× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
× Introducing the new Orbi 770 Series Mesh System. To learn more click here.
Orbi WiFi 7 RBE973
Reply

Barrage of DoS attacks from legitimate sources

Retired_Member
Not applicable

Barrage of DoS attacks from legitimate sources

After buying and switching to an new Router, we have constant DOS attacks from our supposed service provider aswell as Google, Github and our service provider, with the same 4 IP addresses every that are slightly different to our IP address, exactly every 30-40 seconds using Fraggle Attack from port 2190, with occasional ACK scans using port 443, I have tried changing the DNS server (aswell as using the service provider DNS), resetting settings and rebooting the router, nothing has worked.

 

[DoS attack: Fraggle Attack] from source ~~.155.210.36,port 2190 Thursday, Aug 26,2021 09:11:06
[DoS attack: Fraggle Attack] from source ~~.155.211.248,port 2190 Thursday, Aug 26,2021 09:11:06
[DoS attack: Fraggle Attack] from source ~~.155.211.15,port 2190 Thursday, Aug 26,2021 09:10:44
[DoS attack: Fraggle Attack] from source ~~.155.210.176,port 2190 Thursday, Aug 26,2021 09:10:44
 
 
[DoS attack: ACK Scan] from source 185.199.109.154,port 443 Thursday, Aug 26,2021 09:05:06
[DoS attack: ACK Scan] from source 173.194.73.108,port 993 Thursday, Aug 26,2021 09:09:26
[DoS attack: ACK Scan] from source 34.120.243.77,port 443 Thursday, Aug 26,2021 09:02:33
 
I have read Netgear's DoS protection is full of false positives and many users also experience attacks from port 2190, but this never happened (at this scale) with our older router
Message 1 of 17
DexterJB
NETGEAR Moderator

Re: Barrage of DoS attacks from legitimate sources

Hi @Retired_Member, which model and firmware version is your NETEGAR device?

Message 2 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

 


@DexterJB wrote:

Hi @Retired_Member, which model and firmware version is your NETEGAR device?


RAX50, Firmware Version  V1.0.2.82_2.0.50

Message 3 of 17
DarrenM
Sr. NETGEAR Moderator

Re: Barrage of DoS attacks from legitimate sources

They could be false positives are the DOS attacks causing any performance issues?

 

DarrenM

Message 4 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

They are most certainly false positives, I was just wondering if there was an way to at the very least minimize the frequency of them, as this didnt happen with our last R7000 router.

Message 5 of 17
Razor512
Prodigy

Re: Barrage of DoS attacks from legitimate sources

It is not that they didn't happen with the old router, it is that the router just ignored or simply couldnt identify them.

 

Identifying an attack can be difficult apart from the obvious, e.g., if an IP is flooding you (saturating the WAN connection) with unrequested traffic then it will clearly be able to tell that a DOS attack is happening.

 

There is no way to make it 100% acurate since there is no way to tell since there is no way to tell the intent behind the traffic, thus they tend to air on the side of mistrust, especially if something happens like an IP that you did not initiate any communication with, is trying to send SNMP traffic to you.

The router will drop the unrequested traffic anyway in both cases, but the newer router be able to identify the type of traffic and estimate if it could have been malicious or not.

 

A good way to understand it, is to think of the term used in podcasts such as Security Now; the term is Internet Background Radiation.

Basically tons of unrequested traffic from the various botnets, milions of infected PCs, even some ancient windows 98 systems that are still plugged in someway and is trying to spread the malware that it was infected with, where they simply scan the entire IP range endlessly and try to find vulnerable syastems.

Message 6 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

In the end I ended up disabling the inbuilt DoS and Port scan protection as we already have Netger Armor, which also have it and its detecting nothing, we never suspected it was an actual attack as it was regular and not nearly the thousands you usually recieve in an actual DoS attack.

Message 7 of 17
Razor512
Prodigy

Re: Barrage of DoS attacks from legitimate sources

The DOS protection is while basic should still be left on. Its purpose is designed to provide protection while having an extremely low CPU usage. Armor goes more in-depth in its analysis, but has a higher CPU usage.

 

Think of the different functons like a multi stage filter. Many high end air filters will have many layers, and while all but the last layer can be removed and you will still get the fitering, that super fine filter will clog quickly. While not an exactly fitting analogy, it shoudl give some idea of how the various protections can work together.

 

The common security provided by default with the base firmware essentially handles the internet background radiation. Armor handles anything that makes it through as well as testing for CVEs to alert you to any vulnerable devices where you can take additional precautions, such as using service blocking to block any ports a vulnerable device will not need to use for normal operation, or potentially even moving vulnerable IOT devices to a different VLAN or guest WiFi to segment them from other LAN drvices.

Message 8 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

As much as I would want to keep it enabled, ive done personal port scans on the most commonly scanned/abused ports, and all have been stealthed, and Armor has found no vulnerabilities on all our devices, and on the 2 computers we regularly, one has Bitdefender Total Security, and one with an Endpoint solution, with both having port scan protection we see little reason to have the inbuilt router protection enaled.

Message 9 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

In the end I ended up disabling the inbuilt DoS and Port scan protection as we already have Netger Armor, which also have it and its detecting nothing, we never suspected it was an actual attack as it was regular and not nearly the thousands you usually recieve in an actual DoS attack.


It may not be the protection that is the issue so much as the reporting.

 

Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.

 

If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.

 

Message 10 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

At first I did disable the logs, but I ended up just disabling the protection, I guess ill re-enable if if thats the case.


Message 11 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

At first I did disable the logs, but I ended up just disabling the protection, I guess ill re-enable if if thats the case.



Others do the same thing on the basis that the protection really doesn't achieve much in the way of added security that you don't get in other ways. But there are people who run a mile at the very mention of disabling anything that comes with the "security" word.

 

I just mentioned it because reports here suggest that it is the logging that puts the strain on the router's processor. So, I'd go with your strategy. Try it and see what works best for you.

 

 

 

 

 

Message 12 of 17
Razor512
Prodigy

Re: Barrage of DoS attacks from legitimate sources

The logging certainly is extra work for the CPU, but if you view the process handling it either through telnet or the serial header, the usage will be rounded down to 0.0% since stats on running processes do not measure down to enough decimal places to measure the utulization. The basic protections are inaccurate but extremely low resource utilization. Even if you connect a system to the WAN port and actually perform a DOS attack the usage is far too low for it accurately display even as it logs a ton of stuff.

Beyond that, with DOS protection, there is nothing you can really do to stop it, but you can prevent actions that will amplify the attack. If it is an extremely basic attack where they are simply saturating the WAN connection with just randomly generated packets, then it really won't make any real difference whether the DOS protection is on or off; same applies to even far higher end equipment.

Message 13 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

I ended up re-disabling it, as even with the logging disabled it was clearly taking a toll on network speed.

 

Message 14 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

I ended up re-disabling it, as even with the logging disabled it was clearly taking a toll on network speed.

 


Has this solved the speed issue?

 

Message 15 of 17
Retired_Member
Not applicable

Re: Barrage of DoS attacks from legitimate sources

Disabling the logging? no. disabling the protection? yes.

Message 16 of 17

Re: Barrage of DoS attacks from legitimate sources


@Retired_Member wrote:

Disabling the logging? no. disabling the protection? yes.


Great feedback. Much appreciated. Thanks for taking the trouble to report back. It should help future victims.

 

 

 

Message 17 of 17
Top Contributors
Discussion stats
  • 16 replies
  • 4635 views
  • 1 kudo
  • 5 in conversation
Announcements

Orbi 770 Series