
I have a home network, big family, with around 20 devices on it at any given time. It seems like every year or so, some device gets a virus or a security flaw is revealed, and the device starts behaving badly.

Normally the device will behave badly and try to password crack my network folders etc.

But the latest thing we have experienced this year is that the affected device will start firing off 1000's of requests to some site. Afterwards, I get on a DDOS ban list. For example, I cannot at this time access

An answer below has helped me understand that this is due to Akamai Technologies blocking my IP. I called Akamai Technologies and they confirmed this and let me know that my IP was suspected as "Web Scraping." Meaning some sort of malware must have made tons of web requests to site(s) protected by Akamai Technologies and therefore got flagged as a DDoS attacker. Not necessarily malware, it could have been some rogue software issue that caused these excessive requests too. I have contacted them trying to get the exact sites it hit so that I can debug further.

This sucks because my ISP does not allow me to change my IP address so I'm stuck banned.

I have my router's QoS feature turned on and I do not see any suspicious network behavior at this time. But that could change at any given moment.

So now the question:

What methods are there to identify this situation so that I can take immediate action?

Namely, I need a way to get an alert when my home network has suddenly become a DDOS attack node. Ideally something could be attached to the router to send me a notification - "hey device IP 192.168.1.x just started making 1000's of requests to sites so I have blocked its access until you take action."

So far this is what I have done:

  • See How do I know if my computer is being used for a botnet-based DDoS attack?
  • Changed all passwords, set up 2factor authentication on all password manager sites, etc.
  • Formatted all the Windows laptops with fresh copies of Windows, because Windows has a higher tendency to have viruses.
  • Virus scanned my whole network.
  • Block all TCP/UDP traffic to any devices that are meant to be used in local intranet only. Such as my security cameras and android tablets that monitor those cameras.
  • Anti-virus software on each device, make sure software updates are kept up to date, etc.
  • Make sure no one but me has admin access of devices. All user accounts on each computer are restricted to just what that person needs.

UPDATE:

I'm using a netgear R9000 router. Do you think there are any REST/SOAP api web services that I can use to create a simple program that watches for DDoS attack patterns?

  • "Block all TCP/UDP traffic to any devices that are meant to be used in local intranet only[,] such as my security cameras": was that before or after you got your IP ban? Because my guess is this should pretty much fix it, unless those [cameras use methods to punch holes in your firewall](https://security.stackexchange.com/a/129974/93625). – Ben Sep 19 '18 at 15:17
  • Have you checked/reflashed your externally facing router itself? – ximaera Sep 19 '18 at 15:18
  • @Ben Yes, I blocked those devices after the issue. So I'm hoping this helps. And ximaera, I was a couple versions back on my netgear R9000 firmware updates. Hopefully that helps too. But yeah... looking for ways to react to this in the future. I think I can fix the issue and be proactive just fine. – Nicholas DiPiazza Sep 19 '18 at 15:36
  • I probably won't have time to expand this to a full answer, but you can configure an outgoing firewall to block outgoing traffic that looks like a DDOS attack. This should be easy enough to detect because such traffic is very distinct - repeated rapid requests to the same IP address. It's almost like fail2ban but in reverse. Here is a related question: https://security.stackexchange.com/questions/76507/how-to-prevent-outgoing-udp-attacks – Conor Mancone Sep 19 '18 at 16:57
  • You'll just have to make sure the firewall is in between all of your devices and the internet. Probably the best way to do that is with a router that gives you full control over firewall rules, which may require a router running open firmware. – Conor Mancone Sep 19 '18 at 16:57
  • Yes @ConorMancone, I was just thinking about that same thing. I do have a router capable of open firmware actually. – Nicholas DiPiazza Sep 19 '18 at 17:35
  • You said that your ISP doesn't let you change your external IP address, but they may cycle it if you restart your router. Did you restart the router? – hft Sep 19 '18 at 17:58
  • Yes, I tried that. Unplugged coaxial and modem for an hour, plugged it back in, same IP address. They are going to send me another modem to see if that helps. Charter Spectrum is my ISP and they have very poor support for this situation. But to their credit, they are at least trying to help me. – Nicholas DiPiazza Sep 19 '18 at 17:59

3 Answers


Set up a Pihole to block ads, malicious sites and to log DNS requests. When the numbers spike you'll know where to block and who is causing the issue.

As explained in the pi-hole documentation (and video documentation) you configure your router to use the pi-hole machine as a DNS server. See this video circa 0:57 seconds: youtube.com/watch?v=vKWjx1AQYgs

Any Linux box will do, not necessarily a Raspberry Pi. I added block lists for Microsoft Telemetry and Spybot immunization list.

[Screen grab from phone: https://pi-hole.net]

  • Interesting. But how does this work if it's not part of the router? In my situation a lot of the devices in question are android, camera, iphone, etc. – Nicholas DiPiazza Sep 19 '18 at 17:50
  • I see. I would have to set up pi-hole as my DNS server. Very interesting. – Nicholas DiPiazza Sep 19 '18 at 17:55
  • Here is what I really need: https://discourse.pi-hole.net/t/can-i-run-pi-hole-directly-on-my-router/9148/5 – Nicholas DiPiazza Sep 19 '18 at 17:57
  • Why do you want to install this on your router? Is your router running one of the supported Linux distros? If not then probably not worth the effort. – hft Sep 19 '18 at 18:04
  • Well, I just need it to somehow be in effect for all devices hosted by my router. But if I set it up as the DNS server from the router, that should do it (I think). Feel free to educate me if I'm wrong. I'm still figuring this all out. – Nicholas DiPiazza Sep 19 '18 at 18:05
  • As explained in the documentation (and video documentation) you configure your router to use the pi-hole machine as a DNS server. You don't install it *on* your router... at least not in the documented basic installation... See video circa 0:57 seconds: https://www.youtube.com/watch?v=vKWjx1AQYgs – hft Sep 19 '18 at 18:07
  • Good luck! Happy hunting! – hft Sep 19 '18 at 18:08
  • That's it. Just be aware that if there is an issue with this DNS replacer you may need to be able to switch the router back to be the DNS server quickly - or incur the wrath of all the network users who will be connected but unable to resolve URLs. – Andy Anderson Sep 19 '18 at 18:10
  • Be sure to replace your ISP DNS addresses as well as the IPv4 DNS announced by the router. Have a play with your own devices and static IP addresses first to get used to how it works, test the reliability of the hardware and build up some good block lists. – Andy Anderson Sep 19 '18 at 18:13
  • Yep. Seems like exactly what I need. – Nicholas DiPiazza Sep 19 '18 at 18:26
  • Not every DDoS malware does DNS resolution (though we've figured out before that it's not an actual DDoS attack in this case). – ximaera Sep 19 '18 at 18:55
  • That is a really good point @ximaera. Who is to say the malware developers aren't smart enough to hit the IP addresses to bypass this sort of fix? – Nicholas DiPiazza Sep 20 '18 at 03:15
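Putting this answer's Pi-hole idea together with the question's ask for an alert when one device starts making thousands of requests, here is an added example (not from the post or the Pi-hole project) that scans Pi-hole's dnsmasq-format query log and reports any client that exceeds a lookup count inside a sliding time window. The log line format is the one dnsmasq writes with query logging on; the thresholds, window and sample lines are constructed, and the same per-client counting could be fed from a router's connection log instead. As ximaera's comment says, malware that connects straight to IP addresses never shows up in DNS logs, so this covers only the resolving case.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One dnsmasq/Pi-hole query-log line (the format Pi-hole writes to pihole.log), e.g.
# "Sep 19 15:17:01 dnsmasq[1234]: query[A] shop.example.com from 192.168.1.50"
QUERY_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                      r"query\[[^\]]+\] (?P<name>\S+) from (?P<client>\S+)$")

def parse_query(line, year=2018):
    """Return (timestamp, client_ip, queried_name) for a query line, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None  # cached/forwarded/reply lines are not client activity
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["client"], m["name"].lower()

def detect_bursts(lines, window_s=60, threshold=100):
    """Report clients that issue more than `threshold` lookups inside any
    `window_s`-second sliding window. Lines must be in log (chronological) order.
    Returns {client_ip: (count_when_crossed, most_queried_name)}."""
    recent = defaultdict(deque)                    # client -> timestamps in window
    names = defaultdict(lambda: defaultdict(int))  # client -> name -> total lookups
    alerts = {}
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        ts, client, name = parsed
        names[client][name] += 1
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop lookups older than the window
            q.popleft()
        if len(q) > threshold and client not in alerts:  # alert once per client
            alerts[client] = (len(q), max(names[client], key=names[client].get))
    return alerts

def sample_log():
    """Constructed sample: a quiet phone and a device doing 150 lookups in 30 seconds."""
    lines = [f"Sep 19 15:17:{s:02d} dnsmasq[1234]: query[A] calendar.example.net from 192.168.1.20"
             for s in (1, 12, 40)]
    lines += [f"Sep 19 15:18:{i // 5:02d} dnsmasq[1234]: query[A] shop.example.com from 192.168.1.50"
              for i in range(150)]
    lines.append("Sep 19 15:18:31 dnsmasq[1234]: cached shop.example.com is 203.0.113.9")
    return lines

if __name__ == "__main__":
    for client, (count, top) in detect_bursts(sample_log()).items():
        print(f"ALERT {client}: {count} lookups in 60s, mostly for {top}")
```

Run it against a live file with `tail -F /var/log/pihole.log` piped in, and hand the alert to whatever notifies you (e-mail, a push message, or a rule that cuts that client's access on the router).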

Sorry for disappointing you (because your intention to be a responsible Internet citizen is very commendable), but there's no easy way to do what you want to do.

The simplest of the suggestions, though, would be to write an e-mail to the DDoS mitigation service provider which is denying you access and to kindly ask for support and clarification. A DDoS mitigation provider probably knows what kind of malware you should expect to see in your network from the network fingerprint it leaves.

Looks like the provider in question is Akamai Technologies in your case, because three of the four domain names you've provided point to Akamai IP addresses. USPS probably either has some dedicated equipment bought and deployed or is serviced by AT&T; in either case, Akamai would be easier to reach.

Other methods are a lot more complicated. However, one thing you've apparently forgotten to do is to check your externally facing gateway router (or just to reflash it and update it to the latest firmware version). SOHO routers are a common target for malware.

Also, it may well not be your fault. Some DDoS mitigation services implement a technique that could best be described as "network redlining", i.e. preventing access from whole networks which seem suspicious, blocking entire ISPs or countries (e.g. China, if we speak of a U.S.-based network service), and so on. To make sure you aren't affected by this, ask your friends and neighbours, and try to figure out whether other customers of your ISP experience the same set of issues.

– ximaera
  • Yeah, I called Akamai already and they said it was due to my IP address participating in what they believed to be web scraping. I've already done most of the proactive things you have suggested. But it's the reactive that I'm asking about here. The only way I can think of is to somehow monitor the router's QoS, and respond with an email to my cellphone's txt email address when it sees unusual behavior. But the QoS doesn't track number of requests. It only really tracks Mbps up/down. – Nicholas DiPiazza Sep 19 '18 at 16:03

There are multiple ways to solve this. Network-based detection / interception may be a good start, e.g. installing a firewall that will throttle and/or block suspicious traffic.