Disable Port Scan and DoS Protection

MatM
Guide

How much of a security issue is it on a home network to disable this setting?

I sometimes see on my Xbox that some packets are dropped because of DDoS, but the packets are from Microsoft. I don't think they DDoS me 🙂

Would you disable this setting on a home router or not? I read somewhere that a home router is not able to protect from DDoS, so the setting could be disabled.
Message 1 of 8

Accepted Solutions
Babylon5
NETGEAR Employee Retired

Re: Disable Port Scan and DoS Protection

It can be useful, but that depends on the situation and how you interpret the data. As Fordem points out it really only gives an indication of what is happening, and if you really were the target of a DoS attack it might help in diagnosing what is going on. However DoS attacks on individuals are extremely rare, it takes effort to set up and would be wasteful to use ‘just for a laugh’. What we often see on these forums is people who are concerned at the log listings they see, and are after some explanation / reassurance that all is OK.

So personally I would say not completely useless, and unfortunately often misinterpreted and a source of paranoia.

Just to add a little perspective to this, before I used a NAT router I had a PC connected directly to a cable modem running Zone Alarm. I used to see hundreds or thousands of hits per day, so many that I also had a utility for analysing the logs. After a few months of regularly inspecting the logs I got completely bored with the whole process. I can’t really describe how pointless it was but I would say that it’s similar to walking into a noisy bar and trying to listen to every conversation to see if anyone is talking about me.

After installing a NAT router the Zone Alarm reports dropped to zero, I no longer use it. I spent a while looking at the router logs (a small business grade router) and eventually gave up on that, I don’t even bother with the log e-mails anymore. Occasionally I have an issue with an IP camera on my LAN attempting to ‘spam’ an IP address, my router protects in both directions and blocks that from happening, this is about the best use I have for that log, to see when the camera is having one of its 'episodes'.
____________________________
Working on behalf of Netgear
My name is Andy

Message 7 of 8

All Replies
01R
Luminary

Re: Disable Port Scan and DoS Protection

They are not from Microsoft. When I play, other players try to lag me to death doing those attacks, but I report all of them.
Message 2 of 8

Re: Disable Port Scan and DoS Protection

Advanced > Setup > WAN Setup > Disable Port Scan and DoS Protection...


Why would you want to disable this? The FW in the R7000 has protection from these threats. While it is unlikely you would be targeted for this kind of attack, having this protection can't hurt, as some other tools can make use of similar vulnerabilities (for example, aggressive port scanners or applications that pound the WAN with requests hoping to defeat security). You'd be better off disabling UPnP and forwarding just the few individual or range of ports needed manually for your Xbox to function properly.


Have more questions, just ask. 🙂
~Comcast 1 Gbps/50 Mbps SB8200 > R8000P
~R8000P FW:1.4.1.68 ~R7000 FW:1.0.9.42
~R6400 FW:1.0.1.52 ~Orbi-AC3000 FW:2.5.1.8
~EX3700 FW:1.0.0.84

Message 3 of 8
MatM
Guide

Re: Disable Port Scan and DoS Protection

shadowsports, UPnP is disabled - I have only some ports forwarded. I thought I could disable this setting because it needs extra processing time for every packet? I read that in home routers you can't defeat DDoS attacks, so it's unnecessary to run this service. Is it wrong? (Sorry for my English.)
Message 4 of 8
fordem
Mentor

Re: Disable Port Scan and DoS Protection

Let me put it this way - port scans are a fact of life and whilst your router does block them - IT CAN'T STOP THEM. A hacker can port scan any address s/he chooses, regardless of what is at that address, even if there is nothing at that address - it would be an exercise in futility, and a waste of resources, but it can be done. The same goes for a DoS (Denial of Service) attack - there are several different forms of DoS attack, and over time router firmware and PC operating systems have been modified to reduce vulnerability, but if a hacker is intent on "DoSing" you, there's nothing you can do to prevent it - you have an internet connection with limited bandwidth, all s/he needs to do is flood that connection with more traffic than it can accommodate, and because your router is at the downstream end, there's nothing you can do to mitigate - imagine if you will, that your internet connection is a garden hose, and I connect a fire hose to it - the amount of water my firehose will push through your garden hose will just overwhelm it. By all means disable DoS & portscan protection - neither one is effective and having them disabled does not increase your exposure in any way.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 5 of 8
MatM
Guide

Re: Disable Port Scan and DoS Protection

So "Port Scan and DoS Protection" makes no sense on home routers?
Message 6 of 8
DrMopp
Aspirant

Re: Disable Port Scan and DoS Protection

Babylon5 wrote:
....What we often see on these forums is people who are concerned at the log listings they see, and are after some explanation / reassurance that all is OK.

So personally I would say not completely useless, and unfortunately often misinterpreted and a source of paranoia.


One of those people seeking reassurance here! I wouldn't be concerned about the log entries themselves if they had no effect, but I have frequent, short disconnections from the network (on multiple PCs and both wireless and wired adapters) following the DoS entries in the log. Netgear support have identified line noise as the problem but my ISP disagrees - you don't think the DoS attack/port scan entries are relevant to the issue?
Message 8 of 8
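
The question raised in the last post, whether disconnections actually follow the DoS entries, can be checked from the log rather than by eye. The sketch below is an added example, not part of the original thread or any vendor tool: it counts DoS entries in the window before each disconnect and compares that with the background rate. The log line format, the event names and the sample data are constructed assumptions; adapt `LINE_RE` to what your router actually writes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. The layout "timestamp [event] details" is an assumption.
SAMPLE_LOG = """\
2024-01-05 20:00:10 [DoS Attack: ACK Scan] from source: 192.0.2.10, port 443
2024-01-05 20:07:30 [DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 80
2024-01-05 20:15:02 [DoS Attack: ACK Scan] from source: 192.0.2.10, port 443
2024-01-05 20:21:40 [Internet disconnected]
2024-01-05 20:22:05 [Internet connected] IP address: 203.0.113.5
2024-01-05 20:31:15 [DoS Attack: RST Scan] from source: 192.0.2.44, port 3074
2024-01-05 20:50:40 [DoS Attack: ACK Scan] from source: 192.0.2.10, port 443
2024-01-05 20:51:10 [DoS Attack: ACK Scan] from source: 192.0.2.10, port 443
2024-01-05 20:51:45 [DoS Attack: ACK Scan] from source: 192.0.2.10, port 443
2024-01-05 20:52:00 [Internet disconnected]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(.+?)\]")

def parse(log_text):
    """Return (timestamps of DoS entries, timestamps of disconnects)."""
    dos, drops = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if m.group(2).startswith("DoS Attack"):
            dos.append(ts)
        elif m.group(2) == "Internet disconnected":
            drops.append(ts)
    return dos, drops

def correlate(log_text, window_s=120):
    """Compare DoS entries before each disconnect with the background rate."""
    dos, drops = parse(log_text)
    times = dos + drops
    if not times:
        return 0.0, []
    span = (max(times) - min(times)).total_seconds()
    # DoS entries expected in any one window if they were spread evenly over the log
    baseline = len(dos) * window_s / span if span else 0.0
    window = timedelta(seconds=window_s)
    per_drop = [(d, sum(1 for t in dos if d - window <= t <= d)) for d in drops]
    return baseline, per_drop

if __name__ == "__main__":
    baseline, per_drop = correlate(SAMPLE_LOG)
    print(f"expected DoS entries per window: {baseline:.2f}")
    for when, count in per_drop:
        print(f"disconnect at {when}: {count} DoS entries in the preceding window")
```

A count near the baseline before every disconnect means the entries are background noise that happens to share the log; a count well above it before most disconnects is worth raising with support alongside the timestamps.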