DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
DOS attacks
23 May 2023 05:25 #102497
by aimdev
DOS attacks was created by aimdev
Hi
I am getting loads of DOS hits from rcyber (89.248.163.0/24).
I use syslogs fed into Graylog, Elastic Search & Grafana to monitor the router.
The settings for DOS are enabled, and the threshold is set to 21 Packets / Sec, with the timeout set to 65365 seconds.
Reading up on the way the router (2860) works, I thought that these settings would prevent the attacker from initiating another attack until the timeout period completed. However, I am still getting them every few minutes (not a consistent time period between attacks).
The IP address for the attacks is consistent.
Can anyone advise a solution?
23 May 2023 06:12 #102498
by adrianh54
Replied by adrianh54 on topic Re: DOS attacks
A quick check on Domain Tools shows this:
inetnum: 89.248.163.0 - 89.248.163.127
netname: NET-3-163
descr: RECYBER PROJECT NETBLOCK
remarks: +
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use https://www.recyber.net/opt-out
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact
remarks: +
Instead of wasting your time in the router GUI you can ask them to stop scanning your IP.
23 May 2023 06:22 #102499
by aimdev
Replied by aimdev on topic Re: DOS attacks
Hi
Other information suggests that they do not stop their activities.
In addition, change your IP address, and they will find it eventually (typically within 4 hours).
I would believe it was 'legit' if they scanned far less than the current DOS attacks of approx every four minutes.
Raising the threshold to max does not deter them.
24 May 2023 18:11 #102502
by iamq-yesiam
Replied by iamq-yesiam on topic Re: DOS attacks
Ask all you like - most of these will not reply or stop scanning. I've only ever found a couple of outfits that both reply and action no-scan requests.
Best thing is to just block them outright unless you can filter their AS at an upstream level.
24 May 2023 18:27 #102504
by aimdev
Replied by aimdev on topic Re: DOS attacks
Hi
That's the issue, the Vigor 2860 just seems to allow them to fill up the log.
DOS is switched on, blocks are active, however as I stated in my original post I expected the Vigor to not allow any more accesses until the timeout terminated.
Either I failed to understand the documentation, I am doing something incorrectly with the setup, or the Vigor has an issue.
This is the purpose of my post.
As a note, hopefully I will be moving to an area with FTTP, the 2860 will in all probability not be suitable for the new throughput, so I will be looking for a replacement router, it may not be a DrayTek product that I recommend to the other users.
I have no inclination to contact rcyber other than via LEO(NL)
29 May 2023 14:04 #102518
by pharcyder
Replied by pharcyder on topic Re: DOS attacks
aimdev wrote:
I use syslogs fed into Graylog, Elastic Search & Grafana to monitor the router.
I don't suppose you've got any detail or high level steps on how to do this? I'm very familiar with self-hosting but can't find anything as a starter for 10 for Draytek routers.
Moderators: Chris, Sami