wappinghigh Posted October 19, 2016

I think I am suffering a DOS attack. This is friggen scary. How do I prove this? I run a Draytek Vigor 2830Vn.

Thanks
W

msgreenf Posted October 19, 2016

You would have to look at your inbound connections and see what is going on...

wappinghigh Posted October 19, 2016

Ok. So dealer says to disconnect from internet. And reboot router. I've done this. Network is still basically down. It's now running on its own but like only 12 out of a possible 88-95 devices are up. Control 4, cameras, computers, TVs all down. Holy crap. This is scary. How easy it is to take down a smart home ....

msgreenf Posted October 19, 2016

That doesn't really make sense. What do you mean it's running on its own? Do you mean your internal network is up and not internet connected? Everything Control4 should still work fine as it's all local to your house.

wappinghigh Posted October 19, 2016

No I meant even though I've disconnected the WAN from the router, the network is still basically down... even after a subsequent reboot...

msgreenf Posted October 19, 2016

1 minute ago, wappinghigh said:
> No I meant even though I've disconnected the WAN from the router, the network is still basically down... even after a subsequent reboot...

Not a DoS/DDoS attack then. Something in the router has gone screwy.

msgreenf Posted October 19, 2016

Or you have a virus inside your home network.

wappinghigh Posted October 19, 2016

There is some unidentified device like on some weird IP address ... 224.0.0.251.... When I run a 192.168.0.1 network. I can identify its MAC address ... That any clue????

wappinghigh Posted October 19, 2016

What network antivirus stuff do you guys recommend? Is there something you can get that will scan a network???

wappinghigh Posted October 19, 2016

Thanks for your help BTW. It's like 11.30pm here. This is darn scary. I'm telling ya!!!

Dave w Posted October 19, 2016

Addresses starting with a number between 224 are used for IP multicast. IP multicast is a technology for efficiently sending the same content to multiple destinations. It is commonly used for distributing device state information and video streams, among other things. It is most likely iTunes or Bonjour or Sonos, etc. Usually on ports 5353 or 5555.

A full list of IPv4 multicast assignments can be found at: http://www.iana.org/assignments/multicast-addresses

thegreatheed Posted October 19, 2016

You could also have a device on the network internally that is just malfunctioning and causing a network storm.

wappinghigh Posted October 19, 2016

Thanks for all the clues everyone. I guess I go back and check the last few devices added recently (since the network has been stable for well over a year)... that would be the HEOS and that new Kodi box that were recently added, and adding Asset uPNP DLNA server ...

wappinghigh Posted October 19, 2016

Something has definitely crashed my network. This is one of the worst episodes I've seen. Still down. Scary.

wappinghigh Posted October 19, 2016

Like I don't even see an ARP table on the Draytek. Even after multiple reboots and leaving most of the network down and turned off over night. This is serious.

msgreenf Posted October 19, 2016

3 minutes ago, wappinghigh said:
> This is serious

Just cause it's serious and you don't understand what is going on, doesn't mean it's a DDoS attack...

Cyknight Posted October 19, 2016

So, nothing works at all? Just a thought, but I'd grab another router, hook it up and see if things don't just start coming back to life. If not, set up a router and start connecting devices to it one by one.

What you've described could easily be a router gone haywire. It could indeed also be something causing a broadcast storm (Sonos, Heos, or for that matter a touchscreen or doorstation on an intercom session).

Frankly, it's going to be a matter of elimination.

wappinghigh Posted October 19, 2016

Sure. I've figured it out: it's not a DOS attack. Some serious crap going on with the router. Random crap. Makes one appreciate how dependent we have all become on our networks.

wappinghigh Posted October 20, 2016

Black Swan Theory. I suggest software engineers at C4Central read and study!

W

https://www.amazon.com/Black-Swan-Improbable-Robustness-Fragility/dp/081297381X

"A black swan is an event, positive or negative, that is deemed improbable yet causes massive consequences. In this groundbreaking and prophetic book, Taleb shows in a playful way that Black Swan events explain almost everything about our world, and yet we—especially the experts—are blind to them."

wappinghigh Posted October 21, 2016

Ok. Up and running. Phew...

Quick related question to you all... Are there any devices (hardware and/or software) that can watch for the development of a network broadcast storm (say running in the background on the network) and then be programmed in Composer to say shoot out a notification (that it's starting to happen)... and subsequently automatically shut down both 1/ the router and 2/ Director (in an orderly fashion)?

Cheers
W

Cyknight Posted October 21, 2016

Directly, doubtful. There are software-based monitoring options, some security appliances do it as well. Either could then be used to send out an email, which with the appropriate drivers can then 'send' that to C4 as a trigger. Assuming you have controlled power outlets etc, you can then program to do the rest.

Cyknight Posted October 21, 2016

1 hour ago, wappinghigh said:
> Black Swan Theory.

In what you just went through, that's sort of like asking the car manufacturer to come up with solutions in case all possible roads are shut down... or light bulb manufacturers to have alternate back-up options in their bulbs in case electricity fails...

Arguably you COULD protect your base infrastructure right now. Have C4 set to a separate VLAN on their own switch preferably, all static IPs... a storm then has LESS effect, or with other options added (as per your other post) you could shut down everything but that one switch and keep your 'basics' running until you've figured it out.

Glad you got it figured out by the way.

wappinghigh Posted October 21, 2016

Yep. My Suspect is Roon Server. Which uses Multicast. Can't prove it, but you get a feeling for such things. Saw a similar thing happen in the early Sonos days.

I was just curious if anyone had thought of writing some sort of network "data"/developing storm monitor driver that we could link into Control4 announcements that's all.. You get a feeling the network is not running well (usually over a period of a couple days).. it's kind of a sixth sense.. then bang down she goes.. trouble is I wasn't at home when the final crash happened....

wappinghigh Posted October 21, 2016

Just re-reading your post, as a matter of interest can the primary Controller running director be isolated on its own VLAN/switch? Do y'all do that routinely? What is best practice protecting HA networked homes against network storms?

There is Prosafe gear? Is that the brand right? That Control4 took over? Is there anything in that line up which would help?

wappinghigh Posted October 21, 2016

On 10/20/2016 at 3:49 AM, Dave w said:
> Addresses starting with a number between 224 are used for IP multicast. IP multicast is a technology for efficiently sending the same content to multiple destinations. It is commonly used for distributing device state information and video streams, among other things. It is most likely iTunes or Bonjour or Sonos, etc. Usually on ports 5353 or 5555. A full list of IPv4 multicast assignments can be found at: http://www.iana.org/assignments/multicast-addresses

Thanks for that clue. Bingo that's it.. Roon uses mDNS....

https://en.wikipedia.org/wiki/Multicast_DNS

Highly likely to be the culprit IMHO??

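Added example, not part of any post in this thread: one way the software-based monitoring discussed above could spot a developing storm, by counting broadcast and multicast packets per source MAC per second and flagging sources that stay above a rate for several seconds. The /24 LAN, the thresholds and the MAC addresses are assumptions, and the capture is constructed.

```python
import ipaddress
from collections import Counter, defaultdict

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")  # the "weird" address from the thread
LAN = ipaddress.ip_network("192.168.0.0/24")      # assumed from the 192.168.0.1 router

def classify(dst):
    """Label an IPv4 destination: broadcast, mdns, multicast or unicast."""
    addr = ipaddress.ip_address(dst)
    if addr == LAN.broadcast_address or dst == "255.255.255.255":
        return "broadcast"
    if addr == MDNS_GROUP:
        return "mdns"
    return "multicast" if addr.is_multicast else "unicast"

def find_storm_sources(packets, threshold_pps=100, sustained_secs=3):
    """packets: (timestamp_seconds, src_mac, dst_ip) tuples.
    Returns {src_mac: longest run of consecutive seconds above threshold_pps}
    for sources whose run lasted at least sustained_secs."""
    per_sec = defaultdict(Counter)  # src_mac -> {second: non-unicast packets}
    for ts, mac, dst in packets:
        if classify(dst) != "unicast":
            per_sec[mac][int(ts)] += 1
    offenders = {}
    for mac, counts in per_sec.items():
        best = run = 0
        prev = None
        for sec in sorted(s for s, n in counts.items() if n > threshold_pps):
            run = run + 1 if prev == sec - 1 else 1
            best, prev = max(best, run), sec
        if best >= sustained_secs:
            offenders[mac] = best
    return offenders

def constructed_capture():
    """Constructed sample traffic (made-up MACs), not data from the thread."""
    pkts = []
    for sec in range(10):  # normal device: 2 mDNS announcements/s plus unicast
        pkts += [(sec + 0.1 * i, "aa:aa:aa:00:00:01", "224.0.0.251") for i in range(2)]
        pkts.append((sec, "aa:aa:aa:00:00:01", "192.168.0.10"))
    for sec in range(3, 8):  # runaway device: 500 mDNS packets/s for 5 s
        pkts += [(sec + i / 500, "aa:aa:aa:00:00:02", "224.0.0.251") for i in range(500)]
    # short burst: 300 broadcasts within one second, not sustained
    pkts += [(5 + i / 300, "aa:aa:aa:00:00:03", "192.168.0.255") for i in range(300)]
    return pkts

if __name__ == "__main__":
    for mac, secs in find_storm_sources(constructed_capture()).items():
        print(f"possible storm source {mac}: {secs}s above threshold")
```

Requiring several consecutive seconds above the threshold keeps a normal burst of mDNS announcements (for example when a device joins the network) from raising an alert.
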
Archived
This topic is now archived and is closed to further replies.