Australian Internet Security Initiative - DDoS reporting

It appears something is being done about Distributed Denial of Service (after the Census debacle). I received the following from my ISP (name removed):-
(My ISP) participates in the Australian Internet Security Initiative (AISI) which is a service provided by the Australian Communications and Media Authority (ACMA) to assist in reducing spam and to improve the security level of the Australian Internet.

We recently received an AISI report from the ACMA indicating that a computer connected to your (ISP) broadband service has been compromised and might be infected with malicious software. The following details were provided to us:
IP Address: Date: Time: Type: Vulnerable Service: DDoS Amplifier (DNS)

My ISP sends and automated response to me by email. The email isn’t very helpful and the links aren’t either. Unless you know what a DDoS is, you might still be guessing, it does not address us by name and could be construed with spam. So a way to go to help the consumer, but a good start towards cleaning up DoS attacks.

Now, my other gripe. I have been fully protected by McAfee Security Centre, which gave me the big green tick “Your System Is Secure”. Yet according to the AISI, I am leaking nasties on a daily basis. Re-installed, scanned again, several times - nothing.

Anyone else experiencing this?

It may still be a scam email. Do you have a fixed address from your ISP or is it dynamically allocated? If fixed it is probably worthwhile checking Spamhaus to see if your IP address is listed. https://www.spamhaus.org/lookup/. You can also check you IP against a multiple of lists at http://whatismyipaddress.com/blacklist-check

If your address is dynamically allocated then it may be any one who uses your ISP who had that address at the time. Again you can use Spamhaus or the MyIP one to see if it is on their lists.

If you think you may be infected also run Malwarebytes (free edition)

As to your AV package I would suggest you have a read of some testing done on AV products. McAfee is trending downwards in AV testing but is still a good option but there are better out there, and it is somewhat of a resource hog. Have a look at AV Comparatives results https://www.av-comparatives.org/wp-content/uploads/2016/12/avc_prot_2016b_en.pdf

and/or Av-Test.org Test antivirus software for Windows 10 - August 2023 | AV-TEST

Also visit BleepingComputers https://www.bleepingcomputer.com/forums/ for extra help and advice if needed.
Hope they help you

I raised it with my ISP who responded that they only relay the message - they do not offer any help.

As I am on a Satellite service and this is the only device on this connection, and IP address is correct - I am assuming it’s me. I disabled WiFi 10 days ago (before the first report). If anyone knows how to configure a Belkin WiFi so it does not reduce the internet speed to a crawl and seemly do the other two devices for only a minute at a time - let me know. I am getting so frustrated with this set up. Belkin has no ‘set-up’ for a satellite dish - I tried ‘Cable’ (figuring it similarly doesn’t require a password etc - a direct connect), doesn’t work.

Thanks for the links. Not on any blacklists. Whew! I am still welcome out there.

Actually this service does exist and the link can be found at http://www.acma.gov.au/Industry/Internet/e-Security/Australian-Internet-Security-Initiative/australian-internet-security-initiative

A relevant section of the page is

"Through the AISI, daily email reports are provided to internet providers identifying IP addresses on their networks observed as being malware infected or potentially vulnerable to malicious exploits. Internet providers are encouraged to use the AISI data to identify and inform affected customers about their malware infection or service vulnerability, including providing advice to infected customers on how they can fix the compromise or remedy the open or vulnerable service.

The malware infection and service vulnerability data used in the AISI is provided by organisations seeking to enhance the security of the Internet, including Microsoft, the Spamhaus Project and the Shadowserver Foundation. This data is independently assessed by the ACMA before it is included in the AISI program. AISI data is constantly updated as new infections, threats and vulnerabilities emerge."

Your IP address can still vary depending on how they allocate IP addresses. If you turn your Router/Satellite hardware off or they refresh the link you can get a change of IP address if they dynamically assign them.

As to your wifi issue I am not really sure what you require. If the wifi connection is for your household usage ie so you can surf wirelessly then that is easy to secure. If it is about connection between your house and the dish that is done through a wireless signal I would recommend you discuss it with your provider.

For you home wireless security I can assist you over the web using Teamviewer but I can give you a basic run down of the steps if you need them just PM me.

Further to your issue the [quote=“zackarii, post:1, topic:13073”]
DDoS Amplifier (DNS)
[/quote]

This is a vulnerability in DNS Server resolvers (something that is more to do with your provider than you). DNS (Domain Name System) allows you to type in an address such as www.microsoft.com and have it converted to a numeric reference so the site can be found. This is because the internet is really using numbers not words to link to sites.

The problem is port 53 (UDP) is allowing these requests through when it shouldn’t be. So a fix could be to use another DNS service such as google’s (Configure your network settings to use the IP addresses 8.8.8.8 and 8.8.4.4 as your DNS servers) or OpenDNS (208.67.222.222 & 208.67.220.220) instead of the DNS service your provider supplies.

From a write up about the SpamHaus DDoS attack http://news.idg.no/cw/art.cfm?id=E79BC5BA-B95C-BAB5-8AFA3980E773A39C

"DNS servers are used primarily to look up and resolve domain names such as www.computerworld.com and www.idg.com to their corresponding IP addresses. If a DNS server does not have the domain information in its database or cache. it queries other nearby DNS servers for the information.

Ideally, DNS servers should be configured only to handle look up requests coming from within a specific domain or IP address range. So a DNS server belonging to an ISP should handle only requests coming from within the its IP address range.

In reality however, millions of DNS servers are configured by default to be open DNS resolvers that accept and respond to queries from outside their own domain, making them vulnerable to exploitation by attackers because virtually anyone on the Internet can use an open DNS server to handle genuine or malicious queries."

I have a satellite dish on the roof, which connects to a box on the wall, which has an Ethernet cable to my laptop. All fine so far. No passwords or set up of software to get internet connection.

However, my husband has a tablet and I have a phone, neither of which can get the internet (no mobile signal here). My answer was a WiFi (it is secured WPA2 with passwords - nearest neighbour 1km away - dead end road). Worked on my ultra slow ADSL. Now on satellite (as described above), it goes very slow. 12MB/s on ethernet cable to down to 0.036MB/s on WiFi. Should only be marginally slower. Also notice that the tablet will download for about a minute, stop, the start again in a minute or so. I have been searching the net for answers, but satellite is so rare there’s little help there.

I have now received more AISI reports through my ISP, this time for DDoS Amplifier (DNS) and SMB. I realise my ISP is only passing on what they have received from the AISI, but their links to assistance are woeful. One link no longer exists, the other two - staysafeonline and AISI give me nothing I can use. AISI has statistics which show SMB to be a big issue.

As I have been having connection problems with the satellite NBN (off line for days, a few minutes of connection now & then, but kind of working for the last 2 days) I had removed the WiFi modem, connected the laptop directly by LAN to the NBN Satellite modem. Everything is up to date Win 7 Pro, McAfee scans OK.

So why can’t AISI write something that the layman can understand that my ISP can link to? Are any other people getting AISI reports?

I can tell you some steps to perhaps resolve the SMB issue (this is not related to how you connect to the internet). The steps outlined below will turn off the SMB v1.0 service on your machine which is what the Wannacry and similar Ransomware variants use to infect your machine.

If you are using Win 7 you need to run some commands from the Command prompt (admin privileges). So first do these steps:

1. Click Start, click All Programs, and then click Accessories.
2. Right-click Command prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

Once the Cmd box is open enter these commands one after the other (feel free to copy and paste) pressing enter after each:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

If using Win 8, 8.1, or 10 you can use the search bar at the bottom (Cortana) and type Control Panel then from the list select the one at the top that says Control Panel Destop App. When “Control Panel” opens up go to “Programs and Features” and when it opens select “Turn Windows features on or off”. When this list populates untick the “SMB 1.0/CIFS File Sharing Support” and then click “OK”.

The DDoS Amplifier part is more difficult. It could mean that your settings on a router are not correctly setup and are allowing traffic in and out that shouldn’t have access. It could also mean that the DNS servers you use have been hacked. Or perhaps at least one of your computers/tablets/phones may have been infected/hacked and is now part of a Bot network which would mean you need to clean them up to ensure they are not infected.

Check your Router/Modem to make sure the NAT (Network Address Translation) and firewall are on if not turn them on. Change the default login name and password for the Router/Modem and keep a record of it. Ensure you are using WPA or preferably WPA2 to secure your Wifi Traffic, I note you posted you are but if you have been hacked things could have been changed (not a big risk where you say you are but still worth doing).

Ensure you have a decent Antivirus program on your PC (not necessarily a paid one) try Avira, Avast, (these previous 2 can be easily setup from https://ninite.com), Bitdefender (has a free version), Norton, Panda, Kaspersky or Trend Micro are all good options but some do cost and please don’t rely on Microsoft’s Defender/Security Essentials. McAfee is a bit resource hungry and can be a little less than what you want when seeking good results but if you like it then try an online scan as well such as Trend’s Housecall:

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105967.aspx?vwd=KB--prd=gen--src=HHOLanding-_-loc=Default

Make sure your PC’s firewall is turned on, The Windows’ one is fine but there are others out there eg Comodo or Zonealarm Free and some Security Suites come with their own firewall.

Once you have determined what AV product you want and have installed it you need to install the free version (you can buy the Pro version but there is no need) of Malwarebytes (https://www.malwarebytes.com/mwb-download/thankyou/).

HOW TO ENTER SAFE MODE IN WINDOWS

To get to safe mode in Win 7 you need to restart your machine and as it boots up keep pressing (multiple presses not a single long one) the F8 key, if successful you will see a list of start up options and you just need to move to the Safe Mode with Networking one and press Enter. If not successful just restart and repeat until you get it.

For Win 10 it is a bit different to get to this mode. You have to click the Setting icon (looks like a cog) from your Start menu, then click “Update & Security” then click “Recovery” then click “Restart now” under the “Advanced start-up” paragraph. At this point your machine will restart and you need to Click " Troubleshoot" from the options then “Advanced options”, click “Startup Settings” click “Restart”. Your PC will restart and you will be offered a list of options and in this case press the number 5 on your keyboard.

Enter “Safe Mode with Networking” on your Windows machine/s run Malwarebytes, update it, then in it’s settings tab ensure scan for rootkits is ticked and finally run a scan. If it detects any problems allow it to clean them up. It may ask you to restart to finish cleaning up but just delay the restart until you do the next step.

After finishing the Malwarebytes scan then you should go to the Hosts file found in “%WINDIR%\system32\drivers\etc” (just copy and paste that entry into file explorer without the quotes) and check if there are entries there beyond “127.0.0.1 localhost” (if any others have a # before them they can be ignored). If there are other entries check them out by doing a web search to see if they should be there. The Hosts file cannot normally be altered but you can right click it, select properties, and uncheck the “Read only” setting and remove any bad entries. Do not remove the 127.0.0.1 localhost one it is very important.

After this has been done you can restart your PC and it will restart in normal mode. Once you are logged in run a complete Virus Scan to ensure anything missed gets caught and if you wish run an online scan.

On the phones look to use a decent AV product with well respected names eg AVG, Avira, Kaspersky (many can be used free and ensure you get the “real” ones). Then scan your phone. If Apple iPhones I am not sure what is available for them. If you really are unsure if everything is ok you can do a factory reset but be aware this will delete all your saved data, so back them/it up just in case before you do the reset.

If the tablet/s are Android again use the same as the phones and if Windows based use the same as on the PC. Again on an Android Tablet you can do a factory reset and again be sure to back up beforehand.

I hope these hints and steps help get your problems sorted out.

Great explanation and assistance. Thank you @grahroll!

My pleasure, I hope it helps people out and keeps their online activities safer.