Re: What is access log actually showing
I have a Nighthawk, R6700 v2 wireless router. When looking at the access log, I have a question on what is appearing there. Are the items displayed simply items that attempted connection, or are they items that actually connected to the router? I have IP addresses which are blocked, and I see some of those addresses listed in the log. I have not seen IP addresses in the access log stating that an IP has been blocked. This leads to my question if the Nighthawk just blocks IP's silently, without listing this in the log, and the items in the log are just showing items that tried to connect.
Re: What is access log actually showing
What log entries are we talking about here?
What do they say?
Re: What is access log actually showing
An entry like this means the connection was rejected:
[WLAN access rejected:
And one like this means it was accepted.
[DHCP IP: (192.168.1.102)] to MAC address
I have someone blocked as well, but they still try, and the router still logs the attempt.
[WLAN access rejected: incorrect security] from MAC
Re: What is access log actually showing
I am speaking of entries like the following:
[DoS attack: ACK Scan] from source: 52.46.133.39:443
[DoS attack: ACK Scan] from source: 72.21.207.87:443
If I have the IP listed to be blocked, does the router block it, without
showing it in the log, or does it allow the IP to appear in the log, as
above, and block it then? I have never seen an entry in the log,
which states that the IP has been blocked, but I continue to see
IP's that I have listed to be blocked, showing up in the log, as is
indicated in the two, above, samples. What it comes down to is
how do I know that the router is blocking what I told it to?
Re: What is access log actually showing
@umeweall wrote:
I am speaking of entries like the following:
[DoS attack: ACK Scan] from source: 52.46.133.39:443
[DoS attack: ACK Scan] from source: 72.21.207.87:443
Those are what they say they are, DoS (Denial of Service) attacks. From the list IP Address... HOWEVER, NG routers are NOTORIOUS for logging false attacks. Usually happens when the router is busy (under load) or just lost an outgoing packet to track.
I checked them both and they are Amazon, and port 443 is generally used for Log In even...
99.99% sure those are false positives, and with the timestamp you can probably remember logging into Amazon at that time.
Re: What is access log actually showing
O.k., thanks. The ones that I get primarily concerned about are the same type of commentary, but with IP addresses from Russia, China, Turkey, Ukraine, etc. There are the typical port scans, which you can do nothing about, but I am more concerned with the blocking of bad, foreign parties. I had one, from China, two nights ago, which produced at least twenty 'DOS' listings, in a row, in the log. I have that IP as a blocked IP address, was not sure how the router was handling it. I had presumed that if I blocked an IP, it would not show up in the log, as the router would not have allowed access. That came down to the question for me that if an IP was showing up in the access log, did that mean the router HAD allowed access to the IP.
Re: What is access log actually showing (Accepted Solution)
DoS attacks are blocked, period, but are logged. You should not have "Disable Port Scan and DoS Protection" checked on the Advanced tab, on left Setup, WAN setup page. If you uncheck that box you lose that protection and they will get in. No need to block that IP Address as long as that box is unchecked, router never lets them in to even be blocked.
If they ARE legitimate and the router rejected a valid packet, TCP/IP is smart enough to regenerate the packet and it eventually gets to you. If logging in, you might notice it took longer.
Multiple DoS entries seconds apart are more than likely to be a real attack, although in some cases it is just someone trying to ping you, I think. If they are very fast, seconds apart, the router is supposed to shut down entry for everything for a few minutes, but I have NEVER seen that happen.
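The triage the replies above describe, as an added example (not part of any post in this thread and not NETGEAR code): it groups "DoS attack" entries by source, marks sources that only ever appear from port 80/443 as probable late replies from servers the LAN itself contacted, and marks sources with many entries seconds apart. The timestamp format, the burst threshold (5 entries in 10 seconds) and the label names are assumptions, and the labels are heuristics for deciding what to look up first, not verdicts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. The "[DoS attack: ...] from source: IP:port" part follows
# the entries quoted in the thread; the trailing timestamp is an assumed format.
SAMPLE_LOG = "\n".join([
    "[DoS attack: ACK Scan] from source: 52.46.133.39:443, 2019-01-08 20:14:02",
    "[DoS attack: ACK Scan] from source: 72.21.207.87:443, 2019-01-08 20:31:40",
    "[DoS attack: ACK Scan] from source: 198.51.100.9:40112, 2019-01-08 23:05:17",
    "[WLAN access rejected: incorrect security] from MAC, 2019-01-09 01:00:00",
] + [f"[DoS attack: ACK Scan] from source: 203.0.113.7:6000, 2019-01-09 02:10:{s:02d}"
     for s in range(0, 12, 2)])

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+), (?P<ts>[\d\- :]+)$"
)
WEB_PORTS = {80, 443}  # source ports typical of replies from web servers

def parse(log_text):
    """Yield (ip, port, timestamp) for each DoS entry; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], int(m["port"]), datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")

def triage(log_text, burst_size=5, window=timedelta(seconds=10)):
    """Return {ip: (entry_count, label)} with label burst / likely-reply / review."""
    by_ip = defaultdict(list)
    for ip, port, ts in parse(log_text):
        by_ip[ip].append((ts, port))
    report = {}
    for ip, hits in by_ip.items():
        times = sorted(t for t, _ in hits)
        # Burst: any `burst_size` consecutive entries that fit inside `window`.
        burst = any(times[i + burst_size - 1] - times[i] <= window
                    for i in range(len(times) - burst_size + 1))
        web_only = all(port in WEB_PORTS for _, port in hits)
        label = "burst" if burst else "likely-reply" if web_only else "review"
        report[ip] = (len(hits), label)
    return report

if __name__ == "__main__":
    for ip, (count, label) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:<16} {count:>3}  {label}")
```

A source port of 443 does not prove the sender is a web server, so "likely-reply" sources still deserve a whois lookup when the address is unfamiliar.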
Re: What is access log actually showing
THANKS!! That answers all of my questions. The selections that you mentioned, for blocking, are active and working. I can ignore all of the entries, as the router is taking care of what I was worried about. Happiness is!!
Re: What is access log actually showing
It can be entertaining to trace some of those "DOS attacks".
People turn up here with long lists of IP addresses of people they think are attacking them. A quick whois reveals that they often come from Google, Microsoft and places like their own ISP.
Re: What is access log actually showing
Yes, you are correct on that! I spent time looking at my log, doing the standard 'whois', to see what my connection activity was. I learned to recognize the 'standard' ranges from Google, Carbonite, Amazon, and other standard sites, for which I made connections with. I also learned to identify folks that I was not interested in.
For anyone that is looking for a good toolset site to use (and I know there are many out there), a good one is here: https://www.ultratools.com/ .
Re: What is access log actually showing
For anyone that is looking for a good toolset site to use (and I know there are many out there), a good one is here: https://www.ultratools.com/ .
Thanks for that. Very useful
I will add it to my favourite set of utilities, Nirsoft.
Re: What is access log actually showing
If you are in a hurry, and don't want to be bothered with the 'home page' crap of the toolset site, you can just go to: https://www.ultratools.com/tools/ipWhoisLookupResult . Don't be thrown off by the comment that you will see in a box: "Sorry, there was a problem. The domain/hostname is invalid."
All you need to do is enter a valid IP address in the box below that and you are good to go.
Have a good rest of the week!
Re: What is access log actually showing
@umeweall wrote:
Yes, you are correct on that! I spent time looking at my log, doing the standard 'whois', to see what my connection activity was. I learned to recognize the 'standard' ranges from Google, Carbonite, Amazon, and other standard sites, for which I made connections with. I also learned to identify folks that I was not interested in.
For anyone that is looking for a good toolset site to use (and I know there are many out there), a good one is here: https://www.ultratools.com/ .
Unfortunately you can't always tell as many sites will use 3rd party IP Address as well... Akamai is one. Many are not in the US either.