DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DOS attacks

23 May 2023 05:25 #1 by aimdev
DOS attacks was created by aimdev
Hi
I am getting loads of DOS hits from rcyber (89.248.163.0/24).
I use syslogs fed into Graylog, Elastic Search & Grafana to monitor the router.

The settings for DOS are enabled, and the threshold set to 21 Packets / Sec, with the timeout set to 65365 seconds.
Reading up on the way the router (2860) works, I thought that these settings would prevent the attacker from
initiating another attack until the timeout period completed. However, I am still getting them every few minutes (not a consistent time period between attacks).

The ip address for the attacks is consistent.

Can anyone advise a solution?

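Since the router's syslog is already flowing into Graylog, the question of whether the block timeout is actually holding can be answered from the logs rather than the GUI. The script below is an added example, not code from the original post or from DrayTek: it parses DoS events out of syslog text, groups them by source /24 (or by single host with prefix_len=32), and reports any source that reappears sooner than the configured 65365-second block timeout. The log line format and the sample lines are constructed for the example and are not the Vigor 2860's real syslog format.

```python
"""Check router syslog for blocked sources that keep coming back before the
configured DoS block timeout expires (added example; log format is hypothetical)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Block timeout configured on the router in the post (seconds).
BLOCK_TIMEOUT_S = 65365

# Constructed sample syslog lines.  The message format is a hypothetical
# approximation, NOT the Vigor 2860's real syslog format.
SAMPLE_SYSLOG = """\
2023-05-23T05:01:10 router DoS: SYN flood from 89.248.163.12 > 203.0.113.7 (21 pkt/s), blocked
2023-05-23T05:05:22 router DoS: SYN flood from 89.248.163.44 > 203.0.113.7 (25 pkt/s), blocked
2023-05-23T05:09:03 router DoS: SYN flood from 89.248.163.12 > 203.0.113.7 (22 pkt/s), blocked
2023-05-23T05:13:41 router DoS: SYN flood from 89.248.163.90 > 203.0.113.7 (30 pkt/s), blocked
2023-05-23T05:14:00 router Firewall: accepted 198.51.100.5 > 203.0.113.7 tcp/443
2023-05-23T09:30:00 router DoS: SYN flood from 198.51.100.77 > 203.0.113.7 (40 pkt/s), blocked
"""

# Matches only the hypothetical "DoS:" lines; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DoS: (?P<kind>.+?) from (?P<src>\d+\.\d+\.\d+\.\d+) "
)


def parse_dos_events(text):
    """Yield (timestamp, source_ip, kind) for each DoS line; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), ipaddress.ip_address(m["src"]), m["kind"]


def group_by_prefix(events, prefix_len=24):
    """Group event timestamps by the /prefix_len network of the source address."""
    by_net = defaultdict(list)
    for ts, src, _kind in events:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_net[net].append(ts)
    return by_net


def find_repeat_offenders(text, timeout_s=BLOCK_TIMEOUT_S, prefix_len=24):
    """Return {network: shortest gap in seconds} for every network that shows
    up again in DoS events sooner than the configured block timeout."""
    result = {}
    for net, stamps in group_by_prefix(parse_dos_events(text), prefix_len).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps and min(gaps) < timeout_s:
            result[net] = min(gaps)
    return result


if __name__ == "__main__":
    for net, gap in find_repeat_offenders(SAMPLE_SYSLOG).items():
        print(f"{net}: seen again after {gap:.0f}s (< {BLOCK_TIMEOUT_S}s timeout)")
```

Running it at /24 flags the whole netblock reappearing every few minutes; running it with prefix_len=32 shows whether a single host returns inside the timeout (which would point at the block not being honoured) or whether different hosts in the same /24 are taking turns, in which case a per-host block timeout behaves as designed and a whole-prefix block is the setting to look at.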

23 May 2023 06:12 #2 by adrianh54
Replied by adrianh54 on topic Re: DOS attacks
A quick check on Domain Tools shows this :

inetnum: 89.248.163.0 - 89.248.163.127
netname: NET-3-163
descr: RECYBER PROJECT NETBLOCK
remarks: +
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use https://www.recyber.net/opt-out
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact
remarks: +

Instead of wasting your time in the router GUI you can ask them to stop scanning your IP.


23 May 2023 06:22 #3 by aimdev
Replied by aimdev on topic Re: DOS attacks
Hi
Other information suggests that they do not stop their activities.
In addition, change your ip address, and they will find it eventually (typically within 4 hours)
I would believe it was 'legit' if they scanned far less than the current DOS attacks of approx every four minutes.
Raising the threshold to max does not deter them.


24 May 2023 18:11 #4 by iamq-yesiam
Replied by iamq-yesiam on topic Re: DOS attacks
Ask all you like - most of these will not reply or stop scanning. I've only ever found a couple of outfits that both reply and action no-scan requests.

Best thing is to just block them outright unless you can filter their AS at an upstream level.


24 May 2023 18:27 #5 by aimdev
Replied by aimdev on topic Re: DOS attacks
Hi

That's the issue, the Vigor 2860 just seems to allow them to fill up the log.
DOS is switched on, blocks are active, however as I stated in my original post I expected the Vigor to not allow any more accesses until the timeout terminated.
Either I failed to understand the documentation, I am doing something incorrectly with the setup, or the Vigor has an issue.
This is the purpose of my post.
As a note, hopefully I will be moving to an area with fttp, the 2860 will in all probability not be suitable for the new throughput, so I will be looking for a replacement router, it may not be a Draytek product that I recommend to the other users.
I have no inclination to contact rcyber other than via LEO(NL)


29 May 2023 14:04 #6 by pharcyder
Replied by pharcyder on topic Re: DOS attacks
aimdev wrote:
    I use syslogs fed into Graylog, Elastic Search & Grafana to monitor the router.

I don't suppose you've got any detail or high level steps on how to do this? I'm very familiar with self-hosting but can't find anything as a starter for 10 for Draytek routers.
