Hardware or Software Instability? Actually no, Internet port scan denial of service
There have been a handful of instances with my new router where I lose connectivity and then what appears to me to be a hardware reset of the LAN switch and syslog messages about a WAN outage.
Code:
Feb 8 23:05:54 WAN_Connection: WAN was exceptionally disconnected.
Feb 8 23:05:54 DualWAN: skip single wan wan_led_control - WANRED off
Feb 8 23:06:06 WAN_Connection: WAN was restored.
When connectivity comes back, I seem to have lost the syslog entries from before and perhaps during the event, except for the WAN ones.
I am now using Skynet. Optionally I have chosen to log INVALID blocked connections in addition to INBOUND blocked connections. Other users have not been fans of the Skynet syslog entries.
I am also using Cygwin 64 syslog-ng on a Windows computer as a central, remote syslog for three network devices including the router. I am OK with all of the Skynet entries that do not get cleaned up hourly as they do on the router.
The connectivity outage has happened again, but this time I have the logs on my remote syslog server to know what it is caused by. Over the course of a few minutes, I receive at least a thousand INVALID SYN packets to various TCP ports. The time gaps in the log suggest a lot more packets are involved.
I submitted an abuse web form to the ISP of the source IP in Germany.
Without the logs I would have been suspecting problems with the hardware or the firmware. I do have DoS protection enabled even though this situation is beyond the help of rate limiting.
Code:
Top 10 Blocks (Invalid);
Hits  | IP Address   | AlienVault                                           | Associated Domains
------|--------------|------------------------------------------------------|-------------------
1628x | 88.99.37.190 | https://otx.alienvault.com/indicator/ip/88.99.37.190 |
Update: I was poking around in the Fing app. There is a feature which you cannot disable called Network Vulnerability Test. Apparently it performs a port scan from the Internet from time to time. Since I had recently enabled incoming IPSEC VPN, I was curious whether Fing could tell. The history showed nothing. So I decided to run it ad hoc.
Guess what, the Fing network vulnerability test has been the cause of the outages from IP address 88.99.37.190. It blasts your router with so many SYN packets in a couple of minutes that it takes you offline. And the history coincided with the outage from Friday night.
I am f***ing done with Fing. I had been on the fence with regard to the overall value of Fing compared to the breadth of data they were extracting and storing in the cloud. I deleted the networks from the app, deactivated and disconnected the Fing device on my network and deleted the Fing apps. Wow.
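As an added example (not the poster's code and not part of Skynet), this is the kind of per-source aggregation a remote syslog server such as the syslog-ng setup above can run over Skynet's block lines to spot a SYN burst like the one described, before it gets blamed on hardware. The sample log lines are constructed, and the "[BLOCKED - INVALID]" prefix, the netfilter field layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the thread) in the shape of Skynet's
# iptables LOG entries as received by a remote syslog server. Assumptions:
# the "[BLOCKED - INVALID]" prefix and the kernel netfilter field layout.
SAMPLE_LOG = """\
Feb  8 23:05:40 router kernel: [BLOCKED - INVALID] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Feb  8 23:05:40 router kernel: [BLOCKED - INVALID] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Feb  8 23:05:41 router kernel: [BLOCKED - INVALID] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN
Feb  8 23:05:41 router kernel: [BLOCKED - INVALID] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=8080 SYN
Feb  8 23:05:42 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=23 SYN
Feb  8 23:05:54 router WAN_Connection: WAN was exceptionally disconnected.
"""

# One regex for the syslog timestamp plus the netfilter fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"\[BLOCKED - (?P<kind>[A-Z]+)\] .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)

def summarize_syn_blocks(log_text, kind="INVALID"):
    """Aggregate blocked TCP SYNs per source: hit count, distinct ports, time span."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != kind or m["proto"] != "TCP" or "SYN" not in m["flags"]:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, fine for deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        entry = per_src[m["src"]]
        entry["hits"] += 1
        entry["ports"].add(int(m["dpt"]))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return per_src

def flag_scanners(per_src, min_hits=100, min_ports=20, window_seconds=300):
    """Sources with many SYNs to many ports inside a short window (tunable thresholds;
    the thread's case was 1000+ SYNs to assorted ports within a few minutes)."""
    flagged = []
    for src, e in per_src.items():
        span = (e["last"] - e["first"]).total_seconds()
        if e["hits"] >= min_hits and len(e["ports"]) >= min_ports and span <= window_seconds:
            flagged.append((src, e["hits"], len(e["ports"]), span))
    return sorted(flagged, key=lambda row: row[1], reverse=True)
```

Run `flag_scanners(summarize_syn_blocks(open("router.log").read()))` against the syslog-ng file; a flagged source is a candidate for the abuse report and a rate-limit rule rather than a firmware bug hunt.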