DOS Attacks logged on my Router

A Quincy Joker

Distinguished
Nov 15, 2013
39
1
18,535
[DoS attack: ACK Scan] from source 151.101.198.2,port 443 Friday, Aug 10,2018 21:57:33
[DoS attack: ACK Scan] from source 63.251.252.12,port 443 Friday, Aug 10,2018 21:57:07
[DoS attack: ACK Scan] from source 151.101.198.2,port 443 Friday, Aug 10,2018 21:57:03
[DoS attack: ACK Scan] from source 63.251.252.12,port 443 Friday, Aug 10,2018 21:56:53
[DoS attack: ACK Scan] from source 151.101.198.2,port 443 Friday, Aug 10,2018 21:56:48
[DoS attack: ACK Scan] from source 63.251.252.12,port 443 Friday, Aug 10,2018 21:56:41
[DoS attack: ACK Scan] from source 151.101.198.2,port 443 Friday, Aug 10,2018 21:56:41
[DoS attack: ACK Scan] from source 63.251.252.12,port 443 Friday, Aug 10,2018 21:56:38
[DoS attack: ACK Scan] from source 151.101.198.2,port 443 Friday, Aug 10,2018 21:56:33
[DoS attack: ACK Scan] from source 23.4.226.210,port 443 Friday, Aug 10,2018 21:56:32
[DoS attack: ACK Scan] from source 23.196.36.144,port 443 Friday, Aug 10,2018 21:56:32
[DoS attack: ACK Scan] from source 184.25.241.213,port 443 Friday, Aug 10,2018 21:56:32
[DoS attack: ACK Scan] from source 23.4.226.210,port 443 Friday, Aug 10,2018 21:56:31
[DoS attack: ACK Scan] from source 184.25.241.213,port 443 Friday, Aug 10,2018 21:56:31
[DoS attack: ACK Scan] from source 23.196.36.144,port 443 Friday, Aug 10,2018 21:56:31
[DoS attack: ACK Scan] from source 184.25.241.213,port 443 Friday, Aug 10,2018 21:56:30
[DoS attack: ACK Scan] from source 184.86.19.58,port 443 Friday, Aug 10,2018 21:56:30
[DoS attack: ACK Scan] from source 23.196.36.144,port 443 Friday, Aug 10,2018 21:56:30
[DoS attack: ACK Scan] from source 23.4.231.238,port 443 Friday, Aug 10,2018 21:56:29
[DoS attack: ACK Scan] from source 184.86.19.58,port 443 Friday, Aug 10,2018 21:56:29
[DoS attack: ACK Scan] from source 184.25.241.213,port 443 Friday, Aug 10,2018 21:56:29
[DoS attack: ACK Scan] from source 23.4.231.238,port 443 Friday, Aug 10,2018 21:56:28
[DoS attack: ACK Scan] from source 184.25.241.213,port 443 Friday, Aug 10,2018 21:56:28
[DoS attack: ACK Scan] from source 23.4.231.238,port 443 Friday, Aug 10,2018 21:56:27
[DoS attack: ACK Scan] from source 184.25.241.213,port 443 Friday, Aug 10,2018 21:56:27
[DoS attack: ACK Scan] from source 104.69.8.99,port 443 Friday, Aug 10,2018 21:56:07
[DoS attack: ACK Scan] from source 23.196.36.144,port 443 Friday, Aug 10,2018 21:55:39
Wednesday, Dec 31,1969 16:00:00
Wednesday, Dec 31,1969 16:00:00
-------------------------------------------------------------------------------------------------------------------------------
So my internet has been slow the past couple of weeks and I was beginning to blame my hardware and physical connections, which I replaced, but it wasn't an Ethernet issue. My Netgear R7900P router is up to date. This connection issue has been across several devices. I've spoken to the ISP about their speeds, but they have said I should be receiving full coverage.

I've taken the liberty of using whois.domaintools.com to look up the source IP addresses, but at this point I don't know what to do with this information; it very well might be spoofed.

Any suggestions?

Thank you for your time.

-Quincy
 
You can do nothing about it. Although it says DoS, these routers call everything a DoS attack, I think just for drama. An ACK scan is more of someone looking for open ports to hack.

It depends how much bandwidth you have. This is not really a lot of traffic; it would only have an impact if you had a slower DSL connection.

It also has fairly large gaps in the time. You have places where it is 30 seconds or a minute with none of this "attack" traffic.

But there is nothing you can do and the ISP does not really care. If it is really a DoS attack, whoever is doing it will get tired of paying for the service they rent.

Turn the modem off overnight and you might get a different IP address, but that will not stop the scanning from hackers; they tend to scan large blocks of IP addresses.
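
The volume and timing points in the reply above can be checked directly against a saved copy of the router log. The following is an added example, not part of the original thread: it parses lines in the format shown in the first post and reports per-source counts, the busiest minute, the longest quiet gap and the source ports seen. The sample log is constructed (documentation-range addresses), and the function names are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the log format shown in the post (documentation-range IPs).
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source 192.0.2.10,port 443 Friday, Aug 10,2018 21:57:33
[DoS attack: ACK Scan] from source 198.51.100.7,port 443 Friday, Aug 10,2018 21:57:07
[DoS attack: ACK Scan] from source 192.0.2.10,port 443 Friday, Aug 10,2018 21:56:32
[DoS attack: ACK Scan] from source 203.0.113.5,port 443 Friday, Aug 10,2018 21:56:31
[DoS attack: ACK Scan] from source 192.0.2.10,port 443 Friday, Aug 10,2018 21:56:30
[DoS attack: ACK Scan] from source 203.0.113.5,port 443 Friday, Aug 10,2018 21:55:39
Wednesday, Dec 31,1969 16:00:00
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<ip>[\d.]+),\s*port (?P<port>\d+)"
    r" \w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

def parse(log_text):
    """Return (timestamp, source_ip, source_port, kind) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # e.g. the empty 1969 placeholder rows
        ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        events.append((ts, m["ip"], int(m["port"]), m["kind"]))
    return sorted(events)

def summarize(events):
    """Volume and timing figures for judging whether this could load the link."""
    per_minute = Counter(ts.replace(second=0) for ts, *_ in events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    ports = sorted({port for _, _, port, _ in events})
    return {
        "events": len(events),
        "sources": dict(Counter(ip for _, ip, _, _ in events)),
        "peak_per_minute": max(per_minute.values(), default=0),
        "longest_gap_s": max(gaps, default=0),
        "src_ports": ports,
        # Heuristic (assumption): source port 80/443 is the server side of a web
        # connection, so such packets may be late replies to sessions opened from inside.
        "all_server_side": bool(ports) and set(ports) <= {80, 443},
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A peak of a few logged packets per minute with gaps of tens of seconds is far below what would slow a broadband link.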
 
You could report the IPs to the ISP, with date and time of attack. Most likely they are compromised systems doing the bidding of the program. At best the ISP will contact the IP user, but never tell you.

I would take some time to audit the devices on your network for HTTPS / SSL security (port 443). It's possible that a device on your network initiated a session with a dodgy site (especially if you have several users who are not so security savvy).
 

A Quincy Joker



So essentially, there is more than likely a person scanning for open ports they can attempt to hack such as Port 443 or any of the other ports such as 21, 22, 23 for FTP etc.?

If so, would these be performed online or would it be more of a "drive-by" in my neighborhood where someone posts up for a couple of hours trying to backdoor into my network? There are several networks nearby as well, so I wouldn't know who it was. I have just recently removed my SSID from broadcasting and changed a couple of security settings to improve security.

I have MAC filtering enabled and even if they did find the password, Access Control would kick in and block them automatically.
 

A Quincy Joker



Do you have any steps I could take in the auditing process for devices on my network? I was switching on and off between Cloudflare's VPN services 1.1.1.1 and OpenDNS to restrict certain content and test network speeds with each. I recently decided to go back to my ISP's DNS settings and haven't had a problem since.

I also purchased PIA (Private Internet Access) to hide my IP address from potential sniffers etc. The problem is I expected to receive a VPN configuration such as an IP Address I could easily plug into my router settings so my network would receive the benefits of the privacy protection.

Thank you for your time, any and all help is appreciated.
 
They are coming from the internet; in your case most of these IPs are in hosting centers. Could be someone is renting a server, or more likely the servers are compromised and being used to attack.

If someone connects via your WiFi the router will not even see or log it. This firewall function only works for traffic passing between the LAN and the WAN, and the WiFi is considered LAN.

Removing the SSID and MAC filtering are wastes of time. Anyone who would have the skills to hack WiFi can see your network without the SSID and can spoof MAC addresses. Spoofing a MAC is trivial compared to cracking keys.

WiFi is extremely secure as long as you use some reasonable password. Even a crappy password would take too long to hack since it must be done by brute force guessing rather than an offline attempt like is done with password hash files.

The only huge exposure in WiFi is WPS. This is a tool for people so lazy they can't even be bothered to type in a password. It is a feature that should have been removed years ago when the exploit was discovered but because people are too lazy to even think to open a user manual the feature has stayed. Luckily it is trivial to disable but it would be nice if more routers had it disabled by default.....but then the lazy people would actually have to do something.
 

A Quincy Joker

So at most I should change the password every few months like I should with a variation of complexity that makes it hard to crack without the use of brute force attacks?

The WPS feature was automatically turned off after I disabled SSID broadcast as it seems to have been a dependency for it. Before when I had first set up my router to WPA2 and AES, it gave me the option to disable WPS, which I did, but users were still able to come up to the router and click the WPS button, which I found stupid coming from Netgear products, and connect that way.

Thanks again bill001g for answering my questions.
 
It depends if you ever need to tell someone your WiFi password. If it is a secret that only you or a very small number of people know, it does not have to be changed. The time involved to crack even a fairly insecure key is huge, much more than even a month. Good keys are not in theory crackable in someone's lifetime.

The password/key is only used for the initial communication where the 2 devices generate a unique key for the session using the MAC addresses and random numbers. This common key is used to encrypt these messages. The key itself is never sent even in an encrypted form over the communication path. It is designed to be very hard to attack. Most of this discussion is theoretical. The script kiddies will just drive down the block and find the people with WPS enabled or open systems rather than take the time to mess with your stuff.
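
The session-key generation described in the answer above is the WPA2-Personal four-way handshake. As an added example (not part of the original thread), this sketch shows how both sides compute the same per-session key from the passphrase, SSID, the two MAC addresses and the two random nonces, without the passphrase or the key ever being transmitted. The MAC addresses and nonces used with it are constructed values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1 over the passphrase, salted by SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Per-session pairwise key (48 bytes for AES-CCMP).

    MACs and nonces are ordered min/max so the access point and the client
    feed identical bytes into the PRF and arrive at the same key.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def split_ptk(key: bytes):
    """KCK authenticates handshake frames, KEK wraps the group key, TK encrypts data."""
    return key[:16], key[16:32], key[32:48]

if __name__ == "__main__":
    # Constructed values: locally administered MACs and fixed stand-ins for random nonces.
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = b"\x01" * 32, b"\x02" * 32
    pmk = pmk_from_passphrase("password", "IEEE")
    kck, kek, tk = split_ptk(ptk(pmk, ap, sta, anonce, snonce))
    print("PMK:", pmk.hex())
    print("TK :", tk.hex())
```

Only the nonces and MAC addresses cross the air in the clear; a fresh pair of nonces gives a different session key on every association.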

 