DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Telnet "admin connecting from ... rejected"

11 Nov 2016 15:48 #13 by admin3
Thank you for the write-up. It's good that your telnet problem is otherwise resolved.

One thing I would like to suggest, on the newer routers such as the Vigor 2925, Vigor 2860 and Vigor 2960/3900, there is Brute Force protection for the management interfaces, which will ban IPs from accessing the router after a password failure. Where it's necessary to open SSH or Telnet to the internet, I recommend using that to block these types of attack.
It's mentioned in the latter half of this guide: http://www.draytek.co.uk/support/guides/kb-mngt-protection
Forum Administrator


11 Nov 2016 16:33 #14 by sjltech.uk
Top marks to pol098 for the excellent write up, great to see everything so well summarised !
Thanks also to admin3 for the link to the Draytek KB article, this was something I certainly wasn't aware of - I guess 3.8.4 firmware(s) must be getting closer to final releases then (have betas on four routers at the moment)
Cheers
Simon


11 Nov 2016 18:00 #15 by pol098

admin3 wrote: ... on the newer routers such as the Vigor 2925, Vigor 2860 and Vigor 2960/3900, there is Brute Force protection for the management interfaces, which will ban IPs from accessing the router after a password failure.
It's mentioned in the latter half of this guide: http://www.draytek.co.uk/support/guides/kb-mngt-protection
Thanks, that's useful (not to me until I upgrade my 2820Vn!). Basically (summarising information from the link) it is supported on newer routers from firmware 3.8.4, and on the 3900 & 2960 from firmware 1.1.0. It allows a number n of login attempts and a blocking time t to be set; after n failed logins, the originating IP address is blocked for time t, a very useful protection. It would be useful additionally for such attempts to be logged (maybe in the syslog?), and optionally to be notified, so that one is aware of as well as protected against attacks.


15 Nov 2016 20:22 #16 by pol098
The purpose of this post is to suggest a way to detect port scanning attacks. I don't know if this will work, or the threshold to set; I would need sustained attacks to check, and they've stopped(!)

The last 2820 firmware, and firmware for other routers, has a Firewall > Denial of Service Defense page. Most of the options are to detect true DoS, which is not terribly useful for a residential router as no protection is available. However, there is an option to check for port scans, and a brute force attack on a port might trigger this (though nothing could be done about it, except close ports etc.) For true DoS Draytek suggest a threshold of 2000 packets/second for a 24Mbps connection. I don't know what to use here, a much lower value seems to make sense as ports aren't addressed that often in real life. I would start with 200 packets/second, and reduce it if I got no false positives. To detect port scans System Maintenance > Syslog/Mail alert has to be set to enable Firewall log, and the syslog has to be sent either to a Syslog server or a USB memory stick (files can be transferred elsewhere from the memory stick, and opened with the Draytek Syslog program, a standalone program that does not need to be installed).

A day or so after disabling Internet maintenance I briefly enabled it to see if the attacks continued; I was mostly unable to make a telnet connection, so they seemed to be continuing. Several days later, after enabling DoS detection, I enabled Internet maintenance again, but the attacks seemed to have stopped (perhaps my IP address had been on a list of targets, and was removed after a few days' failure?) Good news for me, but I can't test logging.


05 Feb 2017 20:33 #17 by pol098
Followup: I originally reported this issue, which advice here showed was almost certainly due to a brute-force attack on my router's telnet port. Recently I moved to a 2860Vn, which has the facility to block an IP address after 5 (configurable; 5 is my choice) failed login attempts for a specified time. It also allows blocked addresses to be listed - the impossibility of detecting, let alone logging, attempts was a big shortcoming of the 2820. Experimentally I made my telnet port accessible from the Internet. Within a minute or two an IP address in Turkey and one in Vietnam had been blocked for attempts to connect via telnet. Maybe the fast attacks were due to my address being on a list of previous vulnerability. Another address in Vietnam followed soon (change IP to get round block?) I conclude that attacks on open ports must be very common, even for addresses of no interest (a successful attack will do me no harm). [Just had an attempt from China. Then Ukraine.]

A possible precaution is to set DNS addresses to be used on computers on the network; then even hijacking the router's DNS settings will be harmless. But much better to disable Internet access to router maintenance when possible, and to block unsuccessful addresses (using a router like the 2860), use non-standard ports, and SSH when remote connection is important. Best wishes
Later: firmware 3.8.4.3_VT3

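The "n failed logins within a window, then block the source for time t" rule that pol098 describes in #15 and #17, together with the logging of each block that #15 asks for, written out as an added example (not from the thread and not DrayTek's code). It runs the rule over constructed syslog-style lines; the line wording, addresses and timestamps are made up, and DrayTek's real syslog format is not assumed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample syslog lines (illustrative wording, not DrayTek's real format).
SAMPLE_LOG = """\
2017-02-05 20:33:01 telnet: login failed from 198.51.100.7
2017-02-05 20:33:03 telnet: login failed from 198.51.100.7
2017-02-05 20:33:05 telnet: login failed from 198.51.100.7
2017-02-05 20:33:06 telnet: login failed from 203.0.113.42
2017-02-05 20:33:08 telnet: login failed from 198.51.100.7
2017-02-05 20:33:09 telnet: login failed from 198.51.100.7
2017-02-05 20:45:00 telnet: login failed from 198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+ \S+) telnet: login failed from (\S+)$")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

class BruteForceGuard:
    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 block_time=timedelta(minutes=10)):
        self.max_failures, self.window, self.block_time = max_failures, window, block_time
        self.failures = {}       # ip -> timestamps of recent failures
        self.blocked_until = {}  # ip -> when its block expires
        self.events = []         # (ip, blocked_at): what to log or alert on

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, now)  # unset -> treated as expired

    def record_failure(self, ip, now):
        # True only when this failure newly triggers a block.
        if self.is_blocked(ip, now):
            return False                    # still blocked: no new event
        q = self.failures.setdefault(ip, [])
        q.append(now)
        while now - q[0] > self.window:     # forget failures older than the window
            del q[0]
        if len(q) < self.max_failures:
            return False
        self.blocked_until[ip] = now + self.block_time
        self.events.append((ip, now.isoformat(sep=" ")))
        q.clear()                           # count afresh once the block lapses
        return True

def scan_log(text, guard=None):
    # Feed failed-login lines to the guard; return the block events produced.
    guard = guard or BruteForceGuard()
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            guard.record_failure(m.group(2), parse_ts(m.group(1)))
    return guard.events
```

With the defaults (5 failures in a minute, 10 minute block) the sample produces one block event for 198.51.100.7 at 20:33:09; the later failure at 20:45:00 arrives after that block has lapsed and starts a fresh count.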

06 Feb 2017 13:46 #18 by sjltech.uk
Interestingly, I've just installed firmware 3.8.4.1 on 2952 and 3.8.4 on 2925 and neither of these seems to have the "Brute force" option mentioned in the linked page :(
