×

Introducing the Orbi 970 Series Mesh System with WiFi 7(BE) technology. For more information visit the NETGEAR Press Room.

Orbi WiFi 7 RBE973
Reply

DoS Attack Trivia

CrimpOn
Guru

DoS Attack Trivia

Users sometimes post questions about whether the Denial of Service (DoS) attacks that Orbi posts to the log are causing their Orbi's to fail.  I have kept logs for quite some time, and thought it would be interesting to see what my Orbi has logged for the past year (Sept 2020 through Aug 2021).  Here are the results of the 28,054 logged attacks:

 

                Count  Percent
ACK Scan.......  3,183  11.346
ARP Attack.....    109   0.389
Ascend Kill....     35   0.125
ICMP Scan......     40   0.143
NULL Scan......      4   0.014
Ping Flood.....     10   0.036
RST Scan.......  2,573   9.172
SYN/ACK Scan... 21,340  76.068
SYN/RST Scan...     30   0.107
TCP/UDP Chargen    360   1.283
TCP/UDP Echo...    366   1.305
WinNuke Attack.      7   0.025

 

Only three types of attack make up 96% of the log entries.  Logs vary tremendously from day to day.  There were two periods of extreme activity (Sept 2020 and July 2021) where someone was hammering incessantly, with a peak of 2,123 hits in one day.  Only 5 days recorded more than 500 attacks over the entire year. The median was 53. (a little over two an hour.)

 

Although upsetting to witness, these reports in the log are only that: reports. None of these connection attempts were accepted, and the Orbi never paused, disconnected, or failed in any way. As an interesting side note, there was a user recently who reported his Orbi rebooting frequently (which he attributed to DoS attacks) and he found that unchecking the "Log DoS Attacks", clearing the log, and then re-enabling the function made the problem go away.

 

Just trivia.

Message 1 of 6
Oldguy18
Aspirant

Re: DoS Attack Trivia

Thanks for the summary and tips. Our SSR60 keeps logging a wide variety of DOS attacks, with no apparent ill effect.

Only lately have there been ARP attacks from ... one of the satellites? If this was just a problem with NG's algorithm, isn't it odd? You'd think they would be able to account for their own equipment.

Or does it actually mean that something's up with the satellite?

Any advice would be appreciated.

 

Message 2 of 6
CrimpOn
Guru

Re: DoS Attack Trivia


@Oldguy18 wrote:

Only lately have there been ARP attacks from ... one of the satellites? If this was just a problem with NG's algorithm, isn't it odd? You'd think they would be able to account for their own equipment.

Or does it actually mean that something's up with the satellite?


I  hav no information on how the Orbi Dos Analysis works.  In a technical sense, I believe they have put hooks into the Linux 'iptables' software that processes packets into and out of the Orbi.

 

If the Orbi Pro (SRR60) has the same features as the residential Orbi (RBR50), and the reports of ARP attacks from inside the LAN occur a lot, I would use the option on the debug page to Enable LAN/WAN packet capture and then use Wireshark to see how many packets there are and verify that they are in fact coming from a satellite and what IP is being asked about.  The point of ARP packets is to make the connection between an IP address and the ethernet MAC address of a device.  If a satellite is constantly asking "Who has this IP? Who has this IP?", I would want to know which IP it's asking about.  Maybe there's a misconfiguration somewhere and a device constantly wants something but has the wrong IP address for it.

Message 3 of 6
Oldguy18
Aspirant

Re: DoS Attack Trivia

Thanks for the suggestions -- it hadn't occurred to me that the ARP might be legit -- I guess the 'DOS Attack' message put me off. Can't seem to find a 'debug' page on my router's interface. Is there somewhere else I should be looking?

Message 4 of 6
CrimpOn
Guru

Re: DoS Attack Trivia

On the residential Orbi product, there is a web page http://orbilogin.net/debug.htm that has some interesting information and options. I have never had access to the "Pro" model to learn if it has a similar feature.

 

Message 5 of 6
Oldguy18
Aspirant

Re: DoS Attack Trivia

That works, thanks -- there's just no launch from the main UI.

 

Message 6 of 6
Top Contributors
Discussion stats
  • 5 replies
  • 1026 views
  • 4 kudos
  • 2 in conversation
Announcements

Orbi WiFi 7