
Please help me choose a better modem

handy142
Tutor

Please help me choose a better modem

I've had a Netgear DGND3300 working for years. It's worked flawlessly, but the influx of DoS attacks has forced me to use firewall rules to block the IP address doing the attack. It's worked for months.

 

A few days ago I reached my modem's maximum number of blocked IPs (109). I now would like a better modem that allows more IPs to be blocked; if I can get one with no limit I'd be happy.

Message 1 of 35

Accepted Solutions
TheEther
Guru

Re: Please help me choose a better modem

You keep saying "processed" as if something undesirable is happening.   In fact the modem has done the proper thing by identifying it as an invalid packet and blocking it.  And it can do this on its own without the help of address filters.

 

I think this conversation has run its course.  I feel that I was unable to convince you that your request for additional address filters for the purposes of DoS protection is misplaced and unnecessary.  Hopefully, this conversation will be useful to others.


Message 31 of 35

All Replies

Re: Please help me choose a better modem


@handy142 wrote:

I've had a Netgear DGND3300 working for years. It's worked flawlessly, but the influx of DoS attacks has forced me to use firewall rules to block the IP address doing the attack. It's worked for months.

 

Netgear's logging mistakenly described some legitimate traffic as DoS.

 

If you "whois" some of those IP addresses you may find that they are Google or even your ISP!

 

Message 2 of 35
handy142
Tutor

Re: Please help me choose a better modem

Thanks for the quick response. I don't think my ISP would try to contact me 14 times in under 1 second.

This to me looks like a real attack.

 

Message 3 of 35

Re: Please help me choose a better modem


@handy142 wrote:

I don't think my ISP would try to contact me 14 times in under 1 second.

 



Why not? Maybe it is just responding to your traffic.

 

 

 

 

Message 4 of 35
handy142
Tutor

Re: Please help me choose a better modem

After doing a whois on one of the IPs I get

Organization:   RIPE Network Coordination Centre (RIPE)

This is NOT my ISP ....

Message 5 of 35

Re: Please help me choose a better modem


@handy142 wrote:

After doing a whois on one of the IPs I get

Organization:   RIPE Network Coordination Centre (RIPE)

This is NOT my ISP ....


 

Maybe not.

 

But nor is it the Russian mafia:

 

RIPE Network Coordination Centre

 

Message 6 of 35
handy142
Tutor

Re: Please help me choose a better modem

Sorry Mike, you're not helping here.
Can we get back to the topic?
Message 7 of 35
TheEther
Guru

Re: Please help me choose a better modem

Let's try a different tack. The DGND3300 was already stopping the DoS attacks on its own. There's no additional benefit to IP address filters. In fact, the attacks are still occurring and still consuming downstream bandwidth on your Internet connection.

All address filters have done is stopped the attacks from being logged, not the attacks themselves. If the DoS attack logs were bothering you, you could have turned them off rather than resorting to the laborious process of maintaining address filters by hand, which is an utterly losing battle. It's no different than trying to block phone numbers. Both phone numbers and IP addresses can be spoofed. You'll forever be playing whack-a-mole.

Trust your DGND3300 to defend itself without your help.
Message 8 of 35
handy142
Tutor

Re: Please help me choose a better modem

What if you believe the game of whack-a-mole was worth it?
But I could no longer continue due to reaching my limit.
As for the time it takes to block these DoS attacks, it's worth doing for the results I get.
Message 9 of 35

Re: Please help me choose a better modem


@handy142 wrote:
...it's worth doing for the results I get.



If you explain the results that you get, then perhaps someone can suggest a replacement modem that will give you improvements on that front.

 

Message 10 of 35
handy142
Tutor

Re: Please help me choose a better modem

OK, normally here's a good example of one "attack" (I've removed my IP from these):

 

Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27  - [PORT SCAN]

 

Then I add that IP to my block list and then I get

 

Tue, 2017-01-24 15:04:19 - UDP Packet - Source:134.119.219.27,5327  - [Any(ALL) rule match]

 

In short this means they can't DoS me again as I've blocked them.

 

Unfortunately my modem can only block 108 IPs before it gets full. I would like one that allows me more or unlimited blocked IPs.

Message 11 of 35
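The log excerpt above is the only evidence in the thread of what the DGND3300 is actually doing, so it is worth reading it mechanically. The parser below is an added example, not code from the original post or from Netgear: it understands the three line shapes quoted (with a source port, without one, and with a user-rule tag), tallies events per source address per one-second bucket, and records for each tag what dropped the packet. The mapping of tags to drop reasons follows the later replies in the thread (built-in firewall for [DOS] and [PORT SCAN], user block rule for [Any(ALL) rule match]); the sample lines are the ones posted, and the `DROP_REASON` table and function names are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input in the DGND3300 log format quoted in the thread. The address and
# tags are the ones from the post; the block is embedded here so the example runs offline.
SAMPLE_LOG = """\
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27  - [PORT SCAN]
Tue, 2017-01-24 15:04:19 - UDP Packet - Source:134.119.219.27,5327  - [Any(ALL) rule match]
"""

# One regex for all three shapes: the ",port" part is optional and there may be
# extra spaces before the dash that introduces the bracketed tag.
LINE_RE = re.compile(
    r"^(?P<dow>\w{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>\w+) Packet - Source:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:,(?P<port>\d+))?\s*- \[(?P<tag>[^\]]+)\]$"
)

# Constructed mapping (not a Netgear table): every tag seen in the thread is a
# record of a packet the device itself dropped, only the dropping component differs.
DROP_REASON = {
    "DOS": "firewall (built-in DoS detection)",
    "PORT SCAN": "firewall (built-in scan detection)",
    "Any(ALL) rule match": "user block rule",
}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    event["port"] = int(event["port"]) if event["port"] else None
    event["dropped_by"] = DROP_REASON.get(event["tag"], "unknown")
    return event


def summarise(text):
    """Aggregate a log: events per (source, drop reason) and the peak packets/second per source."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    per_ip_reason = Counter((e["ip"], e["dropped_by"]) for e in events)
    per_second = defaultdict(Counter)
    for e in events:
        per_second[e["ip"]][e["ts"]] += 1
    peak = {ip: max(buckets.values()) for ip, buckets in per_second.items()}
    return {
        "events": len(events),
        "per_ip_reason": per_ip_reason,
        "peak_per_second": peak,
        # True when every logged packet was dropped by some component of the device
        "all_dropped": all(e["dropped_by"] != "unknown" for e in events),
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for (ip, reason), n in sorted(summary["per_ip_reason"].items()):
        print(f"{ip}: {n} packet(s) dropped by {reason}")
    print("peak packets per second:", summary["peak_per_second"])
```

Run against the sample, the summary shows six packets from the same source inside one second, five dropped by the DoS detector and one by the scan detector, and one later packet dropped by the user rule; the burst count is the kind of figure behind the "14 times in under 1 second" remark earlier in the thread.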

Re: Please help me choose a better modem

Forgive me. I should have been clearer. We already know about the limited number of IP addresses you can block.

 

I should have said tell us the results that you get in terms of better performance when you block those addresses.

 

Does blocking them make your Internet go faster? Do you get a better browsing experience?

 

 

 

 

 

Message 12 of 35
TheEther
Guru

Re: Please help me choose a better modem


@handy142 wrote:

OK, normally here's a good example of one "attack" (I've removed my IP from these):

 

Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27,5445 - [DOS]
Tue, 2017-01-17 03:09:16 - UDP Packet - Source:134.119.219.27  - [PORT SCAN]

 

Then I add that IP to my block list and then I get

 

Tue, 2017-01-24 15:04:19 - UDP Packet - Source:134.119.219.27,5327  - [Any(ALL) rule match]

 

In short this means they can't DoS me again as I've blocked them.

 

This is not true.  One other precious resource to be protected is your Internet connection.  Someone can still take you down by flooding it.  A block list can do nothing to stop that.  All your block list has done has hidden the attack.  It's the equivalent of putting blinders on.  Functionally, nothing has changed.

Message 13 of 35
handy142
Tutor

Re: Please help me choose a better modem

In my opinion my setup allows me to block the DoS, effectively stopping them.
I would agree that this type of attack is a flood attack designed to slow my connection.
Message 14 of 35
TheEther
Guru

Re: Please help me choose a better modem

The modem was already stopping the attacks.  The address filters aren't buying you anything.

Message 15 of 35
handy142
Tutor

Re: Please help me choose a better modem

I think my modem wasn't filtering anything until I started to block them. The report above shows my modem received the request(s).

 

Once I block them my modem would ignore the IP and not process that request.

Message 16 of 35

Re: Please help me choose a better modem


@TheEther wrote:

The address filters aren't buying you anything.


 

Does that mean that it is a waste of time looking for a device that allows a user to block an even bigger list of addresses?

 

Message 17 of 35
TheEther
Guru

Re: Please help me choose a better modem


handy142 wrote:

I think my modem wasn't filtering anything

It's time to stop thinking that.  Perhaps you don't realize that your DGND3300 has built-in firewall and NAT functions that block all unsolicited incoming traffic.  Your modem is technically a combination modem and router.

until I started to block them. The report above shows my modem received the request(s)

Actually, that report is literally a log about your modem blocking those request(s).  The modem was figuratively saying, "Hey, I'm letting you know that I identified a DoS attack from address A.B.C.D and blocked it."

 

Once I block them my modem would ignore the IP and not process that request.


Do you understand, now, why your address filters aren't buying you anything?  The modem already did its job of blocking the request without your help.

michaelkenward wrote:

@TheEther wrote:

The address filters aren't buying you anything.


 

Does that mean that it is a waste of time looking for a device that allows a user to block an even bigger list of addresses?

 


In the context of preventing DoS attacks, yes, it's a waste of time.  As I mentioned above, the built-in firewall and NAT components already prevent these attacks from reaching your home network.

 

I didn't mention this before, but there's also a pretty good chance that address filters will disable hardware acceleration, force the main CPU to handle all traffic and potentially slow down your Internet connection.

Message 18 of 35

Re: Please help me choose a better modem


@TheEther wrote:

I didn't mention this before, but there's also a pretty good chance that address filters will disable hardware acceleration, force the main CPU to handle all traffic and potentially slow down your Internet connection.


 

Oh dear. This gets more complicated by the minute.

 

Thanks for the tutorial. Very helpful.

 

Message 19 of 35
handy142
Tutor

Re: Please help me choose a better modem

*facepalm* Look, can we get back to topic please?

Can you recommend a router that can do what I've asked or not?

I don't care if it's whack-a-mole, I am convinced what I am doing is the correct thing to do.

Please can you help me?

 

 

Message 20 of 35

Re: Please help me choose a better modem


@handy142 wrote:
I am convinced what I am doing is the correct thing to do

 


 

There lies your problem.

 

 

Message 21 of 35
handy142
Tutor

Re: Please help me choose a better modem

OK, this is how I see it.

My modem receives a UDP packet from XXX.XXX.XXX.XX: and logs it.

It has to process the request, as the request is deemed by my router as a "valid" request.

This can be one or many requests (flood attack) which can slow down or even stop a connection (DoS).

Since I believe my modem does not stop the request (yet) but logs the fact this has happened,

I then add the IP to a block rule, effectively stopping the modem processing any requests from that IP.

Side thought ....

I wonder if it's 109 active rules or 109 in total ...

Message 22 of 35
TheEther
Guru

Re: Please help me choose a better modem

 

Let's suppose your modem/router receives a UDP packet with source address x.x.x.x and source port y to destination address m.m.m.m and destination port n.

 

To process it, your modem/router looks up its NAT table for an existing session that matches x.x.x.x, y and n.  If no session exists, then it checks for any port forwarding entries that match n.  If none exist, then it checks if a DMZ is configured.  If not, it drops the packet.  

 

Most of this work is highly optimized and is really no sweat for the modem/router to perform.  Adding address filters is not only going to save an immaterial amount of processing but it will slow down the entire packet processing pipeline because the modem/router will be forced to disable hardware acceleration and pass all packets through the CPU for deep packet inspection.

 

Message 23 of 35
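The inbound decision path described in the post above (NAT session lookup, then port-forwarding lookup, then DMZ check, then drop) can be written down as a small model and run against a flood. The code below is an added example, not Netgear firmware or anything from the thread: the `Router`, `Packet` and `run_flood` names, the session-table key shape and all addresses (RFC 5737 test ranges) and packet sizes are constructed for this example, and the block list is modelled as a check placed in front of that path, which is where a user address filter would sit. It lets a reader check the claim at the centre of the thread: with or without the block list an unsolicited flood is dropped and forwards nothing, while the bytes it put on the Internet link are the same in both cases. The last scenario adds the caveat a practitioner would want: the same block-list entry also drops a reply belonging to an established session from that address.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "UDP"


@dataclass
class Router:
    """Hypothetical model of a NAT router's inbound path (constructed, not a vendor implementation)."""
    wan_ip: str
    # (proto, remote ip, remote port, wan port) -> (lan ip, lan port)
    nat_sessions: Dict[Tuple[str, str, int, int], Tuple[str, int]]
    # (proto, wan port) -> (lan ip, lan port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]]
    dmz_host: Optional[str] = None
    block_list: frozenset = frozenset()

    def inbound_decision(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for a packet arriving on the WAN side."""
        # User address filter, when present, is consulted before anything else.
        if pkt.src_ip in self.block_list:
            return ("drop", "block rule")
        # 1. Existing session keyed on remote address, remote port and the WAN port hit.
        session = self.nat_sessions.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if session:
            return ("forward", f"NAT session -> {session[0]}:{session[1]}")
        # 2. Static port-forwarding entry for the destination port.
        pf = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if pf:
            return ("forward", f"port forward -> {pf[0]}:{pf[1]}")
        # 3. DMZ host receives everything that nothing else claimed.
        if self.dmz_host:
            return ("forward", f"DMZ -> {self.dmz_host}")
        # 4. Nothing matched: unsolicited traffic is dropped by NAT/firewall alone.
        return ("drop", "unsolicited (firewall/NAT)")


def run_flood(router: Router, src_ip: str, count: int, size: int = 512) -> dict:
    """Deliver `count` unsolicited UDP packets of `size` bytes and tally the outcome.

    wan_bytes counts what arrived on the Internet link regardless of verdict; that is
    the resource a flood consumes whether or not a block list exists.
    """
    verdicts = Counter()
    for i in range(count):
        pkt = Packet(src_ip, 5445, router.wan_ip, 50000 + i % 10)  # constructed ports
        verdicts[router.inbound_decision(pkt)[0]] += 1
    return {"wan_bytes": count * size, "forwarded": verdicts["forward"], "dropped": verdicts["drop"]}


if __name__ == "__main__":
    no_filter = Router("203.0.113.10", {}, {})
    with_filter = Router("203.0.113.10", {}, {}, block_list=frozenset({"198.51.100.7"}))
    for name, r in (("no address filter", no_filter), ("with address filter", with_filter)):
        print(f"{name}: {run_flood(r, '198.51.100.7', 100)}")
    # Established DNS-style session from the same remote address: forwarded without the
    # filter, dropped with it, because the block list is consulted before the session table.
    sess = {("UDP", "198.51.100.7", 53, 40000): ("192.168.1.20", 53000)}
    reply = Packet("198.51.100.7", 53, "203.0.113.10", 40000)
    print("reply, no filter:", Router("203.0.113.10", sess, {}).inbound_decision(reply))
    print("reply, with filter:",
          Router("203.0.113.10", sess, {}, block_list=frozenset({"198.51.100.7"})).inbound_decision(reply))
```

The model deliberately leaves out the hardware-acceleration effect the post mentions (the decision is the same either way; only the path's speed differs), so the two flood runs print identical counts, which is the point being made.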
handy142
Tutor

Re: Please help me choose a better modem


@TheEther wrote:

 

Let's suppose your modem/router receives a UDP packet with source address x.x.x.x and source port y to destination address m.m.m.m and destination port n.

 

To process it, your modem/router looks up its NAT table for an existing session that matches x.x.x.x, y and n.  If no session exists, then it checks for any port forwarding entries that match n.  If none exist, then it checks if a DMZ is configured.  If not, it drops the packet.  

 

Most of this work is highly optimized and is really no sweat for the modem/router to perform.  Adding address filters is not only going to save an immaterial amount of processing but it will slow down the entire packet processing pipeline because the modem/router will be forced to disable hardware acceleration and pass all packets through the CPU for deep packet inspection.

 


That's not how I see it, using one packet as an example (remember this will be part of a flood attack so there is more than one to process):

-1- my modem receives the packet from x.x.x.x - checks the firewall rules first and it's not on a block list

-2- the packet is recognised as a request to my modem

-3- the modem would then process the request (not sure if a response would be sent back but let's say no for now)

-------------------------------------------- if on list ----------------------------------------------------------------------------

-1a- my modem receives the packet from x.x.x.x - checks the firewall rules first and IS on a block list

-2b- the packet would not have to be processed as it's on the list and the request is ignored

That's how I see it (roughly).

 

 

 

 

Message 24 of 35
TheEther
Guru

Re: Please help me choose a better modem


handy142 wrote: 

That's not how I see it, using one packet as an example (remember this will be part of a flood attack so there is more than one to process):

-1- my modem receives the packet from x.x.x.x - checks the firewall rules first and it's not on a block list

-2- the packet is recognised as a request to my modem

It's not really a request.  A request implies that the packet is something that modem would send a response to.  Most packets that are not dropped by the modem will transit through to a device on the home network.

-3- the modem would then process the request (not sure if a response would be sent back but let's say no for now)

It would process it in the manner I described (i.e. NAT lookup, port forwarding and DMZ check).  The end result is same as your case below with the block list;  the packet is dropped by the modem and is not sent to your home network.

-------------------------------------------- if on list ----------------------------------------------------------------------------

-1a- my modem receives the packet from x.x.x.x -

Because a block list is present, the modem redirects the packet to the slower, non-optimized packet processing path.  All packets, including good traffic, must go through this slower path.  If no block list is present, the modem will process the packet much more efficiently.

checks the firewall rules first and IS on a block list

 

-2b- the packet would not have to be processed as it's on the list and the request is ignored

 

That's how I see it (roughly).


In both cases, the packet is blocked by the modem.  Do you now see why a block list has no added value here?

Message 25 of 35