Do you check your router logs?

If not, maybe you should.

I have a Netgear NightHawk router. Like many, if not most routers, it keeps a simple log of events. I have my router email me a copy of this log once a week.

Going through my log today, I noticed a few DoS attacks, specifically, "DoS Attack: ACK Scan" attempts - all from different IP addresses. These are actually fairly common and typically harmless as most are just bots hackers randomly testing to see if they can gain access through an open port. If not, they quickly move on. This would be similar to a simple car thief moving through a crowded parking lot, checking for unlocked doors, keys in the ignition and obvious valuables sitting in view on the back seat. If the doors are locked, and no visible keys or valuables, they quickly move on.

As seen here: What is [DoS Attack: ACK Scan]?, these types of attacks happen all the time and typically are not something to worry about. And this is true UNLESS your router is being constantly bombarded with 100s or 1000s of such attacks. In that event, you might suspect you (your router/network) are being targeted specifically. And in that event, you need to make sure your router's firmware is current and you may want to contact your ISP and request a different IP address. Probably a good idea to make sure your OS and security software on all your connected devices are current too.

Also noted in that article is to verify "Port Scan and DoS Protection" is enabled in your router's Admin menu. Note that verbiage is for Netgear routers. Other brands may word it slightly differently but the intent should be the same. For the record, "Port Scan and DoS Protection" is enabled by default in my Netgear and I suspect in most home routers - but again, best to verify.

Anyway, the reason why I was prompted to create this thread today is because the following log entry from my most recent log really caught my interest,

[DoS attack: ACK Scan] attack packets in last 20 sec from ip [193.176.79.44], Monday, Jul 22,2024 12:59:05

When I looked into that IP address, I got the following Whois report: Whois IP 193.176.79.44.

FTR, I keep a spreadsheet database of these attacks on my network. Now I have had "attacks" from Russia before. But none like this. Note "Zolotaya dolina" is a former Russian Air Force airbase and the owner of the site claims to be from the "Russian Federation". Now, as noted, I've had multiple "attacks" from "Russia", the last as recently as 3 weeks ago. But this is the first from the "Russian Federation".

Does that mean I was attacked by a state sponsored hacker? No clue! But in light of recent current events, it sure makes me wonder.

If curious, I have also been hit by sites in Belgium, Brazil, Canada, China, Germany, Japan, Lithuania, Montenegro, Peru, Poland, Portugal, Sweden, Turkey, UK, Ukraine, USA and Vietnam.
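
A sketch of automating the log review described above, added here as an example and not part of the original post: it parses entries in the format of the quoted log line, counts distinct sources, and flags hours whose volume crosses a threshold. The sample log is constructed with documentation-range addresses, and the function names and the `busy_hour` default of 100 are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Matches entries shaped like the log line quoted in the post.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\].*?from ip \[(?P<ip>[^\]]+)\],\s*"
    r"\w+,\s*(?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})",
    re.IGNORECASE,
)

# Constructed sample log (RFC 5737 documentation addresses, one bad entry).
SAMPLE_LOG = """\
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [198.51.100.7], Monday, Jul 22,2024 12:59:05
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [203.0.113.9], Monday, Jul 22,2024 13:10:41
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [203.0.113.9], Monday, Jul 22,2024 13:10:59
[Time synchronized with NTP server] Monday, Jul 22,2024 13:15:00
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [203.0.113.9], Monday, Jul 22,2024 13:42:17
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [999.1.1.1], Monday, Jul 22,2024 13:50:00
"""

def parse_events(text):
    """Return (kind, ip, timestamp) for each well-formed DoS entry."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other event types and blank lines
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        except ValueError:
            continue  # malformed address or date: skip rather than miscount
        events.append((m["kind"], str(ip), ts))
    return events

def summarize(events, busy_hour=100):
    """Many one-off sources is background noise; a busy hour deserves a look."""
    per_ip = Counter(ip for _, ip, _ in events)
    per_hour = Counter(ts.replace(minute=0, second=0) for _, _, ts in events)
    return {
        "total": len(events),
        "sources": len(per_ip),
        "top_sources": per_ip.most_common(3),
        "busy_hours": sorted(h for h, n in per_hour.items() if n >= busy_hour),
    }

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG), busy_hour=3))
```
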
 
RU in an address only indicates the country
Huh? :confused: I don't understand your point. This has nothing to do with any url address. Nowhere did I mention anything about a url or RU being in an address.

In fact, nothing in the WhoIs report mentions anything about a url - except to report abuse to the ISP (betget.ru) the source IP address the hack attempt went through. Do note that ISP information is provided by WhoIs.

I wasn't even talking about an email where the url might matter. The thread was about a direct hacking attempt on my network/router from what "appears to be" a state sponsored entity!

I was pointing out the person (or organization) that made the hack attempt was from a "former" [supposedly] government facility, specifically a Russian Air Force base and the "Russian Federation".

Could it be a private citizen in Germany with zero ties to Russia or the Russian government spoofing the IP? Sure! Not the point. The whole point of my post was to remind folks to check their router logs.

***

P.S. Why did I say Germany above? Only because the top level 193.176.1.0 IP address points to Görlitz, Deutschland and is registered to an individual with the nice German name :rolleyes: of Yaroslav Kravchenko!
 
OK, I read your Post #1 as being concerned or just giving us info that I was adding a little to. If concerned, change router PW and new SSID PW for network.
 
If concerned, change router PW and new SSID PW for network.
:( This has absolutely nothing to do with a bad guy sitting in his car across the street, or a whiz kid in an apartment next door, trying to access our router's admin menu or get into our wireless networks. Nor will that have any effect on a smart-aleck visiting nephew, or a daughter's visiting boyfriend connecting via Ethernet.

Doing either of those things you just suggested will have absolutely no effect, or impose any deterrence whatsoever on anyone perpetrating a DoS attack on our routers from across town, or on the other side of the planet!

So again, I am sorry to say I have no clue as to your intent because it's not adding anything but confusion to the topic - which is a reminder to check one's router's logs.
 
Thanks for that old, but still applicable article.

Note because of its size, and the fact most browsers automatically offer to translate, I removed the post that included the translated version to keep the topic here focused on the point of the thread - reviewing our router logs. I hope everyone understands.
 