DoS Attacks....

LoboTommy
Luminary


So, I read up that the router is blocking DoS attacks, and that the logs tell me it's doing its job. However, I have found it consistent that every time the router blocks a DoS attack, the mesh loses connection.

Got any great fixes for that?

[DoS Attack: TCP/UDP Chargen] from source: 209.249.181.91, port 123, Monday, April 29, 2019 19:26:16
[DoS Attack: ACK Scan] from source: 31.13.72.8, port 443, Monday, April 29, 2019 19:25:13
[DoS Attack: ACK Scan] from source: 31.13.72.8, port 443, Monday, April 29, 2019 19:11:26
[DoS Attack: RST Scan] from source: 85.10.206.164, port 999, Monday, April 29, 2019 18:54:10
[DoS Attack: TCP/UDP Chargen] from source: 185.94.111.1, port 51975, Monday, April 29, 2019 18:51:02
[DoS Attack: ACK Scan] from source: 216.108.251.184, port 443, Monday, April 29, 2019 16:48:29
[DoS Attack: ACK Scan] from source: 31.13.72.8, port 443, Monday, April 29, 2019 16:44:56
[DoS Attack: SYN/ACK Scan] from source: 195.161.41.101, port 80, Monday, April 29, 2019 15:55:15
[DoS Attack: SYN/ACK Scan] from source: 195.161.41.101, port 80, Monday, April 29, 2019 15:47:52
[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Monday, April 29, 2019 15:35:52
[DoS Attack: SYN/ACK Scan] from source: 123.234.4.79, port 40379, Monday, April 29, 2019 15:27:25
[DoS Attack: SYN/ACK Scan] from source: 184.107.50.64, port 443, Monday, April 29, 2019 14:14:41
[DoS Attack: SYN/ACK Scan] from source: 43.228.66.7, port 18090, Monday, April 29, 2019 12:48:24
[DoS Attack: RST Scan] from source: 156.195.60.164, port 525, Monday, April 29, 2019 12:02:31
[DoS Attack: ACK Scan] from source: 216.108.251.184, port 443, Monday, April 29, 2019 11:59:13
[DoS Attack: SYN/ACK Scan] from source: 118.180.56.227, port 80, Monday, April 29, 2019 11:53:58
[DoS Attack: SYN/ACK Scan] from source: 183.57.82.228, port 80, Monday, April 29, 2019 11:50:38
[DoS Attack: UDP Port Scan] from source: 77.247.109.137, port 5128, Monday, April 29, 2019 11:46:32
[DoS Attack: SYN/ACK Scan] from source: 223.111.24.98, port 80, Monday, April 29, 2019 11:44:00
[DoS Attack: RST Scan] from source: 89.248.174.203, port 46855, Monday, April 29, 2019 11:29:23
[DoS Attack: RST Scan] from source: 89.248.174.203, port 44103, Monday, April 29, 2019 10:22:49
[DoS Attack: SYN/ACK Scan] from source: 118.178.155.195, port 80, Monday, April 29, 2019 09:43:13
[DoS Attack: RST Scan] from source: 89.248.174.203, port 41736, Monday, April 29, 2019 09:32:53
[DoS Attack: TCP/UDP Echo] from source: 82.221.105.7, port 27221, Monday, April 29, 2019 09:14:11
[DoS Attack: RST Scan] from source: 177.53.110.104, port 45405, Monday, April 29, 2019 09:08:57
[DoS Attack: SYN/ACK Scan] from source: 43.227.222.43, port 8000, Monday, April 29, 2019 09:02:59
[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.77, port 38876, Monday, April 29, 2019 07:47:35
[DoS Attack: SYN/ACK Scan] from source: 120.55.31.87, port 80, Monday, April 29, 2019 07:37:34
[DoS Attack: RST Scan] from source: 85.10.206.164, port 999, Monday, April 29, 2019 06:01:59
[DoS Attack: SYN/ACK Scan] from source: 52.184.30.33, port 8787, Monday, April 29, 2019 05:05:54
[DoS Attack: TCP/UDP Chargen] from source: 212.38.166.242, port 42008, Monday, April 29, 2019 04:36:15
[DoS Attack: RST Scan] from source: 85.10.206.164, port 999, Monday, April 29, 2019 03:52:00
[DoS Attack: TCP/UDP Chargen] from source: 134.209.162.52, port 33926, Monday, April 29, 2019 03:30:28
[DoS Attack: TCP/UDP Chargen] from source: 52.73.169.169, port 32789, Monday, April 29, 2019 03:06:28
[DoS Attack: RST Scan] from source: 85.10.206.164, port 999, Monday, April 29, 2019 00:55:38
[DoS Attack: TCP/UDP Chargen] from source: 89.248.168.51, port 48615, Sunday, April 28, 2019 23:07:40
[DoS Attack: SYN/ACK Scan] from source: 104.31.150.7, port 80, Sunday, April 28, 2019 22:54:56
[DoS Attack: RST Scan] from source: 195.154.36.30, port 30015, Sunday, April 28, 2019 21:52:55
[DoS Attack: SYN/ACK Scan] from source: 137.74.157.130, port 22, Sunday, April 28, 2019 21:23:14
[DoS Attack: SYN/ACK Scan] from source: 109.200.202.23, port 80, Sunday, April 28, 2019 19:34:08
[DoS Attack: RST Scan] from source: 50.7.196.162, port 80, Sunday, April 28, 2019 19:18:54

Model: RBR20|Orbi AC2200 Tri-band WiFi Router
Message 1 of 10
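The log format above is regular enough to parse, which is the first thing worth doing before concluding that the blocked traffic is what knocks the satellites off: count what is actually arriving, separate segments that come from web-server ports (80/443, i.e. a server answering an existing or just-closed connection) from unsolicited probes, and line the entries up against the time an outage was observed. The following Python is an added example, not code from the post or from NETGEAR. The sample input is a handful of lines copied from the log above; the 120-second correlation window and the timestamp format string are assumptions about this log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: six lines copied from the Orbi log posted above.
SAMPLE_LOG = """\
[DoS Attack: TCP/UDP Chargen] from source: 209.249.181.91, port 123, Monday, April 29, 2019 19:26:16
[DoS Attack: ACK Scan] from source: 31.13.72.8, port 443, Monday, April 29, 2019 19:25:13
[DoS Attack: ACK Scan] from source: 31.13.72.8, port 443, Monday, April 29, 2019 19:11:26
[DoS Attack: RST Scan] from source: 85.10.206.164, port 999, Monday, April 29, 2019 18:54:10
[DoS Attack: SYN/ACK Scan] from source: 195.161.41.101, port 80, Monday, April 29, 2019 15:55:15
[DoS Attack: ACK Scan] from source: 31.13.72.53, port 443, Monday, April 29, 2019 15:35:52
"""

# One Orbi log line: "[DoS Attack: <kind>] from source: <ip>, port <port>, <timestamp>"
LINE_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
    r"port (?P<port>\d+), (?P<when>.+)$"
)
# Assumed timestamp layout, matching the lines above (e.g. "Monday, April 29, 2019 19:26:16").
TS_FORMAT = "%A, %B %d, %Y %H:%M:%S"


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a DoS entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "kind": m["kind"],
        "ip": m["ip"],
        "port": int(m["port"]),          # remote (source) port, as logged
        "when": datetime.strptime(m["when"], TS_FORMAT),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Counts per attack label and per source, plus how many ACK / SYN-ACK
    entries came from ports 80 or 443 (a web server sending back to us)."""
    by_kind = Counter(e["kind"] for e in entries)
    by_ip = Counter(e["ip"] for e in entries)
    web_reply_like = sum(
        1 for e in entries
        if e["port"] in (80, 443) and e["kind"] in ("ACK Scan", "SYN/ACK Scan")
    )
    return {"by_kind": by_kind, "by_ip": by_ip, "web_reply_like": web_reply_like}


def events_near(entries, when, window_seconds=120):
    """Entries within +/- window_seconds of a timestamp, e.g. the moment a
    satellite lost sync. Use this to test the "every block drops the mesh" claim."""
    return [e for e in entries
            if abs((e["when"] - when).total_seconds()) <= window_seconds]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    s = summarize(entries)
    print("by kind:", dict(s["by_kind"]))
    print("by source:", dict(s["by_ip"]))
    print("ACK/SYN-ACK from web ports:", s["web_reply_like"])
    drop = datetime(2019, 4, 29, 19, 26, 0)   # observed outage time from the post
    for e in events_near(entries, drop):
        print("near outage:", e["when"].time(), e["kind"], e["ip"], e["port"])
```

Feed the full log from the router's web UI into `parse_log` and the outage times you actually observed into `events_near`; if most entries fall outside every outage window, the log is recording background noise rather than the cause of the drops.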
CrimpOn
Guru

Re: DoS Attacks....

My experience is exactly the opposite.  Orbi logs show 50-80 DoS attempts of various kinds every day, and my Orbi system never goes down.  Never loses Internet and the satellite never loses sync with the router.


When things are happening that simply "can't happen", the general recommendation is to do a reset, and if that doesn't work to do a "factory reset".  Some people even recommend reloading the firmware and doing a reset.

Message 2 of 10
LoboTommy
Luminary

Re: DoS Attacks....

No way I am doing another full round of factory resets.
I had my ISP set up a new IP for me; it seems the problems went away for now.
But it was consistent. For every log of a DoS attack, satellites lost sync. I was logged in to the router and watched it happen more or less live (at about 19:26, the last log entry).
Message 3 of 10
SW_
Prodigy

Re: DoS Attacks....

Hi @LoboTommy,


Try disabling all logging activities, i.e. untick all the boxes.  If Orbi is too busy with logging activities due to these attacks, internet/WiFi traffic could be negatively affected.  If disabling logging doesn't resolve the issue, you can tick all those boxes again.  Good luck!


Message 4 of 10
FURRYe38
Guru

Re: DoS Attacks....

Did you back up the configuration to a file? If you did, then resets would be easy. 😉


@LoboTommy wrote:
No way I am doing another full round of factory resets.
I had my ISP set up a new IP for me; it seems the problems went away for now.
But it was consistent. For every log of a DoS attack, satellites lost sync. I was logged in to the router and watched it happen more or less live (at about 19:26, the last log entry).


Message 5 of 10
ekhalil
Master

Re: DoS Attacks....

I usually enter the IP addresses of the DoS attacks that I see in the logs in the Drop IP Tables, and that helps in preventing further attacks.

Unfortunately, the changes are not persistent and need to be entered after every restart 😞

Here are my "favourite" DoS IP addresses, I see some of them are the same as the ones listed by @LoboTommy :

The list is in ascending IP addresses order (to be able to keep track of new entries) 🙂 :


iptables -I INPUT -i eth0 -s 2.234.127.59 -j DROP
iptables -I INPUT -i eth0 -s 5.9.141.218 -j DROP
iptables -I INPUT -i eth0 -s 5.152.174.78 -j DROP
iptables -I INPUT -i eth0 -s 8.23.224.120 -j DROP
iptables -I INPUT -i eth0 -s 13.74.191.167 -j DROP
iptables -I INPUT -i eth0 -s 17.242.150.30 -j DROP
iptables -I INPUT -i eth0 -s 17.242.150.71 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.4 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.11 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.86 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.88 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.138 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.142 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.144 -j DROP
iptables -I INPUT -i eth0 -s 17.252.105.151 -j DROP
iptables -I INPUT -i eth0 -s 17.252.108.18 -j DROP
iptables -I INPUT -i eth0 -s 17.252.108.31 -j DROP
iptables -I INPUT -i eth0 -s 17.252.108.32 -j DROP
iptables -I INPUT -i eth0 -s 17.253.52.125 -j DROP
iptables -I INPUT -i eth0 -s 23.101.61.34 -j DROP
iptables -I INPUT -i eth0 -s 23.234.36.31 -j DROP
iptables -I INPUT -i eth0 -s 27.148.157.87 -j DROP
iptables -I INPUT -i eth0 -s 31.11.33.224 -j DROP
iptables -I INPUT -i eth0 -s 31.13.72.8 -j DROP
iptables -I INPUT -i eth0 -s 31.13.72.48 -j DROP
iptables -I INPUT -i eth0 -s 31.220.5.58 -j DROP
iptables -I INPUT -i eth0 -s 35.243.118.183 -j DROP
iptables -I INPUT -i eth0 -s 37.47.238.176 -j DROP
iptables -I INPUT -i eth0 -s 41.216.186.79 -j DROP
iptables -I INPUT -i eth0 -s 45.67.15.69 -j DROP
iptables -I INPUT -i eth0 -s 46.228.172.141 -j DROP
iptables -I INPUT -i eth0 -s 47.75.18.80 -j DROP
iptables -I INPUT -i eth0 -s 51.15.13.28 -j DROP
iptables -I INPUT -i eth0 -s 51.38.94.165 -j DROP
iptables -I INPUT -i eth0 -s 51.68.70.109 -j DROP
iptables -I INPUT -i eth0 -s 52.9.108.157 -j DROP
iptables -I INPUT -i eth0 -s 52.230.13.254 -j DROP
iptables -I INPUT -i eth0 -s 54.36.126.48 -j DROP
iptables -I INPUT -i eth0 -s 54.219.9.206 -j DROP
iptables -I INPUT -i eth0 -s 58.216.107.91 -j DROP
iptables -I INPUT -i eth0 -s 63.143.52.86 -j DROP
iptables -I INPUT -i eth0 -s 66.147.235.214 -j DROP
iptables -I INPUT -i eth0 -s 81.26.227.3 -j DROP
iptables -I INPUT -i eth0 -s 85.10.206.164 -j DROP
iptables -I INPUT -i eth0 -s 85.62.35.156 -j DROP
iptables -I INPUT -i eth0 -s 86.88.28.153 -j DROP
iptables -I INPUT -i eth0 -s 89.248.168.51 -j DROP
iptables -I INPUT -i eth0 -s 90.161.220.80 -j DROP
iptables -I INPUT -i eth0 -s 94.198.137.12 -j DROP
iptables -I INPUT -i eth0 -s 101.69.121.81 -j DROP
iptables -I INPUT -i eth0 -s 103.9.177.50 -j DROP
iptables -I INPUT -i eth0 -s 103.46.13.95 -j DROP
iptables -I INPUT -i eth0 -s 104.18.55.172 -j DROP
iptables -I INPUT -i eth0 -s 104.24.102.104 -j DROP
iptables -I INPUT -i eth0 -s 104.24.107.230 -j DROP
iptables -I INPUT -i eth0 -s 104.194.10.209 -j DROP
iptables -I INPUT -i eth0 -s 107.191.33.88 -j DROP
iptables -I INPUT -i eth0 -s 109.196.247.252 -j DROP
iptables -I INPUT -i eth0 -s 112.26.214.108 -j DROP
iptables -I INPUT -i eth0 -s 113.113.92.90 -j DROP
iptables -I INPUT -i eth0 -s 118.187.15.101 -j DROP
iptables -I INPUT -i eth0 -s 123.129.223.140 -j DROP
iptables -I INPUT -i eth0 -s 142.93.224.70 -j DROP
iptables -I INPUT -i eth0 -s 158.69.225.26 -j DROP
iptables -I INPUT -i eth0 -s 141.212.123.31 -j DROP
iptables -I INPUT -i eth0 -s 144.76.99.209 -j DROP
iptables -I INPUT -i eth0 -s 151.101.86.113 -j DROP
iptables -I INPUT -i eth0 -s 173.249.59.64 -j DROP
iptables -I INPUT -i eth0 -s 174.136.12.130 -j DROP
iptables -I INPUT -i eth0 -s 176.227.171.58 -j DROP
iptables -I INPUT -i eth0 -s 176.227.172.33 -j DROP
iptables -I INPUT -i eth0 -s 178.128.195.200 -j DROP
iptables -I INPUT -i eth0 -s 183.213.21.3 -j DROP
iptables -I INPUT -i eth0 -s 184.105.139.69 -j DROP
iptables -I INPUT -i eth0 -s 184.105.139.89 -j DROP
iptables -I INPUT -i eth0 -s 184.105.139.101 -j DROP
iptables -I INPUT -i eth0 -s 185.50.106.229 -j DROP
iptables -I INPUT -i eth0 -s 185.94.111.1 -j DROP
iptables -I INPUT -i eth0 -s 185.199.111.153 -j DROP
iptables -I INPUT -i eth0 -s 188.130.7.85 -j DROP
iptables -I INPUT -i eth0 -s 188.165.36.150 -j DROP
iptables -I INPUT -i eth0 -s 190.2.130.116 -j DROP
iptables -I INPUT -i eth0 -s 193.19.118.187 -j DROP
iptables -I INPUT -i eth0 -s 193.19.119.242 -j DROP
iptables -I INPUT -i eth0 -s 193.228.143.13 -j DROP
iptables -I INPUT -i eth0 -s 193.228.143.14 -j DROP
iptables -I INPUT -i eth0 -s 195.54.122.198 -j DROP
iptables -I INPUT -i eth0 -s 195.154.36.30 -j DROP
iptables -I INPUT -i eth0 -s 202.36.54.224 -j DROP
iptables -I INPUT -i eth0 -s 203.101.184.121 -j DROP
iptables -I INPUT -i eth0 -s 203.107.42.192 -j DROP
iptables -I INPUT -i eth0 -s 203.107.42.193 -j DROP
iptables -I INPUT -i eth0 -s 206.189.27.197 -j DROP
iptables -I INPUT -i eth0 -s 208.85.241.142 -j DROP
iptables -I INPUT -i eth0 -s 212.8.253.226 -j DROP

Message 6 of 10
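Maintaining a hand-typed list of one `iptables` line per address has two practical problems that the list above illustrates: the order is meant to be ascending but three entries near the middle (142.93.224.70, 158.69.225.26, 141.212.123.31) are out of numeric order, and because the rules vanish on restart and are re-pasted by hand, pasting twice before a reboot leaves duplicate rules. The following Python is an added example, not code from the post or from NETGEAR: it validates and numerically sorts a pasted list, refuses non-public addresses (so a typo never blocks your own LAN), and emits rules guarded with `iptables -C` so the output can be re-run after every restart without inserting duplicates. The interface `eth0` and chain `INPUT` are taken from the post; that the router's iptables build supports `-C` (added in iptables 1.4.11) is an assumption, and the sample addresses are a constructed mix of entries from the list plus junk.

```python
import ipaddress

# Constructed sample: a few addresses from the list above, one duplicate,
# one RFC 1918 address and one non-address, to show what the filter does.
SAMPLE_IPS = """
85.10.206.164
31.13.72.8
2.234.127.59
31.13.72.8
192.168.1.10
not-an-ip
141.212.123.31
"""


def clean_ip_list(text):
    """Validate, dedupe and numerically sort IPv4 addresses, dropping
    anything that is not a public address. Sorting ipaddress objects gives
    true numeric order (2.x before 31.x), which a text sort would not."""
    keep = set()
    for raw in text.split():
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue                       # not an IP address at all
        if ip.version != 4 or not ip.is_global:
            continue                       # skip IPv6 and private/loopback/link-local
        keep.add(ip)
    return [str(ip) for ip in sorted(keep)]


def drop_rules(ips, iface="eth0", chain="INPUT"):
    """One idempotent shell line per address: -C tests whether the exact rule
    already exists and -I inserts it only when the test fails, so the same
    script can be re-run after a reboot without duplicating rules."""
    return [
        f"iptables -C {chain} -i {iface} -s {ip} -j DROP 2>/dev/null || "
        f"iptables -I {chain} -i {iface} -s {ip} -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    # Print the generated lines; paste them into the router's telnet session.
    for line in drop_rules(clean_ip_list(SAMPLE_IPS)):
        print(line)
```

Keep the address list in a text file, regenerate the rules from it, and paste the generated lines after each restart; because every line checks before inserting, pasting an already-applied list is harmless.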
CrimpOn
Guru

Re: DoS Attacks....


@ekhalil wrote:

I usually enter the IP addresses of the DoS attacks that I see in the logs in the Drop IP Tables, and that helps in preventing further attacks.


Is the concept here that iptables processing takes place before firewall processing?  i.e. the firewall software doesn't "see" these packets, and thus does not record them?  They are still arriving, but just not processed?  If the Orbi is not responding to these packets, how much workload does this eliminate?

Message 7 of 10
LoboTommy
Luminary

Re: DoS Attacks....

Where is that? Like, here? (See attached picture)
How do you set it up?
Message 8 of 10
CrimpOn
Guru

Re: DoS Attacks....


@LoboTommy wrote:
Where is that? Like, here? (See attached picture)

Orbi's web and smartphone apps do not provide a way to enter this information.  These commands are entered by using the 'debug' page to enable telnet, opening a telnet session to the router, and then entering these lines.  (Most often by copying them from a text file and pasting them into the telnet window.) Since Orbi is built on OpenWRT, which in turn is built on a version of Linux, there are dozens of things that someone proficient in Linux can do.

 

My guess is that 99% of Orbi owners have no idea the debug facility exists and have never used telnet.

Message 9 of 10
LoboTommy
Luminary

Re: DoS Attacks....

So, in simple terms for a common man. What do I do? Step by step....? 😉
Message 10 of 10