Aspirant

Router Disconnects after Smurf Dos ?

I have owned the WNDR4500 V1 router for a year now and it's been working well until recently, when about one time every 2 - 4 weeks (varies), for once occurrence interval the router loses the internet connection (verified on the PC that has a direct wired connection to the router; the cable modem lights indicate the internet connection is active and the cable modem log indicates everything was normal - no errors during the timeframe of the internet disconnection).

When this occurs, I have to login to the router and either click on the red icon or reboot the router and then the internet connection is re-established and stays up for at least another 3-4 weeks.

... Well, the interesting thing is that when I check the router log when this occurs, it always happens exactly when the router log has a message indicating that a "SMURF DOS attack was detected". I am convinced that when a SMURF DOS attack occurs the router disconnects itself from the internet and never automatically re-connects. I have to do it manually.

... Now, since the router has been working well for the past year, until recently (with maybe 1 or 2 disconnects from the internet a month), I never bothered upgrading the firmware from the original version that came with the router -- the version is 1.0.0.70.

Questions:
.... 1. So, has anyone else experienced internet disconnects when a SMURF DoS is reported in the router logs?
... 2. And, does anyone know whether a later version of the firmware hardened the router to prevent the router from disconnecting upon a SMURF DoS interception/blocking?
Message 1 of 8
Virtuoso

Re: Router Disconnects after Smurf Dos ?

Smurf DoS attack
Ping is a software tool that is available on most operating systems and commonly used to check if a specified computer is reachable. When the ping tool is executed, an ICMP echo request packet is sent to the destination computer. If the destination computer receives the TCP packet, it replies to confirm the ping request. In the case of a Smurf denial-of-service attack, the ping's packet return IP address is forged with the IP of the targeted computer. The ping is issued to the entire IP broadcast address. This technique causes every computer to respond to the bogus ping packets and reply to the targeted computer, which floods it. This technique is called a Smurf attack because the DoS tool that is used to perform the attack is called Smurf. One way to reduce risk of this attack is to disable IP-directed broadcast, which is often not used or needed. Some operating systems are configured to prevent the computer from responding to ICMP packets.
June Mizoguchi-
Message 2 of 8
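
The two traffic patterns behind the Smurf description above, echo requests aimed at a subnet's broadcast address and echo replies that answer no request, can be told apart in a packet log. The Python sketch below is an added example and not part of the thread; `analyse_icmp` is a hypothetical helper, and the addresses and packet list are constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

def analyse_icmp(packets, local_net, own_ip, flood_threshold=3):
    """Classify ICMP echo traffic seen at a router.

    packets: iterable of (src, dst, icmp_type) in arrival order.
    directed_broadcast: echo requests from outside aimed at the LAN
        broadcast address (what a Smurf amplifier would receive).
    unsolicited: echo replies that match no request we sent
        (what a Smurf target receives), counted per source.
    flood: True once unsolicited replies reach flood_threshold.
    """
    net = ipaddress.ip_network(local_net)
    me = ipaddress.ip_address(own_ip)
    pending = Counter()  # our own outstanding echo requests, per destination
    directed, unsolicited = [], Counter()

    for src, dst, icmp_type in packets:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if icmp_type == ECHO_REQUEST:
            if src_ip == me:
                pending[dst_ip] += 1
            elif dst_ip == net.broadcast_address and src_ip not in net:
                directed.append((src, dst))
        elif icmp_type == ECHO_REPLY and dst_ip == me:
            if pending[src_ip] > 0:
                pending[src_ip] -= 1  # answers a ping we issued
            else:
                unsolicited[src] += 1

    return {"directed_broadcast": directed, "unsolicited": unsolicited,
            "flood": sum(unsolicited.values()) >= flood_threshold}

# Constructed sample log: (source, destination, ICMP type).
SAMPLE = [
    ("203.0.113.10", "198.51.100.7", 8),   # router pings a host
    ("198.51.100.7", "203.0.113.10", 0),   # solicited reply
    ("198.51.100.20", "203.0.113.10", 0),  # replies nobody asked for
    ("198.51.100.21", "203.0.113.10", 0),
    ("198.51.100.22", "203.0.113.10", 0),
    ("198.51.100.99", "192.0.2.255", 8),   # outside host pings LAN broadcast
    ("192.0.2.5", "192.0.2.255", 8),       # local broadcast ping, not flagged
]

if __name__ == "__main__":
    print(analyse_icmp(SAMPLE, "192.0.2.0/24", "203.0.113.10"))
```
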
Aspirant

Re: Router Disconnects after Smurf Dos ?

jmizoguchi,

Okay, but I still have a couple of basic questions, then for you:

1. Is it normal for the WNDR4500 to disconnect from the internet when getting this type of SMURF DoS attack?

2. So, is the WNDR4500 supposed to disconnect from the Internet in response to a SMURF DoS?
.... Shouldn't the WNDR4500 ignore/block/defend against the SMURF DoS and still keep the router connected to the Internet?

One way to reduce risk of this attack is to disable IP-directed broadcast,

3. How do I disable IP-directed broadcast, in the WNDR4500 ?
Message 3 of 8
Virtuoso

Re: Router Disconnects after Smurf Dos ?

Message 4 of 8
Mentor

Re: Router Disconnects after Smurf Dos ?

JosephB wrote:
1. Is it normal for the WNDR4500 to disconnect, from the internet when getting this type of SMURF Dos attack ?


Faced with a genuine DoS attack, you will most likely lose the use of your internet connection, and depending on the nature of your connection, the router may simply crash, some will stay up, and reconnect after the attack ceases.

2. So, is the WNDR4500 supposed to disconnect from the Internet in response to a SMURF DoS?
.... Shouldn't the WNDR4500 ignore/block/defend against the SMURF DoS and still keep the router connected to the Internet?


Yes and No - in reality, a "downstream" router (the one at the user end of the connection) cannot defend against a DoS attack, that defense has to be mounted at the "upstream" or ISP side - for the sake of discussion, let's say you have an 8mb/s cable connection, and your router is blocking the attack - what the DoS attack will do is simply overload the 8mb/s capability of the connection rendering it useless.

3. How do I disable IP-directed broadcast, in the WNDR4500 ?


It's already disabled - the IETF mandates that routers be shipped with it disabled to prevent the router from being used to create DoS attacks.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 5 of 8
Aspirant

Re: Router Disconnects after Smurf Dos ?

fordem,
Yes and No - in reality, a "downstream" router (the one at the user end of the connection) cannot defend against a DoS attack, that defense has to be mounted at the "upstream" or ISP side - for the sake of discussion, let's say you have an 8mb/s cable connection, and your router is blocking the attack - what the DoS attack will do is simply overload the 8mb/s capability of the connection rendering it useless

1. So it is an issue for the ISP to deal with ? ... and if it occurs in the future again, I should notify my ISP, is this correct ?

2. It would be more bearable, if it occurs in the future again, for the router to auto reconnect after the attack is over. .... There is no firmware update for the WNDR4500 to have it "auto reconnect" after the DoS attack is over?

3. Are there any other models of Netgear router or other brands that you have worked with that will "auto reconnect" after a DoS is over? ... How about Asus, etc.?
.... I mean to have to go to the main PC to reboot is a major pain and if I am not home, then what I have to setup remote access to the router to reboot it?

4. Has this type of smurf DoS ever happened to your router setup, causing the router to disconnect ? ... How have you dealt with it ?
Message 6 of 8
Mentor

Re: Router Disconnects after Smurf Dos ?

I don't know if you noticed I used the term "genuine DoS attack" - in my opinion DoS attacks on consumers are extremely rare - it requires resources to mount such an attack, and because of IETF dictates such as the disabling of IP directed broadcast, it has become increasingly difficult to acquire these resources.

Just to give you one example - prior to the disabling of ip direct broadcast - always on consumer routers could be used as "smurf amplifiers" to mount a smurf attack without their owners even being aware that it was happening, with direct broadcast disabled, the mischief maker has to create a "zombie" network by infecting systems with a virus that allows him to take control, a much more challenging task.

Having acquired these resources, there would be little incentive to waste them on a residential consumer - let's face it - denying you the use of your internet connection may frustrate you, but, you're only one user, using the same resources to attack an online business would have a much greater effect, especially on cyber Monday - so unless you were unfortunate enough to have been a target for a test attack, the chances of your being singled out are slim to nil, although, there are instances where individuals have been targeted because of who they are.

You are correct in your understanding that only the ISP can take action on this, but whether or not you can get them to take action is a different matter - you can try calling them, I don't know how far it will get you - it may depend on who takes your call, their level of knowledge and experience, and how seriously they take you - if they have been monitoring their network, which they should do, but not everyone does, they will have seen the "disturbance" and may be more inclined to take you seriously.

Fortunately - I have an excellent professional relationship with the senior administrators at my ISP so when I call they usually give me a hearing - I have experienced a DoS attack, but as far as I know I was not specifically targeted - it was not a smurf attack, although it was a reflective attack (a smurf attack is what is known as a distributed reflective DoS attack or DRDoS attack), and was caused by a misconfigured router at a different location in the ISP network.

I called the ISP and asked them to look at my connection and if they could explain why I was being flooded with traffic intended for another IP address, and in less than a minute the flood stopped - they simply disconnected the other router and called the subscriber - this cycle was repeated several times over the next week - the subscriber would call them, tell them he had fixed the problem, they would reconnect him, things would work fine for a few hours, and then the problem would surface, and I would lose my connection and call them again - I believe the final solution was that they programmed their DSLAMs to filter traffic differently.

I'm sorry I can't suggest another router (or brand) that won't crash - in fact - whether or not it crashes may depend on the severity of the attack and the speed of your connection, the router I was using at the time of the attack was a Linksys BEFSR11 - back then it was old, now it's long obsolete

Message 7 of 8
Aspirant

Re: Router Disconnects after Smurf Dos ?

fordem,
Thanks for this detailed answer and info!
If it happens again I will call my ISP.
Message 8 of 8