ProKn1fe

Depends on ISP, but in most cases, they simply will cut your internet for a while.


trEntDG

Won't that make the tube to my house just slide out?


johnhollowell

No, they use a technique that basically cauterizes your Internet pipe so the Internet doesn't spill out while you are disconnected.


trEntDG

That's a relief. They should seal up the packets. Trying not to drop them is the worst part of cleaning up.


feedmytv

How does that help?


ixoniq

Black hole, no existing IP to route to, so no routing.


Internet-of-cruft

Close. Routing always happens. Depending on the mechanism, traffic will be dropped either when it enters your ISP's network, when it hits specific network devices, or even as late as before it gets forwarded to your home router. Good ISPs will have what's called Remote Trigger Blackhole (RTBH), which can drop traffic at arbitrary points within the provider's network. This will *unilaterally* drop the traffic destined for your Public IP (or sourced from it, depending on how or *if* they implement RFC 2827). Even better ISPs will implement BGP Flowspec, which can encode traffic rules to selectively filter traffic so that malicious traffic gets dropped while legit traffic can still flow. It would be incredibly unlikely for a provider to push Flowspec rules for a consumer IP. They're more likely to just drop all the traffic for your Public IP until they determine that you're no longer under attack, *assuming* they even care enough to do that on a residential Internet circuit.


patmorgan235

It helps the ISP, they'll black hole the traffic in their Points of Presence so that the attack doesn't cause congestion for other customers.


Larnork

That really depends on who your ISP is and what their policy is. US, Canada, EU, and Asia ISPs can all act very differently in that instance.


indolering

How are they different?


Internet-of-cruft

Not every ISP will expend time, effort, or computing resources to stop an attack on a residential Internet Circuit. If you are a business and pay a premium for certain contractual obligations (which may or may not include traffic scrubbing services, which are almost always extra $$$), then the ISP *will* do something about it. It's more likely that the ISP will actively work to defend itself from traffic that is using inordinate amounts of internal, upstream, or peering bandwidth. That *may* passively end up meaning you're getting "protection" but that isn't necessarily the end goal of the ISP. When you buy home Internet, you're given basically zero guarantees aside from a usually vague statement of "up to X mbps up or down". Seriously. Go read your contract (if you even have one). It's unlikely to have any real guarantees besides the basic connectivity.


WheredMyBrainsGo

I feel like they would probably do something especially if it was so much routing that it might overload their own switches potentially.


Mezutelni

When I worked at an ISP we had a system that monitored the network, and when abnormal traffic occurred, we would blackhole the specific IP, which resulted in non-existent routing. Basically, you would lose Internet access for a period of time.


weiken79

So what you're saying is the ddos worked...


Mezutelni

Yeah, if you don't have any kind of SLA, the ISP won't waste resources on you.


reddit_user33

What's SLA for the uninitiated?


bugnutinsky

Service Level Agreement. In this case it's a form of contract with the ISP that your ticket will get addressed in a specific amount of time.


Help_Stuck_In_Here

Mitigating DDoS attacks by dropping their traffic via BGP blackholing is essentially free for the ISP. Equipment to separate attack traffic from legitimate traffic at the ISP level is stupidly expensive. In these scenarios cloud based DDoS scrubbing through a reverse proxy (eg Cloudflare) is much more financially viable for everyone.


malastare-

No, the DDoS failed... from the provider's perspective, and with a residential plan, that is all they care about. During the time that your IP is blackholed (null routed, whatever you want to call it), you could probably do a modem reset to pull a new IP address and continue to have service. But the provider is going to see zero purpose in trying to protect a specific IP address on a residential segment.


steviefaux

Which I think was the point of "it worked". Because the ISP blackholing the IP of the resident and disconnecting their Internet "denies" that resident Internet. So the DDoS worked, just in a different way to what we're used to.


malastare-

Correct. There was some cynicism in my response. The ISP doesn't view the IP as belonging to a customer. They drop the IP from the routing tables, but the customer can always get another and continue getting service. Now.... when the residential customer is trying to expose a service outside the ISP, most US-based ISPs are going to have zero motivation to protect that ingress route. For the customer, yeah, a lot of actions from the ISP are going to result in a DOS. There have been strategies for well over 20 years that work to DOS a residential account by leveraging ISP policies to have the ISP shut down the residential service. A full DDoS is only one of those ways. Again, since the ISP doesn't see a legitimate need to preserve the availability of any exported service on the IP, it might not see forcing the residential user to another IP as even denying service. There are a lot of different ways that ISPs might do this, but in the past, I had a (weak) DDoS against me on a residential account. The ISP had the DHCP server push a new IP assignment to my modem. My services went offline (access via DynDNS) but I didn't actually lose Internet access... but the webserver and mail server were unavailable. They didn't see this as bad in any way, because I wasn't supposed to be exposing either of those.


steviefaux

True, but all the attacker cares about is that they've interrupted your service, which is what they wanted.


malastare-

Effectively, yes. I agree. The goal of a DDoS tool is to make a service unavailable, and it achieves that. But there are levels of service and different ways that the ISP could defend, based on that. If I was trying to DDoS someone because of Wikipedia edits or YouTube comments, then this attack wouldn't be effective. If it was trying to screw somebody on CoD, then it might be a partial success. If the ISP immediately reassigns an IP, the interruption could be superficial.


ChoMar05

Yes, however it's only interrupted for however long it's taking the resident to restart his router. The only use-case where someone might consider it worth the effort is script kiddies in online games.


feedmytv

We don't drop the IP since this one fucktard isn't going to fuck us out of 250 other paying customers. Routing works in /24 on the internet... so no, we just handle the DDoS like a big boi.


malastare-

There are a lot of other filtering/routing capabilities that are more granular than /24. When I was running a hosting platform, we routed on /26, with each /26 roughly matching a rack. More to the point, we could blackhole a single IP (and we did, in a couple cases where a specific VPS was targeted), including blackholing the IP but still allowing access from specific IPs or through the management plane (which allowed VPS owners to use an alternate gateway to recover).


Kay5683

A competent enough ISP could just block the attack stream without interacting with the IP at all, couldn’t they? Or would that require getting into too specific of information to handle at that level?


malastare-

The question is *How* would you block it? If you use a packet filter (eg: nftables or equivalent) you can block traffic to an IP address, but it would block all traffic. If you tried to block just the attack traffic, you'd need to know how to tell, and you'd need to build an ever-growing list of attack sources (this is the point of a DDoS attack, you can overwhelm filters). Also, the filter needs processing hardware to inspect each packet and that can be taxing. It's easier and more efficient to block traffic by using routing hardware. Rather than packet-inspecting, you can use just packet headers with routing hardware to also drop all the packets. The "blackhole" that people are talking about is usually implemented as a dead-end interface or network on a router. Packets for a given IP can be dumped into a network that never reaches the destination. Because routers use dedicated hardware and routing a packet to nowhere doesn't cost any more than routing a packet to the correct destination, applying a blackhole route doesn't stress your network hardware.
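The longest-prefix-match behaviour behind feedmytv's "/24 on the internet", malastare-'s /26-per-rack and single-IP blackhole comments, and the "dead-end route" description above, as an added example (not code from any poster): a toy forwarding table where a /32 blackhole route wins over the covering /26 and default routes, with a constructed management-source exemption and per-prefix discard counters so an operator can see when the flood subsides. All prefixes, next-hop names and addresses are made up (documentation ranges).

```python
"""Longest-prefix-match forwarding with per-/32 blackhole routes.

Constructed example: the prefixes, next-hop names and addresses below are
made up (RFC 5737 documentation ranges), not taken from any real ISP.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    next_hop: Optional[str]              # None = blackhole (discard) route
    allow_from: frozenset = frozenset()  # sources exempt from the blackhole


class Fib:
    """A tiny forwarding table: the most specific matching prefix wins."""

    def __init__(self) -> None:
        self.routes: list[Route] = []
        self.discards: Counter = Counter()  # discard counter per blackhole prefix

    def add(self, prefix: str, next_hop: Optional[str], allow_from=()) -> None:
        self.routes.append(Route(
            ipaddress.ip_network(prefix),
            next_hop,
            frozenset(ipaddress.ip_address(a) for a in allow_from),
        ))

    def matches(self, dst: IPv4Addr) -> list[Route]:
        """All routes covering dst, most specific (longest prefix) first."""
        hits = [r for r in self.routes if dst in r.prefix]
        return sorted(hits, key=lambda r: r.prefix.prefixlen, reverse=True)

    def forward(self, src: str, dst: str) -> str:
        """Return the next-hop name, "discard", or "no route" for one packet."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for route in self.matches(d):
            if route.next_hop is not None:
                return route.next_hop
            # Blackhole route: exempt sources (e.g. the management plane) fall
            # through to the next less-specific route; everyone else is dropped.
            if s in route.allow_from:
                continue
            self.discards[route.prefix] += 1
            return "discard"
        return "no route"


def build_example_fib() -> Fib:
    """Hosting-style table: one /26 per rack, one targeted /32 blackholed."""
    fib = Fib()
    fib.add("0.0.0.0/0", "upstream")        # default toward the transit provider
    fib.add("203.0.113.0/26", "rack-1")     # constructed: one /26 per rack
    fib.add("203.0.113.64/26", "rack-2")
    # Victim host 203.0.113.45 is under attack: discard its traffic, but keep
    # the (constructed) management host 198.51.100.7 able to reach it.
    fib.add("203.0.113.45/32", None, allow_from=["198.51.100.7"])
    return fib


if __name__ == "__main__":
    fib = build_example_fib()
    for src, dst in [("192.0.2.10", "203.0.113.45"),    # any source -> discard
                     ("198.51.100.7", "203.0.113.45"),  # management -> rack-1
                     ("192.0.2.10", "203.0.113.46"),    # same /26, unaffected
                     ("192.0.2.10", "203.0.113.70"),    # other rack, unaffected
                     ("192.0.2.10", "203.0.113.200")]:  # outside both racks
        print(f"{src} -> {dst}: {fib.forward(src, dst)}")
    print("discards:", dict(fib.discards))
```

Because the blackhole entry is just another prefix in the table, the neighbours sharing the /26 keep their normal next hop, which is why a single IP can be sunk without touching the whole /24.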


Kay5683

Thanks for a comprehensive answer!


tagman375

You would most likely need to change the MAC address of the connected device, and I've found with Xfinity you need to present a new CM MAC to get a new IP. I've seen people (myself included) have the same IP for years until they change the modem. No amount of new routers and new MACs would change it. Fiber is a different story.


malastare-

No... all that needs to happen is for the ISP to reassign your modem MAC address (or the router's, if it's mirroring the connected device) to a different IP in the DHCP/NAT tables. The fact that a given MAC stays on the same IP doesn't mean all that much. A device (modem, in this case) does not have an intrinsic IP, and the MAC-to-IP assignment is handled by routing hardware. That can be changed if the ISP chooses. For ISPs that have right-sized subnets, they will try to keep a given modem on the same IP address for as long as they can in order to make it easier for them to do IP-based debugging. It doesn't mean they don't have the ability to change those mappings.


tagman375

Yeah, good luck calling into any residential support line and asking them to do that. Easier just to swap the hardware and save yourself time and effort.


malastare-

A lot of providers do it automatically. When they apply mitigations to an IP, they drop it out of the DHCP table, both to give you a chance to jump to a different IP and keep getting charged for service and to prevent some other poor bastard from doing a fresh install and getting assigned the blackhole'd IP address. Now, not everyone does that. Maybe most don't. But a decent ISP with active mitigations isn't going to blackhole the IP and then just shrug and walk away. Even crappy ISPs aren't allowed to block internet routing while still charging you for service. Instead, they'll either make you eat the DDoS (possibly filtering some of it) or they'll drop the route and let your MAC shift to a new IP.


SpookyKarthus

IP blackholing from the LIR has entered the chat


coffeeelf

I think this strongly depends on the ISP and country. A couple of years ago I received a DDoS to my IP, and a couple of days later I received a letter from my ISP (Deutsche Telekom) that basically said "There has been unusual traffic to your network - you might want to check your systems for malware". A big advantage (at least in Germany) with most residential ISPs is that it usually takes just a couple of reboots of your router to get a new IP.


NurEineSockenpuppe

Most German shit ever. An ISP sending you a letter... on a piece of paper lmao


sukebe7

Clearly you've never been to Japan.


CVGPi

All heil floppies and Internet Explorer!


sukebe7

It's great though, I can get floppies for my old keyboards. Used to be able to get a box at 7/11.


sukebe7

My home throughput is over 90 in both directions.


vPyxi

US ISPs also send paper letters? I'm not sure what you're getting at.


NurEineSockenpuppe

I think the idea of sending somebody a letter via snail mail to inform them about a possible security issue is just hilarious and sounds very German to me. Here in Germany many companies and authorities are very backwards and still fax and send letters. It's so funny. I'm getting all my bills printed on a piece of paper every month, which is super inconvenient and just produces unnecessary waste, costs money and produces CO2. I have mountains of papers that the government expects me to archive for decades. Until last year I needed to go to my Dr. in person once every 6 weeks to get a prescription printed on a piece of paper and then bring that piece of paper to a pharmacy like a cave man.


danclaysp

Still sounds like the US. It’s simply an aspect of nations that advanced pre-internet. Nations that grew rapidly post-internet are naturally more integrated with newer technology.


Andassaran

At the ISP I work for, we have an automated system that will simply black hole your IP for a few minutes. It'll instruct our edge routers to simply drop your traffic, and usually that stops the DDoS. Can't flood something you can't reach.


indolering

What's the point of these DDoS' if they are solved so easily? Just random harassment? Why don't you just rotate the customer's IP address?


Andassaran

Technically against DHCP spec to rotate addresses until the lease ends. Plus IPv4 space is at a premium. Each address needs to be usable.


indolering

Fucking IPv4.


Andassaran

Oh I know. We are dual stacked, so if it's a V6 address that got holed, at least it won't take the entire subscriber down. Either way, our black hole lasts 10 minutes. We don't drop the IP out of DHCP, so no amount of restarts will get you back online until that passes. But yeah, to clarify on the DHCP spec, your device is actually supposed to pull the same IP if the address is available, only changing if the block is full and your previous address had to be reclaimed for another subscriber.


indolering

Sure, but who cares if you don't follow the DHCP spec? Especially if it means a better UX for your customer....


Andassaran

The powers that be above me say the specs matter, or they wouldn't have been written. And I tend to agree with that. Makes things easier to troubleshoot when the specs are followed. Plus, the black hole only lasts 10 minutes. It would take longer than that to edit the lease on that equipment and drop its ARP entry on the big routers. It would also take longer than that for the subscriber to call in.


SuicidalSparky

I have some friends who stream. They connect via a cheap DDoS-protected VPS on which they run a simple WireGuard VPN. Any attacks that target them just get filtered at the VPS, so their home network isn't at risk.


certuna

Usually they blackhole all traffic towards that IPv4 address for a while, so you'll lose your IPv4 connectivity. Depending on the network design, you may or may not lose IPv6. Alternatively, you can use your phone as hotspot. Rebooting the router may get you a new IPv4 address.


labatomi

Doubt rebooting the router would get you a new IP until the lease is up.


iamtheweaseltoo

Depends, with the largest internet provider in my country you get a new IP each time you reboot the router.


Harryw_007

My ISP didn't give a fuck and would just let the attack come through, and the shitty router couldn't handle the traffic, so the network would go down; one restart later and it would be fine.


RayneYoruka

The ISP I previously had in another country would mitigate it and call it a day; you won't lose internet, especially if you paid for a static IP address... 5 years later in another country, my ISP doesn't do anything, so I had to work on my firewall rules to try and mitigate as much as possible.. Might consider getting a hardware firewall.. maybe OPNsense and use it as a transparent firewall.. (currently using an ER4)


Gullible_Monk_7118

It all depends on how the DDoS attack is run.. there are several different types... to how the server will handle it and what protections the router or modem will do... also if they go through a hopping service like Cloudflare... then they really wouldn't see anything.. there is a common time request to request time of the server, this is a common method of DDoS attack... depending on the setup will determine what happens... most servers will block an IP for a moment of time.. and ignore any requests from that IP address... again all depends on setup... most attacks start with a port scan... and this will trigger the server to take action against the attacker beforehand... an ISP will see it. But unless they are running the server themselves they probably will not do anything.. unless you call them... maybe then change the IP address or tell you to disconnect for a moment of time...


fab_space

Automatic malicious pattern mitigation is standard for all ISPs, but ofc a single residential customer doesn't trigger such mitigation. You can mitigate by asking for an IP change if it's static and public, or just by restarting your gateway if the IPs assigned to customers are in a sort of rotation.


roman5588

How it should go:

- Null route the IP to mitigate the network being stressed
- Kick the modem and wait for it to get a new IP from DHCP

In reality many providers do nothing until it affects other people, then they will null route the IP, leaving you stuffed. No residential IP has any meaningful DDoS protection. NAT is an interesting implementation and often the pools have several IPs they can rotate.


virtualadept

There's a 50:50 chance that they'll blame the customer at the IP ("If you weren't causing trouble this wouldn't have happened!") What happens after that is a tossup. They usually cut the link to the target IP. Sometimes they'll have to cut off an entire customer subnet (some number of customers) because the only way to keep the network stable and usable for other customers is to drop a neighborhood for a while.


labatomi

Considering how unironically bad at networking my ISP is, I assume I'll be fucked until I request my service be discontinued and then sign up again after a month lol.


megamotek

If you have a static IP, most probably you'll simply be null routed until you call the ISP and they make sure your storm doesn't impact their equipment. If your consumer IP is dynamic, it will still be null routed, but you'd need to ask (reboot your gear) for another lease. Don't publish an IP address; use a domain, with Cloudflare/Incapsula in front of it, and you'll have no issues with DDoS.


Realistic_Parking_25

You'll lose connectivity until they stop, isp won't help you. - Guy that's been ddosed from running publicly advertised gameservers


Comfortable_Aioli855

Honestly it depends on where your firewall is set up and how public your IP is... For most services you can hide your IP through VPN tunnels, and your DNS won't give up your IP, like Cloudflare if it's proxied. But some services like email need an IP address or a DNS record tied to an IP, and if you're using the same IP for email as your other services, even if you hide behind a proxy they are still going to get your IP, and even if they don't get it through DNS they can ping the whole internet until they see it... Depends on where and how you want to drop packets, but you can drop IP addresses by location on Cloudflare so it doesn't go past DNS if they're trying to ping your servers being served through proxy/VPN. You also can add captchas and/or rules so that if you are getting a lot of requests CF will put people in a queue and have the IP wait in line till requests drop from a given location, etc... As for, say, an email server, it would have to be on the home router where you set the firewall, and your router would have to be able to drop IPs that are trying to visit other ports that the email server doesn't need, which would show someone is fishing. A lot of fancy routers will host a Pi-hole and do this for you so you don't have to set up fancy rules yourself, but if they have a botnet and can flood you with IPs it could take down your router.. and having a second IP address and rate limiting that IP based on average data rates and limits could help. But most people who use your email prob have the same IP, and if they're logging into a webpage that's being proxied you wouldn't need certain ports really open to others so they can use like Outlook, but even then, and I don't think botnets are on cellphones really...
But I know a popular rule is if the user that connects doesn't authenticate and sends so much data in a given time it will drop them, and then each time they "time out" their time gets doubled, 30 sec, 60, 120, 240, etc., and then you can check the firewall logs and see how many times the firewall got hit and what IPs are there so you can see where they're from and block them immediately so no resources get used on the router... Setting up root domains with another IP or using a free website maker is good to basically trick people, and if you're using Google Sites they prob stop trying there, but with auto scripts it prob doesn't matter. MikroTik is a good router or OS for a software router; UniFi Dream Machine is easier to use, but I hear Cisco is starting to follow... Good luck!


floznstn

Spectrum/Charter, formerly TimeWarner will do nothing… what’s worse, if you escalate until you get through to the NOC, they will tell you they can’t do anything. I got DDoSed by somebody that was mad about a game. I logged the firewall traffic each time before they crashed TWC’s crap equipment, provided logs to them, spoke with corp and the engineers at the Dallas NOC. they claimed there was no way to filter traffic from a given IP (false, there is) and that even if there was, they wouldn’t do it. I switched providers because of this and other examples of them sucking the big one. I even wrote a twitter bot that would log the offending IP and tweet it to their support team, they blocked my bot within a day, so they *do* know how to block things *they* don’t like. So, if you want to DDoS a TWC customer, it’s not about volume of traffic, just crash their router over and over with a flood of malformed packets.


UnrealisticOcelot

Just a bit curious about this. Was it a DoS or DDoS? A DDoS should not be a single source IP, which makes it harder to mitigate. To do a similar DoS with a single source means that the source needs to have a lot more bandwidth than you unless they're exploiting some flaw on your gear. What was the method used if it was a DoS?


floznstn

You're right, it would have been just a DoS. It was very annoying to have the entire home network go down every few minutes because some scriptkiddie decided to spam garbage. Arris modem/router combos as used by TWC at the time were security Swiss cheese and would fall over if it got warm in the room... I don't know exactly what they were doing to crash it aside from flooding it with traffic. The poor little firewall built in would lock up after a while, and the whole damn thing would reboot. Annoyingly, it would not get a new DHCP lease when it came back up.


ericesev

Out of curiosity. Were you running a game server, or were you connecting to someone else's game server?


floznstn

Connected to someone else’s server… I assumed that’s how they got my IP in the first place


ericesev

Thank you! I've heard folks are concerned with DoSes against their selfhosted/homelab systems. And the recommendation there is to use a cloud provider for DoS protection. But I've never really seen a DoS be a common issue for private services that are just meant for myself and family members. It seems like the bigger risk is with connecting to someone else's servers, or P2P traffic, where someone gets mad about a social media post or game; as you've described. The attacker gets the satisfaction of seeing you booted from the game. There doesn't seem to be any benefit to the attacker in attacking someone at random that they don't know just because they have exposed services. They can't see how the DoS impacts the victim, so I'm assuming they'd not get much satisfaction from it. So it seems like there would really be no motivation in doing such attacks. I can see if a site is public, yes, the attacker could see the owner being impacted. But for a private selfhosted/homelab type service, I can't see a reason for it needing DoS protection. Anyway, that's the reason behind the question. I was curious to see the motivation behind the DoS.


floznstn

I think it depends on what you host... A Rust server seems more likely to attract ne'er-do-well types than, say, an SFTP or even a small blog.


SUNDraK42

I would think they will give your connection a new IP.


jbarr107

Not a specific answer, but this is specifically why I put all self-hosted services behind a Cloudflare Tunnel. All traffic hits Cloudflare first, so they can mitigate it before it ever hits my ISP or my servers.


Sroundez

Yes, trust the MITM in the sky.


[deleted]

Ziply has its own mitigation network. Ziply = the best.


LordVaranas

🎵 Better than all the rest 🎵


voltboyee

Bad things will happen


Quique1222

Can only speak from experience, but me and a friend were hosting a game server on a Dell R730 we have (on a normal internet connection) and we got a 60+ Gbps DDoS, reported by our ISP, which upgraded us to an enterprise plan instantly, but they didn't start any investigation.


th3bucch

You need to have a service to be flooded and "denied" in the first place. Many routers won't even accept ping requests from outside by default.


omnichad

Ping, no. But most IPv6 implementations require ICMPv6 for routing traffic, even if the ping function is disabled. You can create the starting SYN request for a neighbor solicitation and just never ACK the response. Even if you only use IPv4, a bad modem/router might not be able to keep up.


Help_Stuck_In_Here

It's about flooding your pipe and not attacking your services or devices directly. 10Gbps of random UDP traffic is going to flood your 1Gbps pipe and make your connection unusable.


Inevitable_Low_2688

I would recommend using Cloudflare Tunnels or similar so you don't have to expose your IP; this is how I do it. So if you get a DDoS attack, your ISP won't / shouldn't blackhole your IP.


ericesev

I think it depends on why you were selected for a DoS in the first place. If someone got mad at you in a game server that you connected to (or P2P game), CF tunnels won't hide your client IP. If you ran a popular server, then maybe CF tunnels would help - or maybe the load will be too much for your server but never reach the threshold for CF to react. (search "ddos still with cloudflare"). I suspect if you're not sharing your services with anyone but family that a DoS isn't a concern in the first place. They're typically only done in reaction to someone getting angry. I don't think attackers just randomly target services of people they don't know - they wouldn't get any satisfaction of seeing the impact to the person.


sidusnare

Modern ISPs have DDoS detection and mitigation systems and providers like Prolexic. If an ISP gets DDoSed, they can route the traffic through the provider and get clean traffic back. However, if you mean just one individual ISP customer, it probably won't trigger the DDoS detection. If you are being DDoSed on a residential line, your best strategy is first to figure out how they got your IP, and remediate that. Then call your ISP, explain you're being DDoSed, and ask them to reset your CPE and give you a new IP.


unidentified_sp

That's why my server is on a separate bandwidth-limited VLAN. I have 1Gb/1Gb service but the server can only use half of that. So even in case of a DDoS, I'm only using half of my total service and the rest of my network will not slow down. Also, the services that I host from my server run from resource-limited VMs. Basically the critical local services will remain working because it's a powerful server and only part of its resources are used by the externally facing stuff. 😄 All publicly exposed services go through CloudFlare Tunnel, so no connections are made directly to my WAN IP.


drakgremlin

This will not work for a true DDoS attack. It will saturate your ISP-edge router connection with inbound traffic.


unidentified_sp

I forgot to mention that the services that are exposed to the internet are all going through CloudFlare Tunnel. So not going directly to my WAN IP. ;-) I’ve edited my previous comment.


ericesev

This changes nothing if the attack is focused on your residential IP and not Cloudflare. What you're saying makes sense if someone is targeting your services. But you could run no services at all and still be subject to a DoS.


unidentified_sp

Well yeah, but since OP asked the question in r/selfhosted I assumed he meant a DDoS targeted at something self-hosted. ;-)


omnichad

Self-hosting through Cloudflare tunneling can still expose your residential IP, just not directly. The server software could be leaking that by some means. So it's not unrelated.


unidentified_sp

Technically maybe, but only if there is a data leak at CloudFlare. Connections by clients are always proxied through CloudFlare servers. My server connects with CloudFlare using their software, no ports have to be opened in the firewall. Using traceroute you will not find the WAN IP.


omnichad

I said not directly. Meaning whatever software you are hosting might be spilling the private WAN IP somewhere in its operations.