) 24 hours. The modem's status pages might give the lease period, or if you can telnet/ssh into it, you can often find it that way. Or simply ask your ISP for the public IP's lease period. – CSM Nov 15 '21 at 13:15
7
  1. Figure out how this person found your IP address. Do you share any P2P (Peer-to-Peer) applications with this person? Fix this.
  2. Change your IP address

Discord is not P2P, so they didn't get your IP address from Discord, unless you clicked a link. This is where the HTTP proxy configured within your default browser will help. Generally, assuming you're a gamer, VPNs encapsulating your entire connection can negatively affect your ping/MS in game, which isn't great for gaming.

Furthermore, you can report this person to Discord here: https://support.discord.com/hc/en-us/requests/new

Poppy
  • 12
    I clicked on a link, as I did not know that it was an IP logger... I tried rebooting my router, but it did not change anything... – ThePro501 Nov 13 '21 at 17:44
  • 1
    @ThePro501 sometimes you have to keep your router off for a longer time. You should unplug it over night if possible, next day you should get a new IP assigned. If this isn't possible, simply contact your ISP. Also make sure to not open any URLs you got from the person who threatens you again. I hope you didn't execute any files he or your friend sent you, it could be the case that he claims DDoS, but it's rather a virus infection on your system that can cause any trouble. – Martin Braun Nov 16 '21 at 08:27
  • 1
    @ThePro501 That's worse as a carelessly opened link might provide them with quite a bit of info. Still, sounds like script kiddies who miiight've been able to get their hands on something like DDoS as a service. I'd ignore them because they obviously hope to blackmail you the easy way, so the more you respond the more gullible you appear. Blacklist, report, done. If you end up actually experiencing the DDoS, just contact the ISP. Still beats wasting time dwelling on it daily. That time & effort is a lot better spent reading about cyber hygiene. And these kinds of lessons are important in life. – Lodinn Nov 16 '21 at 12:17
  • @Lodinn Well, at that time I did not know what an ip logger was :/ – ThePro501 Nov 17 '21 at 19:05
6

Consider the potential of another person having your IP:

  1. Your IP address is not like a passport. It isn't confined to you, has no connection to your physical presence (unless you choose to, for instance, post it online or run a home server and serve websites on port 80/443 stating that such website is hosted within your house), and is one out of 4,294,967,296 (assuming you use IPv4). Attempting to "dox" someone with just a username and IP address is virtually impossible, and if that's the route that your Black Mirror-esque script kiddies want to go, let them take that route.
  2. DoS attacks have been around at least since 1996 with Panix being hit by what is now known as a SYN flood attack. It is reasonable to assume your ISP and/or router has DoS/DDoS protection.

The distinction should be made at this point between DDoS and DoS. Simply put, the extra D implies distributed, which means that your regular garden variety DoS attack application is distributed across multiple computers. Those computers are still attacking the same target, but the extra computers add a greater level of effectiveness. I would assume that the person that contacted you over Discord would use a DDoS attack.

If you are hit with a DDoS attack:

The first step is to unplug your router and plug it back in. Depending on how your IP address is assigned, that may change your public-facing IP address. ISPs will usually use DHCP to assign an IP address to you, but won't change it if your router's MAC address doesn't change.

The second step is to call your ISP and explain the situation. From here, your ISP will use certain techniques such as local filtering.

Depending on your router, it may be possible to block incoming connections. For ASUS routers, this is possible via Merlin and user scripts, which allows you to define an iptables filter. For NETGEAR routers, this isn't possible. This also requires you to know the IP address of the person(s) attempting to DDoS you.

Once the attacker is unable to mount any more attacks on your network, you should immediately report them, as well as any of their known associates, to Discord. This ensures that their account will be dealt with. It might be beneficial to show proof that a DDoS attack was performed on your network. Legally, DDoS/DoS attacks are a federal crime in the United States and should also be reported if you feel the DDoS is serious enough to warrant an investigation.

> He was breaking the Discord TOS with all kinds of stuff in my DMs. I blocked him, but one of his friends told me to friend him back, or he will DDoS me.

Report the user's messages that broke Discord's ToS in addition to what I just mentioned.


For a bit of a postmortem:

It seems more likely, however, that the user you're talking to has no proper experience with network security and is probably unaware of how the Internet works at a greater scale; most likely making threats in order to fear monger and control the narrative. I can't make exact assumptions, but you shouldn't have to worry about a potential DDoS threat. Most, if not all, ISPs have had to deal with their fair share of a script kiddie who searched up, "how to ddos someone 2021" on YouTube and clicked on the first link.

evilcrash
  • Given that OP clicked on some shady link which led to IP logging, doxing is not entirely off the table (grabify and such alone won't do much but who knows what else they might accidentally share...). Script kiddies getting their hands on some botnets providing DDoS as a service and residing in a foreign country could still be kind of yikes. My suspension of disbelief isn't nearly as strong though... – Lodinn Nov 16 '21 at 12:23
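
The router-side iptables filtering mentioned in the last answer depends on knowing which source addresses to block. As an added example (not code from any answer on this page), the script below ranks sources found in iptables LOG lines and prints, without applying, a DROP rule for each one over a threshold; the `WAN_IN` log prefix, the `eth0` interface and all addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: rank the sources seen in iptables LOG lines, then print
# (never apply) DROP rules for the noisiest ones.

# Constructed sample in the kernel's iptables LOG layout. Addresses come from
# the RFC 5737 documentation ranges; the last two lines are deliberately bad.
sample_log() {
cat <<'EOF'
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=41000
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=41001
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=41002
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=41003
kernel: WAN_IN IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=50522 DPT=443
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=41004
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=41005
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=41006
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=41007
kernel: WAN_IN IN=eth0 OUT= SRC=198.51.100.7;reboot DST=203.0.113.10 PROTO=UDP
kernel: WAN_IN IN=eth0 OUT= SRC=999.1.1.1 DST=203.0.113.10 PROTO=UDP
EOF
}

# Read LOG lines on stdin; print "count address" for every IPv4 source seen
# at least $1 times, busiest first. Anything that is not a clean dotted quad
# is skipped, so log content can never end up inside a generated command.
top_sources() {
    awk -v min="$1" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^SRC=/) continue
            ip = substr($i, 5)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            split(ip, o, ".")
            if (o[1] + 0 > 255 || o[2] + 0 > 255 || o[3] + 0 > 255 || o[4] + 0 > 255) continue
            hits[ip]++
        }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Turn the ranking into iptables commands for review before use.
emit_drop_rules() {
    top_sources "$1" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Stand-alone run: show the rules for sources logged three or more times.
sample_log | emit_drop_rules 3
```

Rules like these only protect the devices behind the router: the packets have already crossed the downlink by the time they are dropped, so a flood that saturates the line still has to be filtered by the ISP.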