Wireless router logs reporting loads of DoS attack attempts

1

We're having intermittent connectivity issues with our ADSL at the office. We've been dealing with our ISP for weeks and they don't know how to fix our problem.

What happens is that at multiple times during the day, our connection becomes horribly slow, then drops, and for quite a few minutes, we're unable to reconnect to our wireless Netgear router.

When I manage to log in to our Netgear management console, the log file indicates a bunch of DoS attack attempts:

[UPnP set event:DeletePortMapping] from source 192.168.0.2, Thursday, July 25,2013 14:22:19
[UPnP set event:AddPortMapping] from source 192.168.0.2, Thursday, July 25,2013 14:22:15
[UPnP set event:DeletePortMapping] from source 192.168.0.2, Thursday, July 25,2013 14:22:13
[DHCP IP: (192.168.0.2)] to MAC address 68:A8:6D:22:A3:54, Thursday, July 25,2013 14:22:05
[DoS attack: ACK Scan] from source: 46.33.69.202:80, Thursday, July 25,2013 14:12:07
[DoS attack: ACK Scan] from source: 8.18.45.90:80, Thursday, July 25,2013 14:10:15
[UPnP set event:AddPortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:58
[UPnP set event:AddPortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:57
[UPnP set event:DeletePortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:56
[UPnP set event:DeletePortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:54
[DHCP IP: (192.168.0.16)] to MAC address 34:51:C9:AA:38:40, Thursday, July 25,2013 14:03:26
[DoS attack: ACK Scan] from source: 99.3.43.180:61897, Thursday, July 25,2013 14:00:45
[DoS attack: ACK Scan] from source: 199.30.80.32:80, Thursday, July 25,2013 13:58:22
[DoS attack: ACK Scan] from source: 199.30.80.32:80, Thursday, July 25,2013 13:57:54

Could this be what is causing connection stability issues? Is there any way to circumvent it?

What about turning off "Enable SSID Broadcast", will that offer some security by obscurity?

josef.van.niekerk

Posted 2013-07-25T13:45:10.900

Reputation: 1 553

I'll let someone else more knowledgeable about this answer, but I don't believe disabling SSID broadcast will do much to stop the DoS attacks; all that does is make your router "undiscoverable" by scanners. One could still connect directly to it if they know your SSID and credentials. – Jason Bristol – 2013-07-25T14:33:00.913

What's the model of your router? – Darth Android – 2013-07-25T15:08:04.033

Even if you disable broadcasting your SSID it wouldn't solve your problems. Besides, you're not actually being attacked, because the time between the two messages is too great. Your router is simply treating every ACK scan as an attack. – Ramhound – 2013-07-25T15:33:40.560
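To make the "time between the messages" argument in the comment above concrete, here is an added example (not part of the original question or any answer) that parses the Netgear log lines the asker posted, measures how closely spaced the "DoS attack" entries from each source are, and separately counts the UPnP AddPortMapping/DeletePortMapping churn per LAN host. The log text is the asker's own lines, embedded as a constructed sample; the thresholds in classify() (ten hits less than a second apart) are assumed values chosen to illustrate the idea, not a Netgear setting.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the lines from the question, in the newest-first order Netgear writes them.
SAMPLE_LOG = """\
[UPnP set event:DeletePortMapping] from source 192.168.0.2, Thursday, July 25,2013 14:22:19
[UPnP set event:AddPortMapping] from source 192.168.0.2, Thursday, July 25,2013 14:22:15
[UPnP set event:DeletePortMapping] from source 192.168.0.2, Thursday, July 25,2013 14:22:13
[DHCP IP: (192.168.0.2)] to MAC address 68:A8:6D:22:A3:54, Thursday, July 25,2013 14:22:05
[DoS attack: ACK Scan] from source: 46.33.69.202:80, Thursday, July 25,2013 14:12:07
[DoS attack: ACK Scan] from source: 8.18.45.90:80, Thursday, July 25,2013 14:10:15
[UPnP set event:AddPortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:58
[UPnP set event:AddPortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:57
[UPnP set event:DeletePortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:56
[UPnP set event:DeletePortMapping] from source 192.168.0.16, Thursday, July 25,2013 14:04:54
[DHCP IP: (192.168.0.16)] to MAC address 34:51:C9:AA:38:40, Thursday, July 25,2013 14:03:26
[DoS attack: ACK Scan] from source: 99.3.43.180:61897, Thursday, July 25,2013 14:00:45
[DoS attack: ACK Scan] from source: 199.30.80.32:80, Thursday, July 25,2013 13:58:22
[DoS attack: ACK Scan] from source: 199.30.80.32:80, Thursday, July 25,2013 13:57:54
"""

# "[event] detail, Weekday, Month DD,YYYY HH:MM:SS" with optional trailing whitespace.
LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\]\s+(?P<detail>.*?),\s+"
    r"(?P<ts>\w+, \w+ \d+,\d{4} \d\d:\d\d:\d\d)\s*$"
)
# DoS lines say "from source: ip:port"; UPnP lines say "from source ip" (no colon, no port).
SRC_RE = re.compile(r"from source:?\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?")


def parse_log(text):
    """Return a list of {event, source, port, time} dicts, oldest first; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src = SRC_RE.search(m.group("detail"))
        entries.append({
            "event": m.group("event"),
            "source": src.group("ip") if src else None,
            "port": int(src.group("port")) if src and src.group("port") else None,
            "time": datetime.strptime(m.group("ts"), "%A, %B %d,%Y %H:%M:%S"),
        })
    entries.sort(key=lambda e: e["time"])
    return entries


def dos_rate_by_source(entries):
    """Per 'DoS attack' source IP: number of hits and the shortest gap (seconds) between consecutive hits."""
    times = defaultdict(list)
    for e in entries:
        if e["event"].startswith("DoS attack"):
            times[e["source"]].append(e["time"])
    stats = {}
    for ip, ts in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        stats[ip] = {"count": len(ts), "min_gap_s": min(gaps) if gaps else None}
    return stats


def classify(stats, flood_gap_s=1.0, min_hits=10):
    """Assumed rule of thumb: only a burst of many hits well under a second apart looks like a flood;
    one or two ACKs minutes apart are stray packets (late replies to closed connections) and not an attack."""
    verdicts = {}
    for ip, s in stats.items():
        bursty = s["min_gap_s"] is not None and s["min_gap_s"] < flood_gap_s
        verdicts[ip] = "possible flood" if s["count"] >= min_hits and bursty else "stray ACKs"
    return verdicts


def upnp_churn_by_host(entries):
    """Count UPnP Add/DeletePortMapping events per LAN host, the churn the asker sees before each drop."""
    counts = defaultdict(int)
    for e in entries:
        if e["event"].startswith("UPnP set event:"):
            counts[e["source"]] += 1
    return dict(counts)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, verdict in classify(dos_rate_by_source(log)).items():
        print(f"{ip:>16}: {verdict}")
    print("UPnP mapping events per LAN host:", upnp_churn_by_host(log))
```

On the asker's sample every "DoS attack" source is classified as stray ACKs (199.30.80.32 is the only repeat, and its two hits are 28 seconds apart), while 192.168.0.2 and 192.168.0.16 account for all the UPnP port-mapping churn; feeding a longer export of the router log into parse_log() lets you check whether the drops line up with the UPnP events or with the scan entries before changing any settings.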

Answers

2

The DoS or DDoS attacks are coming to your public IP with attempts to port scan your network for a response on an open port (ACK Scan is looking for a port to acknowledge ICMP).

Disabling your SSID will stop people from scanning for your private Wi-Fi from the outside, and you will need to reconfigure your devices to connect to this network by creating a new connection, manually entering your SSID into the new connection settings, and telling it to connect even if the network appears offline.

This, however, will not stop DoS and DDoS attacks from registering against your public IP address; you would have to have echo reply disabled on your modem. If you have access to your modem BIOS you may be able to change it yourself; if not, your ISP can likely do it for you.

Are you able to connect to the network, but have no web access? Or does your network no longer appear as an available network?

Pretzel

Posted 2013-07-25T13:45:10.900

Reputation: 468

Hi Pretzel, we often lose connectivity to the router itself. Usually this corresponds with a UPnP set event:DeletePortMapping and UPnP set event:AddPortMapping in the logs. Often I try connecting to the Wi-Fi and my Mac throws a timeout error message attempting to connect to the Wi-Fi. It normally comes back after about 5-10 minutes. – josef.van.niekerk – 2013-07-25T14:43:26.940

Are you using UPnP for any devices? Anything else in your logs such as login attempts? – Pretzel – 2013-07-25T14:49:49.163

Not sure about UPnP, and no login attempts other than my own. – josef.van.niekerk – 2013-07-25T18:54:50.197

In your Netgear BIOS under advanced settings there should be a setting for UPnP; if you are not using UPnP (Universal Plug and Play), disable it. Also, if you have remote management active and are not using that as well, it would be best to disable it. Disabling UPnP may rectify this situation. – Pretzel – 2013-07-25T19:28:43.780

I've turned UPnP off, will keep an eye on the logs. Also disabled SSID broadcasting. – josef.van.niekerk – 2013-07-29T13:30:40.430

If there is no change please update. – Pretzel – 2013-07-29T13:48:19.810

Will check again tomorrow when at the office. Will update as soon as I see what's happening! ;) – josef.van.niekerk – 2013-07-29T19:43:38.247

Log still showing DoS attempts. Discovered a redundant machine that was plugged into the router, that is littered with malware. Cleared the logs and keeping an eye on it. – josef.van.niekerk – 2013-07-30T09:15:16.600

Was it the IP address making UPnP requests? – Pretzel – 2013-07-30T13:03:03.943