Inbound traffic analysis

Posted by: Dignan

Inbound traffic analysis - 16/10/2018 04:28

Hi everybody. This is outside my experience so I'm coming to you brilliant folks. A family friend came to me with a problem that's been plaguing them for a while now. They have regular internet outages, and apparently their logs show repeated inbound traffic requests over short periods of time. I've looked at the logs but I honestly don't understand what I'm looking at. I also don't quite see anything extreme. The homeowners have received new routers from Verizon FiOS, have made sure they've received a new IP, but the problem keeps happening.

The husband apparently took his laptop to China so they're thinking it could be that. I have no idea. They also have a Savant AV and automation system in the house, but their support people say it's not their equipment.

Any advice on how to figure out what's happening? I could share the logs from the FiOS router that they sent me, but I'd prefer to private message.
Posted by: Shonky

Re: Inbound traffic analysis - 16/10/2018 06:40

You'll need to define "repeated inbound traffic requests" a bit better most likely.

Any publicly routable IP on the internet will regularly get bots, crawlers, script kiddies etc looking for open systems. They'll try all the usual ports, usernames/passwords etc.

A huge majority of home internet connections simply use a NAT type device which in effect is also a basic firewall (yes, lots of people will say it's not a firewall) as it won't allow any connections in unless something like a port forward is created to an internal device or an internal device uses UPnP to create one.

So just make sure nothing is open on the internet side of the router, have decent virus/malware scanners on PCs and you should be pretty right. Make sure any web interfaces to the router are only accessible from the inside or have secure passwords and preferably secure (HTTPS/SSL type) connections.
Posted by: tfabris

Re: Inbound traffic analysis - 16/10/2018 15:03

You’re looking for intrusion detection software.
https://en.wikipedia.org/wiki/Intrusion_detection_system

I haven’t looked into this market in several years, but before it was EOL’d I used Black Ice Defender. I don’t know if anyone else has made software to fill the gap it left behind: it was simple to use and understand even for non professionals, yet it still gave incredible detail of each intrusion attempt and took active steps to block them.
Posted by: Dignan

Re: Inbound traffic analysis - 16/10/2018 20:53

Thanks guys.

Christian, everything you described is what I've always thought. From what these people are describing to me, they seem to think they have the equivalent of a DDOS. None of the incoming connections are getting through, but they seem to be shutting down the connection.

Tony, looks like Black Ice doesn't exist anymore. Any ideas what the current favorite is?
Posted by: mlord

Re: Inbound traffic analysis - 16/10/2018 21:00

Wasn't there some BIG NEWS many months back about a common hack that nearly all consumer gateway gear (aka "modems") is vulnerable to, whereby they are easily subjected to DDOS attacks?

Or maybe it was only in such gear which uses a chipset from a specific manufacturer?
Posted by: Shonky

Re: Inbound traffic analysis - 17/10/2018 02:52

If they're truly getting DOSed (not necessarily DDOS) then a firewall can't do all that much anyway. It needs to be handled by upstream devices.

Does their router have any ability to show current traffic in/out? Is it possible a device like the laptop is infected and creating large amounts of outgoing traffic (e.g. spam) which might present itself as the internet going down?
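Added example, not part of any post in this thread: a small triage script for the two questions Shonky raises, whether the "repeated inbound requests" are just the normal background of bots probing a public IP or a genuine burst that looks like a flood, and whether an internal host (e.g. the laptop) is pushing unusual amounts of outbound traffic. The FiOS router's real log format is not shown anywhere in the thread, so the script assumes a generic iptables-style line layout and builds its own constructed sample log; the 10-second window and the 100-packet flood threshold are illustrative assumptions, not numbers from the original.

```python
"""Triage a home-router firewall log: background scanning vs. a flood,
and outbound bytes per LAN host. Example code; log format is assumed."""
import re
from collections import Counter
from datetime import datetime, timedelta

WAN_IP = "198.51.100.20"  # assumed public address of the router (RFC 5737 range)

# Assumed iptables-style line: "<ts> IN|OUT=wan SRC=.. DST=.. PROTO=.. DPT=.. LEN=.."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<dir>IN|OUT)=wan SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+) LEN=(?P<len>\d+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "dir": d["dir"], "src": d["src"], "dst": d["dst"],
            "proto": d["proto"], "dpt": int(d["dpt"]), "len": int(d["len"]),
        })
    return events


def inbound_summary(events):
    """Counts of inbound packets per source IP and per destination port."""
    inbound = [e for e in events if e["dir"] == "IN"]
    return Counter(e["src"] for e in inbound), Counter(e["dpt"] for e in inbound)


def peak_inbound_rate(events, window=timedelta(seconds=10)):
    """Largest number of inbound packets that fall inside any sliding window."""
    times = sorted(e["ts"] for e in events if e["dir"] == "IN")
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_inbound(events, window=timedelta(seconds=10), threshold=100):
    """A trickle of probes on telnet/SMB/SSH is ordinary background scanning;
    a burst past the threshold is worth treating as a flood, which the router
    can only log, not stop. Threshold is an illustrative assumption."""
    peak = peak_inbound_rate(events, window)
    return ("flood" if peak >= threshold else "background-scanning"), peak


def outbound_bytes_by_host(events):
    """Bytes sent toward the WAN per LAN source; an infected host spamming
    would stand out here even though it feels like 'the internet is down'."""
    c = Counter()
    for e in events:
        if e["dir"] == "OUT":
            c[e["src"]] += e["len"]
    return c


def build_sample_log():
    """Constructed sample: a few scanners, one 5-second flood, one chatty LAN host."""
    base = datetime(2018, 10, 15, 22, 0, 0)
    lines = []

    def add(t, direction, src, dst, proto, dpt, length):
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} {direction}=wan SRC={src} DST={dst} "
                     f"PROTO={proto} DPT={dpt} LEN={length}")

    # Background: four probes on the usual ports spread over ~20 minutes
    probes = [("203.0.113.7", 23), ("203.0.113.7", 2323),
              ("192.0.2.55", 445), ("192.0.2.9", 22)]
    for i, (src, dpt) in enumerate(probes):
        add(base + timedelta(minutes=7 * i), "IN", src, WAN_IP, "TCP", dpt, 60)
    # Flood: 300 UDP packets from three sources within 5 seconds
    for i in range(300):
        add(base + timedelta(minutes=40, seconds=i // 60), "IN",
            f"203.0.113.{100 + i % 3}", WAN_IP, "UDP", 80, 1400)
    # LAN: light HTTPS browsing from one host, a burst of SMTP from another
    for i in range(5):
        add(base + timedelta(minutes=i), "OUT", "192.168.1.10", "192.0.2.80", "TCP", 443, 1500)
    for i in range(40):
        add(base + timedelta(minutes=10, seconds=i), "OUT", "192.168.1.12", f"192.0.2.{i}", "TCP", 25, 1200)
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    by_src, by_port = inbound_summary(evs)
    print("top inbound sources:", by_src.most_common(3))
    print("top inbound ports:", by_port.most_common(3))
    print("verdict, peak per 10s:", classify_inbound(evs))
    print("outbound bytes by host:", outbound_bytes_by_host(evs).most_common())
```

With a real log, replace `build_sample_log()` with the file contents and adjust `LINE_RE` to whatever the router actually emits; the point of the per-port and per-source counters is that a handful of hits on 22/23/445 from scattered addresses is the normal noise Shonky describes, while hundreds of packets per second or a single LAN host dominating the outbound byte count is what actually warrants a closer look.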
Posted by: mlord

Re: Inbound traffic analysis - 17/10/2018 12:49

I seem to recall that the widespread DDOS vulnerability was due to too long of a "connection timeout" setting in the (Linux) firmware of those devices. If one has shell access, it is easily "fixed" until the next power cycle.

So.. not always needing an upstream fix, but, yeah.