GeoffChesh
Jan 22, 2020, Aspirant
Repeated DOS attacks causing dropped connections
I have an RBR40 Router and associated satellite, running Firmware v.2.3.5.34 in a Mac/iOS based environment (no Windows machines on the network).
Following a lack of stability in the WiFi connection, I started to investigate the logs, and found a series of DOS attack warnings (similar to the entry below):
[DoS Attack: ACK Scan] from source: 102.132.108.61, port 443, Wednesday, January 22, 2020 07:21:47
Looking up the IP address, it seems that these are coming from Facebook, and whilst there are not vast numbers of them, the dropped connection that these cause in the router is starting to interfere with our use of the web. Unfortunately blocking or disabling Facebook is not an option in this house.
At the moment, the 'blunt tool' that I have used to cope with these events is to disable the protection in the WAN Setup screen. I'm just a bit concerned that this will have other unanticipated consequences for my network.
So my questions are .....
- Are these entries likely to be genuine attempts to compromise my security ?
- Should I be bothered about these 'attacks' ?
- What other options do I have to prevent the dropped connections ?
- Are there any other (realistic) consequences for the network if I leave the protection disabled ?
Other than these entries, my logs are fairly clear - just reporting NTP syncs, DHCP management and the routine stuff I would expect the router to take care of. I have no 'unexpected' devices on the network, and the Guest Network is operational (secured by a complex password, with just one trusted user connected to it).
The network contains the regular mix of laptops, iPads, phones, internet-enabled TVs, set-top box, video enabled doorbell, remote controlled heating system, smart speakers and a printer. Around 30 devices in total.
Connection to the internet is through a Cable router (set to Modem mode only - a Virgin SuperHub 3 (yeuch ....))
Thanks in advance
Geoff
8 Replies
- michaelkenward, Guru - Experienced User
GeoffChesh wrote:
So my questions are .....
- Are these entries likely to be genuine attempts to compromise my security ?
- Should I be bothered about these 'attacks' ?
No and No.
These "false positives" of DOS attack are a "feature" of Netgear's crummy logging system. There is a steady stream of messages here about them.
GeoffChesh wrote:
What other options do I have to prevent the dropped connections ?
If these really are the cause of the dropped connections – which may or may not be the case – then an easy option is to tell the thing not to log these events.
GeoffChesh wrote:
Are there any other (realistic) consequences for the network if I leave the protection disabled?
What are you doing that you think disables the protection? Telling your router to ignore "Known DoS attacks and Port Scans" does not affect your security. It merely tells the thing to ignore those events.
Whether or not this will prevent the dropouts is another matter. One way in which logging can cause that sort of behaviour is if it puts a lot of strain on the router's processor. Is there really enough going on in your logs to suggest that this might be the case?
Other things that can cause a hissy fit on the router are enabling QoS, Traffic Meter and anything else that requires the router to do anything out of the ordinary.
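Added example, not part of any post in this thread: one way to answer "is there really enough going on in your logs" is to paste the router log into a script that counts the DoS entries per source and per hour. The regular expression follows the single entry quoted in the first post; every sample line after the first is constructed, and treating source ports 80/443 as "web server reply" traffic is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern derived from the one entry quoted in the first post.
# Other entry types (NTP sync, DHCP) do not match and are skipped.
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
    r"port (?P<port>\d+), (?P<when>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

def parse(line):
    """Return a dict for a DoS entry, or None for any other log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(m["when"], "%A, %B %d, %Y %H:%M:%S")
    return {"kind": m["kind"], "ip": m["ip"], "port": int(m["port"]), "when": when}

def summarize(lines):
    """Count DoS entries, their hourly rate, and who they came from."""
    events = [e for e in map(parse, lines) if e]
    if not events:
        return {"total": 0, "per_hour": 0.0, "by_source": {}, "web_port_share": 0.0}
    times = [e["when"] for e in events]
    # Clamp the window to at least one hour so a short burst is not inflated.
    span_h = max((max(times) - min(times)).total_seconds() / 3600, 1.0)
    # Assumption: source port 80/443 suggests a reply from a web server.
    web = sum(1 for e in events if e["port"] in (80, 443))
    return {
        "total": len(events),
        "per_hour": round(len(events) / span_h, 2),
        "by_source": dict(Counter((e["ip"], e["kind"]) for e in events)),
        "web_port_share": web / len(events),
    }

# First line is the entry from the first post; the rest are constructed.
SAMPLE = """\
[DoS Attack: ACK Scan] from source: 102.132.108.61, port 443, Wednesday, January 22, 2020 07:21:47
[DoS Attack: ACK Scan] from source: 102.132.108.61, port 443, Wednesday, January 22, 2020 08:02:10
[DoS Attack: RST Scan] from source: 192.0.2.10, port 51234, Wednesday, January 22, 2020 09:21:47
[Time synchronized with NTP server] Wednesday, January 22, 2020 09:30:00
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A rate of a few entries per hour, mostly from port 443, supports the "false positive" reading and makes logging load an unlikely cause of dropouts.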
- CrimpOn, Guru - Experienced User
michaelkenward wrote:
Other things that can cause a hissy fit on the router are enabling QoS, Traffic Meter and anything else that requires the router to do anything out of the ordinary.
It is not clear to me that the user has any control over QoS on the Orbi product. There are QoS parameters (nvram show), so one would expect that Orbi is doing "something", but I cannot find a way to affect what.
I like the theory that excessive CPU load overwhelms the Orbi and can cause "problems", such as dropped connections. If turning off features makes the "problem go away", that would be supporting evidence.
- michaelkenward, Guru - Experienced User
CrimpOn wrote:
It is not clear to me that the user has any control over QoS on the Orbi product. There are QoS parameters (nvram show), so one would expect that Orbi is doing "something", but I cannot find a way to affect what.
I agree. I was just talking generalities to try to illustrate how these things might happen.
CrimpOn wrote:
I like the theory that excessive CPU load overwhelms the Orbi and can cause "problems", such as dropped connections. If turning off features makes the "problem go away", that would be supporting evidence.
It is a regular explanation around here as to how wifi and stuff can slow down when anything processor intensive is going on on a router. Logging would seem to be another possibility.
Again, it is more theory than anything that Netgear has owned up to.
I remain to be convinced that this is what is going on here. And it still isn't clear to me what GeoffChesh has done to "disable the protection in the Wan".
My Orbi is in AP mode, which disables some of the stuff that gets logged. All I see is [Time synchronized with NTP server]. I can't get in deep enough to see if it is possible to disable the protection in the Wan. On the R7800, I see nothing on that front, merely options to disable logging.
Any thoughts on that front?