Router can't handle web load balancing?

IrvSp
Master

Again yesterday I got hit with 'attacks' according to the router log:

==========
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [24.143.206.49], Sunday, Jan 18,2015 10:53:18
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [24.143.206.18], Sunday, Jan 18,2015 10:53:17
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [24.143.206.49], Sunday, Jan 18,2015 10:53:17
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [24.143.206.18], Sunday, Jan 18,2015 10:53:15
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [93.184.216.151], Sunday, Jan 18,2015 10:48:08
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [31.13.73.12], Sunday, Jan 18,2015 10:48:06
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [93.184.216.151], Sunday, Jan 18,2015 10:48:02
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [184.29.176.76], Sunday, Jan 18,2015 10:47:45
==========

One is from Facebook that I was on. One specific link did NOT work? It returned a 'not sign', the red circle with a slash in it. Figured Web of Trust or my A/V - F/W closed it off. I knew it was a scam site purporting to give you a chance to get a voucher from Qantas. Either that or it was taken down already.

When I saw the log today I sent to abuse@....com of the offending owners of the IP Addresses. Got one back already:

=============
Thank you for contacting EdgeCast Networks with your issue. The IP address 93.184.216.151 that you have supplied is assigned to a load balancer of web traffic. When it receives requests for port 80 or 443 it will route those requests to thousands of servers behind the load balancer for very large websites. We do not initiate connections or scans.
==============

So it seems a request went out to an IP Address and the ISP's load balancer routed it to a different IP Address (the attacking one I assume) and the R7000 shut it off since it didn't send anything there? The 'end result' to me is the web page didn't load?

Would turning OFF NAT Filtering 'fix this'? Will it open me up to other 'problems' though?
Message 1 of 6
fordem
Mentor

Re: Router can't handle web load balancing?

I think you're misinterpreting their reply....

First - webserver load balancing is a time tested, transparent process - if the webserver's reply appeared to come from an address other than the one it was sent to, your router (and everyone else's) would simply discard it, and no pages from that website would ever load on any computer.

Second - you have been told that the 93.184.216.151 address is the load balancer, but based on your logs, the 93.185.216.151 address IS the attacking one, so it cannot be one of the "different" IP addresses the request was routed to.

It is not unusual for "FIN" packets (packets with the FIN flag set) to be sent by a server that you have recently visited; FIN packets are used to "tear down" or terminate the TCP connection that was used.

My recommendation on DoS attack logs is to simply ignore them or disable the logging if you can - for two reasons - the first being that if you're on the receiving end of an actual DoS attack, you will know, even without the logs, because your internet connection will simply "drop dead", denying you the use of the connection, and the second, that you can't protect against it from your end.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 2 of 6
IrvSp
Master

Re: Router can't handle web load balancing?

fordem wrote:


My recommendation on DoS attack logs is to simply ignore them or disable the logging if you can - for two reasons - the first being that if you're on the receiving end of an actual DoS attack, you will know, even without the logs, because your internet connection will simply "drop dead", denying you the use of the connection, and the second, that you can't protect against it from your end.


OK, how would you do that on the R7000? Is it setting NAT to open?

I thought during an attack ONLY the attacking address was turned off for 20 seconds or so?

Isn't that what happened though? The reply from a different IP Address was discarded and assumed to be the FIN SCAN attack?

In any event, somehow the router considered this an attack and if so either didn't shut-off my internet or did it just for that address.
Message 3 of 6
fordem
Mentor

Re: Router can't handle web load balancing?

Where are you getting the idea that the router shuts off your internet? As far as I know, all that happens is the "attack" is logged, and in my opinion detecting a "fin scan" as a DoS attack should be considered a "false positive".

A denial of service attack is any attack that can deny the user the use of the internet connection, and there are many ways to achieve this - any process that utilizes router resources can do it. You'll commonly see "ack scans" & "fin scans" being logged; these are older methods that would cause the router to assign connection resources to the connections, so that when enough of these "bogus" connections are made, the router would be unable to allow actual connections to be made.

These older DoS attack vectors have largely been eliminated by improvements to firmware, which for example will "time out" the "bogus" connection and release the resources in much less time than before, so the hackers have turned to other methods.

A much easier way to create a denial of service attack is to simply "flood" the connection with a large volume of data - your ISP link has a finite limit, y mb/sec and all an attacker needs to do is send more data than the link can pass - service WILL be denied.

Regarding the fin attack logged, the fin packet would have come from the address logged. If the router could associate the fin packet with a previous connection, it should not log it as an attack; it would consider it part of the connection "tear down" process. What most likely happened there is the website sent a fin packet to tear down the connection, the router received it and acknowledged, and that ACK never made it to the website - this will create a scenario where the router sees the connection as terminated, but the website does not, and so it sends a few more fin packets, which the router detects as an attack.

Message 4 of 6
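
Added example, not part of the original thread and not NETGEAR code: a simplified Python model of the lost-ACK explanation in the post above, showing how retransmitted FINs end up logged as a "FIN Scan". It assumes a router that drops its connection state on the first FIN; the endpoints, the `ToyRouter` class and the shortened log format are constructed for illustration.

```python
"""Toy model of a stateful router logging retransmitted FINs as a "FIN Scan"."""

LAN, WEB = ("192.168.1.2", 50000), ("203.0.113.10", 443)  # constructed endpoints


class ToyRouter:
    """Simplified connection tracker (hypothetical; not NETGEAR firmware)."""

    def __init__(self):
        self.table = set()  # tracked flows: (lan_endpoint, wan_endpoint)
        self.log = []

    def outbound(self, lan, wan, flags):
        # An outgoing SYN creates the state entry for the flow.
        if "SYN" in flags:
            self.table.add((lan, wan))

    def inbound(self, wan, lan, flags):
        flow = (lan, wan)
        if flow in self.table:
            if "FIN" in flags:
                # Assumption: the router drops its state on the first FIN.
                self.table.discard(flow)
                return "teardown"
            return "forwarded"
        if "FIN" in flags:
            # A FIN with no matching state looks unsolicited to the router.
            self.log.append(f"[DoS attack: FIN Scan] from ip [{wan[0]}]")
        return "dropped"


def lost_ack_scenario(retransmits):
    """Server closes, the ACK is lost, server re-sends FIN `retransmits` times."""
    router = ToyRouter()
    router.outbound(LAN, WEB, {"SYN"})
    verdicts = [router.inbound(WEB, LAN, {"SYN", "ACK"})]
    verdicts.append(router.inbound(WEB, LAN, {"FIN", "ACK"}))  # real teardown
    # The client's ACK never reaches the server, so the server retransmits.
    for _ in range(retransmits):
        verdicts.append(router.inbound(WEB, LAN, {"FIN", "ACK"}))
    return verdicts, router.log


if __name__ == "__main__":
    verdicts, log = lost_ack_scenario(3)
    print(verdicts)
    print(*log, sep="\n")
```

Each retransmitted FIN produces one log entry from the same source address, which matches the short bursts from a single IP within a few seconds seen in the router log at the top of the thread.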
IrvSp
Master

Re: Router can't handle web load balancing?

fordem wrote:
Where are you getting the idea that the router shuts off your internet? As far as I know, all that happens is the "attack" is logged, and in my opinion detecting a "fin scan" as a DoS attack should be considered a "false positive".



Good question? I 'think' I saw someplace that the router will disable that address for 20 seconds? Now I can't find that anywhere?

Still have not answered the question I asked about 'secure' and 'open' NAT? Will that stop the reporting of these and what are the consequences of using 'open'?
Message 5 of 6
fordem
Mentor

Re: Router can't handle web load balancing?

I have no idea on secure & open NAT, to me - NAT is NAT - it's just a method of sharing a single public ip address amongst several hosts with private ip addresses. Open NAT is apparently of importance to gamers, and may be of specific value to those with multiple game consoles behind the same router - I doubt that it has anything to do with the logging or detection of DoS attacks, and I don't expect it to change anything.

Message 6 of 6