Find out if slow internet access is due to being attacked
Internet access from an ADSL router gets very slow at times. I know there may be many networking reasons for this, but let's focus on the security aspect for now: might it be that I am being attacked at the public IP? How can one find out if an attack is going on?
Let's see where the "stuff" gets eaten up. Try to install a rootkit hunter first. Just to see if someone is inside already. Check with your distro for that.
If the system is reported as clean, issue this in the console:
Quote:
netstat -anp | more
and see what processes are hooked up to the Internet. Next, let's see if you're getting the goods you pay your provider for: do a speed test...
It could be as simple as a failing network portion in the network of the provider or excessive traffic "nearby". Attacks from the OUTside may slow things down, but traffic from and to the outside is more likely to slow things down...
And, last but not least, keep your box up to date...
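An added example, not code from the post above: a small POSIX shell/awk script that reads the `netstat -anp` listing the reply suggests and pulls out the two things worth looking at, namely sockets listening on anything other than loopback (what a remote host or a port-forward on the router could reach) and live connections whose far end is on the public Internet, with the owning program. The sample listing is constructed here with RFC 5737 documentation addresses and made-up PIDs; the column layout assumed is the classic net-tools one, so `ss -tunap` output would need its own field mapping.

```sh
#!/bin/sh
# Added example, not code from the thread: pick the security-relevant rows out of
# `netstat -anp`. Assumes the classic net-tools column layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
# (UDP rows have no State column, so PID/Program is field 6 there.)
# Program names containing spaces (e.g. "sshd: user") would shift the fields;
# the sample below avoids that.

# Addresses the public Internet cannot reach directly: wildcard, loopback,
# RFC 1918, link-local, and their IPv6 counterparts (::, ::1, fe80::/10, fc00::/7).
LOCAL_RE='^(0[.]0[.]0[.]0$|127[.]|10[.]|192[.]168[.]|169[.]254[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|::1?$|fe80:|f[cd][0-9a-f][0-9a-f]:)'

# Constructed sample listing (RFC 5737 documentation addresses, fake PIDs).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 192.168.1.10:40312      198.51.100.7:443        ESTABLISHED 2231/firefox
tcp        0      0 192.168.1.10:22         203.0.113.45:51234      ESTABLISHED 3100/sshd
tcp        0      0 192.168.1.10:445        192.168.1.22:50211      ESTABLISHED 710/smbd
tcp6       0      0 :::80                   :::*                    LISTEN      1200/apache2
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           900/avahi-daemon
udp        0      0 192.168.1.10:68         0.0.0.0:*                           512/dhclient
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345    640/cupsd    /run/cups/cups.sock'

# Sockets listening on anything other than loopback: what a remote host (or the
# router's port-forward) could reach. Prints: proto <tab> local address <tab> program
exposed_listeners() {
    awk -v OFS='\t' '
    $1 ~ /^(tcp|udp)6?$/ {
        addr = $4; sub(/:[^:]*$/, "", addr)            # strip the port
        prog = ($1 ~ /^tcp/) ? $7 : $6
        listening = ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:[*]$/)
        if (listening && addr !~ /^(127[.]|::1$)/) print $1, $4, prog
    }'
}

# Live sockets whose far end is on the public Internet, with the owning program.
# Prints: program <tab> proto <tab> local <tab> foreign <tab> state
external_peers() {
    awk -v OFS='\t' -v local_re="$LOCAL_RE" '
    $1 ~ /^(tcp|udp)6?$/ && $5 !~ /:[*]$/ {
        faddr = $5; sub(/:[^:]*$/, "", faddr)
        prog = ($1 ~ /^tcp/) ? $7 : $6
        if (faddr !~ local_re) print prog, $1, $4, $5, ($1 ~ /^tcp/ ? $6 : "-")
    }' | sort -u
}

echo "== listening on non-loopback addresses =="
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "== connections to public addresses =="
printf '%s\n' "$SAMPLE_NETSTAT" | external_peers
# On a live host (root is needed to see the PID/Program column for other users' processes):
#   netstat -anp | exposed_listeners ; netstat -anp | external_peers
```

On the sample, the second list is the interesting one: the browser talking to a web server on 443 is expected, but an ESTABLISHED session on the local port 22 from a public address is someone logged in over SSH from the Internet, which is exactly the kind of row the reply means by "see what processes are hooked up to the Internet". Run it a few times while the link is slow; a process you do not recognise with a public peer is a better lead than any amount of traffic merely hitting the address.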
Isn't there anything to detect attacks from the outside?
If I'm being attacked at my public IP, then is it any use to make that IP something else at a server elsewhere by using a VPN to that server, so netstat can be run there instead?
You could restart the modem; that way, it will/should request a different IP address from your provider. If the slow state still persists, then we should look further...
Unless you're running a public server...
Quote:
I know there may be many networking reasons for this but let's focus on the security aspect for now:
So, you've decided to focus on one of the least likely causes, so the chances are that this will prove completely inconclusive. OK, I'm game.
Do you see any packets that you don't understand on your side of whatever connects you to whatever type of network connection you have?
If that fails, do you have any diagnostics in the interface device that tell you anything? Do you have any diagnostics from your ISP (and that may include data usage from your ISP, as that may show up surprising data rates on the far side of whatever the interface is)?
If you don't have any of the above, you may be forced into considering something that is more likely, or give up.
How are you measuring performance? I use an ftp server provided by my ISP, and by downloading and uploading a 5 MB file I can get a reasonable benchmark. See if your ISP has some similar performance test facility.
Do you have more than one computer sharing the connection? Is someone else on your LAN hogging the bandwidth?
Does your modem have any logging capabilities? My ZyXel has at least some statistics available. Compare the Packets received/transmitted by the WAN and see how that compares with the traffic on the LAN. If the WAN is a lot larger then perhaps the modem is blocking some attack traffic.
Once you have some data/evidence get hold of your ISP and raise a little H. You are paying them for performance. If they are not delivering they should be willing to assist in resolving the issue.
I can guarantee you that your public IP IS getting attacked. In fact, it would be a safe bet to say that all public IP, or at least almost all public IP addresses are getting attacked. There are millions of idiots out there running bots and other scanning scripts. These scripts will try to find everything from vulnerable SSH servers to printers, including remote desktops, mail servers, VOIP servers, etc.
The likelihood of you personally being attacked, with the express intent to overwhelm and compromise you, is remote, and by this token a Denial of Service (DoS) attack against you to reduce your bandwidth is equally unlikely. Real possibilities of what could be happening include failing hardware, noise on your DSL lines, Sandvine and other throttling activity from your provider, etc.
The first steps to identify the problem include those spelled out above: use netstat to see what connections you have open, make sure your own system hasn't been compromised, run some speed tests, etc. You can also use the application iftop, which will watch your network connections and show you what applications are using bandwidth.
In answer to your question about watching the traffic to "see if you're being attacked", you can look at the traffic manually, using an application like Tcpdump, or you could use a packet sniffer like Snort. If you go the Snort route, beware that you will get A LOT of false positives. It is important to realize that what is hitting your public IP isn't the important part, but rather what is making it through your firewalls to the applications and what your system is having to deal with.
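An added example, not code from the post above: the post's point is that what gets through the firewall matters more than what merely hits the address, and a rate-limited iptables LOG target on each side of that decision, plus a few shell/awk functions over the resulting kernel log, gives exactly that split without Snort's false-positive problem. The rules, the `FW-DROP:`/`FW-ACCEPT:` prefixes, the interface name `ppp0` and the log lines are all constructed for the example (RFC 5737 addresses); any real firewall would have its own rule set around them.

```sh
#!/bin/sh
# Added example, not code from the thread: summarise iptables LOG lines so the
# packets that merely hit the public IP (dropped) can be compared with those
# that got through to an application (accepted). Assumes rules on the WAN
# interface along these lines, placed after the usual ESTABLISHED/RELATED accept,
# with distinct prefixes on the two LOG targets and a rate limit so the logging
# itself cannot become the bottleneck during a flood:
#   iptables -A INPUT -i ppp0 -p tcp --dport 22 -m conntrack --ctstate NEW \
#       -m limit --limit 30/min -j LOG --log-prefix "FW-ACCEPT: "
#   iptables -A INPUT -i ppp0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#   iptables -A INPUT -i ppp0 -m limit --limit 60/min -j LOG --log-prefix "FW-DROP: "
#   iptables -A INPUT -i ppp0 -j DROP

# Constructed sample of the resulting kernel log (syslog format, RFC 5737 addresses):
# one host sweeping several ports, one host probing then logging in on 22, one UDP probe.
SAMPLE_FWLOG='Mar  3 10:15:01 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=49 ID=1 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:15:01 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=49 ID=2 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  3 10:15:01 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=49 ID=3 PROTO=TCP SPT=40003 DPT=3389 SYN
Mar  3 10:15:01 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=60 TTL=52 ID=4 PROTO=TCP SPT=51000 DPT=3306 SYN
Mar  3 10:15:02 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=49 ID=5 PROTO=TCP SPT=40004 DPT=22 SYN
Mar  3 10:15:02 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=49 ID=6 PROTO=TCP SPT=40005 DPT=5900 SYN
Mar  3 10:15:07 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=60 TTL=52 ID=7 PROTO=TCP SPT=51001 DPT=2222 SYN
Mar  3 10:15:08 gw kernel: FW-ACCEPT: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=60 TTL=52 ID=8 PROTO=TCP SPT=51002 DPT=22 SYN
Mar  3 10:15:30 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.20 LEN=137 TTL=55 ID=9 PROTO=UDP SPT=1900 DPT=1900 LEN=117'

# Normalise each LOG line to: VERDICT SRC PROTO DPT Mon Day HH:MM:SS
# Tokens are located by name, so extra fields (e.g. a "[ 1234.5678]" uptime
# stamp between "kernel:" and the prefix) do no harm.
fw_parse() {
    awk '
    {
        verdict = src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FW-[A-Z]+:$/) { verdict = substr($i, 4, length($i) - 4) }
            else if ($i ~ /^SRC=/)   { src = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^DPT=/)   { dpt = substr($i, 5) }
        }
        if (verdict != "" && src != "") print verdict, src, proto, dpt, $1, $2, $3
    }'
}

# Packets per verdict: background scanning shows as DROP far above ACCEPT.
fw_summary() {
    fw_parse | awk '{ c[$1]++ } END { for (v in c) print v, c[v] }' | sort
}
# Top N source addresses for a verdict (DROP = scanners/floods, ACCEPT = who got in).
fw_top_sources() {   # $1 verdict, $2 N
    fw_parse | awk -v v="$1" '$1 == v { c[$2]++ } END { for (s in c) print c[s], s }' \
        | sort -k1,1nr -k2,2 | head -n "$2"
}
# Top N destination ports (PROTO/DPT) for a verdict.
fw_top_ports() {     # $1 verdict, $2 N
    fw_parse | awk -v v="$1" '$1 == v && $4 != "" { c[$3 "/" $4]++ } END { for (p in c) print c[p], p }' \
        | sort -k1,1nr -k2,2 | head -n "$2"
}
# Busiest second for a verdict: the figure that says whether the volume could
# plausibly eat an ADSL link, as opposed to "the IP is being scanned" (it always is).
fw_peak_pps() {      # $1 verdict
    fw_parse | awk -v v="$1" '$1 == v { c[$5 " " $6 " " $7]++ } END { for (t in c) print c[t], t }' \
        | sort -k1,1nr -k2 | head -n 1
}

echo "== packets by verdict ==";    printf '%s\n' "$SAMPLE_FWLOG" | fw_summary
echo "== top dropped sources ==";   printf '%s\n' "$SAMPLE_FWLOG" | fw_top_sources DROP 3
echo "== top dropped ports ==";     printf '%s\n' "$SAMPLE_FWLOG" | fw_top_ports DROP 3
echo "== peak drops per second =="; printf '%s\n' "$SAMPLE_FWLOG" | fw_peak_pps DROP
echo "== who got through ==";       printf '%s\n' "$SAMPLE_FWLOG" | fw_top_sources ACCEPT 3
# On a live host: grep 'FW-' /var/log/kern.log | fw_summary   (or: journalctl -k | fw_summary)
```

Two caveats when reading the numbers. Because the LOG rules are rate-limited, the per-second peak is a floor, not a measurement: during a real flood the log shows at most the `--limit` rate and the router's WAN packet counters (as another reply suggests) are the better gauge of volume. And a handful of dropped SYNs per second from a port sweep, like the sample, costs an ADSL link nothing; it is the ACCEPT column, the traffic that reached a listening service, that connects back to the `netstat`/iftop checks on the host.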
Quote:
I can guarantee you that your public IP IS getting attacked. In fact, it would be a safe bet to say that all public IP, or at least almost all public IP addresses are getting attacked. There are millions of idiots out there running bots and other scanning scripts. These scripts will try to find everything from vulnerable SSH servers to printers, including remote desktops, mail servers, VOIP servers, etc.
That's absolutely a fair point, but the only cases that you would commonly see of this being a sufficiently persistent attack to cause noticeable data rate loss would be if you were running an Online Casino operation (or similar... anyone for whom a denial of service would have a directly definable bottom line cost) that could be thought to be up for exploitation.
Of course, we don't know that the OP isn't running an Online Casino. Or, just maybe, his IP address was previously in use by such an operation, but that does come in the 'long shots' area, rather than anything that is actually probable.
Anyway, here is my list of likely causes of network slowdowns. I thought of something else overnight, but now I've lost it, so I know this list is missing at least one thing. And, the order of items in such a list is always rather context sensitive. If I know that you are a software engineer and you make your own cables, I'll push faulty/intermittent cables up the list. (And, you'll swear I'm wrong, but we'll see.)
And, you could clearly agglomerate items differently; for example, you could put all of the wireless items together.
'Bad' DNS server (probably using a server that does not exist, but could be one that does exist but doesn't respond or is very slow)
Poor contention ratio
Poor ISP performance, generally (ie, the ISP is just plain slow)
Intermittent ethernet cable, or cable of insufficient performance (eg, cat 4 where cat 6 is required)
Poor computer performance generally (eg, swapping) leading to computer not being able to handle data at high rates
ISP performance throttling (either due to a plain mistake at the ISP, or false (???) detection of abuse, leading to deliberate throttling or QoS restrictions)
Wireless in poor sig-to-noise band (eg, interference from other noise sources in the band, or selection of a band that, while originally quiet, is now noisy)
Need to re-learn bands, for ADSL transmission (after lightning strike re-setting m/r or after line works shifting acceptable frequency bands)
Noise on ADSL line, leading to poor sig:noise ratio
Poor ADSL line quality/excess ADSL line distance, leading to use of few sub-bands
Incorrect mtu leading to re-tries...and re-re-tries
Poorly configured local filtering on POTS copper line (eg, interference from baseband equipment locally to the user premises)
-> attack <-
Incorrect asymmetry in ADSL connection (upstream:downstream bandwidth incorrectly allocated)
keep losing DHCP-assigned IP address (lease time set badly at one end or the other, or ignored)
Wireless system antennas incorrectly mutually aligned (if antennas have variable alignment, or the boxes at either end can be aligned)
A list of this kind is really almost impossible to get absolutely 'right'; you either have wireless or you don't, and if you don't have wireless, then the wireless items are irrelevant, even though they cause problems for those with wireless. Equally, the DNS and IPv6 stuff are, taken together, probably the most common causes of problems, but, once you are aware of those and know how to get the set-up right, you won't have those problems. And, quite a lot of this is rate dependent - mostly, you get away with lowered internal network data rates, because the link to the wider internet isn't that fast, but as expectations of a fast connection rise, then that puts the internal network rates under more pressure.
And I am absolutely sure that everyone will have a slightly different ordering of those things. Absolutely sure of that.