Hey guys, I might not understand the terminology correctly, so I need some help. I am consistently bombarded while I am on IRC; could I use the bandwidth limiting feature to block the DDoS attempts? In this situation, should I limit only the "received" amount or should I also limit the "sent"? What does this feature actually do? Does it slow down the transmission, or does reaching the limit cause a disconnect from that server? Thanks in advance
PS: due to the DDoS, the spoof feature on a certain socket is jammed. How do I clear it? I click Remove All while in packet mode, but it will not respond. Thank you
Ben, Are the attacks being sent over the IRC protocol (i.e. are you receiving lots of private messages or pings etc. in your IRC client), or are the attacks coming directly to your system via other means not IRC-related, such as ICMP? I rarely IRC these days so I'm not sure what features are still supported or which ones have been phased out, but there was/(still is?) a command called /Silence. It's similar to /Ignore, but /Ignore is only client-side (your client still receives the messages, but doesn't display them), whereas /Silence stops the messages at the server - you don't receive them. This can be useful when dealing with IRC-based floods. Port Explorer is more of an analysis tool though, and although it has port blocking and bandwidth limiting capabilities it's not really an anti-DDoS tool - this is the job of firewalls. If you're under a serious attack your ISP should also be able to offer advice and often directly help (i.e. filter some IPs at their servers so they don't make it down to your home system), because even firewalls on your system can't stop traffic from being sent to you. Regards, Wayne
The bandwidth throttler CONTROLS the flow of bandwidth for that socket from YOUR computer at the driver layer. So basically if they send you 50KB in one second and you have made the socket only receive 5KB a second then it will take 10 seconds to receive that data. I am pretty sure that by the time you can see data your hardware would already be in the process of receiving all of it so there is no way you can stop the data from the hardware level. Slowing down the socket though will mean whatever application that owns the socket will only receive how much you specify per second. -Jason-
Thanks a lot, guys. Yes, I am being DDoSed, and not only me, that server as well. I have detected the channel that is generating the queries but I will not be able to detect who is doing it. All in all my PE SpySocket crashed, and every time I try to use it, it shuts down the entire application. I have just uninstalled / reinstalled PE and I get the same results. I assume the huge amount of info sent has jammed the SpySocket, and I cannot see how I could clear all data out of it. ...unless PE server is down?
Hi Ben, While PE is closed you can go to the install directory and delete or rename the capture.bin file. This will null out the contents of the SocketSpy data screen within PE. HTH, Dan
Ben, You sure it "crashed" or just "hanged"? Like was there an illegal operation or would the window just not update? -Jason-
Hi Jason, well, when I was trying to open the Spy, it would pop up, but remain gray for a long period of time, then I would get a message that the program is not responding, then I would click okay to terminate it. When I click okay the entire PE would close down. Windows would not suffer a bit because of this. Now I am getting it again after say... 2 hours after having PE running. Somewhere it overfills and will not only jam, but I would run out of resources and the entire system will freeze. Meaning I could not use any object around, not even the Start button, so the only way to deal with it would be to unplug the computer from the power. Much like a DDoS attack. Looking at the stats, the IRC server I am hooked up to is the place where I get most of the hits. But I am not being flooded, not being pinged. Something causes the memory to fill up fast and I remember seeing "releasing resources" every time I close down PE. So what might all this mean?
Do you clean out the capture bin frequently? It grows very quickly, and if you try to look at the collection of say those 78 MB or more then it could bring you into trouble. Long time not seen that problem. How big is the capture.bin after those two hours? Must be gigantic!
So Jooske, you suggest I should go and check the capture.bin's size often and if I see it reaches, say... 10MB I should delete it? I am trying to figure out how to clean it...
You can use the "remove" and "remove all" buttons for instance, or if you want to save it for some reason in the PE directory rename it to something else. You can always open and read them through that viewer. Hope this helps!
If you are on a reasonably slow computer, it may take a while for Socket Spy to process all results if you have TENS of megabytes of capture.bin. So don't capture too much at any one time. 10 megabytes would be a good size, depending on your computer; mine can handle around 50MB without much slowdown. -Jason-
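The housekeeping suggested in the replies above (rename capture.bin out of the way once it reaches roughly 10 MB, with Port Explorer closed, so the old capture can still be opened later), written as an added Python example that is not part of the thread or of Port Explorer. The install directory is passed in by the user, and the `capture-<timestamp>.bin` archive name and the `rotate_capture` function are choices made here, not anything the product defines.

```python
import sys
import time
from pathlib import Path

LIMIT_BYTES = 10 * 1024 * 1024  # the 10 MB size suggested in the thread


def rotate_capture(install_dir, limit=LIMIT_BYTES, now=None):
    """Rename capture.bin in install_dir once it has reached `limit` bytes.

    Returns the archive Path if the file was renamed, or None if capture.bin
    is missing or still below the limit. `now` (epoch seconds) is only there
    so the timestamp can be fixed; it defaults to the current time.
    """
    capture = Path(install_dir) / "capture.bin"
    if not capture.is_file() or capture.stat().st_size < limit:
        return None
    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(now))
    target = capture.with_name(f"capture-{stamp}.bin")
    n = 1
    while target.exists():  # never overwrite an earlier archive
        target = capture.with_name(f"capture-{stamp}-{n}.bin")
        n += 1
    # On Windows this raises PermissionError while another process still
    # holds the file open, which is why it has to run with PE closed.
    capture.rename(target)
    return target


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: rotate_capture.py <Port Explorer install directory>")
    try:
        moved = rotate_capture(sys.argv[1])
    except PermissionError:
        sys.exit("capture.bin is in use; close Port Explorer and run again")
    print(f"archived to {moved}" if moved else "capture.bin is below the limit")
```
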