Author Topic: DoS and UDP Flood  (Read 596 times)

Offline bustr

  • Plutonium Member
  • *******
  • Posts: 12436
DoS and UDP Flood
« on: March 08, 2014, 04:31:49 PM »
In the last 6 months I've seen an uptick in DoS and UDP Flood against my home router. Looking around through various industry sources there has been a general uptick in UDP Flood attacks around the world.

What are the ramifications to my game play when these automated scans tickle my router looking for access? It seems China runs DoS scans on an automated batch schedule daily from lists of millions of publicly available IP, while lately I'm seeing more domestic IP sources from various providers around the country when I trace back the source.

Can one of these automated scans cause me to DISCO or create the sudden illusion of rubber bullets while my NetStat and Host Queue time are flat as boards? Ping Plotter is kind of useless in this circumstance. I have 9 hops to Texas and an average 55-58 trip time with no packet loss at least for ICMP.

I'm curious because last night by coincidence, I suddenly had rubber bullets at the same time frame my log showed a DoS scan from China.

bustr - POTW 1st Wing


This is like the old joke that voters are harsher to their beer brewer if he has an outage, than their politicians after raising their taxes. Death and taxes are certain but, fun and sex is only now.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: DoS and UDP Flood
« Reply #1 on: March 09, 2014, 03:58:48 AM »
> In the last 6 months I've seen an uptick in DoS and UDP Flood against my home router. Looking around through various industry sources there has been a general uptick in UDP Flood attacks around the world.
>
> What are the ramifications to my game play when these automated scans tickle my router looking for access? It seems China runs DoS scans on an automated batch schedule daily from lists of millions of publicly available IP, while lately I'm seeing more domestic IP sources from various providers around the country when I trace back the source.
>
> Can one of these automated scans cause me to DISCO or create the sudden illusion of rubber bullets while my NetStat and Host Queue time are flat as boards? Ping Plotter is kind of useless in this circumstance. I have 9 hops to Texas and an average 55-58 trip time with no packet loss at least for ICMP.
>
> I'm curious because last night by coincidence, I suddenly had rubber bullets at the same time frame my log showed a DoS scan from China.



I've never heard of Denial Of Service scans, do they scan for vulnerabilities in your network or what?
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline bustr

  • Plutonium Member
  • *******
  • Posts: 12436
Re: DoS and UDP Flood
« Reply #2 on: March 09, 2014, 05:51:24 AM »
I'm just curious if these can impact my game session.

The Chinese pull public IP every day then scan them in batches from IP registered to Chinese companies.  I get up to 6 a day some days both Chinese and domestic. Many of the Chinese IP have years of repeated complaints to no avail due to being from China. Many of the companies that issue the IP and the companies running the scans are companies owned by the Chinese Military under civilian management. For several years I would get hit by one scan a week registered to the same hotel room in Beijing using different IP. I found out about this because naively I went through the complaint process thinking I was being a good citizen. Rebooting my router to gain a new IP didn't work because every new IP was available to the public and the Chinese scans for lists of public IP. The subsequent DoS scans later are just blind hog finding an acorn approach because the Chinese have the money, people and time to do it. The odds are in their favor by that point.

Like this one today.

bustr - POTW 1st Wing



Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: DoS and UDP Flood
« Reply #3 on: March 09, 2014, 05:57:03 AM »
Is your IP being flooded by that address or is it just a scan? It may be baiduspider or other Chinese search crawler. Or simply some script kiddie utilizing his hacked servers.

Offline zack1234

  • Plutonium Member
  • *******
  • Posts: 13182
Re: DoS and UDP Flood
« Reply #4 on: March 09, 2014, 07:23:01 AM »
How do I see if commies are looking at my holiday pictures? :old:
There are no pies stored in this plane overnight

                          
The GFC
Pipz lived in the Wilderness near Ontario

Offline bustr

  • Plutonium Member
  • *******
  • Posts: 12436
Re: DoS and UDP Flood
« Reply #5 on: March 09, 2014, 05:00:26 PM »
Riply,

This is not a session of you can prove it's not what it is by asking 20 questions. When it's from hotels in mainland China, it's the daily scans for openings in routers worldwide. I went through this when I registered complaints against the Chinese IPs. The process is owned and subsidized by the Chinese Army. Then ultimately by the West purchasing cheap Chinese goods because the Chinese Army owns much of the production in China via holding companies. In the last 6 months I've seen an uptick in UDP DoS in my log.

As I originally asked, can these daily scans affect my game play when one hits while I'm in the arena? Yes or No?
bustr - POTW 1st Wing



Offline Hoplite

  • Nickel Member
  • ***
  • Posts: 427
Re: DoS and UDP Flood
« Reply #6 on: March 09, 2014, 08:26:06 PM »
I've been dealing with this from a professional perspective for the past couple of years.   You might find this interesting:

http://www.slideshare.net/jamkjm/ddos-impact-to-community-financial-institutions


There are several major botnets out there that could be scanning your space for vulnerable systems to infect, including the ones used for the attacks last year.  Or it could be something else.  I'm really not in the weeds of this stuff anymore (i.e. being a front line InfoSec tech is a game for the young) so everything I say is conjecture.  At the very least reach out to your ISP but they may already be aware of it.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: DoS and UDP Flood
« Reply #7 on: March 10, 2014, 01:00:09 AM »
> Riply,
>
> This is not a session of you can prove it's not what it is by asking 20 questions. When it's from hotels in mainland China, it's the daily scans for openings in routers worldwide. I went through this when I registered complaints against the Chinese IPs. The process is owned and subsidized by the Chinese Army. Then ultimately by the West purchasing cheap Chinese goods because the Chinese Army owns much of the production in China via holding companies. In the last 6 months I've seen an uptick in UDP DoS in my log.
>
> As I originally asked, can these daily scans affect my game play when one hits while I'm in the arena? Yes or No?

Unless the scans *flood* your connection to the extent that your router can't handle the traffic anymore, yes. Otherwise it's not likely that you'll see the effect. Besides we're all getting scanned so it's the same for everyone.

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9852
Re: DoS and UDP Flood
« Reply #8 on: March 12, 2014, 04:54:51 AM »
Most home routers that report "DoS attacks" and "UDP floods" are bollocks (yes that's a technical term).

Most of the time it's residue from people running P2P apps.
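
One way to test this against your own router log, as an added example that is not part of the original thread: count logged "DoS"/"UDP flood" entries per source per minute, separate scattered probes from a sustained burst, and list which sources were logged during a game session. The log format, the 100-entries-per-minute threshold and all function names are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log format; real router logs differ by vendor and firmware.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(?:DoS attack|UDP flood)[^\]]*\] from ([\d.]+)"
)

def build_sample():
    """Constructed log text; all addresses are documentation ranges."""
    lines = [
        "2014-03-08 21:14:02 [DoS attack: UDP scan] from 198.51.100.7, port 40112",
        "2014-03-08 21:14:03 [DoS attack: UDP scan] from 198.51.100.7, port 40113",
        "2014-03-08 23:02:41 [DoS attack: UDP scan] from 192.0.2.33, port 5060",
    ]
    # One source logged twice a second for a full minute: a sustained burst.
    lines += [f"2014-03-08 22:40:{s:02d} [UDP flood] from 203.0.113.50, port 53"
              for s in range(60) for _ in range(2)]
    return "\n".join(lines)

def parse(text):
    """Return (timestamp, source) for every line that matches LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def peak_per_minute(events):
    """Highest number of log entries seen in any one minute, per source."""
    buckets = defaultdict(int)
    for ts, src in events:
        buckets[(src, ts.replace(second=0))] += 1
    peaks = defaultdict(int)
    for (src, _), n in buckets.items():
        peaks[src] = max(peaks[src], n)
    return dict(peaks)

def classify(events, sustained_threshold=100):
    """Label each source 'sustained' or 'probe' (threshold is an assumption)."""
    return {src: "sustained" if peak >= sustained_threshold else "probe"
            for src, peak in peak_per_minute(events).items()}

def sources_during(events, start, end):
    """Sources with at least one logged entry inside a session window."""
    return sorted({src for ts, src in events if start <= ts <= end})
```

A source that only ever shows as "probe" and falls inside the session window is a coincidence candidate; one that shows as "sustained" during the session is worth raising with the ISP.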


Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: DoS and UDP Flood
« Reply #9 on: March 12, 2014, 05:45:00 AM »
> Most home routers that report "DoS attacks" and "UDP floods" are bollocks (yes that's a technical term).
>
> Most of the time it's residue from people running P2P apps.



I have a Zyxel router on the shelf that will log attacks from running aces high or BF3. Not only that, it starts to 'protect' from the datastream causing stutters to the games.