Constant DDoS attack on dynamic IP, how do they get IP?

Hi, a mate and I are getting constantly DDoSed, but we are offline on everything, and even when our computers are off it happens.
We are both running pfSense and can see in the logs that we are getting attacked on port 19 (Chargen attack) or port 53 (DNS Amp attack).
We are unable to figure out how they are getting our IP addresses.
I have a dynamic IP; I got attacked within minutes of an IP change.
My mate has a static IP; however, he has had it changed multiple times and he keeps getting attacked within an hour.
If anyone has any suggestions on how to mitigate the attacks, a way to catch who it is, or how they are getting our IPs.

Thank you very much.

Sam

Do you have DDNS set up? That would be the obvious culprit. Otherwise I'm not sure; it could be some malicious software on one of your computers updating them with your IP, or it could be something else.

Those sound like Snort alerts. Are you actually losing connectivity from these attacks? Because Snort gets a lot of false positives and there's always going to be a lot of junk hitting your firewall. So if it's not affecting your network performance, then it's just normal noise and nothing to worry about.

I had DDNS set up a while back but not now. And yes, we lose net connectivity: pfSense blocks the attacks, however it maxes out our inbound traffic so the internet just dies completely. We believe it's a chargen and a DNS attack we get.

Yeah, the traffic is the attack; there's not much you can do to block it once it's there. I'm not sure what you can do other than try to find how they're getting your IP address, although they could be attacking a range of IPs. Does your friend use the same ISP as you?

Have you talked to your ISP about it? What did they say?

No, he is using a different ISP, but no one else I know is getting attacked; it's only me and him. Even our other close friends we game with aren't getting attacked...
Well, I'm with Telstra and they sent a tech out, which was irrelevant, but they fixed a connection issue; not the point... It's still happening and they don't want to do much about it. We just can't do much; we've saved all the logs, but it's all China etc...

No, I cannot, because there are SO many different IP addresses... like hundreds.

It's probably your games which are giving your IP away. The easy solution would be to use a VPN, although this probably isn't ideal because of the added latency.

Well, even when we aren't playing games... And I never used to use a VPN.

It sucks so much... Because there is nothing I can do.

I can't track them down any way, can I?

What programs are you using? There are many programs that give away your IP.
Try maybe reinstalling your OS and freshly installing your software. Try staying away from services like Skype and server-based games, since these will give away your IP address...

It will be a bit of sifting, but look at your state tables in pfSense. It essentially shows you all connections that are currently active.

Seeing as you know the ports, type ":(port number)" in the filter expression and it will filter current connections on that port.

Quick Q: did this ever happen before switching to pfSense? And were you using the ISP-provided modem and router? (Also, who is the ISP?)

Max_J
There are no programs that have been open during all the attacks; I've had all the computers turned off and that's still happened.

Zanginator
This never happened before switching to pfSense. I've been using it since March without a problem; this started about 4-6 weeks ago. I am with Telstra (Australia). I use one of their modems in bridged mode plugged into pfSense, and pfSense uses PPPoE for authentication etc...

What router were you using before pfsense?

I have not finished reading this yet, but it looks like good info and I may be applying it to my pfSense router myself. http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/

A Netgear N600

It still isn't going to prevent my bandwidth getting flogged.

Have you run a malware scan on your PC? You could be infected with something that is calling home with your IP.

1 Like

Yes, and unfortunately nothing... (Never thought I'd say that.)
We spoke yesterday; we think it might be Steam. Any ideas on how they would get it from Steam itself?

Yep

  • run nmap and check what ports you (and other PCs) have open
  • disconnect anything else from the network: wireless printers, smartphones, Blu-ray players, TVs etc. Perhaps something is compromised and is leaking out your global IP
  • have a good look at any UDP services (as they will keep pushing packets (a stream) larger than the request if something)
  • perhaps capture a bit of the traffic (tcpdump or Wireshark) and analyse it
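As an added illustration of the two pieces of advice above (filtering the pfSense state table by port, and capturing traffic and analysing it), here is a small Python script that is not part of any post in this thread. It parses capture lines in tcpdump's `-nn` text style and summarises unsolicited inbound UDP arriving *from* well-known reflector ports (chargen on 19 and DNS on 53 as reported in the thread, plus NTP and SSDP as a generalisation), which is the signature of a reflection/amplification flood: many distinct source addresses, all answering on the same service port, to a host that never asked them anything. The sample capture, the `198.51.100.7` WAN address and the `203.0.113.x` reflector addresses are constructed from RFC 5737 documentation ranges, and the `min_sources` threshold of 3 is only sized for that tiny sample.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump "-nn" text style (not a real capture).
# 198.51.100.7 plays the role of our WAN address; the 203.0.113.x hosts play
# abused reflectors. One line is a DNS reply we actually asked for, and one is
# ordinary TCP, so the script has something to correctly ignore.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.5.19 > 198.51.100.7.40001: UDP, length 1400
12:00:01.000200 IP 203.0.113.6.19 > 198.51.100.7.40001: UDP, length 1400
12:00:01.000300 IP 203.0.113.7.19 > 198.51.100.7.40001: UDP, length 1400
12:00:01.000400 IP 203.0.113.8.53 > 198.51.100.7.40002: UDP, length 3000
12:00:01.000500 IP 203.0.113.9.53 > 198.51.100.7.40002: UDP, length 3000
12:00:01.000600 IP 203.0.113.10.53 > 198.51.100.7.40002: UDP, length 3000
12:00:01.000700 IP 198.51.100.7.51000 > 192.0.2.53.53: 1234+ A? example.com. (29)
12:00:01.000800 IP 192.0.2.53.53 > 198.51.100.7.51000: 1234 1/0/0 A 192.0.2.10 (45)
12:00:01.000900 IP 192.0.2.80.443 > 198.51.100.7.52000: Flags [P.], seq 1:101, ack 1, win 512, length 100
"""

# UDP services commonly abused as amplifiers: the two named in the thread plus
# NTP and SSDP. Extend the table if your logs show other source ports.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 1900: "SSDP"}

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return (src, sport, dst, dport, proto, length) for one tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    proto = "tcp" if "Flags [" in rest else "udp"
    # tcpdump prints "length N" for plain UDP/TCP and "(N)" for decoded DNS.
    lm = re.search(r"length (\d+)", rest) or re.search(r"\((\d+)\)\s*$", rest)
    length = int(lm.group(1)) if lm else 0
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto, length)


def analyze(capture_text, our_ip, min_sources=3):
    """Summarise unsolicited inbound UDP from known reflector ports.

    A datagram is 'solicited' when we earlier sent one to that exact peer and
    peer port from the port it now answers to (our own DNS lookups, for
    example). Returns {service_port: {...}} only for services that arrived
    from at least `min_sources` distinct peers.
    """
    outbound = set()  # (peer_ip, peer_port, our_port) tuples we initiated
    stats = defaultdict(lambda: {"service": "", "packets": 0, "bytes": 0, "sources": set()})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, proto, length = pkt
        if proto != "udp":
            continue
        if src == our_ip:
            outbound.add((dst, dport, sport))
            continue
        if dst != our_ip or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dport) in outbound:
            continue  # a reply we asked for, not reflection traffic
        s = stats[sport]
        s["service"] = REFLECTOR_PORTS[sport]
        s["packets"] += 1
        s["bytes"] += length
        s["sources"].add(src)
    return {
        port: {**s, "sources": len(s["sources"])}
        for port, s in stats.items()
        if len(s["sources"]) >= min_sources
    }


if __name__ == "__main__":
    for port, s in sorted(analyze(SAMPLE_CAPTURE, "198.51.100.7").items()):
        print(f"udp/{port} ({s['service']}): {s['packets']} packets, "
              f"{s['bytes']} bytes from {s['sources']} distinct reflectors")
```

On a real box you would save a minute of `tcpdump -nn udp` output from the WAN interface to a file, pass its contents to `analyze()` with your own WAN address, and raise `min_sources` well above 3. The per-port byte totals are what matter for the complaint to the ISP: they show the inbound line being saturated by reflected traffic that pfSense is already dropping, which is why blocking at the firewall does not restore the connection.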

Fitchx
Valve patched it last year...

Deejeta
Sure, I'll do that and see if there is anything "strange" going on. But we've got to remember this is happening to two of us.

Thanks very much, I'll post my findings.

1 Like

Good to know. Seems like something they never should have needed to patch.