Help needed with possible DDoS

JSNJSN Member Posts: 56 ■■■□□□□□□□
in Off-Topic
So I'm noticing some odd slowness on my network, despite the fact that there has been some work being done in the area for another ISP. Running the netstat command came up with a lot of incoming addresses on my network. I am not very experienced so I am not sure if I am being attacked or not, or at this point how to mitigate this.
Any help would be much appreciated
· Share on FacebookShare on Twitter

Comments

  • p@r0tuXus[email protected] Member Posts: 532 ■■■■□□□□□□
    Yep. Looks like the problem is quite obvious. You see, it's all upside down. Heh.
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
    · Share on FacebookShare on Twitter
  • JSNJSN Member Posts: 56 ■■■□□□□□□□
    http://i67.tinypic.com/149z66a.jpg
    · Share on FacebookShare on Twitter
  • cyberguyprcyberguypr Senior Member Mod Posts: 6,896 Mod
    Is this machine behind a router?
    · Share on FacebookShare on Twitter
  • JSNJSN Member Posts: 56 ■■■□□□□□□□
    Yes, just a typical home router access from my laptop.
    · Share on FacebookShare on Twitter
  • PJ_SneakersPJ_Sneakers CompTIA, EC-Council, ISACA, (ISC)², Microsoft USAMember Posts: 880 ■■■■■■□□□□
    Open up resource monitor and see which processes are using the most traffic.
    · Share on FacebookShare on Twitter
  • JSNJSN Member Posts: 56 ■■■□□□□□□□
    PJ_Sneakers wrote: »
    Open up resource monitor and see which processes are using the most traffic.

    Seems to be resolved now, do you have any advice on how to mitigate attacks in the future? I renewed and released the DHCP and tried changing my IP on windows. I'm not really sure how to comprehend that traffic either, I just know there were a few bouts of slow internet.
    · Share on FacebookShare on Twitter
  • PJ_SneakersPJ_Sneakers CompTIA, EC-Council, ISACA, (ISC)², Microsoft USAMember Posts: 880 ■■■■■■□□□□
    Its probably not a DOS. If it's anything malicious it'd probably be malware. But it's likely to be a Windows process too, or Dropbox, or any number of other things. Nail down which process it is, and research it.
    · Share on FacebookShare on Twitter
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    I would agree with PJ_Sneakers - it is not likely a DOS attack. I've actually seen this before but I just don't recall the circumstance or scenario.

    @OP - it would be helpful if you posted info so it's easier to read but from what I could glean without getting a neck cramp - looks like outbound connections from your computer. And if your router/firewall is configured correctly, it's unlikely to be inbound connections.

    It looks like a browser hijack to me but I also recall finding another reason for this - just can't remember what...

    If you post better details from the netstat - Ideally not a screenshot - it would be interesting to try to diagnose.
    · Share on FacebookShare on Twitter
  • VeritiesVerities Member Posts: 1,162
    Not sure what a DoS looks like over Netstat (now I have to go look). Netstat is used to typically show network connections, its actually deprecated and SS is the replacement. Read the man pages for how to differentiate between TCP and UDP connections or established or listening ports. To me it looks like multiple connections are established over HTTPS. This typically happens when you visit a website or multiple websites. I'm not sure exactly you would determine any type of attack or specifically a browser hijack over those ports unless you close all your web browsers and watch netstat drop or maintain the connections or inspect the actual traffic.

    Anyways, securing your IPtables should be your first line of defense:
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT
    -A INPUT -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    The bolded lines are going to provide you the most security at the OS layer from outside attackers, specifically bots that crawl the internet looking for systems to exploit and also limit the amount of input from any established or new connections.

    Edit (check this out):     https://linuxaria.com/howto/how-to-verify-ddos-attack-with-netstat-command-on-linux-terminal
    · Share on FacebookShare on Twitter
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    paul78 wrote: »
    .... I also recall finding another reason for this - just can't remember what...
    Oh - I think these are mostly connections to Microsoft networks. Are you running Skype by any chance? I have a vague recollection about that when I saw this in the past.
    · Share on FacebookShare on Twitter
  • VeritiesVerities Member Posts: 1,162
    paul78 wrote: »
    Oh - I think these are mostly connections to Microsoft networks. Are you running Skype by any chance? I have a vague recollection about that when I saw this in the past.

    And here I was thinking this was a Linux desktop. Now that I look at the top of the picture, I can see Windows Explorer C:\ path.icon_lol.gif
    · Share on FacebookShare on Twitter
  • NetworkNewbNetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Use "netstat -b" to see what exe is using each connection. Honestly that just looks like mine when I have a bunch of tabs open in my browser though...
    · Share on FacebookShare on Twitter
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    NetworkNewb wrote: »
    Honestly that just looks like mine when I have a bunch of tabs open in my browser though...

    LOL - good point - there are a lot of CDNs on that list. I did probe a couple of the IP/port's though but there wasn't a HTTP listener at the destination othere than at the CDNs.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.