
DDOS/DOS Help

ZHackH
Joining in

Hey Ladies and gents. I have been a VM customer for about 13 years... The following is something I'll break down into two sections. The story/Proof and help/advice. Feel free to skip to the advice section if the long read is not for you.

The story/Proof

I've lived at my current address for about 8 years. My neighbour for the last 4. We've always been very polite and neighbourly. Hi and a smile. Most importantly, I've never heard him and his wife, which is ideal given we live in a terraced house. However, when the pandemic hit this guy lost his job and my assumption is that with our current economy things haven't improved. During the first lockdown this guy started to drink. I'd see him stumbling outside or clearly intoxicated. Eventually, in 2022 he started crashing around his home late at night, shouting, screaming etc. etc. Politely I'd brought up the subject, not even in a direct way, more so "I heard some strange noises" etc. He apologized profusely. But soon after, I'm talking within a few days, I started hearing something rubbing against the wall.

Side note: My living room wall is adjacent to his hallway/entrance and stairs

The sound sounds exactly like someone rubbing their hands together. My initial thought was that the neighbour was doing painting and decorating, but this was followed by my connection dropping and reconnecting. Like someone turning a light switch on and off. My initial response was new LAN cables and a "new" router from VM. But this bought me a few days and this disconnect followed by an immediate reconnect resumed. The evidence that this drop and reconnect was actually intentional came from my neighbour's wife. He being drunk and his wife frustrated had a blow up where she specifically said "$*&%ing around with the neighbour's internet." His drunken response was along the lines of "Who does he think he is." Just riddled with more expletives. None of which he said when we spoke face to face.

I took this info to my VM and they identified the drops but said they don't have the capabilities to stop it and that I myself would need to ID the source etc. etc. Long story short, they can't do much without certain legal criteria being met beforehand. I plan to get this to them but obviously my first priority is stopping this attack.

Advice: VM suggested that I can put my router into router mode and use an external router. My research initially took me to VPN routers but eventually led me to Peplink routers, which are built with enhanced security in mind. To be honest, router security beyond a long password that I change periodically isn't something I am familiar with. However, I am eager to learn. My hope is that using a router which is more secure is my first step and that Surf Soho/Peplink can assist. I had no idea that VM routers were this vulnerable. But my question is: will router mode help?

This is what the hack looks like: https://imgur.com/AwabF8c/embed?ref=https%3A%2F%2F

The above is recorded from my TV while playing a gaming console. I've edited the vid to show one instance but in practice it happens several times per minute. On/off. I've been a gamer since the Super Nintendo. Before consoles were online, and I've never experienced anything like that. I didn't even know what a ddos was until I realized it was intentional. I came here because most people suspect that DDOS on me as an individual isn't worthwhile. Assuming that one individual would need a multitude of machines, physically, at his address. Despite the fact that you can purchase DOS attacks online.

Please advise.






 

Please help.

 

34 REPLIES

Hey goslow

The cables have been changed 3 times. Twice by myself and once by VM. Also a change in router which bought me a few days before the disconnect started again relentlessly. My console never moved. Neither did either router, and the cables being brand new...

Coupled with the admission from my neighbours wife and my experience as a gamer, I'm pretty certain the intention is malicious.

That aside, when the next attack happens what should I do? Check the BQM or post a setting/result found within the router?

So much respect and appreciation for taking the time.

goslow
Alessandro Volta

@ZHackH wrote:

Hey goslow

The cables have been changed 3 times. Twice by myself and once by VM. Also a change in router which bought me a few days before the disconnect started again relentlessly. My console never moved. Neither did either router, and the cables being brand new...

<snip>


If that is so, I'd suggest that your VM connection needs further investigation based on the upstream stats and the entries in the network log. Read the info here

https://community.virginmedia.com/t5/Speed/Hub-status-data-understanding-network-log-messages/td-p/4...

on 'RCS Partial Service' and T3 timeouts which appear in your network logs. You also have the 1970 date stamp in your network log which is also mentioned in the help topic in regard to noise issues. Is that all of your network log or have you edited the contents? There is not much in it if that's everything in it from end of November.

I don't think you are being attacked by your neighbour (or have been). I think you have a connection issue.

If VM has swapped your hub, I would expect your new hub would get a different IP address so any previous attack (if there ever was one) would be on the old IP address and your neighbour would not know the new one for a new hub.

In addition, just before Xmas, I had to look at the connection of a friend who was experiencing numerous disconnections and requiring a regular reboot of the hub. His upstream stats were the same as yours (one channel on 16 QAM). VM swapped the hub, various cables and splitters and the problem went away but the upstream error still showed in his hub stats. My friend is certainly not a gamer (web browsing only) and I guess VM's changes made sufficient improvement for him but without actually curing the problem. Gaming requires a good upstream and downstream connection so I am guessing that this is why you are experiencing the problem on your console.

If you have got the BQM running, just let it do its thing and let it run through a period when you experience the issue and the BQM should capture the disconnection (if it is your VM connection which is being affected).

You'll need some of the regular tech experts on here to advise further once you have a BQM to look at as well, alongside the hub stats. They'll be able to add to (or correct!) what I have already suggested about your issue. Once you have got some BQM data crossing a time period in which you are disconnected, post that BQM graph for further comment and suggestions.

legacy1
Alessandro Volta
You sure no one playing about with the coax for your connection?
---------------------------------------------------------------

Screenshot 2023-01-16 at 14-24-57 Broadband Quality Monitor thinkbroadband.png

It happened again today twice between 11 and 12:30 but on my console. Is there a way to monitor the targeted device?

goslow
Alessandro Volta

@ZHackH wrote:

 

It happened again today twice between 11 and 12:30 but on my console. Is there a way to monitor the targeted device?


Your BQM is showing a small amount of packet loss at approx 00:00, 08:45 and 11:00 today (this is to your VM hub, not individually to your console).

Post up another set of your Downstream, Upstream and Network Logs.

You'll then need someone on here to comment who has a good knowledge of the stats and the BQM graphs to advise if the info gives any clues as to whether they are the cause of the disconnections on your console.

This is obviously several hours after the loss of service so I'm not sure how relevant but as you asked.

Downstream bonded channels

Channel  Frequency (Hz)  Power (dBmV)  SNR (dB)  Modulation  Channel ID
1        259000000       5.6           38        256 qam     16
2        251000000       5.5           38        256 qam     15
3        267000000       6.1           38        256 qam     17
4        275000000       6             38        256 qam     18
5        283000000       6             38        256 qam     19
6        291000000       6.1           38        256 qam     20
7        299000000       6             38        256 qam     21
8        307000000       5.5           38        256 qam     22
9        315000000       5.9           38        256 qam     23
10       323000000       5.8           37        256 qam     24
11       331000000       5.5           38        256 qam     25
12       339000000       6             37        256 qam     26
13       347000000       5.8           38        256 qam     27
14       355000000       5.4           38        256 qam     28
15       363000000       5.4           38        256 qam     29
16       371000000       4.6           37        256 qam     30
17       379000000       3.9           37        256 qam     31
18       387000000       4.1           37        256 qam     32
19       395000000       4.3           37        256 qam     33
20       403000000       4             38        256 qam     34
21       411000000       4.4           37        256 qam     35
22       419000000       4.5           38        256 qam     36
23       523000000       2.4           37        256 qam     37
24       531000000       2             37        256 qam     38



Downstream bonded channels

Channel  Locked Status  RxMER (dB)  Pre RS Errors  Post RS Errors
1        Locked         38.6        16             0
2        Locked         38.6        12             0
3        Locked         38.6        6              0
4        Locked         38.9        8              0
5        Locked         38.6        6              0
6        Locked         38.9        5              0
7        Locked         38.6        5              0
8        Locked         38.6        7              0
9        Locked         38.6        7              0
10       Locked         37.6        7              0
11       Locked         38.6        1              0
12       Locked         37.6        5              0
13       Locked         38.6        5              0
14       Locked         38.6        8              0
15       Locked         38.6        5              0
16       Locked         37.6        15             0
17       Locked         37.3        2              0
18       Locked         37.6        5              0
19       Locked         37.6        5              0
20       Locked         38.6        2              0
21       Locked         37.6        8              0
22       Locked         38.6        10             0
23       Locked         37.3        351            0
24       Locked         37.6        450            0

 

Upstream bonded channels

Channel  Frequency (Hz)  Power (dBmV)  Symbol Rate (ksps)  Modulation  Channel ID
1        30100005        37.5          5120                64 qam      4
2        23600203        37.3          5120                16 qam      5
3        49600268        38            5120                64 qam      1
4        43099927        37.8          5120                64 qam      2
5        36600044        37.8          5120                64 qam      3



Upstream bonded channels

Channel  Channel Type  T1 Timeouts  T2 Timeouts  T3 Timeouts  T4 Timeouts
1        ATDMA         0            0            0            0
2        ATDMA         0            0            0            0
3        ATDMA         0            0            0            0
4        ATDMA         0            0            0            0
5        ATDMA         0            0            0            0

 

 

goslow
Alessandro Volta

@ZHackH wrote:

This is obviously several hours after the loss of service so I'm not sure how relevant but as you asked.


Just seeking to confirm your stats are unchanged since yesterday. You still have 16 QAM on one of your upstream channels and it looks as if your hub has restarted since yesterday as well.

Post up your full 'Network Log' to see what is recorded when you experienced the disconnections today at 08:45, 11:00 and 12:00. Post the full log, don't edit bits out of it.

After that I'll have reached the limit of my tech skills to try to help further but others on here should be able to put the pieces together and advise on what is going on.

My thinking is along the lines that you are getting some sort of short disconnections which are knocking your console offline during gaming but without affecting your other online activities.

I am surprised no one else has dived in here with further info/advice. It's all very interesting, unusual neighbour behaviour, threats of internet tampering, one device being knocked offline ... wish I knew more about the tech side to join the dots for you.

Andrew-G
Alessandro Volta

ZhackH: What's the BQM tracking?  It doesn't look like a Virgin Media connection, which looks like this:

My Broadband Ping - Aquiss/Openreach 330 Mbps

I must say I'm with goslow here - never attribute to malice that which can be attributed to other stuff. As noted your upstream modulation looks unreliable which could cause problems for latency sensitive uses, but also notice the downstream pre-RS errors show a dodgy pattern. Pre-RS errors don't actually cause a problem as they're corrected by the hub, but assuming from the numbers of errors on other channels that you rebooted the hub recently, then the pre-RS counts on the highest channels might be accompanied over time by post-RS errors, and they certainly will cause issues unless at very low levels.

The other thought is, is the problem connection over wifi?  There's lots of things (esp in terraced houses) that can cause momentary loss of a wifi connection.  As one example of many, any recent Panasonic microwave is a very effective wifi-denial weapon. 

The folks next door affecting the connection is an exceedingly remote chance, they would have to figure out your IP address and a DOS attack would raise a huge range of red flags to VM's platform monitoring, a DDOS attack is a costly thing to perform.

So turning to the Hub logs, there is 1 noise degraded channel at 16 qam and then there are 4 normal channels at 64 qam.

If we ignore the 1 degraded channel, the 4 x 64 qam channels represent a total of 108Mb/s of upstream bandwidth, that could be over 3 times the Upstream subscription rate. The reason for having 5 channels is to be a bit more robust where there is a noise issue.

Client62_0-1673888702764.png
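Added example, not written by any poster in this thread: a short Python check that applies the replies' reading of the hub stats (upstream modulation fallback, T3 timeouts, pre-RS and post-RS error counts) to the numbers posted above. The function names and the `expected_qam` and `factor` thresholds are assumptions chosen for illustration.

```python
import math
from statistics import median

# Rows re-typed from the hub status tables posted in this thread.
# Upstream columns: channel, frequency (Hz), power (dBmV), symbol rate (ksps),
# QAM order, T3 timeouts (all zero in the posted timeout table).
UPSTREAM = """\
1 30100005 37.5 5120 64 0
2 23600203 37.3 5120 16 0
3 49600268 38 5120 64 0
4 43099927 37.8 5120 64 0
5 36600044 37.8 5120 64 0"""
# Downstream pre-RS error counts for channels 1..24; post-RS was 0 on every channel.
PRE_RS = [16, 12, 6, 8, 6, 5, 5, 7, 7, 7, 1, 5, 5, 8, 5, 15, 2, 5, 5, 2, 8, 10, 351, 450]
POST_RS = [0] * 24

def parse_upstream(text):
    """Turn whitespace-separated upstream rows into dicts of the fields we check."""
    rows = []
    for line in text.splitlines():
        ch, _freq, _power, ksps, qam, t3 = line.split()
        rows.append({"ch": int(ch), "ksps": int(ksps), "qam": int(qam), "t3": int(t3)})
    return rows

def raw_mbps(row):
    # Raw line rate = symbol rate x bits per symbol. The usable rate is lower
    # after overhead, which is why the thread quotes 108 Mb/s for four channels.
    return row["ksps"] * math.log2(row["qam"]) / 1000

def triage(upstream, pre_rs, post_rs, expected_qam=64, factor=10):
    """List physical-layer symptoms; thresholds are illustrative assumptions."""
    findings = []
    for row in upstream:
        if row["qam"] < expected_qam:
            findings.append(f"upstream ch {row['ch']}: fell back to {row['qam']} QAM")
        if row["t3"]:
            findings.append(f"upstream ch {row['ch']}: {row['t3']} T3 timeouts")
    base = max(median(pre_rs), 1)
    for ch, (pre, post) in enumerate(zip(pre_rs, post_rs), start=1):
        if post:
            findings.append(f"downstream ch {ch}: {post} uncorrected (post-RS) errors")
        elif pre > factor * base:
            findings.append(f"downstream ch {ch}: pre-RS {pre} vs median {base}")
    return findings

if __name__ == "__main__":
    up = parse_upstream(UPSTREAM)
    for finding in triage(up, PRE_RS, POST_RS):
        print(finding)
    print(f"raw upstream capacity: {sum(raw_mbps(r) for r in up):.2f} Mb/s")
```

On the posted numbers it reports upstream channel 2 at 16 QAM and the pre-RS concentration on downstream channels 23 and 24, which are physical-layer symptoms rather than traffic-volume ones.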

 

Hey Goslow

I did disconnect my router for about 20 minutes this morning. I do that in attempts to change the ip and the only other bit of help I received. The network logs do not show any other entries beyond the ones I posted earlier. As for the BQM, the disconnects happened between 11:30 -12:30. I myself took the router offline.

@Andrew
The BQM is tracking my router. I'm using a VPN. The attack as we call it is device specific. It targets the console and knocks me offline. The console is unmoved, untouched apart from a duster. If you're seeing something on the BQM that doesn't make sense please share. I am using the router / Lan connection with my console.

@client
I'm almost ashamed to say that I don't get what a noise issue is

I'd like to add this nugget of info. Before the attacks started, they'd always follow my neighbour rubbing up against the wall. My wife who was initially skeptical and wanted to rationalise it as something else, saw/heard the pattern. I could game, right up until, my neighbour starts caressing the wall. After that stopped, you could set your watch to it. The disconnects would start. And I understand that the chances are remote but seeing it in practice is a different thing. I say that with every ounce of all due respect.

The disconnects happen on the console only. I'm guessing latency and buffering make streaming/tv less of a target. They knock the console off and immediately reconnect as seen in the link in my opening post.

That being said, is there a way to monitor the console as a device or will the BQM capture everything. Also and equally as important. Are there settings I can change in the modem to make DDOS/DOS attacks less successful?

As always I really appreciate the help and guidance. I'm sure this can reach a successful conclusion. So again, thanks.