DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 DOS attacks?

02 Nov 2014 15:21 #81610 by sidewinder
2860 DOS attacks? was created by sidewinder
Hi,

I am quite new to the detailed workings of Draytek routers!
We have a new 2860VpN+.
We have 2 ISPs: BT Business via the Draytek, and Virgin Media via a gigabit port & a VM SuperHub2.
BT has a static IP, Virgin a dynamic IP.

I have split this information up into two posts, as it is linked but I’ve typed too much to put it in one post, & I don’t know what to leave out!

So first:
Router set to undertake logging due to concerns about hacking now that we have a static IP; router is set to email out logs.
Now getting emails with what appear to be incoming AND (!) outgoing DOS attacks.
The report log does not seem to be the same format as is described in the FAQs from Draytek.
Please help me to decode the logs & get to the bottom of what is going on?
What appears to be the outgoing DOS attack log is as follows:
>>>
2014/11/01 20:02:07 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.2.19:57380->64.233.167.84:443][TCP][HLen=20, TLen=64, Flag=SF, Seq=2838792689, Ack=0, Win=65535]
2014/11/01 20:02:11 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.2.19:57380->64.233.167.84:443][TCP][HLen=20, TLen=48, Flag=SF, Seq=2838792689, Ack=0, Win=65535]
2014/11/01 20:02:19 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.2.19:57380->64.233.167.84:443][TCP][HLen=20, TLen=48, Flag=SF, Seq=2838792689, Ack=0, Win=65535]
2014/11/01 20:04:09 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.2.19:57380->64.233.167.84:443][TCP][HLen=20, TLen=48, Flag=SF, Seq=2838792689, Ack=0, Win=65535]
2014/11/02 06:34:52 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.2.12:57008->173.252.79.23:443][TCP][HLen=20, TLen=52, Flag=F, Seq=2127404732, Ack=0, Win=65535]
<<<
Now the 192.168.2.* IPs I know are an iPhone 5 & 5s, which are allowed to connect to our network.
5GHz Wi-Fi is off; the 2.4GHz has a hidden SSID & WPA2 security, and I can identify all the MAC addresses connected.
The "target" IPs seem to resolve to Facebook.
Does this log mean that the 2860 has blocked a DOS attack from the phones on FB?
Can anyone suggest what to do, and what the ports are? I have searched, but the ports seem to be general.

Thanks in advance, more to follow...

02 Nov 2014 15:23 #81611 by sidewinder
Replied by sidewinder on topic Re: 2860 DOS attacks?
Hello again,

Second instalment…

Just after this email was received indicating an outgoing DOS attack, another came in indicating an incoming blocked DOS attack, or a tracert, to our static IP. (A tracert is an IP route trace to our IP, which logs the intermediate hops etc. to our IP, yes?)
I don’t know which ISP the outgoing connections used, as the unit is set up to load share, I think. I might be asking how to properly set this up soon, as we seem to have a lot of latency which I was hoping to eliminate with the parallel ISP connections.
Anyway, back to the incoming DOS attack.
Log is as follows:
>>>
2014/11/02 14:04:11 -- [DOS][Block][trace_route][69.25.7.69:34519->v.w.x.y:33450][UDP][HLen=20, TLen=44]
2014/11/02 14:04:15 -- [DOS][Block][trace_route][69.25.7.78:34523->v.w.x.y:33446][UDP][HLen=20, TLen=44]
2014/11/02 14:04:16 -- [DOS][Block][trace_route][69.25.7.78:34523->v.w.x.y:33447][UDP][HLen=20, TLen=44]
2014/11/02 14:04:21 -- [DOS][Block][trace_route][69.25.7.66:34520->v.w.x.y:33449][UDP][HLen=20, TLen=44]
2014/11/02 14:04:22 -- [DOS][Block][trace_route][69.25.7.66:34520->v.w.x.y:33450][UDP][HLen=20, TLen=44]
2014/11/02 14:04:28 -- [DOS][Block][trace_route][69.25.7.58:34522->v.w.x.y:33450][UDP][HLen=20, TLen=44]
2014/11/02 14:04:29 -- [DOS][Block][trace_route][69.25.7.58:34522->v.w.x.y:33451][UDP][HLen=20, TLen=44]
2014/11/02 14:04:33 -- [DOS][Block][trace_route][69.25.7.62:34521->v.w.x.y:33444][UDP][HLen=20, TLen=44]
<<<

Where v.w.x.y is our static BT IP address.
The incoming (?) IPs seem to resolve to internap.com, whoever they are?

Do both of these logs mean that the DOS attacks were blocked?
That is, the outgoing DOS attack, if it was one, was not allowed out, and the incoming tracert to our static IP was not responded to?

Is this something I need to be concerned about please?

One last question please: does anyone know where there is a good, reliable explanation of what ports are what & what they are used for? I think port 80 is just for, like, web pages etc.

Thanks in advance for any help.
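As an added illustration (not code from this thread or from DrayTek), here is a small Python parser for the two `[DOS][Block]` log shapes quoted in the two posts above. It splits each line into fields, labels an event outbound when its source is a private LAN address (which is what the 192.168.2.* lines are), and flags UDP destination ports in the classic traceroute range (33434 upwards) so the `tcp_flag` and `trace_route` events can be told apart. The sample lines are copied from the posts (v.w.x.y is the poster's own placeholder); the field names and the traceroute port range are my assumptions, not DrayTek's documentation.

```python
import re
import ipaddress
from collections import Counter
from typing import Optional

# Constructed sample input: DoS Defense lines quoted in the two posts above.
# v.w.x.y is the poster's placeholder for their static WAN address.
SAMPLE_LOG = """\
2014/11/01 20:02:07 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.2.19:57380->64.233.167.84:443][TCP][HLen=20, TLen=64, Flag=SF, Seq=2838792689, Ack=0, Win=65535]
2014/11/02 06:34:52 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.2.12:57008->173.252.79.23:443][TCP][HLen=20, TLen=52, Flag=F, Seq=2127404732, Ack=0, Win=65535]
2014/11/02 14:04:11 -- [DOS][Block][trace_route][69.25.7.69:34519->v.w.x.y:33450][UDP][HLen=20, TLen=44]
2014/11/02 14:04:33 -- [DOS][Block][trace_route][69.25.7.62:34521->v.w.x.y:33444][UDP][HLen=20, TLen=44]
"""

# Field layout inferred from the quoted lines (assumption, not vendor documentation).
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) -- \[DOS\]\[(?P<action>[^\]]+)\]"
    r"\[(?P<rule>[^\]]+)\]"
    r"\[(?P<src>[^:\]]+):(?P<sport>\d+)->(?P<dst>[^:\]]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>[^\]]+)\](?:\[(?P<extra>[^\]]*)\])?$"
)

# Classic UDP traceroute walks destination ports upward from 33434.
TRACEROUTE_PORTS = range(33434, 33535)


def _is_private(addr: str) -> bool:
    """True for RFC 1918 / link-local addresses; False for placeholders like v.w.x.y."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def parse_line(line: str) -> Optional[dict]:
    """Split one DrayTek [DOS] line into fields; return None if the shape is unknown."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rule, _, detail = rec["rule"].partition(", ")          # "tcp_flag, scanner=..." -> two parts
    rec["rule"], rec["detail"] = rule, detail
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["extra"] = dict(kv.split("=", 1) for kv in (rec["extra"] or "").split(", ") if "=" in kv)
    # Direction follows the source address: LAN-originated if it is private space.
    rec["direction"] = "outbound" if _is_private(rec["src"]) else "inbound"
    rec["looks_like_traceroute"] = rec["proto"] == "UDP" and rec["dport"] in TRACEROUTE_PORTS
    return rec


def summarize(log_text: str) -> Counter:
    """Count blocked events by (direction, rule) so the two kinds in the posts separate cleanly."""
    return Counter((r["direction"], r["rule"]) for line in log_text.splitlines() if (r := parse_line(line)))
```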

02 Nov 2014 18:24 #81616 by takeo_ischi
Replied by takeo_ischi on topic Re: 2860 DOS attacks?
I highly doubt your iPhones were trying to launch a DOS attack on the Facebook...

The 'DoS Defense' on my DrayTek was causing me problems so I just disabled it.

A true DoS attack will saturate your bandwidth no matter what your router does, so it won't really make much of a difference.

03 Nov 2014 17:04 #81645 by marjohn56
Replied by marjohn56 on topic Re: 2860 DOS attacks?
>>> I highly doubt your iPhones were trying to launch a DOS attack on the Facebook...

No, but it's a REALLY good idea! :lol:

03 Nov 2014 20:28 #81650 by sidewinder
Replied by sidewinder on topic Re: 2860 DOS attacks?
OK thanks, but still, can anyone help with decoding the logs anyway please?

I'm still at a very basic level of learning this stuff. Whilst I've done lots with hardware and software, it's been PLC/CNC type software; I've never had to deal with this side of networking before, and even if it's not an issue, I would like to understand what these logs mean.

Thanks,

03 Nov 2014 20:31 #81651 by sidewinder
Replied by sidewinder on topic Re: 2860 DOS attacks?
Sorry I have just realised that this post is probably in the wrong section too.
Perhaps one of the Mods or Admins would like to move it?

Sorry.
