Client's son's friend got ahold of his IP and is DDoS'ing my client.

thecomputerguy

Client emails me because she says her son's "friend" got his IP address somehow and has been DDoS'ing him while playing games. Their internet is dragging and cutting out periodically, and her son says it's because his buddy is being funny and DDoS'ing him.

Client runs her business out of her home and I told her that her best option is to get the IP changed, which would require a call to the ISP and could take hours and hours on the phone if a reboot of the modem doesn't change the IP.

I told her to get ahold of this kid's parents and try to get him to stop or threaten legal action since her business is run from home.

Anyone else know of any other way?
 
Legal action (police called) is the official remedy. It is illegal to knowingly DDoS someone. They do need to log the attack or get evidence of the DDoS. It's advisable and neighborly to talk to the other kid's parents and see what comes of that first.
 
I remember having a conversation with Spectrum about this. If you pull the modem power overnight you might get lucky and pull a new IP the next day. It could take several days sometimes. From what they said, on the residential side the only way is "hope" or a new modem.

On the business side they could initiate a new IP, I believe is what they told me.
 
Seems like the simplest fix would be to call the ISP. Tell them someone is attacking their modem. The ISP should easily be able to see it if it's happening. A couple of commands on their end to block the offending source IP (and even shut down the account or severely throttle it - if it's from the same ISP. Have seen several clients have their service throttled when they had infected machines spamming the Internet).
 
Seems like the simplest fix would be to call the ISP. Tell them someone is attacking their modem. The ISP should easily be able to see it if it's happening. A couple of commands on their end to block the offending source IP (and even shut down the account or severely throttle it - if it's from the same ISP. Have seen several clients have their service throttled when they had infected machines spamming the Internet).

Yup...bingo! A simple call.
 
Unless it's a fixed IP, which is highly unlikely in a residence, it's pretty simple. Connect directly to the modem, release the IP, power down the modem for 30 minutes, disconnect it from the line in, power up and then reconnect the line in after a few minutes. Done that many times with Spectrum. Sometimes might need to be powered off longer. But the key is to release the IP first.
 
Just a thought, but maybe you should try to verify this conclusion?
I ditto this; we just had someone on these forums assume 20H2 broke YouTube yesterday...

Correlation doesn't equate to causation, and you need to verify that the Internet connection is actually healthy because all of this could simply be noise.
 
If it's truly a DDoS attack, they need to contact the ISP. The ISP will have the means to track it down and stop it. They will also likely alert whatever ISP the attacker is using and report him to them.

As others said, need to ensure it's an actual attack first.

We are a WISP ourselves, we take DDoS attacks pretty seriously. Whether it's an attack on one of our customers, or one of our customers attacking someone else.
 
How do you go about verifying a DDoS attack? Just ask the ISP?
Well, if you had a firewall, you could certainly look at logs of incoming traffic. Too many requests from one IP would raise my antenna, I'd think. Who knows what is recorded on the average residential ISP gateway. Probably easier to pull a new IP using @Markverhyden's suggestion and see if the problem goes away.
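One way to run the log check described in the reply above, as an added example that is not part of the original thread: it tallies inbound packets per source per minute so one chatty IP can be told apart from traffic spread across many sources. It assumes the firewall writes Linux netfilter LOG-style lines; the sample lines, addresses, function names and thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Linux netfilter LOG style (assumed format; documentation-range addresses).
SAMPLE_LOG = "\n".join(
    [f"Oct 28 21:14:{s:02d} gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.7 PROTO=UDP SPT=4000 DPT=3074"
     for s in range(40)]
    + [f"Oct 28 21:15:{s:02d} gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.{s + 1} DST=198.51.100.7 PROTO=UDP SPT=53 DPT=3074"
       for s in range(30)]
    + ["Oct 28 21:16:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.7 PROTO=TCP SPT=443 DPT=51000"]
)

# Capture the timestamp down to the minute, then the source and destination addresses.
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d{2}:\d{2}):\d{2}\s.*?\bSRC=(\S+)\s.*?\bDST=(\S+)")

def per_minute_sources(log_text, wan_ip):
    """Return {minute: Counter(src -> packets)} for logged packets addressed to wan_ip."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == wan_ip:
            buckets[m.group(1)][m.group(2)] += 1
    return buckets

def classify(buckets, pkt_threshold=20, src_threshold=10):
    """Label each minute. Thresholds are illustrative assumptions; tune them to the link's baseline."""
    verdicts = {}
    for minute, counts in buckets.items():
        total = sum(counts.values())
        top_src, top_n = counts.most_common(1)[0]
        if total < pkt_threshold:
            verdicts[minute] = ("normal", None)
        elif top_n / total >= 0.8:          # one address dominates the minute
            verdicts[minute] = ("single-source", top_src)
        elif len(counts) >= src_threshold:  # volume spread over many addresses
            verdicts[minute] = ("distributed", None)
        else:
            verdicts[minute] = ("elevated", None)
    return verdicts

if __name__ == "__main__":
    report = classify(per_minute_sources(SAMPLE_LOG, "198.51.100.7"))
    for minute, (label, src) in sorted(report.items()):
        print(minute, label, src or "")
```

If the logging rule is rate-limited, the counts understate the real packet rate, so read them as relative rather than absolute.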
 
her son says it's because his buddy is being funny and DDoS'ing him.
I would question (perhaps unwisely, I know) the ability of a random gamer kid to organize or control a botnet....just to "be funny", hence my comment about high traffic from a single IP. Without data, it's all speculation anyway.
 
I would question (perhaps unwisely, I know) the ability of a random gamer kid to organize or control a botnet....just to "be funny", hence my comment about high traffic from a single IP. Without data, it's all speculation anyway.

Presumably such a kid would be generating traffic from his own home. And, since most residential connections are asynchronous, he doesn't have enough bandwidth on a single connection to flatten anyone else's receive.

So it has to be a DDoS, even a small one... which is why I don't think this is happening at all. I'm pretty sure they're just having connection problems and the kid is being an idiot.
 
Sounds like this kid has watched too much Mr. Robot. I would call his bluff and tell him authorities are going to be involved in the situation.
Then watch his firewall come down and admit he was joking, then let him go back to his scripts.
 