Holy Batman. I think I'm suffering a DOS attack (edit was actually mDNS?)

[wappinghigh]

I think I am suffering a DOS attack

This is friggen scary.

How do I prove this?

I run a Draytek Vigor 2830Vn

Thanks W

Sent from my iPhone using Tapatalk

[msgreenf]

you would have to look at your inbound connections and see what is going on...

[wappinghigh]

Ok. So dealer says to disconnect from internet. And reboot router. I've done this. Network is still basically down. It's now running on is own but Like only 12 out of a possible 88-95 devices are up. Control 4, cameras, computers TVs all down. Holy crap. This is scary. How easy it is to take down a smart home ....

Sent from my iPhone using Tapatalk

[msgreenf]

that doesn't really make sense.  What do you mean it's running on its own? do you mean your internal network is up and not internet connected?  Everything Control4 should still work fine as it's all local to your house

[wappinghigh]

No I meant even though I've disconnected the WAN from the router, the network is still basically down... even after a subsequent reboot...

Sent from my iPhone using Tapatalk

[msgreenf]

1 minute ago, wappinghigh said:

No I meant even though I've disconnected the WAN from the router, the network is still basically down... even after a subsequent reboot...

Sent from my iPhone using Tapatalk

not a DoS/DDoS attack then.  Something in the router has gone screwy

[msgreenf]

or you have a virus inside your home network

[wappinghigh]

There is some unidentified device like on some weird IP address ... 224.0.0.251.... When I run a 192.168.0.1 network. I can identify it's MAC address ...That any clue????

Sent from my iPhone using Tapatalk

[wappinghigh]

What network antivirus stuff do you guys recommend? Is there something you can get that will scan a network???

Sent from my iPhone using Tapatalk

[wappinghigh]

Thanks for your help BTW It's like 11.30pm here. This is darn scary. I'm telling ya!!!

Sent from my iPhone using Tapatalk

[Dave w]

Addresses starting with a number between 224 are used for IP multicast.  IP multicast is a technology for efficiently sending the same content to multiple destinations.
It is commonly used for distributing device state information and video streams, among other things.
It is most likely iTunes or Bonjor or Sonos, etc....Usually on ports 5353 or 5555.
A full list of IPv4 multicast assignments can be found at:
http://www.iana.org/assignments/multicast-addresses

[thegreatheed]

You could also have a device on the network internally that is just malfunctioning and causing a network storm.

[wappinghigh]

Thanks for all the clues everyone. I guess I go back and check the last few devices added recently (since the network has been stable for well over year).....that would be the HEOS and that new Kodi box that were recently added, and adding Asset uPNP DLNA server ...

Sent from my iPhone using Tapatalk

[wappinghigh]

Something has definitely crashed my network. This is one of worst episodes I've seen. Still down. Scary.

Sent from my iPhone using Tapatalk

[wappinghigh]

Like I don't even see an ARP table on the Draytek. Even after multiple reboots and leaving most of the network down and turned off over night. This is serious

Sent from my iPhone using Tapatalk

[msgreenf]

3 minutes ago, wappinghigh said:

This is serious

just cause it's serious and you don't understand what is going on, doesn't mean it's a DDoS attack...

[Cyknight]

So, nothing works at all? Just a though, but I'd grab another router, hook i up and see if things don't just start coming back to life. If not, set up a router and start connecting devices to it one by one.

What you've described could easily be a router gone haywire. It could indeed also be something causing a broadcast storm (Sonos, Heos, or for that matter a touchscreen or doorstation on an intercom session).

Frankly, it's going to be a matter of elimination.

[wappinghigh]

Sure. I've figured it out it's not a DOS attack. Some serious crap going on with the router. Random crap. Makes one appreciate how dependent we have all become on our networks.

Sent from my iPhone using Tapatalk

[wappinghigh]

Black Swan Theory. I suggest software engineers at C4Central read and study! W https://www.amazon.com/Black-Swan-Improbable-Robustness-Fragility/dp/081297381X "A black swan is an event, positive or negative, that is deemed improbable yet causes massive consequences. In this groundbreaking and prophetic book, Taleb shows in a playful way that Black Swan events explain almost everything about our world, and yet we—especially the experts—are blind to them." 

[wappinghigh]

Ok. Up and running. Phew... 

Quick related Question to you all... 

Are there any devices (hardware and or software) that can watch for the development of a network broadcast storm (say running in the background on the network) and then be programmed in Composer to say shoot out a notification (that it's starting to happen)...and subsequently automatically shut down both 1/ the router and 2/ Director (in an orderly fashion)? Cheers W

[Cyknight]

Directly, doubtful.

There are software based monitoring options, some security appliances do it as well. Either could then be used to end out an email, which with the appropriate drivers can then 'send' that to C4 as a trigger.

Assuming you have controlled power outlets etc, you can then program to do the rest.

[Cyknight]

1 hour ago, wappinghigh said:

Black Swan Theory.

In what you just went through, that's sort of like asking the car manufacturer to come up with solutions in case all possible roads are shut down....or light bulb manufacturers to have alternate back-up options in their bulbs in case electricity fails...

Arguably you COULD protect your base infrastructure right now. Have C4 set to a separate VLAN on their own switch preferably, all static IPs.....a storm then has LESS affect, or with other options added (as per your other post) you could shut down everything but that one switch and keep your 'basics' running until you've figured it out.

 

Glad you got it figured out by the way.

[wappinghigh]

Yep. My Suspect is Roon Server. Which uses Multicast. Can't prove it, but you get a feeling for such things. Saw a similar thing happen in the early Sonos days. I was just curious if anyone had thought of writing some sort of network "data"/developing storm monitor driver that we could link into Control4 announcements that's all.. You get a feeling the network is not running well (usually over a period of a couple days).. it's kind of a sixth sense.. then bang down she goes.. trouble is I wasn't at home when the final crash happened....  

[wappinghigh]

Just re-reading your post, as a matter of interest can the primary Controller running director be isolated on it's own VLAN/switch? Do you'all do that routinely? What is best practice protecting HA networked homes against network storms? There is Prosafe gear? Is that the brand right? That Control4 took over>? Is there anything in that line up which would help?  

[wappinghigh]

On 10/20/2016 at 3:49 AM, Dave w said:

Addresses starting with a number between 224 are used for IP multicast.  IP multicast is a technology for efficiently sending the same content to multiple destinations.
It is commonly used for distributing device state information and video streams, among other things.
It is most likely iTunes or Bonjor or Sonos, etc....Usually on ports 5353 or 5555.
A full list of IPv4 multicast assignments can be found at:
http://www.iana.org/assignments/multicast-addresses

Thanks for that clue. Bingo that's it.. Roon uses mDNS.... https://en.wikipedia.org/wiki/Multicast_DNS Highly  likely to be the culprit IMHO??