Netgear Armor and DoS

Question

I've been plagued with DoS attacks, some of which seem to be taking my router off-line for a few minutes until it recovers. From reading forums, I gather that this is because the buffer that holds unanswered SYN/ACK requests if overflowing.

I'm wondering if the Netgear Armor product will help this in any way?

Walt

FURRYe38 · Answer

Netgear has set up a community forum specifically for the Nighthawk App product. Most of the people who watch that forum are more likely to have experience with Nighthawk App and know how to work it better than those of us who follow this "general router" forum. Might be more likely to find someone who has a solution if the question is posted there:
https://community.netgear.com/t5/Nighthawk-App/bd-p/en-home-networking-apps
Good Luck.

CrimpOn · Answer

Walt_S&nbsp;wrote:I'm wondering if the Netgear Armor product will help this in any way?I doubt very much that Armor would have any effect on DoS attacks.I also doubt very much that DoS are having a serious effect on your Orbi system.I have collected the logs from two Orbi systems for almost two years.Both systems log these "DoS attacks" every day of every month, and neither system seems to be affected.&nbsp;Netgear has an algorithm that looks at patterns in connection attempts to see if they fit specific profiles.&nbsp; If they do, then a note is put into the Orbii file if the user has selected that option.&nbsp; There are options to quit doing the DoS analysis and to quit logging the results.&nbsp; Both would (in theory) free up processor resources, although no one seems to know how much or if it would be significant.&nbsp;I am not aware of any method to report the amount of available "buffer space".&nbsp; The Orbi debug page does show the number of connections in use.&nbsp; Out of 65,536 possible connections, my Orbi is now using 1,941.&nbsp; This is on the web page http://orbilogin.net/debug.htm&nbsp;What are the specific symptoms that lead you to believe the Orbi has gone "offline"?

Walt_S · Answer

Thanks for the info on Armor. &nbsp;I kind of thought that would be the case, but decided to ask anyway.&nbsp;I get many log entries relating DoS attempts, and occasionally one is picked up by my FingBox which (among other things) monitors Internet Connectivity. &nbsp;I had originally been blaming my ISP for the numerous outages I'm experiencing, but then I noted a correlation between FingBox reports of network outages with some of the DoS entries in the Orbi log. &nbsp;For example, the FingBox reported offline at 02:19 this morning, and return to onliine at 02:27. &nbsp;Here is the log entry from Orbi:[DoS Attack: TCP/UDP Chargen] from source: 199.195.249.122, port 58736, Wednesday, June 09, 2021 02:19:35&nbsp;and at 2:30, the Orbi was assigning DHCP addresses:[DHCP IP: 192.168.1.39] to MAC address 58:27:8c:ee:53:63, Wednesday, June 09, 2021 02:30:28&nbsp;Which is from a NAS drive connected by Ethernte cable to the router.&nbsp;I don't know if that helps. &nbsp;The only other advice I've gotten is to change my Internet-facing IP address, which my ISP refused to do.&nbsp;Walt

CrimpOn · Answer

Walt_S&nbsp;wrote:I get many log entries relating DoS attempts, and occasionally one is picked up by my FingBox which (among other things) monitors Internet Connectivity.Can you give more detail about DoS attempts being picked up by FingBox?&nbsp; From the context, what I see is a correlation between log entries in the Orbi and network connectivity report from the FingBox, correct?&nbsp; That is, the FingBox did not actually report on anything penetrating the Orbi firewall?&nbsp;I have totally struck out trying to find a User Manual for FingBox or a technical description of "how it works."&nbsp; (any hints where to look?)The idea of matching a connectivity monitor with the Orbi log is intriguing.&nbsp; I have various ping monitors, and am interested in what internet IP's FingBox uses to check connectivity.&nbsp; (Guess I could Ping some DNS server every 30 seconds, but honestly I do not know how they react to some IP pinging them for days and days..)&nbsp;Did not notice a mention of the Orbi log mentioning anything about "internet lost."&nbsp; I would think if the Orbi lost service for 8 minutes, there would be some log entry. (If the CPU was at 100% for 8 minutes, that could explain - "oops" it was able to log that DoS entry.)&nbsp;Walt_S&nbsp;wrote:I don't know if that helps. &nbsp;The only other advice I've gotten is to change my Internet-facing IP address, which my ISP refused to do.In my opinion, this is not a solution.&nbsp; Those reported DoS findings are not personal.&nbsp; They scan every public IP over and over looking for a response.&nbsp; It would be a matter of minutes before a new IP address began reporting DoS attempts.

CrimpOn · Answer

Having no Fingbox, I set up PingInfoView (Windows, free from Nirsoft) to ping a bunch of internal devices plus CloudFlare DNS (1.1.1.1) and Google DNS (8.8.8.8) every 30 seconds&nbsp; This has been running almost continuously for over a week.&nbsp; During this week, the Orbi has logged 249 attacks of various kinds.(about 15/day).&nbsp; During this same period, CloudFlare DNS has missed 15 pings and GoogleDNS has missed 5 pings.&nbsp; ICMP (ping) is a UDP packet, which is not monitored like TCP is.&nbsp;When I compare the time of missed ping responses against the Orbi log entries, a couple of them do seem to match.&nbsp; Then there are the over 200 attacks which do not match with ping failures.&nbsp; But that could also be a result of the Orbi finally being overcome. i.e. not only did the Dos cause a disruption of internet, but it also caused the Orbi to fail in writing an entry to the log.&nbsp;So, do Denial of Service (DoS) attacks so overload the Orbi that it ceases to function?&nbsp; My feeling remains, not very often but certainly possible.

Forum Discussion

Netgear Armor and DoS

5 Replies