Retired_Member
Aug 29, 2021
Barrage of DoS attacks from legitimate sources
After buying and switching to a new router, we have constant DoS attacks from our supposed service provider as well as Google, GitHub and our service provider, with the same 4 IP addresses every that...
Retired_Member
Sep 29, 2021
They are most certainly false positives. I was just wondering if there was a way to at the very least minimize the frequency of them, as this didn't happen with our last R7000 router.
Razor512
Sep 29, 2021 Prodigy
It is not that they didn't happen with the old router, it is that the router just ignored or simply couldn't identify them.
Identifying an attack can be difficult apart from the obvious, e.g., if an IP is flooding you (saturating the WAN connection) with unrequested traffic then it will clearly be able to tell that a DOS attack is happening.
There is no way to make it 100% accurate since there is no way to tell the intent behind the traffic, thus they tend to err on the side of mistrust, especially if something happens like an IP that you did not initiate any communication with trying to send SNMP traffic to you.
The router will drop the unrequested traffic anyway in both cases, but the newer router will be able to identify the type of traffic and estimate if it could have been malicious or not.
A good way to understand it, is to think of the term used in podcasts such as Security Now; the term is Internet Background Radiation.
Basically tons of unrequested traffic from the various botnets, millions of infected PCs, even some ancient Windows 98 systems that are still plugged in some way and are trying to spread the malware that they were infected with, where they simply scan the entire IP range endlessly and try to find vulnerable systems.
- Retired_Member Sep 30, 2021
In the end I ended up disabling the inbuilt DoS and port scan protection as we already have Netgear Armor, which also has it and it's detecting nothing. We never suspected it was an actual attack as it was regular and not nearly the thousands you usually receive in an actual DoS attack.
- Razor512 Sep 30, 2021 Prodigy
The DOS protection, while basic, should still be left on. Its purpose is designed to provide protection while having an extremely low CPU usage. Armor goes more in-depth in its analysis, but has a higher CPU usage.
Think of the different functions like a multi-stage filter. Many high-end air filters will have many layers, and while all but the last layer can be removed and you will still get the filtering, that super fine filter will clog quickly. While not an exactly fitting analogy, it should give some idea of how the various protections can work together.
The common security provided by default with the base firmware essentially handles the internet background radiation. Armor handles anything that makes it through as well as testing for CVEs to alert you to any vulnerable devices where you can take additional precautions, such as using service blocking to block any ports a vulnerable device will not need to use for normal operation, or potentially even moving vulnerable IoT devices to a different VLAN or guest WiFi to segment them from other LAN devices.
- Retired_Member Oct 01, 2021
As much as I would want to keep it enabled, I've done personal port scans on the most commonly scanned/abused ports, and all have been stealthed, and Armor has found no vulnerabilities on all our devices, and on the 2 computers we regularly use, one has Bitdefender Total Security, and one with an Endpoint solution. With both having port scan protection, we see little reason to have the inbuilt router protection enabled.
- michaelkenward Oct 05, 2021 Guru - Experienced User
Retired_Member wrote:
In the end I ended up disabling the inbuilt DoS and port scan protection as we already have Netgear Armor, which also has it and it's detecting nothing. We never suspected it was an actual attack as it was regular and not nearly the thousands you usually receive in an actual DoS attack.
It may not be the protection that is the issue so much as the reporting.
Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.
If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.
- Retired_Member Oct 05, 2021
At first I did disable the logs, but I ended up just disabling the protection. I guess I'll re-enable it if that's the case.