Custom firewall rules / ip tables

[Skeptical]

I know it's a thing on one of the older Netgear Nighthawks, but on the XR500 I noticed there is not option to add custom firewall rules. It would be useful to stop DDoS attacks from known sites.

The option I'm referencing is located in the content filtering drop down.

[Netduma Fraser]

Hey, welcome to the forum!

You don't normally get a DDoS attack from visiting a website, if you're referring to DoS attacks in the logs those are normal on Netgear routers - they just show connections you've made in some cases and if they show there then they've been blocked successfully if they are malicious. This would be a Netgear feature to add, I assume you're referring to this? 

https://kb.netgear.com/8219/How-to-setup-Inbound-Outbound-firewall-rules-on-NETGEAR-Modem-router-gateways

[Skeptical]

5 hours ago, Netduma Fraser said:

Hey, welcome to the forum!

You don't normally get a DDoS attack from visiting a website, if you're referring to DoS attacks in the logs those are normal on Netgear routers - they just show connections you've made in some cases and if they show there then they've been blocked successfully if they are malicious. This would be a Netgear feature to add, I assume you're referring to this? 

https://kb.netgear.com/8219/How-to-setup-Inbound-Outbound-firewall-rules-on-NETGEAR-Modem-router-gateways

I meant sites as in free web ip stressors that script-kiddies use.

[Newfie]

Hi and welcome

i believe we chatted on Reddit and I suggested you pop in to gain help.

Have you at any point been attacked with a denial of service? How would you block it as it’s a firewall rule and a denial of service simply overwhelms you. For a firewall to block the scan must be initiated, you can’t block address before they hit your firewall so a denial of service still pulls you down as it simply  overwhelms you depending on the type of attack used.

ip table can’t stop DDoS attacks, never has and never will because the attack has reached you.

Under normal usage with a NG router you will never have to worry about firewalls as they work quite happily in the background. 
 

A website address is different to the IP address of a connection. Blocking a website is just stopping your connection accessing the websites address and they host services that include may third party services. 

 

Edited May 30, 2021 by Newfie

[Skeptical]

7 minutes ago, Newfie said:

Hi and welcome

i believe we chatted on Reddit and I suggested you pop in to gain help.

Have you at any point been attacked with a denial of service? How would you block it as it’s a firewall rule and a denial of service simply overwhelms you. For a firewall to block the scan must be initiated, you can’t block address before they hit your firewall so a denial of service still pulls you down as it simply  overwhelms you depending on the type of attack used.

ip table can’t stop DDoS attacks, never has and never will because the attack has reached you.

Under normal usage with a NG router you will never have to worry about firewalls as they work quite happily in the background. 
 

A website address is different to the IP address of a connection. Blocking a website is just stopping your connection accessing the websites address and they host services that include third party services. 

 

Well my friend found the servers that the web stressors use and put them in a ip block table. It's not the website ip, its servers that send the actual DDoS. He says he cannot be hit with attacks from a number of sites.

[Newfie]

Some try using ip tables  but a denial has reached you so it’s not full protection. If ip tables were the forefront of security it would be a feature we all have. Your friend ip tables is TCP protecting which is only part of the issue which is why ip tables can’t protect you fully from a DDoS. Having faith that this system gives you full protection is sadly false.

Whats happening is you are getting caught up in the I might be attacked and need to do something. You don’t need to worry as most routers cover the basic DDoS protection to a point while others offer more complex protection but that’s not found on home routers.

What router does your friend use as you mentioned it was an old NG router?

I saw a bit of the log you posted on Reddit that showed the scan, could you show the full log including the disconnection caused by the attack as you mentioned it stopped services. Note yours is a UDP attack and some services like cloudflare offer protection as it ICMP based. Note also your router picked it up as such so NGs claim to protection is correct.

don’t forget many of these so called attacks are spoofed addresses so they change. If I look at your photo and look them up it’s China however as it’s most likely spoofed there’s no way to truly be sure.

I would also recommend you keep clear of sites that offer free or paid ip stress testing. Even those offering a simple registration. 

 

 

 

[Netduma Fraser]

Good advice from Newfie here. Just to add, if you were legitimately being DDoSed then using a VPN with the HybridVPN could help - they would hit off the VPN IP instead leaving your connection fine so you could then reconnect to another server. 

[Bert]

Custom firewall rules would allow for some interesting things though.

 

Like at the moment when people use 2 routers, the common thing is to set them into DMZ of the first router.

 

However you could also apply a static route from router 1 to router 2. And have full functionality between both networks.

 

Ie 

WAN ->

Router 1: 192.168.1.1 -> network range 192.168.1.0/24

->

Router 2 192.168.88.1 (WAN IP 192.168.1.11) -> network range 192.168.88.0/24

 

You add a static route from 192.168.1.1 to 192.168.88.0/24 via the WAN ip of router 2 and then the 2 ranges can talk to eachother.

 

As it is now for example 192.168.88.0/24 can acces the NAS shares on 192.168.1.1 but it doesn't work the other way around as the firewall on router 2 would block these connections. Also 192.168.88.0/24 can ping 192.168.1.0/24 but not the other way around.

 

I expirimented with this recently by having my old R1 acting as acces point for a PS4 so one could still use the geofiltering possibility. Which it can but if the firewall was turned off other things like file sharing etc would also work. And you would be able to manage the R1 from the 192.168.1.0/24 network.

 

 

[Skeptical]

Well I figured out I don't need the ip tables because I found out my isp allows me to change the third set of numbers in my ip within certain parameters which renders any DDoS non-effective

[Netduma Fraser]

53 minutes ago, Skeptical said:

Well I figured out I don't need the ip tables because I found out my isp allows me to change the third set of numbers in my ip within certain parameters which renders any DDoS non-effective

They allow you to change the end of your public IP address? Could you take a screenshot of this? You can omit the IP of course but please keep the start of it so I can see

[Newfie]

Maybe the op is confused and talking about renewing his public IP address which if it’s dynamic is easy to do however the attack would still have taken place as the router can’t stop traffic and the only way to do that is upstream ie the isp. 
A router can’t stop traffic server side, it can’t connect to external servers and say hey don’t send me this which is why at the end of the day a huge attack that reaches your router will simply swamp your connection. 
most DDoS protection is ISP or held with companies they peer with and home routers don’t have the parameters to off load attacks of such large amounts.

When we saw large attacks a few years back security increased to tackle the issue so companies like Netscout worked in partnership with Cisco to protect businesses. Residential users don’t require this level of protection and companies like this monitor traffic in the peering side so it can mitigate before the attack reaches the network. 
 

https://www.teiss.co.uk/playstation-ddos-hacker-pleads-guilty/

this article also explains why we see more protection against botnets which is why we saw an increase in isolating IoT over the last few years as they tend to be vulnerable. 
However these attacks are aimed at large companies not home users and so security stepped up to build platforms to protect companies or organisations. 
 

the end result is for a home user regardless of what you try a successful attack using large amounts of data can’t be stopped if it reaches your router, there’s no magic cure, but as we see on this forum we are not swamped with users being attacked as there’s no financial gain to do so. 
So Ip tables don’t stop traffic before your router and no IP address can stop traffic before an event but thankfully we have firewalls to help mitigate small scans and I guess NG have this side locked down to prevent end users tampering with rules that they may not understand. 

 

 

[Skeptical]

10 hours ago, Netduma Fraser said:

They allow you to change the end of your public IP address? Could you take a screenshot of this? You can omit the IP of course but please keep the start of it so I can see

https://imgur.com/a/V3Bb717

the first two numbers have to stay the same, if I change the last set of numbers attacks still go through, but if I change the 3rd set of numbers it changes everything.

[Newfie]

4 hours ago, Skeptical said:

https://imgur.com/a/V3Bb717

the first two numbers have to stay the same, if I change the last set of numbers attacks still go through, but if I change the 3rd set of numbers it changes everything.

it’s dynamic but you have a static ip but your provider allows you more than one ipv4 address, how many blocks do they allow out of interest, ie 8, 16, 32 and so on, if purchased what size?

[Skeptical]

7 hours ago, Newfie said:

it’s dynamic but you have a static ip but your provider allows you more than one ipv4 address, how many blocks do they allow out of interest, ie 8, 16, 32 and so on, if purchased what size?

I don't have a dynamic IP address. I manually change it within a range of 132-135.

[Newfie]

That’s what I said but I could have worded it better. you are changing it so you have a few ip addresses given to you. That’s why when you change your address it drops the test you try. 

So now you know you can’t stop traffic to your router what are your concerns now regarding the possibility of such an attack?

What made you try this in the first place, was it something you and your friend came across and you wondered how to stop a DDoS attack? 
 

I would steer clear of the websites that offer this, you don’t want to invite issues as you limited addresses. At the end of the day it’s going to be mighty rare to be DDoS but you could ask your isp what they offer if any protection like cloudflare claims. Personally I’ve never had issues in all the years I played apart from the ones that hit services like Sony. 
just insure you have the router locked down and your network is clean of issues. 
 

 

 

 

[Skeptical]

2 hours ago, trex2600 said:

If you're getting DDOS'd (As in DDOS'd online by skids using DDOS-for-hire services like stressthem.to, webstress.net, etc.), adding custom firewall rules on the router won't stop them from knocking your internet offline. Of course, the router will be aware of these DOS/DDOS attacks and block them from coming into your internal network (LAN), but when it comes to the outside internet (WAN), you can't stop what comes to your router. In other words, if you were to uncheck the "Respond To Ping On Internet Port" box in the "WAN Setup" subsetting in Settings, I can still send Ping requests to your Router (Provided I know your external IP), except the router won't respond to any of these ping requests. I have that setting unchecked too, and after pinging myself for 10+ seconds at a rate of 100 Hz (100 pings per second), my Router still tells me "DOS Attack; Ping Flood; From Source: 69.96.69.96" so you see what I'm saying here. You can't stop 1 gbps of reflected packets from coming to your Router, but you can stop it from getting past your Router. An analogy would be the Trojan War (Except let's pretend they didn't let the horse in). The horse is like the DDOS packet, and the people not in the horse are your internet traffic. The limited number of boats that bring both people and horses from the sea (If there was one) is like your ISP giving you a certain amount of bandwidth. Now imagine millions of horses coming to the door and the defense has to deal with telling the horses no instead of telling the real people yes. The real people probably wouldn't even get on the boat depending on your internet speed, and the ones that do make it to the land will make up less than 1% of the bandwidth. A Router firewall is meant to keep your home devices safe from attacks on the internet, but it doesn't stop these attacks from wasting your internet speed. In fact, if your internet speed was 500 mbps, the other 500 mbps left from the 1 gbps would just clog up the at ISP before it even gets to you. Your ISP would need to implement its own firewall for DDOS attacks since they're the ones the provide you your internet service and determine what protocol ports are blocked, what traffic gets to you, etc. Even then, DDOS attacks can be hard to mitigate, but practices where a sudden spike of UDP packets from known DNS/CLDAP/NTP servers are blocked may keep your internet from dropping completely. If you get DDOS'd, then with a DHCP connection, you need to spoof your router's MAC address and make sure the XR500 is the Router in front connected to the Gateway/Modem/ONT. Usually this works unless the IP is assigned to your Gateway/Modem/ONT. If that, then unplug all internet devices for a long time (1+ hour). If you have a static IP, try to use other ones you bought or purchase a new one that's not known. Any other scenarios, contact your ISP. To avoid getting your IP leaked, use Hybrid VPN on all devices. If you're gaming, you can exclude games that don't use P2P connections from using the VPN.

 

P.S.

You'll know you're getting DDOS'd if the logs are filled with "DOS Attack; UDP Port Scan; From Source: 420.420.420.420" (I know that's not a valid IP, but who cares). Don't visit those DDOS-for-hire services as DDOSing someone without their permission is illegal. DDOS attacks can be used in legit ways to test network protection, but you must obtain consent from the owner first.

Wow that was informational. Yeah I guess I didn't realize that the traffic has to go from my ISP to me first anyways.