koldfront

Under attack?! #net

๐Ÿ•™๏ธŽ - 2024-03-31

Yesterday evening my home router started acting up. Instead of ping showing a latency of a couple of ms it went up to hundreds, and on top of that it started dropping 40-80% of the packets.

I tried turning it off and on again, wildly guessing that my ISP maybe had done some kind of upgrade or something.

It started up nicely, but then bogged down again. After a while I looked at the smokeping graph, which confirmed that something was wrong:

Smokeping graph showing the latency to the router on my LAN going haywire

I noticed that on my three DNS servers, one behind this router and two on VPS's, named was in the top of the CPU usage list. Hm.

ngrep'ing traffic on port 53 revealed a single IP doing a lot of requests for asjo.org. As in thousands.

I even got a warning from one of the VPS hosters telling me about the sudden spike in outbound traffic.

I started dropping the packets from that IP on the servers, and in the router, the outbound traffic disappeared, and my router no longer suffered. Yay!

Graph showing the sudden increase in traffic on one VPS

It seems like a weird low-key DoS attack, but it's kind of hard to understand. It's not that disruptive - luckily - and it seems to come from one IP-address only.

Well, almost. After I started dropping all packets from that IP, another one showed up as excessively active, so I started dropping packet from that one as well. Almost as soon as I did, the barrage from this second IP stopped completely.

The first IP, however, is still sending UDP packets at some 1-2 MBps to each VPS, here more than 24 hours later. Go figure.

I know that various people mistake my domain asjo.org for something else from time to time (when I had a Twitter account @asjo that also happened quite a bit), but what this IP-address - apparently somewhere in central China - has against my DNS servers, I can't tell. It's odd.

Add comment

To avoid spam many websites make you fill out a CAPTCHA, or log in via an account at a corporation such as Twitter, Facebook, Google or even Microsoft GitHub.

I have chosen to use a more old school method of spam prevention.

To post a comment here, you need to:

ยน Such as Thunderbird, Pan, slrn, tin or Gnus (part of Emacs).

Or, you can fill in this form:

+=