DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DOS attacks

  • aimdev
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
23 May 2023 05:25 #102497 by aimdev
DOS attacks was created by aimdev
Hi
I am getting loads of DOS hits from rcyber (89.248.163.0/24).
I use syslogs fed into Graylog, Elastic Search & Grafana to monitor the router.

The setting for DOS are enabled, and the threshold set to 21 Packets / Sec, with the timeout set to 65365 seconds.
Reading up on the way the router (2860) works, I thought that these settings would prevent the attacker from
initating another attack until the timeout period completed. however I am still getting them few minutes (not a consistent time period between attacks)

The ip address for the attacts is consistent.

Can anyone advise a solution?

Please Log in or Create an account to join the conversation.

More
23 May 2023 06:12 #102498 by adrianh54
Replied by adrianh54 on topic Re: DOS attacks
A quick check on Domain Tools shows this :

inetnum: 89.248.163.0 - 89.248.163.127
netname: NET-3-163
descr: RECYBER PROJECT NETBLOCK
remarks: +



remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use https://www.recyber.net/opt-out
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact
remarks: +



Instead of wasting your time in the router GUI you can ask them to stop scanning your IP.

Please Log in or Create an account to join the conversation.

  • aimdev
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
23 May 2023 06:22 #102499 by aimdev
Replied by aimdev on topic Re: DOS attacks
Hi
Other information suggests that they do not stop their activities.
In addition, change your ip address, and they will find it eventually (typically within 4 hours)
I would believe it was 'legit' if they scanned far less that the current DOS attack's of approx every four minutes.
Raising the threshold to max does not deter them.

Please Log in or Create an account to join the conversation.

More
24 May 2023 18:11 #102502 by iamq-yesiam
Replied by iamq-yesiam on topic Re: DOS attacks
Ask all you like - most of these will not reply or stop scanning. I've only ever found a couple of outfits that both reply and action no-scan requests.

Best thing it to just block them outright unless you can filter there AS at an upstream level.

Please Log in or Create an account to join the conversation.

  • aimdev
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
24 May 2023 18:27 #102504 by aimdev
Replied by aimdev on topic Re: DOS attacks
Hi

Thats the issue, the Vigor 2860 just seems to allow them to fill up the log.
DOS is switched on, block's are active, however as I stated in my original post I expected the Vigor to not allow any more accesses until the timeout terminated.
Either I failed to understand the documentation, I am doing something incorrectly with the setup, or the Vigor has an issue.
This is the purpose of my post.
As a note, hopefully I will be moving to an area with fttp, the 2860 will in all probability not be suitable for the new throughput, so I will be looking
for a replacement router, it may not be a Draytek product that I recommend to the other users.
I have no inclination to contact rcyber other than via LEO(NL)

Please Log in or Create an account to join the conversation.

More
29 May 2023 14:04 #102518 by pharcyder
Replied by pharcyder on topic Re: DOS attacks

aimdev wrote:
I use syslogs fed into Graylog, Elastic Search & Grafana to monitor the router.



I don't suppose you've got any detail or high level steps on how to do this? I'm very familiar with self-hosting but can't find anything as a starter for 10 for Draytek routers.

Please Log in or Create an account to join the conversation.

Moderators: Sami