Linksys wireless routers doing DDOS attack???

spire2z · Fri Mar 24, 2006 8:51 pm

I have had two cases of my customers who had Linksys wireless routers connected to my wireless service and it would appear that they generate DDOS like traffic on port 53 to our DNS service. I found I actually had to disconnect them from wireless to supress the issue. Even dropping response caused too much upstream traffic to cause a slowdown on the WLAN. We found it was the routers as they did it even when no PC's were linked on their local side!

Has anybody else seen this?

jp · Sat Mar 25, 2006 3:02 am

Sure have. The linksi probably need firmware upgrades.

spire2z · Sat Mar 25, 2006 11:19 am

What the hell are Linksys doing!!

Thats some crazy s*it! Could get out of hand if many users had them at home. And they are popular with consumers now.

I wonder how that would affect a large national ISP etc with millions of users Linksys routers going crazy..

bushy · Sat Mar 25, 2006 2:48 pm

Netgear too ........ http://www.cs.wisc.edu/~plonka/netgear-sntp

chris-oct · Tue Mar 28, 2006 7:36 pm

Sounds like a loop to me. Sometimes I need to enable spanning tree to prevent loops

airtech · Wed Mar 29, 2006 7:38 pm

It does cause a nightmare when you have a lot of customers on the network. We have about 1500 customers on our network right now and about 90 percent of them have Linksys routers. It appears that they cause they DDOS attacks when they hold the reset button on their router with our connection still plugged in. We just stopped it from being an issue by putting every customer on their own VLAN. Now, the only connection they can mess with is their own

.

chris-oct · Thu Mar 30, 2006 1:37 am

You have 1500 vlans on a mikrotik? If not, how many do you put on a single mikrotik?

airtech · Thu Mar 30, 2006 2:11 am

The VLANs are split up between multiple Mikrotiks, about 300 each round numbers, however, I have successfully tested and run over 2000 VLANs in one Mikrotik router now that 2.9.18 is out. It did not work before 2.9.18.

spire2z · Thu Mar 30, 2006 1:50 pm

Sounds like a loop to me. Sometimes I need to enable spanning tree to prevent loops

What do you mean by a loop? How would that be possible under DNS settings to have a loop. I mean the DNS forwarder in the Linksys would talk to the DNS server it's set to but what is the loop? I could only see that if local addresses were mirrored both sides of the NAT but then it just would not work?

jp · Thu Mar 30, 2006 2:34 pm

A loop would be if someone plugged a hub or switch into ... itself. I've seen these two, but they are very easily sourced to a single location with traffic graphs.

Right now, gigafast routers are the source of packet storms on our network. We are replacing them as they cause problems.

spire2z · Thu Mar 30, 2006 7:12 pm

Ok I see. Yes I have done that once a long time ago to see what happened!

In this case it's not that though. The config is:

MikroTik - AccessPoint - ClientBridge - AccessPointRouter(linksys) - laptop

Also I have worked with the users and we are sure it's not configuration issues. These users are quite knowlegeable. Also the linksys routers do it when idle. When being used by the end user the problem stops. One was bad when the user had gone to bed and just left his router switched on!

Crazy huh. I have had to add into TOS that users can be disconnected if using Linksys routers. Ha Ha... Good one linksys.

Linksys wireless routers doing DDOS attack???

Linksys wireless routers doing DDOS attack???

Who is online