
DoS Attack: SYN/ACK Scan

I keep seeing the logs below in my Orbi router. What does "DoS Attack: SYN/ACK Scan" signify? Also, I am not sure why it prints "DHCP IP: <ip>" for all connected devices. DHCP has a lease time of 24hrs?

Appreciate any help on this

Firmware: V2.5.1.16

 

Please see attachment. Thanks!

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 6
Guru

Re: DoS Attack: SYN/ACK Scan

You need to do a whois lookup on the 157.240.22.54 IP address.


My Setup (Cable 900Mbps/50Mbps)>CAX80>Orbi RBK50 v2.5.1.16(Router Mode)
Additional NG HW: C7800/CM1100/CM1200, Orbi CBK40, Orbi RBK50/RBK853, R7800, R7960P, EX7500/EX7700, XR450 and WNHDE111
Message 2 of 6
Master

Re: DoS Attack: SYN/ACK Scan


@nagendraprasath wrote:

I keep seeing the logs below in my Orbi router. What does "DoS Attack: SYN/ACK Scan" signify? Also, I am not sure why it prints "DHCP IP: <ip>" for all connected devices. DHCP has a lease time of 24hrs?


The Orbi log contains a wide variety of items. A DHCP assignment is recorded every time a device uses DHCP to ask Orbi to assign it an IP address. With a "lease time" of one day (24 hours), the DHCP standard calls for the device to request a renewal when the lease is half-expired. They are entirely normal. I know of no method to make the Orbi cease logging these events.

 

The Orbi firewall refuses all connection attempts except those specifically authorized by the user (see "Port Forwarding" and Remote Management). The firewall also has some (mysterious) mechanism for determining that a "pattern" of connection requests falls into a recognizable category of "scan" or "Denial of Service" attack. There is an option to have Orbi not include those conclusions in the log. As an analogy, suppose my practice is to never answer the telephone unless I recognize the calling number. Calls may come in, but if I do not recognize the caller, I never answer. I could keep a record of all the "Caller ID's" that I did not answer. If I seem to get many calls from the same number, I might even decide to highlight them ("aha, the Heart Foundation still wants a donation from me.") and assign them a category ("public appeals for money"). That's what Orbi's firewall is logging.

 

There are suggestions that Orbi is too aggressive in describing things as "DoS Attacks" or "ACK Scans".  Alas, Netgear publishes nothing about how the firewall makes these determinations.

 

If they bother you, you can turn off the notices.

I love my Orbi.
Message 3 of 6

Re: DoS Attack: SYN/ACK Scan

Thanks for your response. Yes, I did. They belong to Facebook, Amazon, Google...

Today I see the one below, and the IP address resolves to Facebook and port 443 is HTTPS. What I am not understanding is what exactly the log is trying to convey. Does it mean one of my PCs/smartphones connected to Facebook? But then why is it under "DoS Attack: ACK Scan"?

 

[DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Sunday, June 07, 2020 17:51:12
Message 4 of 6
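
As an added example (not part of any post in this thread, and not Netgear code), here is one way to triage entries like the one quoted above: parse each line and group it by source, port and category. It assumes the logged "port" is the remote source port; every sample line except the first is constructed, and the `likely-server-reply` label is a heuristic, not a statement of how the Orbi firewall classifies traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Layout copied from the entry quoted in the thread:
# [DoS Attack: <kind>] from source: <ip>, port <n>, <weekday>, <month> <dd>, <yyyy> <hh:mm:ss>
ENTRY = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), (?P<when>.+)$"
)
# Assumption: "port" is the remote (source) port, so 80/443 marks a packet
# that came from a web server's listening port.
WEB_PORTS = {80, 443}

# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE = [
    "[DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Sunday, June 07, 2020 17:51:12",
    "[DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Sunday, June 07, 2020 18:02:40",
    "[DoS Attack: SYN/ACK Scan] from source: 192.0.2.10, port 51234, Monday, June 08, 2020 03:14:09",
    "[DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Monday, June 08, 2020 09:30:00",
    "[DHCP IP: 192.168.1.5] constructed non-firewall entry",
]

def parse_line(line):
    """Return a dict for a firewall entry, or None for any other log line."""
    m = ENTRY.search(line.strip())
    if m is None:
        return None
    when = datetime.strptime(m["when"], "%A, %B %d, %Y %H:%M:%S")
    return {"kind": m["kind"], "src": m["src"], "port": int(m["port"]), "when": when}

def summarize(lines):
    """Group entries by (source, port, kind), most frequent first."""
    counts = Counter()
    for entry in filter(None, map(parse_line, lines)):
        counts[(entry["src"], entry["port"], entry["kind"])] += 1
    report = []
    for (src, port, kind), n in counts.most_common():
        # Heuristic only: traffic from a web port is consistent with replies to
        # connections a LAN device opened; anything else deserves a closer look.
        label = "likely-server-reply" if port in WEB_PORTS else "review"
        report.append((src, port, kind, n, label))
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
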

Re: DoS Attack: SYN/ACK Scan

Thanks for your response. I agree with your comment about DHCP. Is there a way to increase the DHCP lease beyond 24 hrs?

Message 5 of 6
Master

Re: DoS Attack: SYN/ACK Scan

While I (personally) sort of like seeing that my devices are renewing their IP leases twice a day, my impression is that the default lease probably can be changed.  According to what I find by searching the web, a DHCP lease can be as long as 135 years.  This one article recommends various lease times for specific situations:

https://www.informit.com/articles/article.aspx?p=30874&seqNum=3 

Notice that they are describing a situation where different DHCP "pools" are used for different purposes (student labs vs. servers, etc.)

Orbi has only a single DHCP pool.

 

When I telnet into my Orbi and display parameters using the command

nvram show | grep dhcp

(display all the parameters and pass them through the program "grep" to list only those with the string "dhcp" in it)

One of the lines that shows up is this:

dhcpc_lease_time=86400

86,400 seconds is one day (60x60x24).  So, in theory, one could change that to a different value by typing:

config set dhcpc_lease_time=864000

config commit

This would create a lease time of 10 days.  Please understand:

  • I would for certain make a backup of the Orbi configuration in case this goes horribly wrong and I am forced to Factory Reset the Orbi.
  • I have not done this myself

 

I love my Orbi.
Message 6 of 6