DoS attacks


jimtherev
14th Sep 2010, 08:47
I wonder if anyone else is experiencing this.
I have set my Netgear router to email me about DoS attacks & Port Scans. Up to a few weeks back I might get four or five a week. Recently I’ve had many, many more, up to twenty a day, with the Router settings unchanged. Like:

TCP Packet - Source: xx.xx.xx.xxx.xxxxx Destination: xx.xx.xx.xxx.xxxxx - [DOS]

The source varies, but many seem to originate from China.
Anyone else had a huge increase? I’m not worried (should I be?) as the router is doing its job. But I’m puzzled.
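
An added example, not from the post above: a small Python script that parses alert lines in the shape quoted above and answers the "is this actually an increase?" question with numbers instead of a feeling. It assumes each line was prefixed with the date and time from the alert e-mail's Date header (the router line itself carries no timestamp) and that the last dotted field of Source/Destination is the port; the sample lines and addresses are constructed from RFC 5737 documentation ranges, not real traffic.

```python
import re
from collections import Counter

# Constructed sample alerts (assumed format: "<YYYY-MM-DD> <HH:MM> " prepended from the
# e-mail's Date header, then the router line as quoted in the post, with "<ip>.<port>").
SAMPLE_ALERTS = [
    "2010-09-01 09:12 TCP Packet - Source: 198.51.100.20.4310 Destination: 192.0.2.5.445 - [DOS]",
    "2010-09-13 02:41 TCP Packet - Source: 203.0.113.77.52113 Destination: 192.0.2.5.22 - [DOS]",
    "2010-09-13 02:42 TCP Packet - Source: 203.0.113.77.52114 Destination: 192.0.2.5.22 - [DOS]",
    "2010-09-13 11:05 TCP Packet - Source: 198.51.100.20.6000 Destination: 192.0.2.5.1433 - [DOS]",
    "2010-09-13 23:59 UDP Packet - Source: 203.0.113.9.1234 Destination: 192.0.2.5.53 - [PORT SCAN]",
    "2010-09-14 00:03 TCP Packet - Source: 203.0.113.77.52115 Destination: 192.0.2.5.22 - [DOS]",
    "2010-09-14 08:47 TCP Packet - Source: 203.0.113.77.52116 Destination: 192.0.2.5.22 - [DOS]",
    "2010-09-14 08:48 TCP Packet - Source: 203.0.113.77.52117 Destination: 192.0.2.5.22 - [DOS]",
    "-- forwarded by the mail filter, not a router line --",   # must be ignored, not crash
]

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
    r"(?P<proto>TCP|UDP|ICMP) Packet - "
    r"Source: (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) "
    r"Destination: (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+) "
    r"- \[(?P<kind>[A-Z ]+)\]$"
)


def parse_line(line):
    """Return a dict of fields for one alert line, or None if it is not an alert."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def summarize(lines):
    """Count alerts per day, per source address and per targeted port."""
    per_day, per_src, per_dport = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # skip mail headers, quoted text, etc.
        per_day[ev["date"]] += 1
        per_src[ev["src"]] += 1
        per_dport[ev["dport"]] += 1
    return per_day, per_src, per_dport


def spike_days(per_day, baseline_per_day, factor=4):
    """Days whose alert count is at least `factor` times the old daily baseline.
    With "four or five a week" as the baseline, baseline_per_day is about 5/7."""
    return sorted(day for day, n in per_day.items() if n >= factor * baseline_per_day)


if __name__ == "__main__":
    per_day, per_src, per_dport = summarize(SAMPLE_ALERTS)
    print("per day:", dict(per_day))
    print("top sources:", per_src.most_common(3))
    print("top ports:", per_dport.most_common(3))
    print("spike days vs 5/week baseline:", spike_days(per_day, 5 / 7))
```

The per-source and per-port counters are the useful part: one address repeatedly hitting port 22 is a single scanner (or bot) working through a list, which is a different thing from many addresses hitting many ports, and the two warrant different reactions.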

mixture
14th Sep 2010, 11:48
I have set my Netgear router to email me about DoS attacks & Port Scans.

Do you enjoy deluges of emails ? :cool:

The source varies, but many seem to originate from China.
Anyone else had a huge increase?

"Seem to originate" are the operative words... could easily be virus-infested zombies under C&C.

20 per day = "huge increase" ?? It's automated portscans by script-kiddies. Maybe your IP range has come up for scanning in their lists again.

I’m not worried (should I be?)

Not much you can do about it. It's a fact of life on the internet. Practice safe computing, keep everything patched up (including the router), review the router config once in a while to make sure nothing has been tampered with (at least obviously tampered with, that is!). A cheap Netgear router probably doesn't have much ability to do much else apart from being a bystander.

What you need to look out for are the targeted DoS attacks that eat up your bandwidth .... anything else is just the usual internet "noise". But generally any half-intelligent ISP will cut off customers who become bandwidth-sucking targets in an "ask questions later" policy style.

Put in additional layers of security if you are worried. Or if you want to keep yourself busy on a rainy day, report them to their ISPs abuse department (just don't expect any magic action to be suddenly taken).

Gertrude the Wombat
14th Sep 2010, 19:08
Not much you can do about it.
Oh Yes There Is.

You can turn off the logging. Then what you don't see you won't worry about. This works fine for 99.999% of the internet's population.

jimtherev
14th Sep 2010, 22:45
Thanks, mix and Gert. Not fussed really, just curious... and rather than switch off the logging, I just have the alerts auto-diverted into their own folder. So no worries, as I say.

Keef
15th Sep 2010, 00:31
I think my Draytek logs 'em but I gave up reading 'em long ago. The critical bit is that it protects me from the effects of these plonqueurs. I've got all the security turned on, apart from the stuff that would stop me accessing the interweb.

IO540
20th Sep 2010, 15:17
I don't think there is any way to hack a standard NAT router.

Unless you have open ports. These will be quickly discovered with a sniffer and the port will then be hit with a dictionary attack. At work we get this constantly (all day).

Most Draytek routers have port 443 open - even if you disable remote admin. This is a bug. You should port forward all port 443 traffic to an internal IP on which no computer is connected... otherwise all those packets will be sent to your computer which should reject them but it may not if you have an unpatched copy of windoze (which is how many attacks have been done).

mixture
20th Sep 2010, 17:42
IO540

I don't think there is any way to hack a standard NAT router.

Wash your mouth out with soap young man.

For a start, in the non-"hacker" territory, UPnP can work all sorts of nasty magic behind your back.

And in the "hacker" territory, NAT is considered "security by obscurity"; it is not a recognised form of security. Shock horror, not even its designers intended it to be a security measure.

Examples of possible routes in :
(1) Remember a router is basically a miniature computer plus OS. Break the OS and you break the router (and/or can get access to re-configure it to enable bypass). Plenty of examples of DoS and other attacks against routers (for one of many examples, google "Cute Little Cisco NAT DoS").
(2) Malicious packets can be passed through NAT device and cause issues during reassembly. Similarly, tricks can be played with TCP flags.
(3) All sorts of spoofing attacks.

The list could go on. But the point is, NAT != Security.
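
An added example, not part of the post above, of the "nasty magic behind your back" that UPnP permits: the complete message exchange a LAN program uses to open an inbound port on an Internet Gateway Device (SSDP discovery, device description, then a SOAP AddPortMapping call), written in Python with no network access so it runs offline. The SSDP reply and device description below are constructed stand-ins for what a router would send; the multicast address, service type and SOAP action and argument names are those of the UPnP IGD WANIPConnection:1 specification. Note that none of the four steps carries a credential: any process on the LAN, malware included, can do this.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)                        # standard SSDP multicast group
IGD_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"    # IGD port-mapping service
DEVICE_NS = "urn:schemas-upnp-org:device-1-0"

# Constructed router reply to M-SEARCH (what a real IGD unicasts back over UDP).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Example-Router/1.0 UPnP/1.0\r\n\r\n"
)

# Constructed device description (what GET LOCATION would return), trimmed to the relevant service.
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example Router</friendlyName>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
      <serviceList><service>
        <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
        <controlURL>/ctl/IPConn</controlURL>
        <eventSubURL>/evt/IPConn</eventSubURL>
        <SCPDURL>/WANIPCn.xml</SCPDURL>
      </service></serviceList>
    </device></deviceList>
  </device>
</root>"""


def build_msearch(st=IGD_ST, mx=2):
    """Step 1: the SSDP discovery datagram a LAN client multicasts to SSDP_ADDR."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(datagram):
    """Step 2: pull the LOCATION header (URL of the device description) out of the reply."""
    text = datagram.decode(errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers.get("LOCATION")


def find_control_url(description_xml, location, service_type=IGD_ST):
    """Step 3: walk the device description for the WANIPConnection controlURL."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        if svc.findtext(f"{{{DEVICE_NS}}}serviceType") == service_type:
            return urljoin(location, svc.findtext(f"{{{DEVICE_NS}}}controlURL"))
    return None


SOAP_ACTION = f'"{IGD_ST}#AddPortMapping"'   # value of the SOAPACTION header on the POST


def build_add_port_mapping(ext_port, int_port, int_client, proto="TCP", desc="example"):
    """Step 4: SOAP body POSTed to the control URL. There is no credential anywhere in it."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{IGD_ST}">'
        "<NewRemoteHost></NewRemoteHost>"                      # empty = any Internet host
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{int_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"               # 0 = permanent until deleted
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )


if __name__ == "__main__":
    location = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    control = find_control_url(SAMPLE_DESCRIPTION, location)
    print("control URL:", control)
    print(build_add_port_mapping(3389, 3389, "192.168.1.50", desc="opened by anything on the LAN"))
```

On a real network the client sends build_msearch() over UDP to SSDP_ADDR, fetches the LOCATION URL, and POSTs the body to the control URL with Content-Type text/xml and the SOAPACTION header; the router then forwards external port 3389 to the named LAN host. The defensive check is equally simple: if the router's UPnP page lists mappings you did not create, something on the LAN created them, and disabling UPnP on the router closes the door.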

Saab Dastard
20th Sep 2010, 18:56
Mixture,

No doubt you are right, but bear in mind that the lowliest SOHO router offers NAT plus SPI* plus port filtering, and often some degree of IP address filtering as well.

I'm not saying that a typical SOHO router is unbreakable, just that it is much stronger than NAT-only.

SD

* Stateful Packet Inspection, which addresses the TCP flag issue mentioned (for the less technically minded).
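
An added example, not from the post above, showing concretely what the SPI footnote buys over the "TCP flag tricks" mentioned earlier. It is a toy Python model, not any router's code: a stateless rule that lets in any packet with ACK set (the classic shortcut for "replies to established connections"), beside a minimal state table that only admits inbound packets matching a connection the LAN side opened. The packets are constructed, NAT address rewriting is ignored, and the tracker is simplified (it creates state on the outbound SYN and tears it down on an inbound FIN or RST, with no handshake validation or timeouts).

```python
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04          # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool          # True = arriving on the WAN side


def stateless_filter(pkt):
    """Stateless ACL: trust the flags. Anything inbound with ACK set is assumed to be a
    reply to a connection we started, so an attacker just sets ACK (an 'ACK scan')."""
    if not pkt.inbound:
        return True
    return bool(pkt.flags & ACK)


class StatefulFilter:
    """SPI (simplified): inbound traffic is admitted only if it matches a connection
    recorded when a LAN host sent the opening SYN. Flags alone prove nothing."""

    def __init__(self):
        self.table = set()          # (lan_ip, lan_port, remote_ip, remote_port)

    def allow(self, pkt):
        if not pkt.inbound:
            if pkt.flags & SYN and not pkt.flags & ACK:      # LAN host opens a connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return False                                     # no matching connection: drop
        if pkt.flags & (FIN | RST):                          # peer closes or resets it
            self.table.discard(key)
        return True


LAN, WEB, SCANNER = "192.168.1.10", "203.0.113.10", "198.51.100.7"   # constructed addresses


def run_scenario():
    """Feed the same constructed packet sequence through both filters.
    Returns {label: (stateless_allowed, stateful_allowed)}."""
    spi = StatefulFilter()
    sequence = [
        ("lan_opens_http",      Packet(LAN, 40000, WEB, 80, SYN, inbound=False)),
        ("syn_ack_reply",       Packet(WEB, 80, LAN, 40000, SYN | ACK, inbound=True)),
        ("ack_scan_probe",      Packet(SCANNER, 51000, LAN, 22, ACK, inbound=True)),
        ("syn_probe",           Packet(SCANNER, 51001, LAN, 22, SYN, inbound=True)),
        ("server_resets",       Packet(WEB, 80, LAN, 40000, RST | ACK, inbound=True)),
        ("stale_ack_after_rst", Packet(WEB, 80, LAN, 40000, ACK, inbound=True)),
    ]
    return {label: (stateless_filter(p), spi.allow(p)) for label, p in sequence}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:22s} stateless={'allow' if stateless else 'drop':5s} "
              f"stateful={'allow' if stateful else 'drop'}")
```

The two rows that matter are ack_scan_probe, where the stateless rule lets a bare-ACK probe through to port 22 because the attacker simply set the flag, and stale_ack_after_rst, where a packet that would have been legitimate a moment ago is dropped because the connection it claims to belong to no longer exists. A plain SYN is dropped by both, which is why a NAT-only box still looks fine to a casual SYN scan.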

mixture
20th Sep 2010, 20:32
Saab

Fair point. I thought I'd already gone a bit past the necessary in terms of technical detail without having to add potential for conditional exceptions.

Probably one counter-argument to yours would be along the packet filter vs proxy firewall lines. However, I think I'll have to agree a concession for your average home user / PPRuNe reader and just simplify and say "you're right".

:ok: