that sounds like your firewall isn't configured correctly, you need to drop all inbound from PPPoE otherwise you'll get a ton of ICMP/Port scan traffic and attempts at trying to access your device.

is port 53 open on your mikrotik?

Yes I have blocked port 53 and such and added a few rules to my firewall. I guess the point I was trying to make is not everyone knows how, and that you can do what you want on the PC side, but if you do not know what to do beyond that and it is not happening on your internal network then you are stuffed. We have since moved our work connection to Infinity Fibre, just on their ADSL package, and this has not happened since. Now I know this is a CW thread and not an Infinity or Mweb thread, I was just trying to say things happen outside of the client's control and I was a bit annoyed at the comment patrick made. Not everyone has a Mikrotik or similar router and can set up a firewall to prevent this. My thoughts are with the random old lady on a capped connection and a cheap ADSL router, if they get capped by an outside source without them using the data, what then?
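
The setup discussed in the posts above (port 53 reachable on the router, versus dropping all inbound from PPPoE), written out as an added RouterOS example that is not part of any post in this thread. It assumes the PPPoE client interface is named `pppoe-out1` and that the filter table starts empty, so the rules are evaluated in the order shown.

```routeros
# Added example, not from the thread. Assumption: WAN is pppoe-out1.

# Weak state: the resolver answers queries from any interface, and no
# input rule stops queries that arrive over the PPPoE link.
/ip dns set allow-remote-requests=yes

# Corrected state: LAN clients can still use the resolver, but anything
# arriving from PPPoE is dropped silently unless it belongs to a
# connection that the router or the LAN opened.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to our own traffic"
add chain=input action=drop connection-state=invalid comment="out-of-state packets"
add chain=input action=drop in-interface=pppoe-out1 comment="all other inbound from WAN, incl. DNS on 53 and ICMP"
add chain=forward action=accept connection-state=established,related comment="replies to LAN-initiated traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=pppoe-out1 connection-state=new connection-nat-state=!dstnat comment="unsolicited WAN to LAN, except port forwards"

# Check: per-rule packet and byte counters, including the WAN drop rule.
/ip firewall filter print stats
```

The byte counter on the WAN drop rule measures unsolicited traffic that has already crossed the line by the time the router discards it.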
 
I must say that I am somewhat confused after reading the email. I'm currently on a 100GB "Standard Business Capped". This product is not on the list in the email, but it looks like "Standard Business Capped + Midnight Express" will be called "SMME Capped" in the future. For my case, this email didn't really answer anything, but only created a bunch of questions:

1) What will my new product/price be?
2) Does this change mean that the midnight-till-6 data will go away?
3) Midnight-till-18 data is only mentioned for "Xtreme Home Capped", which I guess my new product won't be. Does that mean that I won't have midnight-till-18?
4) The email claims that the free data was previously midnight-till-8, which to the best of my knowledge was never the case. What's the story on this?
 
Just FYI the same happens on Mweb. And I have a MikroTik router so I can see on each LAN port who uploads and not. And the bad part is that my router will upload at 2mbps on a 4mbps down and 512k up line. Mweb also tuned me the same crap, that it must be a device on my network and not their fault until I sent them a screenshot of the connections in mikrotik showing the internal network quiet as a mouse and the upload via the net going crazy. My router LOG also showed that NOBODY gained access to my router. So how do they utilise my line without getting into my router? It happens on almost every ISP and is a HUGE problem. In the end the only thing that helps is to trace the IP that magically uploads at 2mbps on a 512k up line and block the whole IP range. If you don't have an advanced router like Mikrotik you won't be able to trace that IP and block it. So yeah it is the ISP's duty to find out how this happens and to prevent it from happening.

Very likely you are subscribed to a Dynamic DNS service. Possibly these guys are trying to get at your IP cameras or other ports that you have open. Don't block or reject, simply drop the packets. You want the ISP to sense and block an IP address range when you get attacked, but there is a possibility that there is another machine on this particular IP address range that somebody here is communicating with and now they must be inconvenienced because you insist that the ISP must block that range. Sorry for you, sh*t happens!

Yes I have blocked port 53 and such and added a few rules to my firewall. I guess the point I was trying to make is not everyone knows how, and that you can do what you want on the PC side, but if you do not know what to do beyond that and it is not happening on your internal network then you are stuffed. We have since moved our work connection to Infinity Fibre, just on their ADSL package, and this has not happened since. Now I know this is a CW thread and not an Infinity or Mweb thread, I was just trying to say things happen outside of the client's control and I was a bit annoyed at the comment patrick made. Not everyone has a Mikrotik or similar router and can set up a firewall to prevent this. My thoughts are with the random old lady on a capped connection and a cheap ADSL router, if they get capped by an outside source without them using the data, what then?

A little bit of knowledge is more dangerous than none at all. Rather get somebody who knows what they are doing to configure your router.

BTW. There are many people who own Lamborghinis and Porsches who can't even drive a go-cart, never mind a super-car.
 
I must say that I am somewhat confused after reading the email. I'm currently on a 100GB "Standard Business Capped". This product is not on the list in the email, but it looks like "Standard Business Capped + Midnight Express" will be called "SMME Capped" in the future. For my case, this email didn't really answer anything, but only created a bunch of questions:

1) What will my new product/price be?
2) Does this change mean that the midnight-till-6 data will go away?
3) Midnight-till-18 data is only mentioned for "Xtreme Home Capped", which I guess my new product won't be. Does that mean that I won't have midnight-till-18?
4) The email claims that the free data was previously midnight-till-8, which to the best of my knowledge was never the case. What's the story on this?

Your query forms part of tomorrow's announcements and updates. :)
 
Very likely you are subscribed to a Dynamic DNS service. Possibly these guys are trying to get at your IP cameras or other ports that you have open. Don't block or reject, simply drop the packets. You want the ISP to sense and block an IP address range when you get attacked, but there is a possibility that there is another machine on this particular IP address range that somebody here is communicating with and now they must be inconvenienced because you insist that the ISP must block that range. Sorry for you, sh*t happens!



A little bit of knowledge is more dangerous than none at all. Rather get somebody who knows what they are doing to configure your router.

BTW. There are many people who own Lamborghinis and Porsches who can't even drive a go-cart, never mind a super-car.

My router is configured properly and I know it inside out. You have no clue at all what my knowledge is regarding this router and its OS so that "little bit of knowledge" statement of yours was a low attempt to insult my intelligence regarding this router. I am not claiming to be the best at everything mikrotik, but working with mikrotik for a couple of years now I kind of know my way around it. Also not running a DNS service of any kind. But that's beside the point. Do you think tant marie of 70 will have a mikrotik router that is configured properly? If not and an outside source uses her connection and takes all her data what then? Or do most ISPs these days expect all their clients to 1 have a mega complicated router and 2 know how to configure it? Or should x ISP have something in place to prevent outside users from doing this?
 
My router is configured properly and I know it inside out. Also not running a DNS service of any kind. But that's beside the point. Do you think tant marie of 70 will have a mikrotik router that is configured properly? If not and an outside source uses her connection and takes all her data what then? Or do most ISPs these days expect all their clients to 1 have a mega complicated router and 2 know how to configure it? Or should x ISP have something in place to prevent outside users from doing this?

No router will stop it. Simple as that. This kind of attack cannot be stopped on the client side. And as an ISP we cannot know attack traffic from ordinary traffic until after the fact, and even then it is not easy to identify. If attack traffic was easily flagged there would exist systems to stop it. No tech exists yet to do it. It's not a limitation of ISPs but instead a limitation of the nature of these unsecure protocols the internet operates on and is quite simply the risk one takes every single time you initiate an outbound connection to the internet. Computerphile have a good video about this on YouTube.

Not even systems like Arbor can identify this traffic. They try, but they don't catch it all, and the attackers are smart enough to know how these systems work and fly under the radar a bit.
 
No router will stop it. Simple as that. This kind of attack cannot be stopped on the client side. And as an ISP we cannot know attack traffic from ordinary traffic until after the fact, and even then it is not easy to identify. If attack traffic was easily flagged there would exist systems to stop it. No tech exists yet to do it. It's not a limitation of ISPs but instead a limitation of the nature of these unsecure protocols the internet operates on and is quite simply the risk one takes every single time you initiate an outbound connection to the internet. Computerphile have a good video about this on YouTube.

Not even systems like Arbor can identify this traffic. They try, but they don't catch it all, and the attackers are smart enough to know how these systems work and fly under the radar a bit.

Thank you, that was the answer I wanted. I just simply wanted to show patrick that a man and his family is not always to blame. I managed to stop these attacks by only allowing my internal network to upload and any requests from the outside gets dropped immediately.
 
Not bad at all, regarding the prices. Granted, my particular package's price reduction will have basically no impact in my life, but in general it's impressive.
 
As CWM has answered. You have shown me nothing and having a fancy router will never stop any attack, and a concerted attack against your IP will suck up your bandwidth, so as I said before tough! Sh*t happens! All you can do is to ensure that your defences are strong enough to cater for it!
BTW if you want to group yourself with 70 year old tant marie or even margaret for that matter, that is your prerogative and then accept what I think of your intelligence!

Take it easy with the personal remarks...
 
My router is configured properly and I know it inside out. You have no clue at all what my knowledge is regarding this router and its OS so that "little bit of knowledge" statement of yours was a low attempt to insult my intelligence regarding this router. I am not claiming to be the best at everything mikrotik, but working with mikrotik for a couple of years now I kind of know my way around it. Also not running a DNS service of any kind. But that's beside the point. Do you think tant marie of 70 will have a mikrotik router that is configured properly? If not and an outside source uses her connection and takes all her data what then? Or do most ISPs these days expect all their clients to 1 have a mega complicated router and 2 know how to configure it? Or should x ISP have something in place to prevent outside users from doing this?

.
 
Of course, it can be locked down Patrick, just block all traffic from the outside. It is a very simple procedure on the Mikrotik and it works like a bomb. But let's not derail this any further, this is CW support after all and the only reason for my posts were because you blamed that other guy and his family and I took offense to that. Have a nice day further on and looking forward to being a CW subscriber once again. Just waiting for Telkom to finish the fibre rollout here. :)
 
Blocking traffic on your router does not prevent the traffic going down your line, using your bandwidth and congesting your connectivity
 
Official Crystal Web ADSL performance feedback thread Part 3...

Yes I have blocked port 53 and such and added a few rules to my firewall. I guess the point I was trying to make is not everyone knows how, and that you can do what you want on the PC side, but if you do not know what to do beyond that and it is not happening on your internal network then you are stuffed. We have since moved our work connection to Infinity Fibre, just on their ADSL package, and this has not happened since. Now I know this is a CW thread and not an Infinity or Mweb thread, I was just trying to say things happen outside of the client's control and I was a bit annoyed at the comment patrick made. Not everyone has a Mikrotik or similar router and can set up a firewall to prevent this. My thoughts are with the random old lady on a capped connection and a cheap ADSL router, if they get capped by an outside source without them using the data, what then?

The default on every router ever (even a Mikrotik if using default config) is to block all traffic coming in from the outside unless explicitly allowed.

That's why port forwarding is such a hassle with consoles and such for "normal" users.

You don't need a special Mikrotik to do this.

In fact a Mikrotik is dangerous in most hands when people don't know exactly what they are doing.

Don't even get me started on MWEB and some of their Asterisk/Sophia implementations.


I do however agree that there is a need for some transparency from ISPs with regards to where traffic originates from. This is however very hard without applying active logging once a problem occurs and is generally not feasible to have running 24/7.
 
How come Bryn never felt and complained of congestion?
Maybe the isp's traffic management prioritized his streaming and http traffic over whatever UDP packets were being transmitted?
Speculation of course, I have no idea

Thing is you need to analyze traffic as it's happening. After the fact there is nothing you can do.
 
How come Bryn never felt and complained of congestion?

Not to bring up this debate once more, but theoretically that indicates that it wouldn't be a DDoS attack. Any Vumatel customer even on 100Mb/s will be able to confirm that the DDoS symptoms are that it entirely consumes your connection to the point of routers entirely freezing up and nothing getting through. But this is in theory. Attacks change and you do get atypical attacks and symptoms.
 
Maybe the isp's traffic management prioritized his streaming and http traffic over whatever UDP packets were being transmitted?
Speculation of course, I have no idea

Thing is you need to analyze traffic as it's happening. After the fact there is nothing you can do.

If you have a flood from UDP, you have a flood from UDP. We'd have to hard-code bandwidth management which we don't, and even that wouldn't really work.
 
Maybe the isp's traffic management prioritized his streaming and http traffic over whatever UDP packets were being transmitted?
Speculation of course, I have no idea

Thing is you need to analyze traffic as it's happening. After the fact there is nothing you can do.

Not to bring up this debate once more, but theoretically that indicates that it wouldn't be a DDoS attack. Any Vumatel customer even on 100Mb/s will be able to confirm that the DDoS symptoms are that it entirely consumes your connection to the point of routers entirely freezing up and nothing getting through. But this is in theory. Attacks change and you do get atypical attacks and symptoms.

Okay thanks, just curious, makes sense :)
 