
DoS attacks in log

bp31
Aspirant


Hi, I've been getting these DoS attacks from the same IP for a couple of days, then turned on DoS protection and they went away for a day, until today when I got these DoS attacks. The IP I'm talking about is in the Ping Of Death and Teardrop entries below.

 

Description | Count | Last Occurrence | Target | Source
[DoS attack: Teardrop or derivative] from 194.0.58.16, port 0 | 3 | Mon Jun 14 20:41:15 2021 | 168.46.189.51:0 | 194.0.58.16:0
[DoS attack: Ping Of Death] from 194.0.58.16, port 0 | 2 | Mon Jun 14 20:15:47 2021 | 168.46.189.51:0 | 194.0.58.16:0
[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53 | 1 | Mon Jun 14 19:29:55 2021 | | 75.75.75.75:53
[DoS attack: Ping Of Death] from 194.0.58.16, port 0 | 1 | Mon Jun 14 19:20:51 2021 | 168.46.189.51:0 | 194.0.58.16:0
[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53 | 1 | Mon Jun 14 18:50:47 2021 | | 75.75.75.75:53
[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53 | 1 | Mon Jun 14 18:04:08 2021 | | 75.75.75.75:53
[DoS attack: TCP- or UDP-based Port Scan] from 60.2.114.170, port 6000 | 1 | Mon Jun 14 18:01:01 2021 | |


Model: C7000-1AZNAS|Nighthawk AC1900 WiFi Cable Modem Router
Message 1 of 9

Re: DoS attacks in log


@bp31 wrote:

Hi, I've been getting these DoS attacks from the same IP for a couple of days, then turned on DoS protection and they went away for a day, until today when I got these DoS attacks.

Are you "reporting in" or asking for help?

 

Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.

 

Search - NETGEAR Communities – DoS attacks

 

Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.

 

Here is a useful tool for that task:

 

IPNetInfo: Retrieve IP Address Information from WHOIS servers

 

If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.

 

 

Message 2 of 9
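
A first-pass triage of entries like the ones posted in this thread, as an added example that is not part of any poster's reply: it groups alerts by source address so each address needs only one WHOIS lookup. The " | " row layout and the port-53 heuristic are assumptions of this example, not documented router behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries quoted in this thread; the " | " layout (description | count |
# last occurrence) is an assumption made for this example.
SAMPLE_LOG = """\
[DoS attack: Teardrop or derivative] from 194.0.58.16, port 0 | 3 | Mon Jun 14 20:41:15 2021
[DoS attack: Ping Of Death] from 194.0.58.16, port 0 | 2 | Mon Jun 14 20:15:47 2021
[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53 | 1 | Mon Jun 14 19:29:55 2021
[DoS attack: Ping Of Death] from 194.0.58.16, port 0 | 1 | Mon Jun 14 19:20:51 2021
[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53 | 1 | Mon Jun 14 18:50:47 2021
[DoS attack: TCP- or UDP-based Port Scan] from 60.2.114.170, port 6000 | 1 | Mon Jun 14 18:01:01 2021
"""
ENTRY = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from (?P<ip>[\d.]+), port (?P<port>\d+)"
    r"\s*\|\s*(?P<count>\d+)\s*\|\s*(?P<when>.+)$"
)
FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Jun 14 20:41:15 2021"

def summarise(log_text):
    """Group entries by source IP: total count, alert kinds, ports, timestamps."""
    sources = defaultdict(
        lambda: {"total": 0, "kinds": set(), "ports": set(), "seen": []})
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        s = sources[m["ip"]]
        s["total"] += int(m["count"])
        s["kinds"].add(m["kind"])
        s["ports"].add(int(m["port"]))
        s["seen"].append(datetime.strptime(m["when"].strip(), FMT))
    return dict(sources)

def triage(summary):
    """Label each source. Heuristic (assumption): a 'port scan' seen only from
    source port 53 is most likely late DNS replies from a resolver."""
    notes = {}
    for ip, s in summary.items():
        dns_like = s["kinds"] == {"TCP- or UDP-based Port Scan"} and s["ports"] == {53}
        notes[ip] = ("likely DNS replies; confirm owner with WHOIS" if dns_like
                     else "unknown; look up owner with WHOIS")
    return notes

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for ip, note in triage(summary).items():
        s = summary[ip]
        print(f"{ip:15} {s['total']:3} alerts {sorted(s['kinds'])} -> {note}")
```
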
bp31
Aspirant

Re: DoS attacks in log

I'm sorry, my question is if these are DoS attacks toward me or are they using me as a bot to attack someone else? I ask because it seems one is my own ISP but the other is an IP from RIPE Network Coordination and its target is Texas Department of Information Resources.

Message 3 of 9

Re: DoS attacks in log


@bp31 wrote:

I'm sorry, my question is if these are DoS attacks toward me or are they using me as a bot to attack someone else?


OK. See my answer.

 

Most people ignore these false alarms.

 

If you think about it, the alerts just say "we repelled this attack on your system". That there was no attack just means that the router foiled a non-existent onslaught.

Message 4 of 9
microchip8
Master

Re: DoS attacks in log

Do note that blocking these DoS attacks is rather expensive CPU-wise as iptables is not the biggest speed monster. It's more expensive than logging them.

I've been running for years with DoS protection disabled and have had no problems. Given the amount of false positives, I question @michaelkenward's claim that the router will protect you if DoS is turned on.

Message 5 of 9

Re: DoS attacks in log


@microchip8 wrote:

Given the amount of false positives, I question @michaelkenward's claim that the router will protect you if DoS is turned on.


Who said that? Read it again.

 

First you probably mean "off".

 

I did not say that you should turn off "DoS". What I suggested was disabling the logging of Known DoS attacks and Port Scans. That is on the Logs page of the controls.

 

Here's the exact wording I used:

 

Disable logging of DoS attacks and see if that reduces the problem.

Emphasis added.

 

This is not the same as Disable Port Scan and DoS Protection which appears on a completely different WAN Setup page in the router's controls.

 

In the same way, disabling the logging of Router operation (startup, get time etc) does not mean that you are turning off router operation.

Message 6 of 9
microchip8
Master

Re: DoS attacks in log


@michaelkenward wrote:

@microchip8 wrote:

Given the amount of false positives, I question @michaelkenward's claim that the router will protect you if DoS is turned on.


Who said that? Read it again.

 

First you probably mean "off".

 

I did not say that you should turn off "DoS". What I suggested was disabling the logging of Known DoS attacks and Port Scans. That is on the Logs page of the controls.

 

Here's the exact wording I used:

 

Disable logging of DoS attacks and see if that reduces the problem.

Emphasis added.

 

This is not the same as Disable Port Scan and DoS Protection which appears on a completely different WAN Setup page in the router's controls.

 

In the same way, disabling the logging of Router operation (startup, get time etc) does not mean that you are turning off router operation.


"If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs."

 

Your words. 

 

Blocking with iptables is more expensive than logging. Turning off logging and the amount of false positives will not "protect" you from anything much. You may relieve the CPU by turning logging off, but iptables is still there putting a strain on the CPU.

Message 7 of 9
bp31
Aspirant

Re: DoS attacks in log

So what should I do? I have these logs with both the DoS protection on and off. Here are the recent logs from today. There are more, but these are the most recent:

[DoS attack: Teardrop or derivative] from 194.0.58.16, port 0 | 6 | Tue Jun 15 18:19:33 2021 | 193.51.234.217:0 | 194.0.58.16:0
[DoS attack: Ping Of Death] from 194.0.58.16, port 0 | 15 | Tue Jun 15 17:18:47 2021 | 193.51.234.217:0 | 194.0.58.16:0
[DoS attack: Teardrop or derivative] from 194.0.58.16, port 0 | 7 | Tue Jun 15 16:21:03 2021 | 168.46.189.51:0 | 194.0.58.16:0

Message 8 of 9

Re: DoS attacks in log


@bp31 wrote:

So what should I do? I have these logs with both the DoS protection on and off.

It seems that it is not "DoS protection" that creates the log, but something else.

 

My advice was to TURN OFF LOGGING of DoS attacks. (See above.) This is not the same as Disable Port Scan and DoS Protection, which is possibly what you have done.

 

In the Administration area of Advanced management, go to the Logs section. Uncheck Known DoS attacks and Port Scans.

 

Or just ignore those entries.

Message 9 of 9