Re: DoS Attack: SYN/ACK Scan
DoS Attack: SYN/ACK Scan
I keep seeing the below logs in my Orbi router. What does "DoS Attack: SYN/ACK Scan" signify? Also, I am not sure why it prints "DHCP IP: <ip>" for all connected devices? DHCP has a lease time of 24hrs?
Appreciate any help on this
Firmware: V2.5.1.16
Please see attachment. Thanks!
Re: DoS Attack: SYN/ACK Scan
You need to do a whois lookup on the 157.240.22.54 IP address.
Re: DoS Attack: SYN/ACK Scan
@nagendraprasath wrote: I keep seeing the below logs in my Orbi router. What does "DoS Attack: SYN/ACK Scan" signify? Also, I am not sure why it prints "DHCP IP: <ip>" for all connected devices? DHCP has a lease time of 24hrs?
The Orbi log contains a wide variety of items. A DHCP assignment is recorded every time a device uses DHCP to ask Orbi to assign it an IP address. With a "lease time" of one day (24 hours), the DHCP standard calls for the device to request a renewal when the lease is half-expired. They are entirely normal. I know of no method to make the Orbi cease logging these events.
The Orbi firewall refuses all connection attempts except those specifically authorized by the user (see "Port Forwarding" and Remote Management). The firewall also has some (mysterious) mechanism for determining that a "pattern" of connection requests falls into a recognizable category of "scan" or "Denial of Service" attack. There is an option to have Orbi not include those conclusions in the log. As an analogy, suppose my practice is to never answer the telephone unless I recognize the calling number. Calls may come in, but if I do not recognize the caller, I never answer. I could keep a record of all the "Caller ID's" that I did not answer. If I seem to get many calls from the same number, I might even decide to highlight them ("aha, the Heart Foundation still wants a donation from me.") and assign them a category ("public appeals for money"). That's what Orbi's firewall is logging.
There are suggestions that Orbi is too aggressive in describing things as "DoS Attacks" or "ACK Scans". Alas, Netgear publishes nothing about how the firewall makes these determinations.
If they bother you, you can turn off the notices.
Re: DoS Attack: SYN/ACK Scan
Thanks for your response. Yes, I did. They belong to Facebook, Amazon, Google...
Today I see the below one, and the IP address resolves to Facebook and port 443 is HTTPS. What I am not understanding is what exactly the log is trying to convey. Does it mean one of my PCs/smartphones connected to Facebook? But then why is it under "DoS Attack: ACK Scan"?
[DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Sunday, June 07, 2020 17:51:12
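An added example, not part of the original posts and not Netgear code: a small Python parser for log lines in the format quoted above, grouping firewall entries by source address and category so that repeated sources stand out before a whois lookup. The pattern is inferred from the single line quoted in the thread; every sample line except the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern inferred from the one line quoted in the thread (an assumption):
# [DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Sunday, June 07, 2020 17:51:12
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] from source: (?P<ip>[0-9A-Fa-f.:]+), "
    r"port (?P<port>\d+), (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$"
)
TS_FORMAT = "%A, %B %d, %Y %H:%M:%S"

def parse_line(line):
    """Return a dict for a firewall entry, or None for anything else (e.g. DHCP)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"category": m["category"], "ip": m["ip"], "port": int(m["port"]),
            "time": datetime.strptime(m["ts"], TS_FORMAT)}

def summarize(lines):
    """Group by (source IP, category): hit count, source ports, first/last seen."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        g = groups[(entry["ip"], entry["category"])]
        g["count"] += 1
        g["ports"].add(entry["port"])
        g["first"] = min(g["first"] or entry["time"], entry["time"])
        g["last"] = max(g["last"] or entry["time"], entry["time"])
    return dict(groups)

# First line is the one quoted in the thread; the others are constructed samples.
SAMPLE_LOG = [
    "[DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Sunday, June 07, 2020 17:51:12",
    "[DoS Attack: ACK Scan] from source: 157.240.22.54, port 443, Sunday, June 07, 2020 17:58:40",
    "[DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 80, Sunday, June 07, 2020 18:02:05",
    "[DHCP IP: 192.168.1.5] to MAC address 00:00:5e:00:53:01, Sunday, June 07, 2020 17:40:00",
]

if __name__ == "__main__":
    for (ip, category), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} {category:26} hits={g['count']} src_ports={sorted(g['ports'])} "
              f"first={g['first']:%H:%M:%S} last={g['last']:%H:%M:%S}")
```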
Re: DoS Attack: SYN/ACK Scan
Thanks for your response. I agree with your comment about DHCP. Is there a way to increase the DHCP lease beyond 24 hrs?
Re: DoS Attack: SYN/ACK Scan
While I (personally) sort of like seeing that my devices are renewing their IP leases twice a day, my impression is that the default lease probably can be changed. According to what I find by searching the web, a DHCP lease can be as long as 135 years. This one article recommends various lease times for specific situations:
https://www.informit.com/articles/article.aspx?p=30874&seqNum=3
Notice that they are describing a situation where different DHCP "pools" are used for different purposes (student labs vs. servers, etc.)
Orbi has only a single DHCP pool.
When I telnet into my Orbi and display parameters using the command
nvram show | grep dhcp
(display all the parameters and pass them through the program "grep" to list only those with the string "dhcp" in it)
One of the lines that shows up is this:
dhcpc_lease_time=86400
86,400 seconds is one day (60x60x24). So, in theory, one could change that to a different value by typing:
config set dhcpc_lease_time=864000
config commit
This would create a lease time of 10 days. Please understand:
- I would for certain make a backup of the Orbi configuration in case this goes horribly wrong and I am forced to Factory Reset the Orbi.
- I have not done this myself