#1  
July 10th, 2012, 09:50 AM
jonmck
I can't block an incoming DoS attack with WNDR3700???

Someone for the last few days has been trying a DoS on our router...I keep getting log reports emailed to me at least every 15 minutes or so! What can I do? From what I have read, you can't block an incoming IP address. I think that is the most ridiculous thing I have heard of. This is a nice, expensive router and I can't block incoming attacks??? Surely I am overlooking something. Any help is appreciated.

Here is a sample portion of the log:
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13566, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13571, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:33:07
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:33:07
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13566, Tuesday, July 10,2012 12:33:07
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13571, Tuesday, July 10,2012 12:33:07
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:32:38
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:32:38
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13566, Tuesday, July 10,2012 12:32:38
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13571, Tuesday, July 10,2012 12:32:38
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:32:10
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:32:10
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13566, Tuesday, July 10,2012 12:32:10
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13571, Tuesday, July 10,2012 12:32:10
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:31:41
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:31:41
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13571, Tuesday, July 10,2012 12:31:41
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13566, Tuesday, July 10,2012 12:31:41
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:31:13
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:31:13
  #2  
July 10th, 2012, 10:13 AM
jmizoguchi
Re: I can't block an incoming DoS attack with WNDR3700???

Below is the originating IP.


Quote:
whois 80.219.5.176
#
# Query terms are ambiguous. The query is assumed to be:
# "n 80.219.5.176"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=80...se&ext=netref2
#

NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
OriginAS:
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2009-03-25
Ref: http://whois.arin.net/rest/net/NET-80-0-0-0-1

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail: hostmaster@ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '80.219.0.0 - 80.219.63.255'

inetnum: 80.219.0.0 - 80.219.63.255
netname: CABLECOMMAIN-NET
descr: Cablecom GmbH
descr: DHCP Scopes
country: CH
remarks: *************************************************
remarks: For spam/abuse, please contact abuse@cablecom.ch
remarks: E-mails to the persons below will be IGNORED!!
remarks: *************************************************
admin-c: LGI-RIPE
tech-c: LGI-RIPE
status: ASSIGNED PA
mnt-by: MNT-LGI
source: RIPE # Filtered

role: Hostmaster Liberty Global
address: Liberty Global Europe
address: Boeing Avenue 53
address: 1119 PE Schiphol Rijk
address: Netherlands
phone: +31 20 7788200
fax-no: +31 20 7788203
admin-c: SB666-RIPE
admin-c: SVS4-RIPE
tech-c: SB666-RIPE
tech-c: SVS4-RIPE
nic-hdl: LGI-RIPE
mnt-by: CHELLO-MNT
source: RIPE # Filtered

% Information related to '80.218.0.0/15AS6830'

route: 80.218.0.0/15
descr: Cablecom GmbH
descr: Zollstrasse42
descr: CH-8021 Zuerich
descr: SWITZERLAND
origin: AS6830
remarks: ***************************************************
remarks: For Spam/Abuse, please contact abuse@cablecom.ch
remarks: E-mails to the persons below will be IGNORED!!
remarks: ***************************************************
mnt-by: AS8404-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.15 (WHOIS2)
  #3  
July 10th, 2012, 10:35 AM
jlewter
Re: I can't block an incoming DoS attack with WNDR3700???

You are missing something.

It is being blocked!

If it wasn't being blocked then the router wouldn't report it. It's telling you that it's blocked the attack.

Send an email to your ISP, and perhaps to abuse@cablecom.ch and hopefully they will find out what's going on.

Port scanning is frowned upon by all ISPs so hopefully something will be done about it.
  #4  
July 11th, 2012, 06:01 AM
fordem
Re: I can't block an incoming DoS attack with WNDR3700???

First - let's start by defining a DoS attack - Denial of Service occurs when you or any other internet user is denied the use of their internet connection by whatever means, typically by flooding a link with unwanted traffic, or starting connections to the router and never completing them so that the router's memory and other resources become overloaded and the router stops routing.

The chances of your being the victim of a DoS attack are slim to nil - inconveniencing you, an individual, serves no purpose - the same resources required to create a DoS attack against you can be put to better use creating an attack on an ecommerce site, a government department, a military installation, where it will have a greater impact.

Second - your router, regardless of what you buy, cannot block a DoS (Denial of Service) attack - a DoS attack cannot be blocked at the downstream end of the link, you can have the most expensive product you can find, and I can still choke the link and deny you service. The only effective way to deal with a DoS attack is to filter the traffic at the upstream end, and that will have to be done by your ISP.

Third - if it was in fact a DoS attack, you wouldn't be here asking about it, your internet connection would be down and you'd be on the phone with the ISP telling them you want the problem resolved.

Now - what you're seeing in the logs is the firewall reporting an RST scan, which is when an RST command (an instruction to reset a connection) is received without there being an existing connection - technically speaking, it is a denial of service tool, but for the reasons I mentioned above, it's not really an attack.

Consider turning off the logging - all it's going to do is give you unnecessary heartache.
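Before turning logging off, the entries can be measured rather than counted by eye. The following is an added example, not part of any post in this thread: it parses the entry layout shown in the first post and reports, per source, how many entries arrived, on which ports, in how many bursts and at what rate. The function names and the summary fields are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry layout as it appears in the log posted in this thread.
ENTRY = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), \w+, (?P<ts>\w+ \d{1,2},\s?\d{4} \d{2}:\d{2}:\d{2})"
)

def parse(lines):
    """Yield (kind, source, port, timestamp) for every line that matches."""
    for line in lines:
        m = ENTRY.search(line)
        if m:
            ts = datetime.strptime(m["ts"].replace(", ", ","), "%B %d,%Y %H:%M:%S")
            yield m["kind"], m["src"], int(m["port"]), ts

def summarize(lines):
    """Per (kind, source): entries, bursts, gaps between bursts, ports, rate."""
    groups = defaultdict(list)
    for kind, src, port, ts in parse(lines):
        groups[(kind, src)].append((ts, port))
    out = {}
    for key, rows in groups.items():
        times = sorted({ts for ts, _ in rows})  # one timestamp per burst
        span = (times[-1] - times[0]).total_seconds()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = {"entries": len(rows), "bursts": len(times), "gaps_s": gaps,
                    "ports": sorted({p for _, p in rows}),
                    "per_minute": round(len(rows) * 60 / span, 1) if span else None}
    return out

# Eight entries copied from the log in the first post (two bursts of four).
SAMPLE = """\
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13566, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13571, Tuesday, July 10,2012 12:33:35
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13575, Tuesday, July 10,2012 12:33:07
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13573, Tuesday, July 10,2012 12:33:07
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13566, Tuesday, July 10,2012 12:33:07
[DoS Attack: RST Scan] from source: 80.219.5.176, port 13571, Tuesday, July 10,2012 12:33:07
""".splitlines()

if __name__ == "__main__":
    for (kind, src), stats in summarize(SAMPLE).items():
        print(kind, src, stats)
```

On these entries the summary shows the same four source ports repeating in bursts about 28 seconds apart, a handful of packets per minute.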
All times are GMT -8.