What router will detect and block internal DoS attacks?

Random-Fool

So I have a home network. Semi-normal. Modem > Router ( no wi-fi enabled ) > wi-fi access point.

Recently, I had a new house mate move in, and he's killing my network via a wi-fi DoS attack. See:

http://community.spiceworks.com/top...emc-storage-connector-spiceheads-take-warning

Naturally, either updating or uninstalling the app would fix the issue. However, he doesn't believe it's his system... nor does he believe in updating his system :mad: And yes, we've shown him the network works fine when he's offline. When people start to go down, there is a small window of time where we turn off his computer and everyone comes back up :rolleyes: It can get to a point however, where everything needs to be rebooted :(

So I know I could, and most likely will, block his laptop, but my question is, why didn't the router automatically block him?

I'm wondering, is there a router out there that would shut him down automatically until I removed the block?

What about a router that goes, hey, I'm being overloaded and why don't I just block this one?

Could it be my router didn't block him because I have reserved IPs for all devices on my network?

This is somewhat surprising and troubling.
 
I'm just spitballing but here's some ideas to get you thinking.

Assign a fixed IP address to the MAC address associated with the offending PC. Now you have a fixed point of reference.

Use logs to see the port number of the offending app. It will look like 192.168.1.25:xxxx, with xxxx the port to block for that IP.

Examine QoS, port forwarding or other screens on your router to see if you can isolate an internal IP address with a port. Then get creative.

iptables is another method. It's complicated but there should be clear examples available if you google for this problem. It's about 4 lines, maybe 6 with 2 or 3 pairs of related commands. The data you discovered above will be useful. Most routers don't openly support iptables, though. DD-WRT does.
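
As an added example, not part of the post above and not taken from DD-WRT: one way the handful of iptables commands mentioned in that reply could look on a Linux-based router. The chain name LANLIMIT, the MAC address, the 50 packets/second budget and the choice of UDP destination port 137 are assumptions for illustration; the rules only see packets that reach the router itself, so wifi-to-wifi traffic that stays on the access point is unaffected.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that contain one LAN
# host, identified by MAC address. Review the output, then run it once on
# the router, for example by pasting it into the firewall script.

# lan_host_rules MAC PORT [RATE]
#   MAC   hardware address of the offending host
#   PORT  UDP destination port seen in the logs (assumed to be UDP)
#   RATE  packets/second the host may still send (assumed default: 50)
lan_host_rules() {
    mac=$1
    port=$2
    rate=${3:-50}

    # Validate every argument so a typo cannot become a rule that matches
    # the wrong traffic.
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || {
        echo "invalid MAC: $mac" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 1; }
    case $rate in ''|*[!0-9]*) echo "invalid rate: $rate" >&2; return 1 ;; esac
    [ "$rate" -ge 1 ] || { echo "rate must be >= 1" >&2; return 1; }

    # Dedicated chain (hypothetical name) holding the policy for this host.
    echo "iptables -N LANLIMIT"
    # 1. Always drop the flooding port.
    echo "iptables -A LANLIMIT -p udp --dport $port -j DROP"
    # 2. Traffic within the budget returns to the normal rule set.
    echo "iptables -A LANLIMIT -m limit --limit $rate/second --limit-burst $((rate * 2)) -j RETURN"
    # 3. Everything above the budget is dropped.
    echo "iptables -A LANLIMIT -j DROP"
    # Send the host's packets through the chain, both those addressed to the
    # router (INPUT) and those routed through it (FORWARD).
    echo "iptables -I INPUT -m mac --mac-source $mac -j LANLIMIT"
    echo "iptables -I FORWARD -m mac --mac-source $mac -j LANLIMIT"
}

# Constructed sample values: placeholder MAC, NetBIOS name service port.
lan_host_rules 00:11:22:33:44:55 137
```

Because within-budget packets use RETURN rather than ACCEPT, the host stays subject to whatever other rules the router already has.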
 
Port 137 is an interesting port. I googled it and found it's a virus magnet.

There's a good reason for that - port 137 is used by netbios. It's essential to the proper functioning of Windows.

It's one of the most commonly-targeted ports for malware because of that.

Most consumer routers only apply DoS protection and SPI firewall on the inbound WAN interface. They won't detect or block anything originating on the LAN.

My advice is to just block him until he fixes his issue.
 
That and DoS and SPI on consumer routers is relatively limited on top of that.

On WIFI, there is very little that consumer routers can or will do. You can take down a wifi network very easily by flooding it with traffic and there is nothing the router can or will do about it.

As for 137/NetBIOS. It is NOT critical for Windows. You can easily disable it. Windows typically uses LLDP more than NetBIOS these days for LAN name/services resolution anyway.

To top it off, you do not HAVE to have name/services resolution on the network at all. It can be helpful, but if worse comes to worst, you fall back on using the IP address of the machine/services manually.

Also, make absolutely sure UPnP is disabled. My God make sure it is disabled.
 
Basic file and printer sharing for workgroups will not work with port 137 disabled, among other things.

While it is true that a more technical user could get away with it, the average user is going to see several issues if they just have their router filter 137 without taking all of the necessary steps on their workstations.
 

Just to be clear, with your current networking setup your router has no control over wifi to wifi traffic. Only the AP is capable of controlling wifi to wifi traffic.

You may be able to achieve control at the router by implementing VLANs, but I am unsure.
 
It is still pretty easy to add the printer by IP address and the file share by IP address. I won't disagree that it breaks basic file and printer sharing, but if LLDP is on, in general file sharing will work as per normal and newer network printers will also work fine (in both cases, LLDP is also used, not just NetBIOS, but older network printers do not support it and I think pre-7 or maybe pre-Vista does not support LLDP).

Even if it breaks, it isn't that hard to manually navigate to a file share or network printer by IP address. It's more advanced than a "I don't know anything" computer user can handle, but it isn't much above that level.
 
That's like 75% of the entire Windows user base...

And 100% of the users I support. :D

I think you are being generous, it is probably 90% of the entire Windows user base...but yeah.

I guess my point is it doesn't break file and print sharing, it just, possibly, breaks LAN services discovery for older machines and network equipment. Maybe/possibly on newer stuff, but I've tried NetBIOS disabled on my win 7/8/8.1 machines and it worked just fine to see network shares with LLDP still enabled. Disable that too and nothing. Have to manually browse to the IP address to see the share and entering the machine name gets you nowhere too. I didn't bother trying it with my network printer, I was just curious if LLDP could replace NetBIOS and it at least seems like the answer is yes (for the stuff that supports it).
 
A router like MikroTik RouterOS or RouterBOARDs have configurable firewalls that can prevent all sorts of security breaches that you want, but it needs to be configured. Not for the unskilled user. They also list their NAT throughput performance (routing) under different situations.
 
