RT-AX86U Pro received data that was not requested by device

Chulamin

Occasional Visitor
I'm not sure if I completely understand what happened but I'll try to explain:
From my understanding, the Traffic Monitor will record all incoming data and show where the traffic went by wired, 2.4 GHz or 5 GHz. In this one instance it showed that the router received over 350 GB of data over a two-hour period that had no corresponding distribution to any other devices on the network. That's almost as much data as I use in three weeks that went nowhere. I got in touch with Asus and they had me file a report. I haven't heard back from them yet. In fact my ISP (Shaw/Rogers in Canada) doesn't even record that I received that much traffic. Does anyone have any idea what may have happened, or do I not understand what the monitor is showing? Thanks.

[Four Traffic Monitor screenshots attached, dated 2025-01-20]
 
Do you have the latest firmware?
Recently Asus routers have had a vulnerability which, when exploited, gives symptoms that include this one. The latest firmware is patched for this.
 
@Chulamin, do you have a USB drive attached to the router?
Any services enabled on the router? Services like AiCloud, VPN, remote WAN access to the GUI, FTP, any sort of remote access?
 
It's strange that you're seeing this. Did you factory reset and manually set back up from scratch (no restore) after flashing?
No. It only happened the one time and I'll monitor it. I'm not overly concerned at this point where I want to manually reset the router.
 
@Chulamin, do you have a USB drive attached to the router?
Any services enabled on the router? Services like AiCloud, VPN, remote WAN access to the GUI, FTP, any sort of remote access?
Yes, I do have some of those options running. None are necessary but add to the convenience of the device. I have been monitoring the connection activity and all seems normal. I also use a third party monitor to detect for any unwanted or unknown connections.
I should also add, that my ISP went down shortly after the incident. I don't know if it's related but as I mentioned, they didn't even record the traffic at their end.
 
Okay, so assuming you're right...why didn't my ISP record the traffic? Or could they have somehow been the ones to cause it resulting in the system going down soon after?
 
Okay, so assuming you're right...why didn't my ISP record the traffic? Or could they have somehow been the ones to cause it resulting in the system going down soon after?
Maybe they did record it but do not want to tell you that a DDoS attack had happened. Your router firewall did block the attack.
However, it would be a great idea to enable DoS Protection in the Firewall settings. Also, do not enable AiCloud services or Remote Access from the WAN. If you use a VPN Server, change the default port. And avoid using port forwarding if possible. Disable UPnP on the WAN settings.
I also recommend using a filtering DNS service such as Quad9 and enabling DoT (DNSSEC is not necessary with DoT). I use Cloudflare Security: 1.1.1.2 and 1.0.0.2 (security.cloudflare-dns.com). Disable DoH on your web browsers.
 
However, it would be a great idea to enable DoS Protection in the Firewall settings.

Not really. May do more harm than good.
 
The explanation is in how it works, which Asus documents. Unlikely to prevent a real DoS attack, more likely to negatively affect useful applications. Disabled by default for a reason. What I see above is perhaps a Traffic Monitor glitch.
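The opening post describes bytes counted as received on the WAN side with no matching distribution to wired or wireless clients, and the reply above suggests a Traffic Monitor glitch as one explanation. The following is an added example, not code from the thread or from Asus, showing how to reconcile those two views yourself from raw interface counters: it parses two snapshots in Linux /proc/net/dev layout (the format Linux-based router firmware exposes), computes per-interface byte deltas with handling for the two things that commonly produce bogus spikes in a traffic graph (a 32-bit counter wrapping at 4 GiB, or a counter reset after a reboot or interface flap), and reports how much WAN input was not forwarded to any LAN-side interface. The interface roles (eth0 as WAN, eth1 wired LAN, eth6 and eth7 as the two radios), the 32-bit counter width, and both snapshots are constructed assumptions for this example; on a real router, read the file twice and substitute your own interface names.

```python
"""Reconcile WAN bytes received against bytes forwarded to LAN-side interfaces.

Added example (not from the forum thread or Asus). Input layout is Linux
/proc/net/dev; interface roles and counter width are assumptions.
"""
import re
from dataclasses import dataclass, field

COUNTER_BITS = 32  # assumption: 32-bit kernel byte counters, common on consumer routers

# Assumed interface roles for this example.
WAN_IF = "eth0"
LAN_IFS = ("eth1", "eth6", "eth7")   # wired LAN, 2.4 GHz radio, 5 GHz radio

# Constructed sample snapshots, roughly two hours apart. eth7's transmit
# counter wraps between them; eth0 receives ~350 GB that no LAN port sends.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 12345 100 0 0 0 0 0 0 12345 100 0 0 0 0 0 0
  eth0: 100000000000 90000000 0 0 0 0 0 0 20000000000 30000000 0 0 0 0 0 0
  eth1: 5000000000 6000000 0 0 0 0 0 0 60000000000 50000000 0 0 0 0 0 0
  eth6: 1000000000 2000000 0 0 0 0 0 0 30000000000 25000000 0 0 0 0 0 0
  eth7: 3000000000 4000000 0 0 0 0 0 0 4290000000 3900000 0 0 0 0 0 0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 12345 100 0 0 0 0 0 0 12345 100 0 0 0 0 0 0
  eth0: 450000000000 400000000 0 0 0 0 0 0 20500000000 31000000 0 0 0 0 0 0
  eth1: 5100000000 6100000 0 0 0 0 0 0 62000000000 52000000 0 0 0 0 0 0
  eth6: 1050000000 2100000 0 0 0 0 0 0 31000000000 26000000 0 0 0 0 0 0
  eth7: 3100000000 4100000 0 0 0 0 0 0 100000000 4000000 0 0 0 0 0 0
"""

LINE_RE = re.compile(r"^\s*(\S+):\s*(.*)$")


def parse_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = m.group(2).split()
        counters[m.group(1)] = (int(fields[0]), int(fields[8]))  # rx bytes, tx bytes
    return counters


def counter_delta(prev, cur, bits=COUNTER_BITS):
    """Bytes moved between two readings of one counter.

    Returns (delta, discontinuity). discontinuity is True when the counter
    wrapped or was reset, meaning the delta is an estimate, not a measurement;
    a graph that ignores this is one way a 'phantom' spike appears.
    """
    if cur >= prev:
        return cur - prev, False
    if prev < 2 ** bits:                        # plausible wrap of a bits-wide counter
        return (2 ** bits - prev) + cur, True
    return cur, True                            # counter reset (reboot / interface flap)


@dataclass
class Reconciliation:
    wan_rx: int
    lan_tx: int
    unaccounted: int
    discontinuities: list = field(default_factory=list)

    @property
    def unaccounted_fraction(self):
        return self.unaccounted / self.wan_rx if self.wan_rx else 0.0


def reconcile(t0_text, t1_text, wan_if=WAN_IF, lan_ifs=LAN_IFS):
    """Compare WAN bytes received with bytes sent out of every LAN-side interface.

    Traffic terminated on the router itself (its own services, or packets the
    firewall drops) is received but never forwarded, so some gap is normal;
    a gap that is most of the WAN total over the window is what needs explaining.
    """
    t0, t1 = parse_net_dev(t0_text), parse_net_dev(t1_text)
    wan_rx, wan_disc = counter_delta(t0[wan_if][0], t1[wan_if][0])
    disc = [wan_if] if wan_disc else []
    lan_tx = 0
    for name in lan_ifs:
        d, flagged = counter_delta(t0[name][1], t1[name][1])
        lan_tx += d
        if flagged:
            disc.append(name)
    return Reconciliation(wan_rx, lan_tx, wan_rx - lan_tx, disc)


if __name__ == "__main__":
    r = reconcile(SNAPSHOT_T0, SNAPSHOT_T1)
    print(f"WAN received {r.wan_rx / 1e9:.1f} GB, forwarded to LAN {r.lan_tx / 1e9:.2f} GB, "
          f"unaccounted {r.unaccounted_fraction:.0%}; counter discontinuities: {r.discontinuities}")
```

If the WAN receive delta itself is flagged as a discontinuity, the spike is a counting artifact and nothing more needs investigating. If it is clean and the unaccounted share is still very high, the bytes really did arrive at the router and were consumed or dropped there, which is the situation the firewall and remote-access questions earlier in the thread are meant to narrow down.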
 
The explanation is in how it works, which Asus documents. Unlikely to prevent a real DoS attack, more likely to negatively affect useful applications. Disabled by default for a reason. What I see above is perhaps a Traffic Monitor glitch.
Thanks. I did look it up and you seem to be right. Although it could be useful to deal with an ongoing attack.
Also, as an aside: I have another router, an RT-N66U, that I use on a separate IP from the same ISP. I use that for my two TV connections (I have the ISP modem/router in bridge mode). It too experienced a spike in data usage at the same time, but not to the same extent. It may have been caused by the ISP if not a DoS attack.
 
The tooltip on stock Asus 3006.102_x firmware:
[attachment: screenshot of the DoS Protection tooltip]

Look at it this way, if it such a great idea to have enabled, why isn't it enabled as default?
The answer is right in front of you: "it would increase the router's workload." My oh my - my router is so overloaded... none of my four cores ever seem to get above 10% load... Plenty left for sudden need like DoS attack filtering. Older routers? Dual core processors may need it off...
 
I remembered that my son worked for the ISP for many years. He said he's seen this before and suspects it may have been caused by a system update that went awry and not a DoS. Especially because the node went down not long after the incident. Also, I actually did hear back from Asus and all they suggested was to reset the whole router from scratch and implement some security measures. I'll pass on the reset for now but I did tighten up security.
 
