
Barrage of DoS attacks from legitimate sources

Retired_Member
Not applicable

Barrage of DoS attacks from legitimate sources

After buying and switching to a new router, we have constant DoS attacks from our supposed service provider as well as Google, GitHub and our service provider, with the same 4 IP addresses every time, which are slightly different from our IP address, exactly every 30-40 seconds using Fraggle Attack from port 2190, with occasional ACK scans using port 443. I have tried changing the DNS server (as well as using the service provider DNS), resetting settings and rebooting the router; nothing has worked.

 

[DoS attack: Fraggle Attack] from source ~~.155.210.36,port 2190 Thursday, Aug 26,2021 09:11:06
[DoS attack: Fraggle Attack] from source ~~.155.211.248,port 2190 Thursday, Aug 26,2021 09:11:06
[DoS attack: Fraggle Attack] from source ~~.155.211.15,port 2190 Thursday, Aug 26,2021 09:10:44
[DoS attack: Fraggle Attack] from source ~~.155.210.176,port 2190 Thursday, Aug 26,2021 09:10:44
 
 
[DoS attack: ACK Scan] from source 185.199.109.154,port 443 Thursday, Aug 26,2021 09:05:06
[DoS attack: ACK Scan] from source 173.194.73.108,port 993 Thursday, Aug 26,2021 09:09:26
[DoS attack: ACK Scan] from source 34.120.243.77,port 443 Thursday, Aug 26,2021 09:02:33
 
I have read Netgear's DoS protection is full of false positives and many users also experience attacks from port 2190, but this never happened (at this scale) with our older router.
Message 1 of 17
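As an added example (not part of this thread and not NETGEAR code), the script below parses log lines in the format the original post shows and does the two checks a practitioner would want before treating them as an attack: it groups the entries by attack type and source port and measures the interval between bursts, and it flags entries whose *source* port is a well-known server port (443, 993, and so on), since a packet arriving from such a port is most plausibly a late segment of a connection a LAN client itself opened and the router has already forgotten. The sample lines are constructed with RFC 5737 documentation addresses in place of the masked ("~~.") prefixes; the port-to-service table and the classification wording are assumptions of this example.

```python
"""Triage NETGEAR "[DoS attack: ...]" log lines (added example, not NETGEAR code).

The line format is taken from the lines posted in the thread. SAMPLE_LOG is
constructed sample data: RFC 5737 addresses stand in for the masked prefixes.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<ip>[0-9.]+),port (?P<port>\d+)"
    r"\s+\w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

# Assumption of this example: a packet arriving *from* one of these ports is
# most plausibly a late FIN/ACK or retransmission of a session a LAN client
# initiated. The stateful firewall drops it anyway; the DoS heuristic just
# labels the drop "ACK Scan".
SERVER_PORTS = {443: "https", 993: "imaps", 80: "http", 22: "ssh", 587: "submission"}

# Constructed sample log, same shape as the thread's lines.
SAMPLE_LOG = """\
[DoS attack: Fraggle Attack] from source 203.0.113.36,port 2190 Thursday, Aug 26,2021 09:11:06
[DoS attack: Fraggle Attack] from source 203.0.113.248,port 2190 Thursday, Aug 26,2021 09:11:06
[DoS attack: Fraggle Attack] from source 203.0.113.15,port 2190 Thursday, Aug 26,2021 09:10:44
[DoS attack: Fraggle Attack] from source 203.0.113.176,port 2190 Thursday, Aug 26,2021 09:10:44
[DoS attack: ACK Scan] from source 198.51.100.154,port 443 Thursday, Aug 26,2021 09:05:06
[DoS attack: ACK Scan] from source 198.51.100.108,port 993 Thursday, Aug 26,2021 09:09:26
[DoS attack: ACK Scan] from source 198.51.100.77,port 443 Thursday, Aug 26,2021 09:02:33
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a DoS entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
    return {"kind": m["kind"], "ip": m["ip"], "port": int(m["port"]), "ts": ts}


def classify(event):
    """Heuristic label for one event (wording is this example's assumption)."""
    if event["port"] in SERVER_PORTS:
        return "likely stale return traffic (%s)" % SERVER_PORTS[event["port"]]
    if event["kind"] == "Fraggle Attack":
        return "udp broadcast from neighbouring subnet; check what listens on this port"
    return "unclassified"


def burst_intervals(events):
    """Seconds between distinct timestamps for each (kind, source port) pair."""
    by_key = defaultdict(set)
    for e in events:
        by_key[(e["kind"], e["port"])].add(e["ts"])
    out = {}
    for key, stamps in by_key.items():
        s = sorted(stamps)
        out[key] = [int((b - a).total_seconds()) for a, b in zip(s, s[1:])]
    return out


def triage(log_text):
    """Parse a log dump; return (events, counts per label, burst intervals)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = defaultdict(int)
    for e in events:
        counts[(e["kind"], e["port"], classify(e))] += 1
    return events, dict(counts), burst_intervals(events)


if __name__ == "__main__":
    _, counts, intervals = triage(SAMPLE_LOG)
    for (kind, port, label), n in sorted(counts.items()):
        print(f"{n:3d}x {kind:<15} src port {port:<5} -> {label}")
    for key, gaps in intervals.items():
        print(f"{key}: seconds between bursts = {gaps}")
```

Run against the sample, the Fraggle entries collapse to two bursts 22 seconds apart on a single source port, and every ACK Scan entry comes from 443 or 993, which is the pattern of stale return traffic rather than a scan; the same script run on a real log export will show whether a new source port or a non-server port appears, which is the case that deserves a closer look.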
DexterJB
NETGEAR Moderator

Re: Barrage of DoS attacks from legitimate sources

Hi @Retired_Member, which model and firmware version is your NETGEAR device?

Message 2 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

 


@DexterJB wrote:

Hi @Retired_Member, which model and firmware version is your NETGEAR device?


RAX50, Firmware Version  V1.0.2.82_2.0.50

Message 3 of 17
DarrenM
Sr. NETGEAR Moderator

Re: Barrage of DoS attacks from legitimate sources

They could be false positives. Are the DoS attacks causing any performance issues?

 

DarrenM

Message 4 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

They are most certainly false positives. I was just wondering if there was a way to at the very least minimize the frequency of them, as this didn't happen with our last R7000 router.

Message 5 of 17
Razor512
Prodigy

Re: Barrage of DoS attacks from legitimate sources

It is not that they didn't happen with the old router; it is that the router just ignored or simply couldn't identify them.

 

Identifying an attack can be difficult apart from the obvious, e.g., if an IP is flooding you (saturating the WAN connection) with unrequested traffic then it will clearly be able to tell that a DoS attack is happening.

 

There is no way to make it 100% accurate, since there is no way to tell the intent behind the traffic, thus they tend to err on the side of mistrust, especially if something happens like an IP that you did not initiate any communication with trying to send SNMP traffic to you.

The router will drop the unrequested traffic anyway in both cases, but the newer router is able to identify the type of traffic and estimate whether it could have been malicious or not.

 

A good way to understand it, is to think of the term used in podcasts such as Security Now; the term is Internet Background Radiation.

Basically tons of unrequested traffic from the various botnets, millions of infected PCs, even some ancient Windows 98 systems that are still plugged in somehow and are trying to spread the malware they were infected with, where they simply scan the entire IP range endlessly and try to find vulnerable systems.

Message 6 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

In the end I ended up disabling the inbuilt DoS and port scan protection as we already have NETGEAR Armor, which also has it and is detecting nothing. We never suspected it was an actual attack as it was regular and not nearly the thousands you usually receive in an actual DoS attack.

Message 7 of 17
Razor512
Prodigy

Re: Barrage of DoS attacks from legitimate sources

The DoS protection, while basic, should still be left on. Its purpose is to provide protection while having an extremely low CPU usage. Armor goes more in-depth in its analysis, but has a higher CPU usage.

 

Think of the different functions like a multi-stage filter. Many high-end air filters will have many layers, and while all but the last layer can be removed and you will still get the filtering, that super-fine filter will clog quickly. While not an exactly fitting analogy, it should give some idea of how the various protections can work together.

 

The common security provided by default with the base firmware essentially handles the internet background radiation. Armor handles anything that makes it through, as well as testing for CVEs to alert you to any vulnerable devices, where you can take additional precautions, such as using service blocking to block any ports a vulnerable device will not need to use for normal operation, or potentially even moving vulnerable IoT devices to a different VLAN or guest WiFi to segment them from other LAN devices.

Message 8 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

As much as I would want to keep it enabled, I've done personal port scans on the most commonly scanned/abused ports, and all have been stealthed, and Armor has found no vulnerabilities on all our devices. On the 2 computers we use regularly, one has Bitdefender Total Security, and one has an endpoint solution, with both having port scan protection, so we see little reason to have the inbuilt router protection enabled.

Message 9 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

In the end I ended up disabling the inbuilt DoS and port scan protection as we already have NETGEAR Armor, which also has it and is detecting nothing. We never suspected it was an actual attack as it was regular and not nearly the thousands you usually receive in an actual DoS attack.


It may not be the protection that is the issue so much as the reporting.

 

Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.

 

If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.

 

Message 10 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

At first I did disable the logs, but I ended up just disabling the protection. I guess I'll re-enable it if that's the case.


Message 11 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

At first I did disable the logs, but I ended up just disabling the protection. I guess I'll re-enable it if that's the case.



Others do the same thing on the basis that the protection really doesn't achieve much in the way of added security that you don't get in other ways. But there are people who run a mile at the very mention of disabling anything that comes with the "security" word.

 

I just mentioned it because reports here suggest that it is the logging that puts the strain on the router's processor. So, I'd go with your strategy. Try it and see what works best for you.

Message 12 of 17
Razor512
Prodigy

Re: Barrage of DoS attacks from legitimate sources

The logging certainly is extra work for the CPU, but if you view the process handling it, either through telnet or the serial header, the usage will be rounded down to 0.0%, since stats on running processes do not measure to enough decimal places to measure the utilization. The basic protections are inaccurate but have extremely low resource utilization. Even if you connect a system to the WAN port and actually perform a DoS attack, the usage is far too low for it to accurately display, even as it logs a ton of stuff.

Beyond that, with DoS protection, there is nothing you can really do to stop it, but you can prevent actions that will amplify the attack. If it is an extremely basic attack where they are simply saturating the WAN connection with just randomly generated packets, then it really won't make any real difference whether the DoS protection is on or off; the same applies to even far higher-end equipment.

Message 13 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

I ended up re-disabling it, as even with the logging disabled it was clearly taking a toll on network speed.

 

Message 14 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

I ended up re-disabling it, as even with the logging disabled it was clearly taking a toll on network speed.

 


Has this solved the speed issue?

 

Message 15 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

Disabling the logging? No. Disabling the protection? Yes.

Message 16 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

Disabling the logging? no. disabling the protection? yes.


Great feedback. Much appreciated. Thanks for taking the trouble to report back. It should help future victims.

Message 17 of 17
Discussion stats
  • 16 replies
  • 3241 views
  • 1 kudo
  • 5 in conversation