[SOLVED] Router detecting port scan and ack flood attack

Aug 3, 2020
Over the past few days, I've been noticing that the log of my wireless router is showing an ACK flood attack from various IP addresses.
The flood attacks are happening all day, every minute, at the same rate. What should I do to stop this? I noticed a recent increase in ping in the multiplayer games I play.

Router model - D-Link DIR-605L wireless router.
Internet Connection type is - Static IP

Here is the router log:

Aug 05 12:56:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:55:16 Per-source ACK Flood Attack Detect (ip=146.112.41.2) Packet Dropped
Aug 05 12:55:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:54:16 Per-source ACK Flood Attack Detect (ip=146.112.41.2) Packet Dropped
Aug 05 12:54:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:53:16 Per-source ACK Flood Attack Detect (ip=74.125.24.121) Packet Dropped
Aug 05 12:53:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:52:16 Per-source ACK Flood Attack Detect (ip=8.241.150.124) Packet Dropped
Aug 05 12:52:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:51:16 Per-source ACK Flood Attack Detect (ip=52.84.226.203) Packet Dropped
Aug 05 12:51:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:50:16 Per-source ACK Flood Attack Detect (ip=54.254.189.170) Packet Dropped
Aug 05 12:50:16 Whole System ACK Flood Attack from WAN Rule: Default deny

Here are the router settings:

Remote management is disabled.
Anti-spoofing enabled.
Block WAN PING enabled.
URL Blocking disabled.
RTSP ALG enabled.
VPN (IPsec) Pass-Through enabled.
VPN (PPTP) Pass-Through enabled.
VPN (L2TP) Pass-Through enabled.
SPI Enabled
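
As an added example (not part of the thread and not the router vendor's tooling), a short Python triage of the log format posted above: it counts per-source detections, measures the spacing between entries, and flags any per-source entry the router did not report as dropped. The year is an assumption, since the log prints none.

```python
import re
from collections import Counter
from datetime import datetime

# Lines from the log in the post. The separator between timestamp and message
# is optional in the pattern, so lines with the two fused together parse too.
POSTED_LOG = """\
Aug 05 12:55:16 Per-source ACK Flood Attack Detect (ip=146.112.41.2) Packet Dropped
Aug 05 12:55:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:54:16 Per-source ACK Flood Attack Detect (ip=146.112.41.2) Packet Dropped
Aug 05 12:54:16 Whole System ACK Flood Attack from WAN Rule: Default deny
Aug 05 12:53:16 Per-source ACK Flood Attack Detect (ip=74.125.24.121) Packet Dropped
Aug 05 12:53:16 Whole System ACK Flood Attack from WAN Rule: Default deny
"""
ASSUMED_YEAR = 2020  # assumption: the log has no year; taken from the thread date
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s*(?P<msg>.+)$")
SOURCE = re.compile(r"Per-source ACK Flood Attack Detect \(ip=(?P<ip>[\d.]+)\)")


def triage(log_text):
    """Summarise ACK-flood entries: which sources, how often, and whether dropped."""
    sources, stamps, not_dropped, unparsed = Counter(), set(), [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m or "ACK Flood" not in m["msg"]:
            unparsed.append(line)
            continue
        stamps.add(datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"))
        src = SOURCE.search(m["msg"])
        if src:
            sources[src["ip"]] += 1
            if "Packet Dropped" not in m["msg"]:
                not_dropped.append(line)  # detection without a reported drop
    ordered = sorted(stamps)
    gaps = [int((b - a).total_seconds()) for a, b in zip(ordered, ordered[1:])]
    return {
        "per_source": dict(sources),
        "gaps_seconds": sorted(set(gaps)),
        "not_dropped": not_dropped,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(triage(POSTED_LOG))
```
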
 
This is where maybe it would be best if the router just did its job and did not tell you and make you worry.

This is just your fairly constant scanning traffic that occurs on the internet. All routers will prevent this traffic from getting to your internal machines unless you use something like DMZ in your router. Some devices have an additional firewall feature, mostly to protect the router itself against denial of service attacks.

Your router has already handled the traffic and discarded it. There is nothing you can do to prevent it from being sent to you. Your router is the very first device you have control of. The traffic must actually arrive at your router for it to do anything. Anything else would have to be done by the ISP before it is put on the line to be sent to your house.
 
Aug 3, 2020
This is where maybe it would be best if the router just did its job and did not tell you and make you worry.

This is just your fairly constant scanning traffic that occurs on the internet. All routers will prevent this traffic from getting to your internal machines unless you use something like DMZ in your router. Some devices have an additional firewall feature, mostly to protect the router itself against denial of service attacks.

Your router has already handled the traffic and discarded it. There is nothing you can do to prevent it from being sent to you. Your router is the very first device you have control of. The traffic must actually arrive at your router for it to do anything. Anything else would have to be done by the ISP before it is put on the line to be sent to your house.


So is this increasing the ping in multiplayer games, or is it because of a completely different reason?
 
It is likely something else unless your internet connection is tiny.

You have many minutes between these so it is not a constant thing. The traffic is likely not very much so it will not exceed your download capacity.

You will be able to tell pretty easily if you leave a constant ping running to the first ISP router. Run tracert to 8.8.8.8; hop 2 should be the first ISP router IP in most cases.
 
Aug 3, 2020
The flood attacks are in the log and are happening every minute, every day (24 hours), without a break of a single minute. It has been constant like this for the past few days. I have mentioned this as well in my post.

Using tracert 8.8.8.8, I noticed that hop 4 has a 192.168.199.XX address which is taking 100 ms, and after that it hits some Google IP, 202.78.239.62.

Before 192.168.199.XX, all 3 hops complete within 10 ms.
 
It likely is not causing a problem other than your router taking extra time to produce a log message. You can check the CPU load on many routers.

It is interesting that hop 4 is a private IP address. The router must be configured to not give you the actual IP.

Do not trust just tracert; it does not run enough traffic to detect small spikes. You must leave a ping running to the different IP addresses.

The end result is still the same. You can do nothing at all about incoming traffic. This is why hackers can denial of service attack large company servers. You are not important enough for the ISP to even care... but I still think this is just random noise. You see this kind of traffic on just about everyone's internet from time to time.

If you really think it is causing an issue, see if the ISP will give you a different IP address. You could try leaving your modem and router off overnight and maybe you get a different one.
 
Solution
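
An added example, not code from the thread, of the check the replies recommend: parse the output of a long-running Windows `ping -t` and report loss, the median round-trip time, and how many three-probe tracert rows would have shown nothing unusual. The address 10.20.0.1, the RTT values and the spike threshold of three times the median are assumptions made for the illustration.

```python
import re
from statistics import median

# Constructed sample: RTTs in ms for 12 probes to a hypothetical first ISP hop
# (10.20.0.1); None marks a lost probe. Rendered in Windows `ping -t` format.
RTTS = [8, 9, 8, 10, 9, 112, 9, 8, None, 9, 8, 10]
SAMPLE_PING = "\n".join(
    "Request timed out." if r is None
    else f"Reply from 10.20.0.1: bytes=32 time={r}ms TTL=254" for r in RTTS)
REPLY = re.compile(r"time[=<](\d+)\s*ms")


def parse_ping(text):
    """Return one entry per probe: RTT in ms, or None for a lost probe."""
    probes = []
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            probes.append(int(m.group(1)))  # "time<1ms" is counted as 1 ms
        elif "timed out" in line or "unreachable" in line:
            probes.append(None)
    return probes


def summarize(probes, spike_factor=3.0):
    """Loss, median RTT, spiking probes, and share of clean 3-probe rows."""
    rtts = [p for p in probes if p is not None]
    if len(probes) < 3 or not rtts:
        raise ValueError("need at least three probes and one reply")
    base = median(rtts)
    bad = [i for i, p in enumerate(probes)
           if p is None or p > spike_factor * base]
    # A tracert row is three consecutive probes; count the rows that would
    # have contained no spike and no loss.
    starts = range(len(probes) - 2)
    clean = sum(1 for s in starts if not any(s <= b <= s + 2 for b in bad))
    return {
        "lost": probes.count(None),
        "median_ms": base,
        "bad_probes": bad,
        "clean_tracert_rows": clean / len(starts),
    }


if __name__ == "__main__":
    print(summarize(parse_ping(SAMPLE_PING)))
```

Running it against captures taken to each hop in turn shows at which hop the spikes first appear.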