Yup, that's my suspicion. I think they have been compromised, which is a real pity. And a very serious issue if confirmed. It also pushes the data through our IPC connections, so we're looking at ways to actively try to block this for you guys as well now.

I will be sending them emails.

SYN FLOODING Attack: IN=ppp1.1 OUT=br0 SRC=198.23.140.138 DST=192.168.0.13 LEN=52 TOS=0x00 PREC=0x00 TTL=85 DF PROTO=TCP SPT=7678 DPT=67 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x8000000

Seems someone is attacking my Xbox, which is the destination IP in my local network above ... maybe related to the Xbox Live service then.

The plot thickens.
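The router line quoted in this post is a single netfilter-style log record, and a router labels it "SYN FLOODING" whether it saw one SYN or thousands. The following Python is an added example, not code from the thread or from any router vendor: it parses lines in that key=value format and counts bare SYNs (SYN set, ACK clear) per source in fixed time windows, so a lone probe and a real burst come out differently. The epoch timestamp at the start of each line is an assumed layout (the post shows none), and every address except the one quoted in the post is constructed from TEST-NET ranges.

```python
import re
from collections import defaultdict

# Parser for netfilter-style "KEY=VALUE ... FLAG ..." router log lines, plus a
# per-source SYN counter. Sample data below is constructed for this example;
# only 198.23.140.138 / 192.168.0.13 / DPT=67 come from the quoted post.

KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}

# Assumed line layout: "<epoch seconds> <free-text label> KEY=VALUE ... FLAG ...".
LINE_TEMPLATE = (
    "{ts} SYN FLOODING Attack: IN=ppp1.1 OUT=br0 SRC={src} DST=192.168.0.13 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=85 DF PROTO=TCP SPT={spt} DPT={dpt} "
    "WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x8000000"
)


def parse_line(line):
    """Return {'ts', 'fields', 'flags'} for one log line, or None if the line
    does not start with an integer timestamp. Flag tokens are only taken from
    the packet part (after the first KEY=VALUE), so the "SYN" in the router's
    free-text label is not mistaken for a TCP flag."""
    ts_str, _, rest = line.strip().partition(" ")
    if not ts_str.isdigit():
        return None
    tokens = rest.split()
    first_kv = next((i for i, t in enumerate(tokens) if "=" in t), len(tokens))
    packet_part = tokens[first_kv:]
    fields = dict(KV_RE.findall(" ".join(packet_part)))
    flags = {t for t in packet_part if t in FLAG_TOKENS}
    return {"ts": int(ts_str), "fields": fields, "flags": flags}


def is_bare_syn(rec):
    """True for a TCP segment with SYN set and ACK clear: a connection attempt,
    not the SYN/ACK half of a handshake."""
    return (rec["fields"].get("PROTO") == "TCP"
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def syn_sources_over_threshold(lines, window=10, threshold=20):
    """Count bare SYNs per (source, window bucket) and return
    {source: peak count} for sources reaching the threshold in any bucket."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_bare_syn(rec):
            continue
        counts[(rec["fields"]["SRC"], rec["ts"] // window)] += 1
    flagged = {}
    for (src, _bucket), n in counts.items():
        if n >= threshold:
            flagged[src] = max(flagged.get(src, 0), n)
    return flagged


def build_sample_log():
    """Constructed log: the one line quoted in the post (with an assumed
    timestamp), then a burst of 25 SYNs from a TEST-NET address within five
    seconds."""
    lines = [LINE_TEMPLATE.format(ts=1430050770, src="198.23.140.138", spt=7678, dpt=67)]
    for i in range(25):
        lines.append(LINE_TEMPLATE.format(ts=1430050800 + i % 5,
                                          src="203.0.113.77", spt=40000 + i, dpt=80))
    return lines


if __name__ == "__main__":
    window = 10
    for src, peak in syn_sources_over_threshold(build_sample_log(), window).items():
        print(f"{src}: {peak} bare SYNs within one {window}s window")
```

Run against the constructed log, only the 25-SYN burst source is reported; the single quoted line from 198.23.140.138 never reaches the threshold, which is the check to make before calling a router's "SYN FLOODING" label an attack.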
 

There are constant attacks every day that most routers are able to natively block. Some are not "out of the ordinary" necessarily. Switch off all non-ISP default DNS lookups, and power cycle your router to try to force a new IP and see if the same happens. My suggestion is to switch off from the power entirely for 20min and request a port reset as well.
 
Just wanted to post that in the South all is looking rosy. Something I've not been able to post so much in a long while.

Keep up the great work.
 
FYI, I use UnoDNS and am not seeing any strange traffic patterns.
I do not use a dynDNS setup for UnoTelly; I use a script on my MikroTik for updating my IP address.
I have dyndns, but not a commercial one though; I use MikroTik's native one.

Therefore I think it's more likely related to dyndns.org than unotelly.
 
Thank you for the notice email Crystal. Just another level of service when compared to other ISPs. Dollars to donuts they would not have sent a mail at this time. Hell...I doubt they would even know something was amiss, and even if they did, they'd not think to inform their customers.

Well done.
 

Difficult for us to pin-point, and the attacks are random and not affecting everyone equally. It is however not localised to one region or IP range, nor ISP by the way. We've identified it to be an issue with either DNS Proxies, or Dynamic DNS services. Difficult for us to make the call on that just yet. And we're also not making any accusations against any particular provider or providers. We have chosen the rather safe than sorry route.
 

Such a pleasure. It's just the responsible thing to do. Has taken all of last night and today to confirm, so what's another 30min making sure everyone is properly informed? Just makes sense to me.
 
Could be. I'm also on UnoDNS, and no issues here. HOWEVER - I had a massive slowdown around midnight last night, which has since resolved itself. Maybe I was one of the earlier targets?
 
Unotelly is not affected, been using it fine all day.
http://map.ipviking.com
 
DJ, you are making some serious allegations.

OK (below) with redacted identification information. Happens every day that IPs are targeted and prevented from being attacked. On this occasion, there's one of two common denominators - Dynamic DNS or Proxy DNS services. Choose to believe me or don't, won't change the fact that we've had to maintain a bit of an onslaught over the last 24 hours, and actually began a few days ago. IPViking shows live data and doesn't cover everything. You're welcome to check attack maps from earlier today to confirm some of these if you have to.

Yeah, sorry. I don't buy it. Post evidence to support your claim.

Not that we have to do this, but:

DoS host detection alert started at 2015-04-26 12:19:30 GMT.

URL:
Host: [redacted]
Signatures: Total Traffic
Impact: 113.81 Mbps/44.10 Kpps
Importance: High
Managed Objects: "(xDSL)"
---

----
Date: 26 Apr 2015 12:25:13 +0000
From: [redacted]
To: [redacted]
Subject: [[redacted] SP] TMS mitigation 'Alert [redacted] Auto-Mitigation' stopped

Mitigation ID: [redacted]
Leader: [redacted]

Name: Alert 991425 Auto-Mitigation
Started: 2015-04-26 12:19:31
Stopped: 2015-04-26 12:25:06
Alert ID: 991425
Managed Object: (xDSL)
Prefix Count: 1
Prefix 1: [redacted]
Filter: drop src port 1900 and dst port 80 and proto udp
Zombie Threshold (bps): 10000000
Zombie Threshold (pps): 10000

Directed at the end user. Any more questions?
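The mitigation record quoted above carries two distinct controls: a packet filter in tcpdump-like syntax ("drop src port 1900 and dst port 80 and proto udp", i.e. SSDP-sourced UDP aimed at port 80, the shape of an SSDP reflection flood) and per-source "zombie" rate thresholds. The Python below is an added example that models both over constructed flow records; it is not the mitigation platform's code and not from the thread. The reading of the zombie thresholds as per-source bps/pps limits, the flow-record fields, and every address (TEST-NET ranges) are assumptions made for the example.

```python
from collections import defaultdict

# Model of the quoted auto-mitigation: a "drop ... and ..." filter plus
# per-source zombie thresholds. Flow records are constructed; the per-source
# interpretation of the thresholds is an assumption for this example.

FILTER = "drop src port 1900 and dst port 80 and proto udp"   # from the quoted alert
SUPPORTED_KEYS = {"src port", "dst port", "src host", "dst host"}


def parse_filter(expr):
    """Turn 'drop src port 1900 and dst port 80 and proto udp' into
    ('drop', [('src_port', 1900), ('dst_port', 80), ('proto', 'udp')]).
    Only the clause forms seen in the alert (plus src/dst host) are accepted."""
    action, _, body = expr.strip().partition(" ")
    if action != "drop":
        raise ValueError(f"unsupported action {action!r}")
    terms = []
    for clause in body.split(" and "):
        parts = clause.split()
        if len(parts) == 2 and parts[0] == "proto":
            terms.append(("proto", parts[1].lower()))
        elif len(parts) == 3 and f"{parts[0]} {parts[1]}" in SUPPORTED_KEYS:
            key = f"{parts[0]}_{parts[1]}"
            value = int(parts[2]) if parts[1] == "port" else parts[2]
            terms.append((key, value))
        else:
            raise ValueError(f"unsupported clause {clause!r}")
    return action, terms


def matches(terms, flow):
    """All filter terms must match the flow record (the 'and' semantics)."""
    return all(flow[key] == value for key, value in terms)


def find_zombies(flows, zombie_bps, zombie_pps):
    """Sources whose traffic in any one-second bucket exceeds either threshold."""
    bits = defaultdict(int)
    pkts = defaultdict(int)
    for f in flows:
        key = (f["src_host"], f["ts"])
        bits[key] += f["bytes"] * 8
        pkts[key] += f["packets"]
    zombies = set()
    for (src, ts), b in bits.items():
        if b > zombie_bps or pkts[(src, ts)] > zombie_pps:
            zombies.add(src)
    return zombies


def mitigate(flows, expr=FILTER, zombie_bps=10_000_000, zombie_pps=10_000):
    """Drop flows matching the filter or coming from a zombie source.
    Default thresholds are the 10000000 bps / 10000 pps from the alert."""
    _action, terms = parse_filter(expr)
    zombies = find_zombies(flows, zombie_bps, zombie_pps)
    passed, dropped = [], []
    for f in flows:
        if matches(terms, f) or f["src_host"] in zombies:
            dropped.append(f)
        else:
            passed.append(f)
    return passed, dropped, zombies


def flow(ts, src, proto, sport, dport, packets, nbytes):
    """One constructed per-second flow record toward a fixed target."""
    return {"ts": ts, "src_host": src, "dst_host": "192.0.2.50", "proto": proto,
            "src_port": sport, "dst_port": dport, "packets": packets, "bytes": nbytes}


def build_sample_flows():
    """Constructed traffic: 20 SSDP reflectors, one source over the pps
    threshold on another port, and two ordinary flows."""
    flows = [flow(0, f"198.51.100.{i}", "udp", 1900, 80, 2000, 600_000) for i in range(1, 21)]
    flows.append(flow(0, "203.0.113.9", "udp", 53, 80, 15_000, 1_500_000))   # zombie: >10 kpps
    flows.append(flow(0, "192.0.2.10", "tcp", 51515, 443, 50, 40_000))       # ordinary HTTPS
    flows.append(flow(0, "192.0.2.11", "udp", 1900, 1900, 5, 2_000))         # SSDP, not to port 80
    return flows


if __name__ == "__main__":
    passed, dropped, zombies = mitigate(build_sample_flows())
    print(f"passed={len(passed)} dropped={len(dropped)} zombies={sorted(zombies)}")
```

The two controls catch different things: the reflector flows are dropped by the filter alone (each one is under both rate thresholds), while the high-rate source on port 53 is untouched by the filter and only goes because it crosses the pps threshold. The SSDP flow to port 1900 passes, which is why a filter keyed on both ports is narrower than a blanket "drop UDP 1900" rule.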
 
Is that an automated report from IS?

This stuff happens all the time. It's not likely directed at you as an ISP.
 

Nothing was directed towards us as an ISP. Whoever stated that was the case? Users in SA were targeted, and we identified a common denominator. In fact in our network notice email to our customers we specifically stated that this was probably not a targeted attack. However we choose to play open cards, and it seems this level of transparency irks some and you prefer to challenge us. So be it.

I'm starting to understand the less than transparent attitude other ISPs choose to adopt here.

In future please direct these queries to our support desk or info email, thanks.

Bio, you know where my PM box is. It's been a long 3 days, and I won't be getting involved in justifying this for the next few hours or days again now in some sort of public spat. Not even sure what the issue is here. If there is one, you're welcome to PM me or email me.
 
For the record, we have not accused any organisation or any institution of anything. We proactively spotted an issue and openly alerted our customers about it, and made explicit mention in our email notice to customers that this was preventative only, as we had seen reports of this, and can confirm internally that such events took place. Also helps that our two test lines were both hit, and we were able to extract information from this as well, rather than relying solely on customer feedback (which also confirmed the problem). We also tested this on numerous backbones and ISP accounts over the last few days to confirm. In addition, investigations with the forensic teams at our backbone provider confirmed the events. Note, this is internal communication between ourselves and various providers. It's not public disclosure documentation.

You are welcome to submit a request for our data should you feel it is necessary, following the necessary commercial and legal channels, and we will happily submit this to you should it be required by us to do so, either by law, or by best practice.
 

All that proves is someone on your network is being targeted, not that the source of the target is from a breach in a provider. Seriously grasping for straws there. Most likely some script kiddie who thinks they are part of anonymous.
 