×

Introducing the Orbi 970 Series Mesh System with WiFi 7(BE) technology. For more information visit the NETGEAR Press Room.

Orbi WiFi 7 RBE973
Reply

Re: Repeated DOS attacks causing dropped connections

GeoffChesh
Aspirant

Repeated DOS attacks causing dropped connections

I have an RBR40 Router and associated satellite, running Firmware v.2.3.5.34 in a Mac/IOS based environment (no Windows Machines on the network).

 

Following a lack of stability in the WiFi connection, I started to investigate the logs, and found a series of DOS attack warnings (similar to the entry below):

 

[DoS Attack: ACK Scan] from source: 102.132.108.61, port 443, Wednesday, January 22, 2020 07:21:47

 

Looking up the ip address, it seems that these are coming from Facebook, and whilst there are not vast numbers of them, the dropped connection that these cause in the router, is starting to interfere with our use of the web. Unfortunately blocking or disabling Facebook is not an option in this house.

 

At the moment, the 'blunt tool' that I have used to cope with these events, is to disable the protection in the Wan Setup screen. I'm just a bit concerned that this wil have other unanticipated consequences for my network.

 

So my questions are .....

 

  1. Are these entries likely to be genuine attempts to compromise my security ?
  2. Should I be bothered about these 'attacks' ?
  3. What other options do I have to prevent the dropped connections ?
  4. Are there any other (realistic) consequences for the network if I leave the protection disabled ? 

Other than these entries, my logs are fairly clear - just reporting NTP syncs, DHCP management and the routine stuff I would expect the router to take care of. I have no 'unexpected' devices on the network, and the Guest Network is operational (secured by a complex password, with just one trusted user connected to it).

 

The network contains the regular mix of laptpos, ipads, phones, internet-enabled TVs, set-top box, video enabled doorbell, remote controlled heating system, smart speakers and a printer. Around 30 devices in total.

 

Connection to the internet is through a Cable router (set to Modem mode only - a Virgin SuperHub 3 (yeuch ....))

 

Thanks in advance

 

Geoff

Message 1 of 9

Re: Repeated DOS attacks causing dropped connections


@GeoffChesh wrote:

 

So my questions are .....

 

  1. Are these entries likely to be genuine attempts to compromise my security ?
  2. Should I be bothered about these 'attacks' ?

 


No and No.

 

These "false positives" of DOS attack are a "feature" of Netgear's crummy logging system. There is a steady stream of messages here about them.

 


@GeoffChesh wrote

What other options do I have to prevent the dropped connections ?

If these really are the cause of the dropped connections – which may or may not be the case – then an easy option is to tell the thing not to log these events.

 


@GeoffChesh wrote:
Are there any other (realistic) consequences for the network if I leave the protection disabled? 

 


What are you doing that you think disables the protection? Telling your router to ignore "Known DoS attacks and Port Scans" does not affect your security. It merely tells the thing to ignore those events.

 

Whether or not this will prevent the dropouts is another matter. One way ion which logging can cause that sort of behaviour is if it puts a lot of strain on the router's processor. Is there really enough going on in your logs to suggest that this might be the case?

 

Other things that can cause a hissy fit on the router are enabling QoS, Traffic Meter and anything else that requires the router to do anything out of the ordinary.

 

Message 2 of 9
CrimpOn
Guru

Re: Repeated DOS attacks causing dropped connections


@michaelkenward wrote:

Other things that can cause a hissy fit on the router are enabling QoS, Traffic Meter and anything else that requires the router to do anything out of the ordinary.

It is not clear to me that the user has any control over QoS on the Orbi product.  There are QoS parameters (nvram show), so one would expect that Orbi is doing "something", but I cannot find a way to affect what.

 

I like the theory that excessive CPU load overwhelms the Orbi and can cause "problems", such as dropped connections.  If turning off features makes the "problem go away", that would be supporting evidence.

Message 3 of 9

Re: Repeated DOS attacks causing dropped connections


@CrimpOn wrote:


It is not clear to me that the user has any control over QoS on the Orbi product.  There are QoS parameters (nvram show), so one would expect that Orbi is doing "something", but I cannot find a way to affect what.

 


I agree. I was just talking generalities to try to illustrate how these things might happen.

 


@CrimpOn wrote:


I like the theory that excessive CPU load overwhelms the Orbi and can cause "problems", such as dropped connections.  If turning off features makes the "problem go away", that would be supporting evidence.


It is a regular explanation around here as to how wifi and stuff can slow down when anything processor intensive is going on on a router. Logging would seem to be another possibility.

 

Again, it is more theory than anything that Netgear has owned up to.

 

I remain to be convinced that this is what is going on here. And it still isn't clear to me what @GeoffChesh has gone to "disable the protection in the Wan".

 

My Orbi is an AP mode, which disables some of the stuff that gets logged. All I see is [Time synchronized with NTP server]. I can't get in deep enough to see if it is possible to disable the protection in the Wan. On the R7800, I see nothing on that front, merely options to disable logging.

 

Any thoughts on that front?

 

Message 4 of 9
GeoffChesh
Aspirant

Re: Repeated DOS attacks causing dropped connections

Thanks for the thoughts folks.

 

To confirm my action so far is to disable the Port Scan and DoS Protection in the Wan Setup screen of the Roiuter's admin. I've attached a screenshot to show what I am on about.

 

This is more than telling the router not to log the events any more (as to my mind, that is just hiding the issue). Elsewhere on the web (and in historic posts on this and other forums), I read a theory that the router's response to suspected DoS attacks, resulted in a break in WiFi connectivity (akin to a mini reset). So I thought thsat if I stopped the router reacting to such events, I would get a more stable connection.

 

However, if there are more enlightened and experienced views out there, I would be pleased to hear them.

 

Regards

Message 5 of 9

Re: Repeated DOS attacks causing dropped connections

OK "Disable Port Scan and DoS Protection" is on my router and invisible on the Orbi as an AP. I have seen various messages here recommending disabling that to fix various issues. But I am not familiar with the threats involved.
Message 6 of 9
Pypeke
Aspirant

Re: Repeated DOS attacks causing dropped connections

I have the same thing on my logs and can't figure out what to do. Dropped connections constantly since October 2019. Netgear's answer is to send me a new router. I don't know what the answer is, but I doubt a new router will help.

 

Does anyone have any ideas?

Message 7 of 9
CrimpOn
Guru

Re: Repeated DOS attacks causing dropped connections

The theory that the Orbi processor becomes overwhelmed and this causes it to drop the interconnection is interesting.  One wonders how that  could be documented.  One possibility is to log the reported CPU usage and see if it reveals anything.  Orbi supports the "sar" command. (which stands for "System Activity Report").  For example, telnet into the Orbi and enter this command:

sar 3 5

(If it returns an error, just run it again.  Apparently the system logging function doesn't start running until a command asks for output.)

 

This is what I got:

01:16:02 CPU %user %nice %system %iowait %steal %idle
01:16:05 all  3.09  0.00   10.86   0.08   0.00  85.96
01:16:08 all  1.93  0.00    8.54   0.00   0.00  89.53
01:16:11 all  0.92  0.00    6.38   0.00   0.00  92.70
01:16:14 all  6.27  0.00   23.81   0.00   0.00  69.92
01:16:17 all  2.10  0.00    8.56   0.00   0.00  89.34
Average: all  2.86  0.00   11.64   0.02   0.00  85.48

This is system activity measured three seconds apart for five times on all four CPU's.

I have NO IDEA what the time is measured from.  It was 5:16 in California when I started and California is 8 hours behind GMT, so 01:16:02 doesn't seem to match anything reasonable.

 

I use Putty for telnet (and SSH to other computers) because it has a provision to log the entire terminal session to a text file. So, if the Orbi suddenly drops internet connection or reboots, there should be evidence of what was going on immediately prior to the "event".  (There are tons of telnet client programs, and each has a different method for recording the session output.  I had to experiment with Putty to figure out how to get it to log each of the seven different computers I access into a different named file, with the date/time added.)

 

My Orbi has DoS protection "on", is logging everything possible, and still appears to be basically "idle."  It is not a good candidate to test the theory.  The act of running the System Activity Report every three seconds puts a load on the Orbi, so without that load, the Orbi is basically doing nothing.

 

There are 3,600 seconds in one hour.  86,400 seconds in one day.  If logging every five seconds is "good enough", then the command

sar 5 17280

would log every five seconds for one day.  I would make note of the clock time the command is entered and the time the command displays.  If the internet connection goes down, then look at the file corresponding to how long since the log started.  Or, if the Orbi reboots, the look at the end of the file since a reboot will terminate the telnet session.  (Geez, is there a maximum time for a telnet session?)

 

Of course, this can be done to "get a feel" for the Orbi.  Run it, say, every five seconds for an hour (sar 5 720) and then look at the results.  (I dump the data part of the text file into Excel and computer max, min, mean, etc).  What happens to the Orbi when HDTV is streaming?  What happens when a VPN session is going?  Watching four IP security cameras?  etc. etc. etc.

Message 8 of 9
GeoffChesh
Aspirant

Re: Repeated DOS attacks causing dropped connections

So far, so good for me.

 

Turning off the DOS protection seems to have stabilised the WiFi connection over the past couple of days, without causing me any unintended consequences. I accept that doesn't help the debate over overwhelming the processor (sorry).

 

I guess the only nervousness I have is that by disabling the DoS protection, I also disable the port scanning protection too. I have one port forwarding  setting in the router and there are traces of it being scanned on a regular (but infrequent) basis. I suppose I need to think about how I ensure that is not being abused/compromised.

Message 9 of 9
Top Contributors
Discussion stats
  • 8 replies
  • 6796 views
  • 0 kudos
  • 4 in conversation
Announcements

Orbi WiFi 7