DoS attacks
Thread Starter
Joined: Apr 2008
Posts: 565
Likes: 21
From: Passed away on Sept 6th
I wonder if anyone else is experiencing this.
I have set my Netgear router to email me about DoS attacks & Port Scans. Up to a few weeks back I might get four or five a week. Recently I’ve had many, many more, up to twenty a day, with the Router settings unchanged. Like:
TCP Packet - Source: xx.xx.xx.xxx.xxxxx Destination: xx.xx.xx.xxx.xxxxx - [DOS]
The source varies, but many seem to originate from China.
Anyone else had a huge increase? I’m not worried (should I be?) as the router is doing its job. But I’m puzzled.
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
I have set my Netgear router to email me about DoS attacks & Port Scans.
The source varies, but many seem to originate from China.
Anyone else had a huge increase?
20 per day = "huge increase" ?? It's automated port scans by script-kiddies. Maybe your IP range has come up for scanning in their lists again.
I’m not worried (should I be?)
What you need to look out for is the targeted DoS attacks that eat up your bandwidth .... anything else is just the usual internet "noise". But generally any half intelligent ISP will cut off customers who become bandwidth sucking targets in an "ask questions later" policy style.
Put in additional layers of security if you are worried. Or if you want to keep yourself busy on a rainy day, report them to their ISPs abuse department (just don't expect any magic action to be suddenly taken).
Last edited by mixture; 14th September 2010 at 12:03.
Thread Starter
Joined: Apr 2008
Posts: 565
Likes: 21
From: Passed away on Sept 6th
Thanks, mix and Gert. Not fussed really, just curious... and rather than switch off the logging, I just have the alerts auto-diverted into their own folder. So no worries, as I say.
Official PPRuNe Chaplain
Joined: Apr 2001
Posts: 3,498
Likes: 0
From: Witnesham, Suffolk
I think my Draytek logs 'em but I gave up reading 'em long ago. The critical bit is that it protects me from the effects of these plonqueurs. I've got all the security turned on, apart from the stuff that would stop me accessing the interweb.

Joined: Jun 2003
Posts: 13,787
Likes: 0
From: EuroGA.org
I don't think there is any way to hack a standard NAT router.
Unless you have open ports. These will be quickly discovered with a sniffer and the port will then be hit with a dictionary attack. At work we get this constantly (all day).
Most Draytek routers have port 443 open - even if you disable remote admin. This is a bug. You should port forward all port 443 traffic to an internal IP on which no computer is connected... otherwise all those packets will be sent to your computer which should reject them but it may not if you have an unpatched copy of windoze (which is how many attacks have been done).
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
IO540
I don't think there is any way to hack a standard NAT router.
Wash your mouth out with soap young man.
For a start, in the non "hacker" territory, UPnP can work all sorts of nasty magic behind your back.
And in the "hacker" territory, NAT is considered "security by obscurity", it is not a recognised form of security. Shock horror, not even its designers intended it to be a security measure.
Examples of possible routes in:
(1) Remember a router is basically a miniature computer plus OS. Break the OS and you break the router (and/or can get access to re-configure to enable bypass). Plenty of examples of DoS and other attacks against routers (for one of many examples, google "Cute Little Cisco NAT DoS").
(2) Malicious packets can be passed through a NAT device and cause issues during reassembly. Similarly, tricks can be played with TCP flags.
(3) All sorts of spoofing attacks.
The list could go on. But the point is, NAT != Security.
Administrator
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
Mixture,
No doubt you are right, but bear in mind that the lowliest soho router offers NAT plus SPI* plus port filtering, and often some degree of IP address filtering as well.
I'm not saying that a typical soho router is unbreakable, just that it is much stronger than NAT-only.
SD
* Stateful Packet Inspection, which addresses the TCP flag issue mentioned (for the less technically minded).
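The NAT-only versus NAT-plus-SPI distinction in the post above, as an added example that is not from the thread or any router's firmware: a toy filter replays one constructed packet trace through both modes, showing why a forged reply or a bad-flags probe aimed at a mapped port gets through with NAT alone but not with stateful inspection (the 192.168.1.0/24 inside network and all addresses are made up).

```python
from dataclasses import dataclass

# Toy model of a SOHO router's inbound filtering in two modes: NAT-only (forward
# whenever a port mapping exists) and NAT plus stateful packet inspection (SPI),
# where only replies to connections an inside host opened are admitted and
# impossible TCP flag combinations are dropped. Constructed example, not real code.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def flags_sane(flags):
    # A real segment carries ACK, or is a bare SYN / bare RST. NULL, SYN+FIN,
    # XMAS (FIN+PSH+URG) and FIN-only segments are scanner fingerprinting tricks.
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        return False
    return "ACK" in flags or flags in (frozenset({"SYN"}), frozenset({"RST"}))

class Router:
    def __init__(self, stateful, inside_prefix="192.168.1."):
        self.stateful = stateful
        self.inside_prefix = inside_prefix
        self.conns = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def process(self, p):
        if self.stateful and not flags_sane(p.flags):
            return "DROP bad-flags"
        if p.src.startswith(self.inside_prefix):  # outbound: learn mapping/state
            if p.flags == frozenset({"SYN"}):
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        if self.stateful:  # inbound must match the reverse 4-tuple exactly
            ok = (p.dst, p.dport, p.src, p.sport) in self.conns
        else:  # NAT-only: any mapping for the inside socket will do, whoever sends
            ok = any(c[:2] == (p.dst, p.dport) for c in self.conns)
        return "ALLOW" if ok else "DROP unsolicited"

def run_trace(stateful):
    """Replay a constructed trace and return the verdict for each packet."""
    r = Router(stateful)
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    xmas = frozenset({"FIN", "PSH", "URG"})
    trace = [
        Packet("192.168.1.10", 51000, "203.0.113.5", 443, syn),        # PC opens HTTPS
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, synack),     # genuine reply
        Packet("198.51.100.7", 40000, "192.168.1.10", 22, syn),        # port-scan probe
        Packet("198.51.100.7", 40001, "192.168.1.10", 51000, synack),  # forged reply
        Packet("198.51.100.7", 40002, "192.168.1.10", 51000, xmas),    # XMAS probe
    ]
    return [r.process(p) for p in trace]
```

Calling `run_trace(False)` and `run_trace(True)` side by side shows the forged reply and the XMAS probe passing the NAT-only router but being dropped by the stateful one; a real SPI engine additionally ages entries out and tracks the FIN handshake, which this model omits.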
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
Saab
Fair point. I thought I'd already gone a bit past the necessary in terms of technical detail without having to add potential for conditional exceptions.
Probably one counter-argument to yours would be along the packet filter vs proxy firewall lines. However, I think I'll have to agree a concession for your average home user / PPRuNe reader and just simplify and say "you're right".