Exposed? Dynamic DNS, Wireguard and Home Assistant - DDOS?

Hi OWRT community,

I was wondering... I've set up Dynamic DNS, WireGuard and Home Assistant. I have dynamic DNS on the router, given I'm not on a fixed IP with my ISP; this now allows me to access the router via the domain name. However, this must expose my router to easier Denial of Service attacks (because the IP of my router is always discoverable via the domain name). Is this something I should be concerned about? Is there a way to avoid DDoS, or is this something that needs to be handled by something like Cloudflare or upstream at my ISP? Are there FW rules that would help minimise this type of attack?

I'm not suffering any DDoS now that I've stopped playing FPS on the PS5, but I'm always interested in making the router as secure as I can within my knowledge of OpenWrt so far.

My own experience of DoS and OpenVPN is that home networks are too small to require a DDoS. A DoS is enough.

When this happens you can't do s..t about it, since you are on the receiving end of the line. That is the point of Cloudflare: they act as a boxing bag/lifeguard while letting the customer's normal traffic go other ways.

The OpenVPN registered port 1194 is toxic. Every online port scanner out there is scanning that port, and if they find a filtered or open 1194 they assume a business behind it and the attacks come. And they will continue coming from time to time for about 30-40 min until you change port to a port they don't scan and you are left alone. But they keep scanning your 1194 port forever.
On port 1194 they also try brute-force logins on the VPN tunnel, which the OpenVPN server stops, writing a note in the log every time.

The best firewall rule is to drop everything incoming on WAN, because then the router CPU really doesn't do much. If you reject everything and, for example, have a 300/30 line, the router tries to answer with 300 Mbit/s if the input is flooded with 300 Mbit/s of junk.

Thanks for the clarity on WG, good to know. Fair comment on DDoS for non-commercial activity. With regard to gaming though, I've definitely been targeted before when playing FPS on PS5 in online matches (someone didn't like that I was beating them and all of a sudden, pop, booted off the server) and was wondering if there are FW rules to minimise those kinds of attempts (to be fair, I've now moved the goalposts from my original post :grinning:)

@vgaetera, I absolutely, totally get that getting kicked/banned is done at the game server level; however, gamers employ other tactics too (see Identifying DDOS attack - #6 by lleachii) and I was interested in potential solutions. Seems like there aren't really any....

Yeah... heard about these tactics a few times... very common, sadly...

Well... technically you may be able to write adaptive firewall rule(s) depending on the DoS vector (but we'd need to see the particular DoS capture, as I'm guessing it would target a particular game-centric PnP port or spoofed server address, etc.)... could even be directed at the game server AFAIK... given how stateful firewalls work...

(-m limit over X/sec ! -s gamingserver -m ports DROP etc. etc.)

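As an added example (not code from any post in this thread, and not the OpenWrt project's own default configuration), here is an /etc/config/firewall excerpt that puts the two ideas above into OpenWrt's own config format: a WAN zone that drops rather than rejects, so a flood gets no replies, and rate-limited accept rules in the spirit of the "-m limit" suggestion. The WireGuard port 51820 and the 25/second and 10/second limits are assumptions; the thread never states the port or a rate.

```ini
# /etc/config/firewall (excerpt) - added example, assumptions marked below.

# WAN zone: DROP instead of REJECT for unsolicited input and forward, so the
# router sends nothing back when junk arrives (the CPU/upstream point above).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

# WireGuard listener (port 51820 is an assumption). The limit matches only
# packets under the rate; anything above it falls through to the zone
# default, i.e. it is dropped silently instead of answered.
config rule
	option name 'Allow-WireGuard-limited'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option limit '25/second'
	option limit_burst '50'
	option target 'ACCEPT'

# Same idea for ping: keep reachability checks working, but a ping flood
# only gets 10 replies per second and the rest is dropped.
config rule
	option name 'Allow-Ping-limited'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option limit '10/second'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart` and check the generated ruleset (`fw4 print` on nftables-based releases, `iptables -vnL` on older fw3 releases) to confirm the limit shows up on the WireGuard and ping rules. Two caveats a practitioner would want stated: rules like these only stop the router from doing work and sending replies; a volumetric flood that saturates the upstream link has already done its damage before any rule on the router sees it, which is why the thread points at Cloudflare or the ISP for that case. And dynamic DNS does not make the IP more discoverable than it already is to every peer the router talks to, game servers and other players included.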

I wouldn't use my post to address a specific professional use case.

E.g., in no way would I suggest a VPN in most professional gaming circumstances.

No...it has a public IP...(so that can't be mitigated...without latency in using e.g. a VPN...duh). I don't suggest a VPN while gaming.

OK...?

I was specifically referring in that post to only mitigating attempts to DDoS the router during an active gaming session. I would suggest you reference @trendy:

I also noted: " an adversary who in fact has money and resources" - @Phase1, are you 100% sure you face an adversary that really cares so much to [spend money to] win a PS5 game? :thinking:

I doubt it. If so, maybe see you in some draft rankings! :wink:


It is always someone taking the game way too seriously 😂

Hey thanks everyone for the contributions to this discussion.

My concerns aren't really something I need to / should be worried about. I was interested in DDoS as a subject and wondered if OpenWrt could do anything to avoid it.... Seems like it's not the router's problem to resolve.... Back to securing my Home Assistant install with Let's Encrypt :slight_smile:

