• November 01, 2024, 06:17:30 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Anyway to detect/stop DDOS attacks with the 655?  (Read 8837 times)

westify

  • Level 1 Member
  • *
  • Posts: 14
Anyway to detect/stop DDOS attacks with the 655?
« on: March 22, 2013, 09:39:16 PM »

Simply wondering if there's anyway i can detect the IP of DDOS attacks and if there's a simple way to prevent it.  I've heard different suggestions from blocking incoming ping requests to blocking specific IP ranges but i have no idea if this will effect anything else in the process

running 2.03 firmware
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Anyway to detect/stop DDOS attacks with the 655?
« Reply #1 on: March 23, 2013, 09:38:35 AM »

Are you experiencing these attacks?
Do the logs say anything?

Make sure SPI is enabled and Disable WAN Ping Respond is the main items to check for.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

westify

  • Level 1 Member
  • *
  • Posts: 14
Re: Anyway to detect/stop DDOS attacks with the 655?
« Reply #2 on: March 24, 2013, 02:21:46 AM »

Unfortunately i am, i have had SPI enabled and recently enabled anti spoof checking due to a suggestion of another user however i can't find the WAN ping respond option you mentioned.  Will disabling this effect anything involved in normal usage?

I didn't check the log during the time of attacks so it seems to only have irrelevant information from the last 12 hours or so.
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Anyway to detect/stop DDOS attacks with the 655?
« Reply #3 on: March 24, 2013, 07:53:49 AM »

It wont effect anything. If you seem to be expiriencing this attack. You may want to contact your ISP and get there help aswell. They should be able to tell if there is something going on and help block it if there is a problem.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Hard Harry

  • Guest
Re: Anyway to detect/stop DDOS attacks with the 655?
« Reply #4 on: March 24, 2013, 03:13:37 PM »

Don't think the ISP can help you. Unless you can show the attacker is on the same ISP as you, can't do anything. And even then, its only their responsibility to stop the attacker, no so much stop him from attacking you. Your best bet is to change your IP. If your using DHCP just change the MAC address. Go to Setup > Internet > Manual Internet Connection Setup > Click "Clone your PC's Mac Address" then change it. Doesn't matter what you change it to, as long as its different, then save the settings, reboot the modem, then reboot the router after the modem comes up. If your on static, or need to keep your IP for some reason, try the suggestions below, but it probably won't get rid of the problem all together and some of them can cause other issues on your network.

To turn off Ping go Advanced > Advanced Network > Uncheck "Enable WAN Ping Respond" but by default it will be off. That will only block ICMP traffic though.

You also want to set NAT Endpoint Filtering to Port and Address Restricted. That will help with SYN overloads, but really there are so many kinds of DDOS attacks that the simple firewall you have on any store bought router will give you mediocre protection at best. Another suggestion, while your on that screen, is to turn off UPnP. There are exploits in UPnP that a attacker can take advantage.

Last, if you want to get fancy, you need to to Status > Internet Sessions. Try to turn off all computers except the one your on, or reduce traffic over the network as mush as possible, this will allow you to narrow down what connection is the threat. If you see a Internet address that keeps throwing traffic at a port your not using, likly thats the IP of the attacker. You can use that IP to get info about the attacker here and here.

What you need is a firewall with a inbound rule. I thought "Inbound Filter" did just that, but that seems to be just a white list/black list function for other features like Access Control and Virtual Server. Might be some way to rig it to work, but I would need more then the basic emulator I have to troubleshoot with. Good luck.
Logged