DDOS Prevention Methods


  • Hi, I just recently purchased my AmpliFi Alien router. I am\was trying to find any information in regard to the topic. I did see some fixes regarding a breach etc. However, my main concern is, what measures does the router incorporate for DDoS prevention\protection? I'm not a networking guru or anything like that, and just want to make sure there is some type of protection. Some of the routers I looked at mentioned how or what they use to protect against DDoS so just wondering what, if any, this router has to mitigate that.

    Any light on this topic would be great as it's a concern. Thank you for the assistance.


  • You're right: when you go to the URL (192.168.200.1 in my situation) and enter your router, you can hardly see what is running in the background. At the same time, you can do little to safeguard your router yourself!!!
    If I’m wrong please let me know. Many questions are asked and few are answered? That saddens me. Also from the support desk. They can give online reactions more frequently. These days where cyber attacks are common practice one might expect some reassurance that the router is nailed and the firewall is protected better than ever. Support desk: please reply on this topic: not only for my benefit
    🙏🏻


  • Just going through the forum, it seems like this topic is shied away from (other than stating it has a firewall) and that port forwarding, UPnP as well as QoS can be tweaked (to a certain extent). That's kind of mind-boggling. It was just recently updated to handle DFS and 160 MHz and that you would think would have been standard, especially reading the specifications of it. (I understand it needed to go through certifications, etc. but how many years later?).

    I'm not bad-mouthing the product b/c the truth is I still bought it and I WANT it to have all the features I want as well as more advanced configurations (when I work up to all that). At the end of the day though, if something as simple as firewall features can't CLEARLY be defined and explained, on a premier router such as this, then other options may have to be found.

    I've also read about trying to combine different options (such as Raspberry Pi, etc.); however, I'm not ready for all that yet. Eventually I will want to toy around and experiment with such options, and it's something I look forward to. Right now, I just need to know what this router, by itself, can do to assist with the prevention of DDoS attacks, especially with all the heightened threats in regard to cybersecurity.


  • Well, I guess that settles it. Official word from support:

    AmpliFi Support (AmpliFi)

    Mar 26, 2022, 12:31 PDT

    Hi Melvin,

    Thanks for getting in touch with us!

    After checking with my team on this, I would like to inform you that Alien doesn't have capabilities specifically against DDoS attacks. It has a firewall which should be enough for the vast majority of cases. Usually, protection against DDoS attacks should be done on the ISP side.

    Hope that's helpful. If you have any other questions, please let us know!

    Thanks!
    Best,

    AmpliFi Support

    Unfortunately, I will have to return. Between my inexperience with other solutions and the router not providing what I need, it is what it is. Hope this topic sheds light for others out there looking to have this question answered as well.


  • @xKynetik I'm curious what DDoS protections you would expect to find on a SOHO router? Generally, DDoS protection is an upstream service provider's technology, with your public IP not advertised or discoverable. This requires some care in ensuring no disclosure of your public IP (such as might be found in email headers) to avoid having traffic sent directly to your router.


  • TO SUPPORT DESK!!!

    I find this response unsatisfactory and easy going. The firewall must also be accessible to the end user.
    I disagree that DDoS prevention is the responsibility of the ISP!
    I’ve got a Synology NAS and I can manually program it against DDoS.
    It's embarrassing that WPA2 is still the standard! Many hard and software companies regularly release software updates. You are very amateurish/incompetent here. The frequent signal loss of the WiFi signal on, for example, the iPhone/iPad or MacBook Pro M1 Max is extremely irritating.
    Also that is hopping from the different SSID within the AmpliFi Alien router. You always ask everyone who submits a complaint to send a report. These complaints are NOT from yesterday but have been present for a long time. You ignore the complaints by NOT providing customization. The router seems to have a mind of its own. Huge setback. Take some professional action. For me it's nice to, for a change, write a positive response!


  • My children and I are gamers, among other things. There are many tools used today by which someone can gain access to my IP address. Software such as xResolver, which is a gamertag to IP resolver, can be used. There are many means by which this same process can be done. From MY knowledge, ISPs aren't in the business of protecting their users extensively from being DDoS'ed. Many routers offer solutions to my concerns in being able to limit an attacker's ability to hinder my network useless. Protections against TCP.Flood, Syn.Flood, Ping.Flood (to name a few) on the ROUTER side offer greater protection, even if some is offered from the ISP. No method is 100% and even with said protections, devices can still be targeted. I just want the comfort of knowing I also have this ability on my router and offered some, if any, customization. I mean, from reading on the forum, you can't even see what's going on in your network's firewall other than knowing you have one.

    Again, I'm not here to bad mouth the product. And I don't pretend to be some networking guru (as I am DEF not). However, I do enjoy customization and being able to SEE what my router is doing and its capabilities. I hope, perhaps in its next iteration, more customizations can be made as I truly wanted to keep this router. They seem open to suggestions, so hopefully some of those will be incorporated.


  • Hi. Please find our answer below.
    @mleeds, you're basically right. If the malicious traffic has already reached the home router, we can't help much. DDoS protection should be done by the ISP at their level and, as always, the best strategy is to avoid exposing your IP address to 3rd parties.
    Additionally:

    • AmpliFi routers already block private networks arriving from WAN side by default.
    • AmpliFi routers block invalid/malformed packets and invalid TCP flag combinations.
    • AmpliFi routers drop GRE traffic unless it belongs to a connection initiated by the customer from LAN.
    • AmpliFi routers limit the number of TCP RST/SYN packets per second (RST/SYN flood protection) if the connection is not in conntrack entries.
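
The four defaults listed in the reply above, modelled as an added example: this is not AmpliFi firmware or configuration, only a sketch of how such WAN-side checks interact with connection tracking. The `WanFilter` and `Packet` names, the RFC 1918 ranges, the flag pairs treated as invalid, the 10 packets/second figure and the single shared token bucket are all assumptions, since the post gives none of them.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values: the post names the behaviours but gives no ranges or rates.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BAD_FLAG_PAIRS = [{"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"}]
SYN_RST_PER_SEC = 10

@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()

class WanFilter:
    def __init__(self, rate=SYN_RST_PER_SEC):
        self.rate = rate
        self.conntrack = set()          # flows opened from the LAN side
        self.tokens, self.last = float(rate), 0.0

    def lan_outbound(self, proto, remote, rport=0, lport=0):
        """Record a connection initiated from the LAN (creates a conntrack entry)."""
        self.conntrack.add((proto, remote, rport, lport))

    def wan_inbound(self, p):
        """Return 'accept', 'continue' (falls to rules not modelled here) or 'drop: <why>'."""
        if any(ipaddress.ip_address(p.src) in net for net in PRIVATE):
            return "drop: private source on WAN"
        if p.proto == "tcp" and (not p.flags or any(b <= p.flags for b in BAD_FLAG_PAIRS)):
            return "drop: invalid tcp flags"
        tracked = (p.proto, p.src, p.sport, p.dport) in self.conntrack
        if p.proto == "gre" and not tracked:
            return "drop: unsolicited gre"
        if p.proto == "tcp" and not tracked and p.flags & {"SYN", "RST"}:
            # One shared token bucket: refill by elapsed time, spend one token per packet.
            self.tokens = min(self.rate, self.tokens + (p.ts - self.last) * self.rate)
            self.last = p.ts
            if self.tokens < 1:
                return "drop: syn/rst rate limit"
            self.tokens -= 1
        return "accept" if tracked else "continue"
```

Replies on connections the LAN opened bypass the limiter because they match a conntrack entry, so the limit only bounds how much work unsolicited SYN/RST traffic costs the router; it does nothing for a WAN link that is already saturated upstream.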

  • @UI-AmpliFi Question. Where is this information listed?

    AmpliFi routers already block private networks arriving from WAN side by default.
    AmpliFi routers block invalid/malformed packets and invalid TCP flag combinations.
    AmpliFi routers drop GRE traffic unless it belongs to a connection initiated by the customer from LAN.
    AmpliFi routers limit the number of TCP RST/SYN packets per second (RST/SYN flood protection) if the connection is not in conntrack entries.

    How is this verified on the user's end, especially if we can't see firewall configurations?

    Other than running a VPN through your router (which is another feature yours does not have) you can't "hide" your IP from services mentioned in my earlier post (unless there is a way and if so, please educate me). Now, I'm speaking from a console perspective and not PC, just to be clear. Actually you can share your VPN tunnel from your PC to a console; however, that's not the most elegant option because now you're hard-wired to your PC. Why don't you allow VPNs on your router again? Because teleport is…well, that's for another conversation.

    To say it's strictly an ISP's job to prevent DDoS to ME is like saying it's solely on my doctor to prevent me from having heart attacks. Yes, he\she has the knowledge I do not in regard to my health, the medication I may need should I run into issues and even the means to try and help should I find myself in a dangerous situation. But it is by no means strictly up to them to make sure my health remains good. I need to be proactive. I need to monitor. Be aware. And when something is off and doesn't feel right, have the ability to respond. To add, and again please correct me if I'm wrong, ISPs don't necessarily protect us from protocol attacks.

    Having these protections in a router is that EXTRA step. Allows me to be proactive. Like I mentioned before, there are many means to which someone can gain your IP address. If we want to pretend that this is impossible, we can. NO method is 100%. So going back to my point, it would be GREAT if the router offered these protections.

    Also, please, if possible, point me to where there is documentation of the things you mentioned your router does by default. I'm especially curious about the conntrack entries, its settings etc., however, documentation of what you mentioned in general would be helpful.

