Yoodley is reader-supported. When you buy through links on our site, we may earn an affiliate commission.
So you have noticed [DoS Attack: ACK Scan] or [DoS Attack: SYN/ACK Scan] in your router’s logs and have no idea what they are? Don’t worry, in this article, we have covered everything related to this, and by the time you will finish reading this, you will find out if you should be worried about these attack logs with random IPs or not. For some people, these DoS attacks do not impact internet speed, but in some cases, these attacks can slow down your internet and even shut it off completely for short periods. We have explained why this happens, but to understand everything you need to have a basic understanding of DoS/DDoS and ACK scan, so make sure you read everything that we have covered.
What is a DoS Attack?
A Denial of Service attack is a cyber-attack used to make a computer or network unavailable by flooding the network with fake traffic. In simple words, hackers attack websites and computers by flooding the network with large amounts of fake traffic that crashes the website because of too many server requests. There is another term called a Distributed Denial of Service (DDoS) attack, which is also a DoS attack that comes from multiple sources, also called Botnet.
What are ACK Scans?
We are going to explain this without going into too much detail. ACK scans are usually used to gather information about firewall and identify filtered ports or hosts. So the DoS attack ack scan in logs is typically a sign of working firewall. Routers like Netgear claims these small attacks as DoS because if you get these attacks every second, it will be considered a DoS attack. You may also see these logs as Dos attack if your threshold is set too low.
What is SYN scanning?
SYN scanning is a tactic usually used by hackers to identify if a communications port is listening (open) or RST (closed). It does this without establishing a full TCP connection; thus, it’s also called half-open scanning.
Should You Worry about ‘’DoS Attack Ack Scan’’ in Router’s Logs?
Almost all routers show these attack logs; usually, these are just bots looking for open ports to exploit. As long as your ports are closed, and the firmware is up to date, you should not worry about them. As mentioned before, if your router logs are displaying them, it means the security settings are right, and all the bots are being blocked. In some routers, you may also get these logs from the websites you visit, that’s why some people have reported having IP addresses of companies like Google, Amazon, Facebook in these attack logs, nothing is malicious if it’s happening with you, your router is probably confused about it. We believe these ports scan should have a better description, so people don’t freak out when they see them.
When to worry about this?
Bots looking for open ports on the internet are pretty normal. If your security settings are right, they will be blocked from your network. Usually, the router logs show these attacks in minutes and sometimes there can be a gap of hours between them. But if you see multiple entries every second, it will be considered a DoS attack. As mentioned in the intro, a strong DoS attack can slow down your internet or shut it off for a while.
How do I Prevent DoS/DDoS Attacks on Router?
Even if you have never been Ddosed, you should do some basic things to prevent DoS/DDoS attacks in the future.
- Don’t tell anyone your IP address.
- Use good antivirus software on all devices.
- Make sure the firmware of your router is updated.
- Keep your operating systems (iOS Android, Mac, Windows, Linux) updated.
- You can copy the IPs from the logs and block them in your firewall.
- Ensure your router’s settings are configured properly and turn off automatic WPS configuration and turn on WPA2 encryption from the router’s admin page.
If you are under attack, restart your router, if you have a dynamic public IP address, it will change once your router reboots. You can also contact your ISP (Internet service provider) and tell them everything you are experiencing.
Enable ‘’Disable Port Scan and DoS Protection’’ on Your Router
If you have a Netgear router, you can enable the DoS protection feature from the NETGEAR router GUI.
- To enable this feature, open a web browser and type http://www.routerlogin.com in the URL.
- Type the user name as admin and the password as password and click OK.
- Select Advanced > Setup > WAN Setup.
- Enable / Disable Port scan and DoS protection.
How to Detect a DoS/DDoS Attack on Your Network
To trace a DoS/DDoS you can use an open-source packet analyzer like Wireshark. It shows you the attacker’s source with other required info. You can search the IPs on the internet to get the idea about where the attack is coming from. You can also block the IPs in your firewall or contact relevant authorities and provide them all the information.
Why Are Routers Attacked?
Data Theft
Some hackers attack routers to gain control and redirect your internet traffic to domains that collect user data. This way, they can collect your personal information.
Botnets
Computers infected with malware can be controlled by the hackers who created the malware. Hackers use those compromised computers as a bot in their botnet and usually use them for DDoS attacks against websites. A router is also a computer that generally runs on a light version of Linux, so there’s a possibility of getting infected by malwares.
Cryptojacking
Cryptojacking is malicious crypto mining. Hackers use the devices infected with malware to mine cryptocurrencies like Bitcoin. Every year a few hundred thousand routers are infected by crypto-mining malware.
Security Flaws of Routers
One of the main reasons for the increase in router attacks is security flaws. Routers are easier to infect with malware in comparison to other devices.
Lack of User Awareness
Lack of awareness is also one of the biggest reasons why routers are being targeted; people don’t care about router security as much as they do about other devices. Most people don’t even bother to change the default password of the router. Attacks like brute force usually rely on weak passwords so if your router admin username is ‘’Admin’’ and the password is ‘’Password’’ you are most likely to be a victim of a brute force attack.
Famous Malicious Router Campaigns
Mirai
Mirai is one of the most famous botnet malwares that usually infects loT devices like webcams and routers. In 2016, Mirai was responsible for the biggest DDoS of that time. It crashed popular sites like Netflix, Twitter and Spotify. To remove Mirai, disconnecting your device from the network and performing a reboot is enough.
Torii
Torii botnet started infecting loT devices in 2018. Instead of DDoS attacks, this malware was more towards data theft and allowed the hackers to control internet traffic passing through the router. Removing Torii with a router reboot was impossible, so scanning the device with a professional anti-malware software was the solution.
VPNFilter
VPNFilter was specially engineered to attack only routers, in 2018 half a million routers were compromised. The malware allowed the attackers to harvest data and disable the routers on command.
Sources
- Ways To Prevent DDoS Attack On Router
- Routers: a vulnerable opening to your home and personal data
- What is a Denial-of-Service (DoS) Attack?