Netgate Discussion Forum

How to detect a cyber attack

General pfSense Questions
28 Posts 9 Posters 3.9k Views
hugoeyng @Derelict
last edited by Aug 30, 2019, 2:00 PM

@Derelict Instead of Google DNS or ISP DNS, what IP could I use to monitor? Any suggestion?

I love pfSense!

Hugo Eyng
Datamais Sistemas

KOM
last edited by Aug 30, 2019, 2:01 PM

Perhaps one of your ISP's core routers. Do a traceroute somewhere and see what the second or third hop is.

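KOM's suggestion, picking a monitor IP from the second or third traceroute hop, is easy to get wrong by hand: the first hops are often your own CPE (RFC 1918) or a CGNAT address (100.64.0.0/10), neither of which is the ISP's router, and a hop that answers from two different addresses means the ISP load-balances across two routers. The script below is an added example, not code from the thread or from pfSense. It parses FreeBSD-style traceroute output (a constructed sample is embedded; the "ISP" hops use documentation address ranges as stand-ins for real public routers) and returns only the hops that answered and sit on the ISP's side of the handoff. The address ranges it excludes and the hop numbers it looks at are the example's own assumptions.

```python
"""Pick gateway-monitor candidates from traceroute output.

Added example (not from the thread or from pfSense): parse FreeBSD-style
traceroute output and return the addresses at hops 2 and 3 that are
(a) actually answering and (b) on the public side of the ISP handoff.
Your own CPE (RFC 1918) and a CGNAT hop (100.64.0.0/10) are not what you
want to monitor, so they are skipped.
"""
import ipaddress
import re

# Constructed sample output. The "ISP" hops use documentation ranges
# (203.0.113.0/24, 198.51.100.0/24) as stand-ins for real public routers.
SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.301 ms  0.288 ms
 2  100.64.0.1 (100.64.0.1)  4.120 ms  3.980 ms  4.005 ms
 3  203.0.113.17 (203.0.113.17)  8.123 ms  8.044 ms
    203.0.113.21 (203.0.113.21)  8.301 ms
 4  * * *
 5  198.51.100.9 (198.51.100.9)  12.201 ms  12.113 ms  12.540 ms
 6  8.8.8.8 (8.8.8.8)  13.002 ms  12.877 ms  12.910 ms
"""

# Ranges that cannot be the ISP's core router: your LAN, your CPE, CGNAT.
# (Assumed list for this example; extend it for your own deployment.)
NOT_ISP_SIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # " 3  host (addr) ..." starts a hop
ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")   # the (a.b.c.d) part


def parse_hops(text):
    """Return [(hop_number, [responding addresses])] in hop order.

    A hop that only printed '* * *' has an empty list. A continuation line
    (indented, no leading hop number) belongs to the previous hop; traceroute
    prints one when different probes were answered by different routers.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            hops.append((int(m.group(1)), ADDR.findall(m.group(2))))
        elif hops and line.startswith(" "):
            for addr in ADDR.findall(line):
                if addr not in hops[-1][1]:
                    hops[-1][1].append(addr)
    return hops


def is_isp_side(addr):
    """True if addr is outside the LAN/CPE/CGNAT ranges above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NOT_ISP_SIDE)


def candidate_monitors(text, hop_numbers=(2, 3)):
    """Addresses at the requested hops (KOM's 'second or third hop') that
    answered and are on the ISP's side of the handoff, keyed by hop."""
    wanted = {}
    for hop, addrs in parse_hops(text):
        if hop in hop_numbers:
            wanted[hop] = [a for a in addrs if is_isp_side(a)]
    return wanted


def first_isp_hop(text):
    """(hop_number, addresses) of the first hop with a public, answering
    router, or None if no hop qualifies."""
    for hop, addrs in parse_hops(text):
        public = [a for a in addrs if is_isp_side(a)]
        if public:
            return hop, public
    return None


if __name__ == "__main__":
    print(candidate_monitors(SAMPLE_TRACEROUTE))  # {2: [], 3: ['203.0.113.17', '203.0.113.21']}
    print(first_isp_hop(SAMPLE_TRACEROUTE))        # (3, ['203.0.113.17', '203.0.113.21'])
```

Run it against `traceroute 8.8.8.8` output from the pfSense shell instead of the sample. In the sample, hop 2 is a CGNAT address and is discarded, and hop 3 answers from two routers: pfSense's monitor only pings one of them, so if that one is pulled from rotation while traffic keeps flowing over the other, the gateway gets flagged anyway, which is the situation Raffi_ describes later in the thread.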
stephenw10 Netgate Administrator
last edited by Aug 30, 2019, 2:09 PM

I've never seen an issue using 8.8.8.8 personally.

The fact that you have some swap usage shown in that screenshot shows that at some point you exhausted the RAM. That can make things go waaaay slower.
Check the Status > Monitoring graphs for memory usage. Does it peak when you see these incidents?

Steve

Rico LAYER 8 Rebel Alliance @stephenw10
last edited by Aug 30, 2019, 2:12 PM

@stephenw10 said in How to detect a cyber attack:

I've never seen an issue using 8.8.8.8 personally.

Yeah, I like to use 8.8.8.8, 8.8.4.4 and 1.1.1.1 for monitoring too.

-Rico

hugoeyng @KOM
last edited by Aug 30, 2019, 2:39 PM

@KOM Great!

I love pfSense!

Hugo Eyng
Datamais Sistemas

hugoeyng @Rico
last edited by Aug 30, 2019, 2:41 PM

@Rico I am not sure, but it is possible that "You will get false positives using Google's DNS servers," as @tim-mcmanus said.

But I liked @KOM's suggestion.

I love pfSense!

Hugo Eyng
Datamais Sistemas

Rico LAYER 8 Rebel Alliance
last edited by Aug 30, 2019, 2:48 PM

I have never heard of Google deliberately dropping ICMP traffic to their DNS servers, and personally I have never had any issues with it.

(attachment: WANGW.png)
WANGW is using 8.8.8.8 atm.

-Rico

Rico LAYER 8 Rebel Alliance
last edited by Aug 30, 2019, 2:51 PM

Monitoring any ISP router does not really show a reliable route to the Internet.
Your ISP could have any routing/peering issue, even if their (core) router is perfectly reachable from your side.

-Rico

KOM
last edited by Aug 30, 2019, 2:58 PM

It shows you if there is a problem between you and your ISP. Anything past that is out of your control. The whole point of the thing is to be a gateway monitor, not a 5-hops-away monitor. The farther away you monitor, the more likely you will get a false positive of some sort, and I wouldn't want my gateway going down because there is a routing problem many hops away from me.

Raffi_
last edited by Aug 30, 2019, 3:04 PM

On the monitor IP topic, I agree with @Rico and @stephenw10. I have not had issues so far with Google DNS. In fact, I switched to Google DNS because I suddenly had issues with my ISP's (third-hop router). After months of working fine, we had power failures in the area, which I suspect also caused issues with that route on the ISP's network. My gateway was marked as down when it wasn't. Switched to 8.8.8.8 and it's been good since then. Is it a perfect solution? No. Will this happen to you? Probably not, but using a device IP on a specific route on the ISP's network seems like trouble to me. If that route goes down like in my case, the traffic will get rerouted and still reach where it needs to go on the web. But that can't happen if my gateway is marked as down and monitoring action is enabled. Ideally, I would like to be able to put in multiple monitor IPs, so if one is not responding another one could.

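The thread's two failure modes (one ISP router that stops answering while traffic still flows, and an anycast resolver that may answer slowly or not at all from a given vantage point) both come from judging the gateway on a single monitor IP. The script below is an added example, not pfSense or dpinger code, of the rule Raffi_ asks for: each monitor target is classified on its own from a window of probe results, and the gateway is only declared down when a quorum of targets agree. The loss and latency thresholds, the ten-probe windows, and the per-target RTT samples are all constructed for the example; compare the thresholds with the Advanced settings of your own gateway before taking the numbers as anything more than illustration.

```python
"""Gateway-state decision from several monitor targets at once.

Added example (not pfSense/dpinger code). pfSense judges a gateway from
one monitor IP; this shows a quorum rule over several. Each target is
classified from its own probe window, and the gateway is declared down
only when enough targets agree. Thresholds and probe data below are this
example's own assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    loss_warn: float = 10.0     # percent of probes unanswered
    loss_down: float = 20.0
    rtt_warn_ms: float = 200.0  # average round-trip time in ms
    rtt_down_ms: float = 500.0


def classify_target(rtts_ms, th=Thresholds()):
    """Classify one monitor target from a window of probe results.

    rtts_ms: one entry per probe, a float RTT in ms or None for no reply.
    Returns (state, loss_pct, avg_rtt_ms) with state in {"up","warn","down"};
    avg_rtt_ms is None when nothing answered.
    """
    if not rtts_ms:
        raise ValueError("need at least one probe")
    answered = [r for r in rtts_ms if r is not None]
    loss = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    avg = sum(answered) / len(answered) if answered else None
    if loss >= th.loss_down or (avg is not None and avg >= th.rtt_down_ms):
        return "down", loss, avg
    if loss >= th.loss_warn or (avg is not None and avg >= th.rtt_warn_ms):
        return "warn", loss, avg
    return "up", loss, avg


def gateway_state(results, th=Thresholds(), quorum=None):
    """Combine per-target states into one gateway verdict.

    results: {target_ip: [rtt or None, ...]}. quorum: how many targets must
    be 'down' before the gateway is (default: a strict majority). A single
    unhealthy target therefore only yields 'warn', which is what you want
    when that target is an anycast resolver or one ISP router that may stop
    answering while the path itself is fine.
    Returns (gateway_state, {target: state}).
    """
    if not results:
        raise ValueError("no monitor targets")
    per_target = {ip: classify_target(r, th)[0] for ip, r in results.items()}
    if quorum is None:
        quorum = len(results) // 2 + 1
    down = sum(1 for s in per_target.values() if s == "down")
    if down >= quorum:
        return "down", per_target
    if any(s != "up" for s in per_target.values()):
        return "warn", per_target
    return "up", per_target


# Constructed probe windows (ten probes each); None means no reply.
HEALTHY = [12.1, 12.4, 11.9, 12.8, 12.0, 12.3, 12.2, 12.6, 12.1, 12.5]
DEAD = [None] * 10                      # router pulled from the path
SLOW_ANYCAST = [610.0, 590.0, 640.0, 600.0, 620.0, 605.0, 598.0, 630.0, 615.0, 601.0]

# Raffi_'s case: the ISP's third-hop router stops answering, the Internet is fine.
ISP_HOP_GONE = {"203.0.113.17": DEAD, "8.8.8.8": HEALTHY, "1.1.1.1": HEALTHY}
# Real outage: nothing past the gateway answers.
LINK_DOWN = {"203.0.113.17": DEAD, "8.8.8.8": DEAD, "1.1.1.1": DEAD}
# One anycast site is far away or congested; the other two targets are fine.
ANYCAST_FAR = {"203.0.113.17": HEALTHY, "8.8.8.8": SLOW_ANYCAST, "1.1.1.1": HEALTHY}

if __name__ == "__main__":
    for name, window in (("isp hop gone", ISP_HOP_GONE),
                         ("link down", LINK_DOWN),
                         ("anycast far", ANYCAST_FAR)):
        print(name, gateway_state(window))
    # With a single target, as pfSense does today, the dead ISP hop alone
    # takes the gateway down:
    print("single target", gateway_state({"203.0.113.17": DEAD}))
```

The single-target call at the end reproduces what Raffi_ saw: with only the ISP hop configured, the quorum is one and the gateway goes down. With three targets the same event is only a warning, while a true link outage, where every target stops answering, is still reported as down. Setting `quorum=1` gives back the single-monitor behaviour for comparison.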
stephenw10 Netgate Administrator
last edited by Aug 30, 2019, 3:25 PM

I will say that whilst I've never seen an issue with it on numerous pfSense installs, including my own, Google responds to ping there more as a courtesy. They could just stop responding. Also, when you ping 8.8.8.8 you are hitting a machine via anycast, so the service may vary depending on where you are pinging from.

Steve

Raffi_ @stephenw10
last edited by Aug 30, 2019, 3:34 PM

@stephenw10 said in How to detect a cyber attack:

I will say that whilst I've never seen an issue with it on numerous pfSense installs, including my own, Google responds to ping there more as a courtesy. They could just stop responding. Also, when you ping 8.8.8.8 you are hitting a machine via anycast, so the service may vary depending on where you are pinging from.

Steve

Let's hope they don't pull the rug out from under us. I think a lot of gateways would be marked as down :)

hugoeyng @Raffi_
last edited by Aug 30, 2019, 5:54 PM

@Raffi_ said in How to detect a cyber attack:

Let's hope they don't pull the rug out from under us. I think a lot of gateways would be marked as down

I hope so too!

I tried monitoring the White House and Pentagon IPs, but it did not succeed.

Those IPs, I believe, would be the last to be down. :)

Thank you everybody.

I love pfSense!

Hugo Eyng
Datamais Sistemas

Raffi_ @hugoeyng
last edited by Aug 30, 2019, 5:56 PM

@hugoeyng said in How to detect a cyber attack:

@Raffi_ said in How to detect a cyber attack:

Let's hope they don't pull the rug out from under us. I think a lot of gateways would be marked as down

I hope so too!

I tried monitoring the White House and Pentagon IPs, but it did not succeed.

Those IPs, I believe, would be the last to be down. :)

Thank you everybody.

haha I hope you don't get a knock on the door from people in black suits.

akuma1x @hugoeyng
last edited by Aug 30, 2019, 6:28 PM

@hugoeyng said in How to detect a cyber attack:

I tried monitoring the White House and Pentagon IPs, but it did not succeed.

So, White House Down?

https://www.imdb.com/title/tt2334879/

☺

Jeff

hugoeyng @Raffi_
last edited by Aug 30, 2019, 6:29 PM

@Raffi_ :))))))

I love pfSense!

Hugo Eyng
Datamais Sistemas

hugoeyng @akuma1x
last edited by Aug 30, 2019, 6:37 PM

@akuma1x hahaha The first to be under attack. It is not a good idea to use it for monitoring. It is more secure to use the butcher shop next door's IP.

I love pfSense!

Hugo Eyng
Datamais Sistemas

runningboy
posted Feb 20, 2021, 12:16 PM, last edited by runningboy Feb 20, 2021, 12:21 PM

In most cases, a cyberattack is almost impossible to notice. This operation takes place instantly, and the user does not even understand how the intruders entered the system and control it. This situation happened in the office where I work a few months ago. Cybercriminals tried to get hold of our customer base and spread this information online. They penetrated the network and got all the access codes and passwords from our system, which is why the programs crashed and, by chance, they were unable to commit theft. Since then, we've turned to Cyber Essentials to help protect and support our system from potential threats. I hope this will not happen again.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.