[BUG?] DoS Attack: Ascend Kill on DNS

[gisuck]

You probably shouldn't detect and kill outbound traffic as DoS, especially if it's DNS.

 

[Netduma Fraser]

I wouldn't worry about the logs, it's very verbose and primarily aimed at the developers. Are you actually having any issues?

[Zippy]

Fraser while those may mean nothing you should give a better explanation to why and what is happening. Those logs shouldn't just be aimed towards the developers. If you were to give an answer  like that on SNB you would be laughed out of the room! I see this type of answer on a lot of things here without any clarification or good explanation. Regardless if there not even anything to worry about. When things like this pop up in the logs and we get replies back like this how can we even help you guys track down possible issues if these logs are only meant to be towards the developers. Every other router ive helped with on issues the first thing we look at is the logs. And we share our knowledge with what is going on in the logs with people and the developers. Here there isn't anything of the sort. While DumaOS may be different. It shouldn't exclude this type of info because then it shouldn't be in the logs.. You need to start to share knowledge on what these mean then the average nothing to worry about. No one can learn or help with that type of reply.. You cant build a better product like this..

Zippy.

[Netduma Fraser]

If there is an issue it will likely present itself on the interface or on the connection and then we can get the user to grab the logs for us, there shouldn't be any issues that are not obviously apparent and just show in the logs. I can ask the developers to post a breakdown of common log entries so people can better understand them.

[Zippy]

4 hours ago, Netduma Fraser said:

If there is an issue it will likely present itself on the interface or on the connection and then we can get the user to grab the logs for us, there shouldn't be any issues that are not obviously apparent and just show in the logs. I can ask the developers to post a breakdown of common log entries so people can better understand them.

Thank you Fraser. Please don't take offence to my question but if and when the developers have time to explain a few of these log entries I feel it would be beneficial to myself and others alike. Even though some of these log entries have similarities to other routers ive experienced its always nice to share some of this type of info. While I agree the logs wont tell us an issue one can see if there is something that leads up to an issue that the logs might help pin point or send us in the correct direction..

Zippy.

[Guest Killhippie]

They are standard Netgear logs showing more than likely a bunch of IP's were port scanned by someone  somewhere or just malformed TCP packet. Ascend Kill" is a DoS targeting an Ascend/3com router from 1999! These happen every day.  and have been seen on Netgear forums before https://community.netgear.com/t5/General-WiFi-Routers-Non/DoS-Attack-Ascend-Kill/m-p/1505210

If people used their preferred search engine by typing the name of the attack (or copy and pasting it heaven forbid) they would see what's going on. As in this case Also if its in the logs then its been blocked. Once again people need to understand DHCP lease renewal and search about Netgear logs (which are paranoid) and learn a bit about what's going on, Its really not that hard to do.

[Netduma Alex]

We're aware that the logs are confusing and we've got a more simple version of the log on the roadmap, more of a list of recent activities.

[Guest Killhippie]

45 minutes ago, Netduma Alex said:

We're aware that the logs are confusing and we've got a more simple version of the log on the roadmap, more of a list of recent activities.

I have to say I don't want a simplified log, these are also is Netgears logs and DumaOS's mixed in, you can already change what you see in the logs but if the router becomes gimped this that's yet another nail in its coffin for me. These logs have been in Netgear routers for years and years they are a good ways to trouble shoot (like the router dropping packets its not meant to for instance), at least make it a Opt in feature (im sure it will be on by default somehow) so some of us can see the full log. <sigh>  ☹️

[Netduma Alex]

Yeah well maybe hiding the more complicated logs behind a few more steps might help. It's just because the default logs mislead many people into thinking somebody is trying to DDoS them.

[Guest Killhippie]

21 hours ago, Netduma Alex said:

Yeah well maybe hiding the more complicated logs behind a few more steps might help. It's just because the default logs mislead many people into thinking somebody is trying to DDoS them.

I think some of the default logs can already be turned off from what I remember, I know the DumaOS ones can in the Netgear settings section. If this router (and I have used this term before) becomes a 'Fisher price toy' with a basic GUI just to make support easier and for users who cant it appears use a search engine its will make this router a bit of a toy in my view.
 I imagine its only those that may have had more basic ISP based routers that are getting freaked out possibly by seing "DoS" in the logs (just a guess) or maybe the age demographic plays a part. Anyway maybe a sticky so they know how to read and interpret those logs would help? Educate people, don't hide or remove things.

 Netgear never removed those logs because over the last decade or so those questions have been asked so many times on their forums its mind boggling, so why should Netduma? You cant call it a Pro gaming router if the Pro part is just a flashy GUI that has no actual basic routing features or proper logs. That's almost a double negative!

[Netduma Alex]

Fair point. The logs that people find so confusing are actually NETGEAR logs, the DumaOS logs on the R1 are a lot less confusing... Or at least not so alarming.

We don't want to simplify our interface to the point of it being useless, but there are lots of people who want a more simple solution. I think one solution might be to put some settings behind a "hidden settings" checkbox or something. There are some settings that you don't want your non-expert user to be fiddling with it in case they break something...

Balancing these two demographics will be tricky in the future, I imagine.