LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-26-2011, 03:56 AM   #1
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Rep: Reputation: 57
Find out if slow internet access is due to being attacked


Internet access from an adsl router gets very slow at times. I know there may be many networking reasons for this but let's focus on the security aspect for now: might it be that I am being attacked at the public ip? How can one find out if an attack is going on?
 
Old 09-26-2011, 04:05 AM   #2
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Rep: Reputation: 411
Hi,

Let's see where the "stuff" gets eaten up. Try to install a rootkit hunter first. Just to see if someone is inside already. Check with your distro for that.

If the system is reported as clean, issue this in the console:

Quote:
netstat -anp | more
and see what processes are hooked up to the Internet. Next, let's see if you're getting the goods you pay your provider for: do a speed test...

It could be as simple as a failing network portion in the network of the provider or excessive traffic "nearby". Attacks from the OUTside may slow things down, but traffic from and to the outside is more likely to slow things down...

And, last but not least, keep your box up to date...

Good luck

Thor
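As an added example (not Thor's code, and not part of the thread), here is a small POSIX shell script that does the triage the post above suggests on the output of `netstat -anp`: it counts ESTABLISHED connections per program, lists listening sockets, and flags programs holding an unusual number of connections. The netstat output embedded in it is constructed; the field positions assume the net-tools `netstat` column layout (`ss -tunap` prints different columns, so the awk fields would need adjusting).

```shell
#!/bin/sh
# Added example (not from the thread): summarize "netstat -anp" output so the
# connections a box holds open can be triaged quickly. The sample below is
# constructed; on a real system pipe in live data instead:
#   sudo netstat -anp | summarize_established

# Count ESTABLISHED TCP connections per PID/program, most talkative first.
summarize_established() {
    awk '$1 ~ /^(tcp|tcp6)$/ && $6 == "ESTABLISHED" { n[$7]++ }
         END { for (p in n) printf "%d %s\n", n[p], p }' | sort -rn
}

# List listening sockets (local address and owning program). Anything here
# that is reachable from the Internet and that you did not mean to run is
# what deserves attention, not the background scanning noise itself.
list_listeners() {
    awk '$6 == "LISTEN" { print $4, $7 }'
}

# Print only programs holding at least $1 established connections (default 3),
# e.g. a P2P client, or a process you do not recognise keeping many peers busy.
flag_busy_programs() {
    threshold="${1:-3}"
    summarize_established | awk -v t="$threshold" '$1 >= t { print }'
}

# Constructed sample in the column layout of net-tools "netstat -anp".
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      790/cupsd
tcp        0      0 192.168.1.10:41234      203.0.113.5:443         ESTABLISHED 2231/firefox
tcp        0      0 192.168.1.10:41235      203.0.113.5:443         ESTABLISHED 2231/firefox
tcp        0      0 192.168.1.10:52000      198.51.100.77:6881      ESTABLISHED 3401/transmission
tcp        0      0 192.168.1.10:52001      198.51.100.78:6881      ESTABLISHED 3401/transmission
tcp        0      0 192.168.1.10:52002      198.51.100.79:6881      ESTABLISHED 3401/transmission
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
)

echo "== established connections per program =="
printf '%s\n' "$SAMPLE_NETSTAT" | summarize_established
echo "== listening sockets =="
printf '%s\n' "$SAMPLE_NETSTAT" | list_listeners
echo "== programs with 3 or more connections =="
printf '%s\n' "$SAMPLE_NETSTAT" | flag_busy_programs 3
```

Run as root (or with `sudo`) so that the PID/Program name column is filled in; without it netstat prints `-` and the per-program counts collapse into one bucket. A program at the top of the list that you cannot account for is the thing worth investigating; a known P2P or sync client with many peers is a bandwidth explanation, not an attack.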
 
Old 09-26-2011, 04:27 AM   #3
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Isn't there anything to detect attacks from the outside?

If I'm being attacked to my public ip, then is it any use to make that ip something else at a server elsewhere by using a vpn to that server so netstat can be run there instead?
 
Old 09-26-2011, 04:38 AM   #4
ButterflyMelissa
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,766
Blog Entries: 23

Rep: Reputation: 411
You could restart the modem; that way, it will/should request a different IP address from your provider. If the slow state still persists, then we should look further...
Unless you're running a public server...
 
Old 09-26-2011, 05:49 AM   #5
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
It does get faster after a reboot of the router. But slows down again after visiting a few sites.

Isn't there any way to find out information about the origin of any attack?

Last edited by Ulysses_; 09-26-2011 at 05:53 AM.
 
Old 09-26-2011, 05:54 AM   #6
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Would it be possible to let someone else take the hit and deal with it much better than me?
 
Old 09-26-2011, 11:26 AM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by Ulysses_ View Post
I know there may be many networking reasons for this but let's focus on the security aspect for now:
So, you've decided to focus on one of the least likely causes, so the chances are that this will prove completely inconclusive. OK, I'm game.

Do you see any packets that you don't understand on your side of whatever connects you to whatever type of network connection you have?

If that fails, do you have any diagnostics in the interface device that tell you anything? Do you have any diagnostics from your ISP (and that may include data usage from your ISP, as that may show up surprising data rates on the far side of whatever the interface is)?

If you don't have any of the above, you may be forced into considering something that is more likely, or give up.
 
Old 09-26-2011, 12:29 PM   #8
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Let's have your list of the most likely reasons then.

Btw, I don't see anything wrong in the output of netstat, I think it is the adsl router that is being dos attacked, or load attacked.
 
Old 09-26-2011, 01:37 PM   #9
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
A couple of questions/thoughts...

How are you measuring performance? I use an ftp server provided by my ISP, and by downloading and uploading a 5 MB file I can get a reasonable benchmark. See if your ISP has some similar performance test facility.

Do you have more than one computer sharing the connection? Is someone else on your LAN hogging the bandwidth?

Does your modem have any logging capabilities? My ZyXel has at least some statistics available. Compare the Packets received/transmitted by the WAN and see how that compares with the traffic on the LAN. If the WAN is a lot larger then perhaps the modem is blocking some attack traffic.

Once you have some data/evidence get hold of your ISP and raise a little H. You are paying them for performance. If they are not delivering they should be willing to assist in resolving the issue.

Ken
 
Old 09-26-2011, 01:47 PM   #10
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
But you started off by saying that you don't want to do that. What's changed?

ADSL? Are you using a normal (consumer) ADSL modem/router and a wired connection?
 
Old 09-26-2011, 01:54 PM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I can guarantee you that your public IP IS getting attacked. In fact, it would be a safe bet to say that all public IP, or at least almost all public IP addresses are getting attacked. There are millions of idiots out there running bots and other scanning scripts. These scripts will try to find everything from vulnerable SSH servers to printers, including remote desktops, mail servers, VOIP servers, etc.

The likelihood of you personally being attacked, with the express intent to overwhelm and compromise you, is remote, and by this token a Denial of Service (DOS) attack against you to reduce your bandwidth is equally unlikely. Real possibilities of what could be happening include failing hardware, noise on your DSL lines, sand-vine and other throttling activity from your provider, etc.

The first steps to identify the problem include those spelled out above: use netstat to see what connections you have open, make sure your own system hasn't been compromised, run some speed tests, etc. You can also use the application iftop, which will watch your network connections and show you what applications are using bandwidth.

In answer to your question about watching the traffic to "see if you're being attacked", you can look at the traffic manually, using an application like Tcpdump, or you could use a packet sniffer like Snort. If you go the snort route, beware that you will get A LOT of false positives. It is important to realize that what is hitting your public IP isn't the important part, but rather what is making it through your firewalls to the applications and what your system is having to deal with.
 
1 members found this post helpful.
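As an added example (not Noway2's code, and not part of the thread), here is a POSIX shell script that applies the "look at the traffic manually with tcpdump" advice above in a way that is readable: it counts bare SYN packets (Flags [S], i.e. connection attempts, not the [S.] replies) per source address in tcpdump's text output and flags sources that exceed a threshold. The capture lines embedded in it are constructed; the `tcpdump` filter in the comment is standard pcap-filter syntax, and the threshold values are assumptions to be tuned for the link.

```shell
#!/bin/sh
# Added example (not from the thread): count TCP SYNs per source in tcpdump
# text output, to tell a port scan or SYN flood from ordinary browsing.
# The capture lines below are constructed. On a real box, capture on the LAN
# side of the router for a minute first (only bare SYNs, no SYN-ACKs):
#   sudo tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > syn.log
# then:  syn_sources_over 20 < syn.log

# Count SYNs (flag [S] only) per source IP, busiest source first.
syn_count_by_source() {
    awk '/Flags \[S\],/ {
             src = $3                      # "a.b.c.d.port"
             sub(/\.[0-9]+$/, "", src)     # strip the port
             n[src]++
         }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Sources that sent at least $1 SYNs in the capture window (default 10).
# Many SYNs from one source to one port is a scan or a flood; many SYNs from
# your own LAN address are just your own machine opening connections.
syn_sources_over() {
    syn_count_by_source | awk -v t="${1:-10}" '$1 >= t { print }'
}

# Constructed sample in tcpdump -nn text format (198.51.100.9 hammers port 22,
# 192.168.1.10 is the local machine opening one ordinary HTTPS connection).
SAMPLE_CAPTURE=$(cat <<'EOF'
12:00:01.000101 IP 198.51.100.9.44321 > 192.0.2.10.22: Flags [S], seq 100, win 1024, length 0
12:00:01.000202 IP 198.51.100.9.44322 > 192.0.2.10.22: Flags [S], seq 101, win 1024, length 0
12:00:01.000303 IP 198.51.100.9.44323 > 192.0.2.10.22: Flags [S], seq 102, win 1024, length 0
12:00:01.000404 IP 198.51.100.9.44324 > 192.0.2.10.22: Flags [S], seq 103, win 1024, length 0
12:00:01.000505 IP 198.51.100.9.44325 > 192.0.2.10.22: Flags [S], seq 104, win 1024, length 0
12:00:02.100000 IP 203.0.113.5.443 > 192.0.2.10.41234: Flags [S.], seq 7, ack 1, win 65535, length 0
12:00:03.200000 IP 192.168.1.10.41236 > 203.0.113.5.443: Flags [S], seq 200, win 64240, length 0
12:00:03.300000 IP 203.0.113.5.443 > 192.0.2.10.41236: Flags [P.], seq 1:100, ack 1, win 65535, length 99
EOF
)

echo "== SYNs per source =="
printf '%s\n' "$SAMPLE_CAPTURE" | syn_count_by_source
echo "== sources with 3 or more SYNs =="
printf '%s\n' "$SAMPLE_CAPTURE" | syn_sources_over 3
```

Note the caveat in the post above: behind a consumer ADSL router, a capture on the PC's interface only shows what the router's NAT/firewall let through (forwarded ports, DMZ host), which is exactly the traffic that matters. Background scanning of the public IP that the router drops never reaches this capture, and a flood large enough to saturate the line will show up better in the router's own WAN counters or the ISP's usage graphs than in a capture taken on the LAN.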
Old 09-29-2011, 04:58 AM   #12
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by Noway2 View Post
I can guarantee you that your public IP IS getting attacked. In fact, it would be a safe bet to say that all public IP, or at least almost all public IP addresses are getting attacked. There are millions of idiots out there running bots and other scanning scripts. These scripts will try to find everything from vulnerable SSH servers to printers, including remote desktops, mail servers, VOIP servers, etc.
That's absolutely a fair point, but the only cases that you would commonly see of this being a sufficiently persistent attack to cause noticeable data rate loss would be if you were running an Online Casino operation (or similar... anyone for whom a denial of service would have a directly definable bottom line cost) that could be thought to be up for exploitation.

Of course, we don't know that the OP isn't running an Online Casino. Or, just maybe, his IP address was previously in use by such an operation, but that does come in the 'long shots' area, rather than anything that is actually probable.

Anyway, here is my list of likely causes of network slowdowns. I thought of something else overnight, but now I've lost it, so I know this list is missing at least one thing. And, the order of items in such a list is always rather context sensitive. If I know that you are a software engineer and you make your own cables, I'll push faulty/intermittent cables up the list. (And, you'll swear I'm wrong, but we'll see.)

And, you could clearly agglomerate items differently; for example, you could put all of the wireless items together.
  1. 'Bad' DNS server (probably using a server that does not exist, but could be one that does exist, but doesn't respond or is very slow)
  2. Poor contention ratio
  3. Poor ISP performance, generally (ie, the ISP is just plain slow)
  4. Wireless transmission path showing excessive attenuation
  5. Intermittent ethernet cable, or cable of insufficient performance (eg, cat 4 where cat 6 is required)
  6. Poor computer performance generally (eg, swapping) leading to computer not being able to handle data at high rates
  7. ISP performance throttling (either due to a plain mistake at the ISP, or false (???) detection of abuse, leading to deliberate throttling or QoS restrictions)
  8. Wireless in poor sig-to-noise band (eg, interference from other noise sources in the band, or selection of a band that, while originally quiet, is now noisy)
  9. Need to re-learn bands, for ADSL transmission (after lightning strike re-setting m/r or after line works shifting acceptable frequency bands)
  10. Noise on ADSL line, leading to poor sig:noise ratio
  11. Poor ADSL line quality/excess ADSL line distance, leading to use of few sub-bands
  12. IPV6 enabled in networking
  13. IPV6 enabled in browser
  14. Badly configured router/router needing firmware update
  15. Default gateway incorrect
  16. mDNS (etc) setting DNS server incorrectly, although initial local setting correct
  17. Badly configured interface at local exchange (too few bands allocated)
  18. Ethernet in low bit rate/half-duplex mode
  19. Failed/marginally failed microfilter (after, eg, lightning strike)
  20. Incorrect MTU leading to re-tries...and re-re-tries
  21. Poorly configured local filtering on POTS copper line (eg, interference from baseband equipment locally to the user premises)
  22. -> attack <-
  23. Incorrect asymmetry in adsl connection (upstream:downstream bandwidth incorrectly allocated)
  24. keep losing DHCP-assigned IP address (lease time set badly at one end or the other, or ignored)
  25. Wireless system antennas incorrectly mutually aligned (if antennas have variable alignment, or the boxes at either end can be aligned)

A list of this kind is really almost impossible to get absolutely 'right'; you either have wireless or you don't, and if you don't have wireless, then the wireless items are irrelevant, even though they cause problems for those with wireless. Equally, the DNS and IPV6 stuff are, taken together, probably the most common causes of problems, but, once you are aware of those and know how to get the set-up right, you won't have those problems. And, quite a lot of this is rate dependent - mostly, you get away with lowered internal network data rates, because the link to the wider internet isn't that fast, but as expectations of a fast connection rise, then that puts the internal network rates under more pressure.

And I am absolutely sure that everyone will have a slightly different ordering of those things. Absolutely sure of that.
 