Re: DoS Attacks....

LoboTommy
Luminary

DoS Attacks....

So, I read up that the router is blocking DoS attacks, and that the logs tell me it's doing its job. However, I have found it consistent that every time the router blocks a DoS attack, the mesh loses connection.

Got any great fixes for that?

 


My setup: (Fiber 500Mb/500Mb)>FMG-3542(Bridge mode)>RBR20
Additional NG HW: 3xOrbi RBS20
Model: RBR20|Orbi AC2200 Tri-band WiFi Router
Message 1 of 10
CrimpOn
Guru

Re: DoS Attacks....

My experience is exactly the opposite.  Orbi logs show 50-80 DoS attempts of various kinds every day, and my Orbi system never goes down.  Never loses Internet and the satellite never loses sync with the router.

 

When things are happening that simply "can't happen", the general recommendation is to do a reset, and if that doesn't work to do a "factory reset".  Some people even recommend reloading the firmware and doing a reset.

I love my Orbi.
Message 2 of 10
LoboTommy
Luminary

Re: DoS Attacks....

No way I am doing another full round of factory resets.
I had my ISP set up a new IP for me; seems the problems went away for now.
But it was consistent. For every log of a DoS attack, the satellites lost sync. I was logged in to the router and watched it happen more or less live (at about 19:26, last log entry).
My setup: (Fiber 500Mb/500Mb)>FMG-3542(Bridge mode)>RBR20
Additional NG HW: 3xOrbi RBS20
Message 3 of 10
SW_
Prodigy

Re: DoS Attacks....

Hi @LoboTommy,

 

Try disabling all logging activities, i.e. untick all the boxes. If Orbi is too busy with logging activities due to these attacks, internet/WiFi traffic could be negatively affected. If disabling logging doesn't resolve the issue, you can tick all those boxes again. Good luck!

 

Message 4 of 10
FURRYe38
Guru

Re: DoS Attacks....

Did you do a backup configuration to file? If you did, then resets would be easy. 😉


@LoboTommy wrote:
No way I am doing another full round of factory resets.
I had my ISP set up a new IP for me; seems the problems went away for now.
But it was consistent. For every log of a DoS attack, the satellites lost sync. I was logged in to the router and watched it happen more or less live (at about 19:26, last log entry).

 

My Setup ISP SparkLight | Internet Cable 1000↓/50↑ CM1200 Modem |  Wifi Router Orbi RBK853 (Router Mode), Wired Backhaul and RBK752 | Switches NG GS105/8, GS308v3, GS110MX and XS505M | 

Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: R7000, R7800, R7960P, R8000, R8500, RAXE500, RAX50, XR450, EX7500/EX7700

Message 5 of 10
ekhalil
Master

Re: DoS Attacks....

I usually enter the IP addresses of the DoS attacks that I see in the logs in the Drop IP Tables, and that helps in preventing further attacks.

Unfortunately, the changes are not persistent and need to be entered after every restart 😞

Here are my "favourite" DoS IP addresses; I see some of them are the same as the ones listed by @LoboTommy:

The list is in ascending IP addresses order (to be able to keep track of new entries) 🙂 :

 


My Setup Internet Fiber ONT 250↓/250↑ ISP Telenor | Wifi Router Orbi RBR850 + RBS850 + 2x RBS750 + 3x RBS350, Wired/Wireless BH / Orbi RBR50 + 6x RBS50 + RBS40V + RBS50Y, Wired/Wireless BH | Switches NG GS208 | Time Zone CET (Sweden)

Message 6 of 10
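An added example, not code from this thread or from Netgear: a POSIX shell script that extracts source addresses from Orbi DoS log lines, keeps the ones that recur, and emits ekhalil's DROP rules in a form that can be re-applied after every reboot without creating duplicates (iptables -C tests for an existing rule before -I inserts it). The sample log lines are constructed in the router's own log format using addresses from this thread, and the WAN interface name eth0 is assumed from the posted rules.

```shell
#!/bin/sh
# Constructed sample in the Orbi log format: "[DoS Attack: <type>] from source: <ip>, port <n>, <date>"
SAMPLE_LOG='[DoS Attack: ACK Scan] from source: 31.13.72.8, port 443, Monday, April 29, 2019 19:25:13
[DoS Attack: RST Scan] from source: 85.10.206.164, port 999, Monday, April 29, 2019 18:54:10
[DoS Attack: ACK Scan] from source: 31.13.72.8, port 443, Monday, April 29, 2019 16:44:56
[DoS Attack: TCP/UDP Chargen] from source: 185.94.111.1, port 51975, Monday, April 29, 2019 18:51:02'

# Read log text on stdin; print "count ip" per source address, most frequent first.
count_sources() {
    sed -n 's/^\[DoS Attack: [^]]*\] from source: \([0-9.]*\),.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read log text on stdin; print only addresses logged at least $1 times.
repeat_offenders() {
    min="$1"
    count_sources | awk -v m="$min" '$1 >= m {print $2}'
}

# Read addresses on stdin (one per line); emit an idempotent DROP rule for each on interface $1.
# "iptables -C" exits non-zero when the rule is absent, so the -I only runs when needed;
# the rules themselves are still lost on reboot, which is why the script is meant to be re-run.
gen_drop_rules() {
    iface="$1"
    while read -r ip; do
        printf 'iptables -C INPUT -i %s -s %s -j DROP 2>/dev/null || iptables -I INPUT -i %s -s %s -j DROP\n' \
            "$iface" "$ip" "$iface" "$ip"
    done
}

# Example pipeline: block every source seen twice or more in the sample log.
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2 | gen_drop_rules eth0
```

On the router itself the output lines can be saved to a text file and pasted into the telnet session after each restart, as the thread describes.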
CrimpOn
Guru

Re: DoS Attacks....


@ekhalil wrote:

I usually enter the IP addresses of the DoS attacks that I see in the logs in the Drop IP Tables, and that helps in preventing further attacks.


Is the concept here that iptables processing takes place before firewall processing?  i.e. the firewall software doesn't "see" these packets, and thus does not record them?  They are still arriving, but just not processed?  If the Orbi is not responding to these packets, how much workload does this eliminate?

I love my Orbi.
Message 7 of 10
LoboTommy
Luminary

Re: DoS Attacks....

Where is that? Like, here? (See attached picture)
How do you set it up?
My setup: (Fiber 500Mb/500Mb)>FMG-3542(Bridge mode)>RBR20
Additional NG HW: 3xOrbi RBS20
Message 8 of 10
CrimpOn
Guru

Re: DoS Attacks....


@LoboTommy wrote:
Where is that? Like, here? (See attached picture)

Orbi's web and smartphone apps do not provide a way to enter this information. These commands are entered by using the 'debug' page to enable telnet, opening a telnet session to the router, and then entering these lines. (Most often by copying them from a text file and pasting them into the telnet window.) Since Orbi is built on OpenWRT, which in turn is built on a version of Linux, there are dozens of things that someone proficient in Linux can do.

 

My guess is that 99% of Orbi owners have no idea the debug facility exists and have never used telnet.

I love my Orbi.
Message 9 of 10
LoboTommy
Luminary

Re: DoS Attacks....

So, in simple terms for a common man. What do I do? Step by step....? 😉
My setup: (Fiber 500Mb/500Mb)>FMG-3542(Bridge mode)>RBR20
Additional NG HW: 3xOrbi RBS20
Message 10 of 10