Limiting the bandwidth?

Discussion in 'Port Explorer' started by Ben, Aug 6, 2003.

Thread Status:
Not open for further replies.
  1. Ben

    Ben Registered Member

    Hey guys, I might not understand the terminology correctly, so I need some help.

    I am consistently bombarded while I am on IRC. Could I use the bandwidth limiting feature to block the DDoS attempts?

    In this situation, should I limit only the "received" amount or should I also limit the "sent"?

    What does this feature actually do? Does it slow down the transmission, or does it cause a disconnect from that server when the limit is reached?

    Thanks in advance
     
  2. Ben

    Ben Registered Member

    PS: Due to the DDoS, the spoof feature on a certain socket is jammed. How do I clear it? I click Remove All while in packet mode, but it will not respond.

    Thank you
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Ben,
    Are the attacks being sent over the IRC protocol (i.e. are you receiving lots of private messages or pings etc. in your IRC client), or are the attacks coming directly to your system via other means not IRC-related, such as ICMP? I rarely IRC these days so I'm not sure what features are still supported or which ones have been phased out, but there was/(still is?) a command called /Silence. It's similar to /Ignore, but /Ignore is only client-side (your client still receives the messages, but doesn't display them), whereas /Silence stops the messages at the server - you don't receive them. This can be useful when dealing with IRC-based floods.

    Port Explorer is more of an analysis tool though, and although it has port blocking and bandwidth limiting capabilities it's not really an anti-DDoS tool - this is the job of firewalls. If you're under a serious attack your ISP should also be able to offer advice and often directly help (i.e. filter some IPs at their servers so they don't make it down to your home system), because even firewalls on your system can't stop traffic from being sent to you.

    Regards,
    Wayne
     
  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    The bandwidth throttler CONTROLS the flow of bandwidth for that socket from YOUR computer at the driver layer. So basically if they send you 50KB in one second and you have made the socket only receive 5KB a second then it will take 10 seconds to receive that data. I am pretty sure that by the time you can see data your hardware would already be in the process of receiving all of it so there is no way you can stop the data from the hardware level. Slowing down the socket though will mean whatever application that owns the socket will only receive how much you specify per second.

    -Jason-
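
The throttling behaviour described in the post above, modelled as an added example (not part of the original thread and not Port Explorer code). The function names are hypothetical, "KB" is assumed to mean 1024 bytes, and the model assumes nothing is dropped and the sender never slows down.

```python
"""Constructed model of a receive-side bandwidth throttle (not Port Explorer code)."""
from dataclasses import dataclass

KB = 1024  # assumption: the thread's "KB" is taken as 1024 bytes


@dataclass
class Tick:
    second: int     # 1-based second of the simulation
    on_wire: int    # bytes that reached the host; the throttle cannot reduce this
    delivered: int  # bytes released to the application that owns the socket
    backlog: int    # bytes held back by the throttle, still waiting


def simulate_receive_throttle(arrivals, limit_per_sec):
    """Hypothetical helper: replay per-second arrivals through a receive limit.

    Simplification: nothing is dropped and the sender never slows down.
    """
    if limit_per_sec <= 0:
        raise ValueError("limit_per_sec must be positive")
    ticks, backlog, second = [], 0, 0
    while second < len(arrivals) or backlog > 0:
        on_wire = arrivals[second] if second < len(arrivals) else 0
        backlog += on_wire
        delivered = min(backlog, limit_per_sec)
        backlog -= delivered
        second += 1
        ticks.append(Tick(second, on_wire, delivered, backlog))
    return ticks


def summarize(ticks):
    """Totals a defender cares about: link load versus what the app saw."""
    return {
        "seconds_to_deliver": max((t.second for t in ticks if t.delivered), default=0),
        "wire_bytes": sum(t.on_wire for t in ticks),
        "peak_backlog": max((t.backlog for t in ticks), default=0),
    }


if __name__ == "__main__":
    # Constructed inputs: the single 50 KB burst from the post, then a 5-second flood.
    for label, arrivals in (("burst", [50 * KB]), ("flood", [50 * KB] * 5)):
        print(label, summarize(simulate_receive_throttle(arrivals, 5 * KB)))
```

In the flood case the link still carries all 250 KB while the application waits 50 seconds and the held-back data peaks at 225 KB, which is why the limit shapes delivery to the application but does not relieve the connection itself.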
     
  5. Ben

    Ben Registered Member

    Thanks a lot guys :)

    Yes, I am being DDoSed, and not only me, that server as well.
    I have detected the channel that is generating the queries but I will not be able to detect who is doing it.

    All in all my PE SpySocket crashed, and every time I try to use it, it shuts down the entire application.

    I have just uninstalled / reinstalled PE and I get the same results.
    I assume the huge amount of info sent has jammed the SpySocket, and I cannot see how I could clear all data out of it.

    ..unless PE server is down?
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Hi Ben,

    While PE is closed you can go to the install directory and delete or rename the capture.bin file. This will null out the contents of the SocketSpy data screen within PE.

    HTH,

    Dan
     
  7. Ben

    Ben Registered Member

    Hey Dan, super, thanks, it worked now.

    That file was 78MB in 2 hours.
     
  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Ben, are you sure it "crashed" or just "hung"? Like, was there an illegal operation, or would the window just not update?

    -Jason-
     
  9. Ben

    Ben Registered Member

    Hi Jason,

    Well, when I was trying to open the Spy, it would pop up, but remain gray for a long period of time, then I would get a message that the program is not responding, then I would click okay to terminate it.
    When I click okay the entire PE would close down.

    Windows would not suffer a bit because of this.

    Now I am getting it again after, say, 2 hours of having PE running.

    Somewhere it overfills and will not only jam, but I would run out of resources and the entire system will freeze.
    Meaning I could not use any object, not even the Start button, so the only way to deal with it would be to unplug the computer from the power.

    Much like a DDoS attack. Looking at the stats, the IRC server I am hooked up to is the place where I get most of the hits.
    But I am not being flooded, not being pinged.

    Something causes the memory to fill up fast and I remember seeing "releasing resources" every time I close down PE.

    So what might all this mean?
     
  10. Jooske

    Jooske Registered Member

    Do you clean out the capture bin frequently? It grows very quickly, and if you try to look at the collection of, say, those 78 MB or more, then it could bring you into trouble.
    Haven't seen that problem for a long time.
    How big is the capture.bin after those two hours? Must be gigantic!
     
  11. Ben

    Ben Registered Member

    So Jooske, you suggest I should go and check the capture.bin's size often, and if I see it reaches, say, 10MB, I should delete it?

    I am trying to figure out how to clean it...
     
  12. Jooske

    Jooske Registered Member

    You can use the "remove" and "remove all" buttons for instance, or if you want to save it for some reason, rename it to something else in the PE directory. You can always open and read them through that viewer.

    Hope this helps!
     
  13. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    If you are on a reasonably slow computer, it may take a while for Socket Spy to process all results if you have TENS of megabytes of capture.bin :). So don't capture too much at any one time. 10 megabytes would be a good size, depending on your computer; mine can handle around 50MB without much slowdown.

    -Jason-
     