What happens to your connection / modem when you are DDoSed and how can you prevent it?

-2

I want to learn more about how DDoS and DoS attacks affect the network and how you can prevent them. I know how they 'work' and why the network is overloaded but I still don't know if a router / computer that's connected to a router is being DDoSed, if that affects the modem (that's connected to the router).

And if it's possible to protect my router and (game) servers on my computer (that will be port forwarded) against these attacks with, for example, Cloudflare DNS and / or setting up a VPN server.

Kind regards,

Ruben

R_ Flintstone

Posted 2018-05-11T10:14:07.843

Reputation: 13

Question was closed 2018-05-14T20:58:54.333

Hosting public-facing servers from a home internet connection is usually a bad idea. You'd be better off renting out a server machine elsewhere. – MoonRunestar – 2018-05-11T11:15:15.223

1 @Sonickyle27 - Why? You can protect your connection, I only want to know if your modem gets affected when your router is being attacked. – R_ Flintstone – 2018-05-11T12:21:23.757

Answers

1

From the outside, only your public IP address is visible. A DDoS is sent to this public IP, which is your modem. If your modem passes this to the router, your router then has to decide if it sends this to a device in its network, or disregards the packet.

In any case, it really depends on the hardware which of all these is going to fail first.

It is possible the modem fails first, then packets don't come in at all, and are stopped at the modem.

It's possible the router is weaker, so the modem relays the packets, and the router fails. It depends on how the router fails if the threshold for the modem is reached or not, but it's possible the modem will fail after the router fails.

It's also possible a specific port is targeted, and the device behind it fails.

An attacker has to commit resources to do such an attack, so they will likely stop once they see that whatever they're targeting is no longer responding. By that reasoning, if any of the devices in this loop fails, the attacker may stop and the other devices may be kept alive.

How can you prevent an attack like this? Have a modem that is capable of identifying an attack and then discarding it entirely without being affected.

NB: It's possible you have a modem/router device, one device that does both. In that case you would need a modem/router that is capable of stopping a DDoS attack, or add a modem to the signal that can do so.

In addition, keep in mind, that if an attacker wants your network down, you need expensive equipment with fall-over policies to deal with a DDoS. This solution is something you will not want in a home situation. You may want to look into the quickest way to recover from a DDoS attack, which is something that can identify the DDoS, and reset the system.

Final note: It's unlikely for a home user to be attacked like this, and performing a DDoS is illegal. It is likely that you know who will have performed the DDoS attack, so it is a far better idea to take legal actions after it was done, so it happens once and never again. For that, make sure you have sufficient evidence.

LPChip

Posted 2018-05-11T10:14:07.843

Reputation: 42 190

So I could run Wireshark on my computer to 'record' the network's activity and then when a DDoS attack is happening (which is unlikely) 'save' the IP and basically go to the police and/or ISP with that IP? – R_ Flintstone – 2018-05-11T13:14:21.720

Yes. You could also look into enabling logging on your modem/router/server. Depending on how the attack is targeted, it is likely that they will target your gameserver, so its EventViewer will show the connect attempts too. Also record any conversations with other people in-game, if you suspect one of your opponents doing a DDoS on you. Make sure your log has time stamps so you can correlate those events with the DDoS and say: look, he said he was going to DDoS me, and 3 minutes later, my log shows it happened. – LPChip – 2018-05-11T14:02:24.757

Well, I have a plugin that records: username, UUID, IP, country, last and first login + all chat messages from certain players (if you execute the command with their username) and saves them into the database. So proof enough when someone does / says this. – R_ Flintstone – 2018-05-11T14:05:28.153

Yeah. I'm just telling you so you don't forget. :) – LPChip – 2018-05-11T14:14:31.077

@R_Flintstone In case of a DDoS attack you will most likely not be able to tell (or at least prove) who attacked you. Also keep in mind that logging PII may be restricted by (inter)national law. – danzel – 2018-05-11T15:28:58.557

@danzel - What is PII exactly? Saving IPs? – R_ Flintstone – 2018-05-11T16:00:38.400

PII: Personal Identification Information. If this answer helped you, feel free to mark it as answer, so others know you no longer need help. – LPChip – 2018-05-11T16:26:34.420

1 @R_Flintstone Personally Identifiable Information. What exactly is considered PII depends on the specific applicable laws. But, as I said, in case of a DDoS the attacker's real IP will most likely not show up in your logs anyways. – danzel – 2018-05-11T16:58:34.173

1

There are some steps you can try to mitigate this situation.

  1. Unplug the modem router, download new firmware for the two on your phone if you need to. When you plug your modem and router back in, you should be assigned a new IP address. (I'm assuming yours is behind an FQDN so the new IP won't help much).

  2. Go into the device that's holding the global IP for its WAN connection. Disable ping replies on the WAN interface. (Sometimes called stealth).

  3. Record the offending IP addresses performing the attack. You can notify your ISP, or send emails to (abuse@offendingdomain.com). You can find out what companies own these addresses by doing an ARIN lookup.

  4. Consider moving your server platform to a hosting service. (They have network engineers staffed to mitigate attacks like this). Or buy an IDS (intrusion detection system) for your network.

Tim_Stewart

Posted 2018-05-11T10:14:07.843

Reputation: 3 983
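One way to carry out step 3 and the time-stamp correlation suggested in the comments above, as an added example that is not part of any post on this page: it reads timestamped connection-log lines, finds the minutes in which traffic reached a threshold, and lists each source with its first and last seen time and packet count, ready to attach to an ISP or abuse report. The log line format, the sample addresses (documentation ranges), the port and the function names are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log line format (constructed here, not taken from any specific router):
#   <ISO timestamp> SRC=<ip> DPT=<port> PROTO=<proto>
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DPT=(\d+) PROTO=(\S+)$")

# Constructed sample log: one normal connection, then a burst inside one minute.
SAMPLE_LOG = """\
2018-05-11T13:00:12Z SRC=192.0.2.10 DPT=25565 PROTO=TCP
2018-05-11T13:02:01Z SRC=198.51.100.7 DPT=25565 PROTO=UDP
2018-05-11T13:02:02Z SRC=203.0.113.9 DPT=25565 PROTO=UDP
2018-05-11T13:02:03Z SRC=198.51.100.7 DPT=25565 PROTO=UDP
2018-05-11T13:02:04Z SRC=198.51.100.7 DPT=25565 PROTO=UDP
2018-05-11T13:02:05Z SRC=203.0.113.9 DPT=25565 PROTO=UDP
2018-05-11T13:02:06Z SRC=198.51.100.7 DPT=25565 PROTO=UDP
garbled line that should be skipped
""".splitlines()

def parse(lines):
    """Yield (timestamp, src_ip, dst_port) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), int(m.group(3))

def flood_report(lines, threshold=5):
    """Bucket entries per minute; for minutes with at least `threshold` entries,
    return (ip, record) pairs with first/last seen and count, busiest first."""
    buckets = defaultdict(list)
    for ts, src, port in parse(lines):
        buckets[ts.replace(second=0)].append((ts, src, port))
    sources = {}
    for entries in buckets.values():
        if len(entries) < threshold:
            continue  # ordinary traffic level, left out of the report
        for ts, src, port in entries:
            rec = sources.setdefault(src, {"first": ts, "last": ts, "count": 0, "ports": Counter()})
            rec["first"] = min(rec["first"], ts)
            rec["last"] = max(rec["last"], ts)
            rec["count"] += 1
            rec["ports"][port] += 1
    return sorted(sources.items(), key=lambda kv: -kv[1]["count"])

if __name__ == "__main__":
    for ip, rec in flood_report(SAMPLE_LOG):
        print(ip, rec["first"].isoformat(), rec["last"].isoformat(), rec["count"], dict(rec["ports"]))
```

The first and last seen times are what line up against chat logs or other timestamped records; the listed sources are what the traffic claimed as its origin, which is a record for the ISP rather than proof of who sent it.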

So I'm actually able to disable the replies? – R_ Flintstone – 2018-05-12T09:47:16.187

The FQDN often changes with the IP address as this IP address is often encoded in the FQDN. – LPChip – 2018-05-12T11:06:40.907

If they are using an ICMP DoS, yes, if your router has these options. – Tim_Stewart – 2018-05-12T17:37:31.403

1 @Tim_Stewart ah... I was mistaken with the hostname. Although it is often an FQDN, an FQDN is not the hostname. :) Example of such hostname vs IP address: IP: 123.45.67.89 with hostname 89-67-45-123.example.com – LPChip – 2018-05-12T18:02:10.760