Would appreciate it if someone could explain what this error message is all about. Where xx is shown is my WAN address.
2025/02/20 10:58:22 -- [DOS][Block][unassigned_numbers][14.187.104.0->xx.xx.xx.xx][143][HLen=20, TLen=149]
The message arrives almost every minute and could easily fill my inbox by the end of the day!
|
|
|
|
What router is it?
|
|
|
|
Draytek Vigor2865
The Firewall rules for DOS Defence are all ticked,
|
|
|
|
Very sorry, wrong info supplied in my earlier message. It is:
Model Name: Vigor2860Vac
System Up Time: 327:11:25
Router Name: xxxx
Current Time: Thu Feb 20 2025 11:48:30
Firmware Version: 3.9.8.2_BT
Build Date/Time: Sep 13 2024 19:37:52
DSL Version: 576D17_A/B/C HW: A
LAN MAC Address: 00-xxxxxxxxx-68
Sensitive information replaced with xxxxx
|
|
|
|
Then it looks like the firewall is detecting what it thinks is a DOS (denial of service) exploit from what looks to be a host in Vietnam. If I’m reading the log correctly the incoming packets to port 143 (email IMAP port) are being blocked by the firewall.
Can you disable the logging notifications from the router sent to your email?
|
|
|
The router is doing its job…
https://www.draytek.co.uk/support/guides/kb-denial-o...
As said, you may want to switch off the syslog function that sends you these alerts to your email. You can continue to monitor the syslog entries directly on the router, without having your inbox fill up.
https://www.draytek.co.uk/support/guides/kb-vigor-sy...
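As an added example (not part of any post in this thread, and not DrayTek code): a small parser that collapses blocked-DoS lines of the form quoted in the first post into one summary row per source, for reviewing a saved syslog export instead of reading one alert per packet. The field names are assumptions inferred from that single quoted line, and every sample line after the first is constructed.

```python
import re
from collections import defaultdict

# Layout inferred from the one line quoted in the thread; the group names are
# assumptions. "num" is the unlabelled bracketed number (read in the thread as
# destination port 143).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) -- "
    r"\[DOS\]\[(?P<action>\w+)\]\[(?P<rule>\w+)\]"
    r"\[(?P<src>[\d.]+)->(?P<dst>[\w.]+)\]"
    r"\[(?P<num>\d+)\]\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]$"
)

# First line is the one from the thread; the rest are constructed sample input.
SAMPLE = """\
2025/02/20 10:58:22 -- [DOS][Block][unassigned_numbers][14.187.104.0->xx.xx.xx.xx][143][HLen=20, TLen=149]
2025/02/20 10:59:25 -- [DOS][Block][unassigned_numbers][14.187.104.0->xx.xx.xx.xx][143][HLen=20, TLen=149]
2025/02/20 11:00:01 -- [DOS][Block][unassigned_numbers][203.0.113.7->xx.xx.xx.xx][143][HLen=20, TLen=149]
2025/02/20 11:00:31 -- [DOS][Block][unassigned_numbers][14.187.104.0->xx.xx.xx.xx][143][HLen=20, TLen=151]
some unrelated syslog line
"""

def parse_line(line):
    """Return the fields of one DoS log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def digest(text):
    """Group matching lines by (rule, source, num); return (rows, skipped_line_count)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "tlen_sum": 0})
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # not a DoS line in the expected layout
            continue
        g = groups[(rec["rule"], rec["src"], rec["num"])]
        g["count"] += 1
        g["first"] = g["first"] or rec["ts"]   # input assumed chronological
        g["last"] = rec["ts"]
        g["tlen_sum"] += int(rec["tlen"])
    rows = sorted(groups.items(), key=lambda kv: -kv[1]["count"])
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = digest(SAMPLE)
    for (rule, src, num), g in rows:
        print(f"{src:15} {rule} [{num}] x{g['count']}  {g['first']} .. {g['last']}")
    print(f"{skipped} line(s) not in the expected layout")
```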
|
|
|
looks to be a host in Vietnam. I've never seen a useable IP address ending in .0 so could it be incoming DOS from more than one address in that range??
|
|
|
|
Notifications can indeed be turned off at the loss of any other useful information. The firewall DOS defence has the ability to block IP addresses. That seems a better solution and I will try that solution first.
But the black list has a limit of 16 entries now populated with these IP addresses:
Doing this seems to have slowed down the number of reports received. Maybe a country blocking would be better.
|
|
|
There's nothing inherently invalid in a public IP ending in .0
for example any kind of /32 or /31 PPP connection (including PPPoE customers of an ISP) can be allocated that.
Technically the loopback interface of a router can also be allocated a /32 but that's unlikely to be acting as an IMAP client.
However if it were a regular routed network range the smallest subnet that could contain a host address of 14.187.104.0
would be 14.187.96.0/20 (since for smaller subnets this would otherwise be the reserved network address).
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Edited by prlzx (Thu 20-Feb-25 12:46:42)
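The subnet reasoning in the post above, as an added example that is not part of the original post: a check of when an address ending in .0 is assignable to a host, and a search for the smallest conventional subnet in which it is. The function names are hypothetical; the logic uses only Python's standard `ipaddress` module.

```python
import ipaddress

def is_usable_host(addr: str, prefix: int) -> bool:
    """True if addr can be given to a host in the subnet of this prefix length that contains it."""
    ip = ipaddress.IPv4Address(addr)
    if prefix >= 31:
        # /32 host routes and /31 point-to-point links reserve no addresses.
        return True
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return ip not in (net.network_address, net.broadcast_address)

def smallest_host_subnet(addr: str) -> ipaddress.IPv4Network:
    """Smallest regular subnet (/30 or shorter prefix) in which addr is
    neither the network address nor the broadcast address."""
    for prefix in range(30, 0, -1):
        if is_usable_host(addr, prefix):
            return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    raise ValueError(f"{addr} is reserved in every subnet")

if __name__ == "__main__":
    # 14.187.104.0 is the source address from the log line in the thread;
    # the other two are documentation-range addresses chosen for contrast.
    for a in ("14.187.104.0", "192.0.2.255", "192.0.2.77"):
        print(a, "->", smallest_host_subnet(a))
```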
|
|
|
Thanks for explaining
|
|
|
Draytek Vigor2865
The Firewall rules for DOS Defence are all ticked,
That's where you're probably going wrong. These things cause all sorts of unexplained and unintended problems. I'd advise turning it all off unless you understand exactly what those features do. They are designed for business networks really and consumer stuff (playing games, etc, etc) can trigger those protections. By all means do some reading up online about the topic. I have it all turned off on my Draytek.
Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
|
|
|
Maybe a country blocking would be better.
Maybe.
31.43.192.166 Russia
94.247.61.201 Russia
117.6.130.51 Vietnam
95.154.33.134 Denmark
183.105.163.42 South Korea
86.125.18.166 Romania
176.36.109.230 Ukraine
188.25.82.228 Romania
91.150.81.203 Serbia
113.176.70.49 Vietnam
Not that I give much credence to GeoIP
Edited by DFScale (Thu 20-Feb-25 13:31:08)
|
|
|
|
Thanks to all who responded. I have been given some useful suggestions of the way forward to stem the flow of unwanted error messages to my Inbox. Will try to work out which is the most sensible route forward.
|
|
|
Hi,
FTR, if I was you, I would set up a dedicated email address away from my main email address where my router could send this type of email without it filling up my main email Inbox. This is what I do with the job hunting websites I sign up to. I have a completely separate email address for those sites so that when they send out their automated email it's not filling up my main Inbox.
HTH,
|
|
|
The router is doing its job…
https://www.draytek.co.uk/support/guides/kb-denial-o...
As said, you may want to switch off the syslog function that sends you these alerts to your email. You can continue to monitor the syslog entries directly on the router, without having your inbox fill up.
https://www.draytek.co.uk/support/guides/kb-vigor-sy...
This. These are already blocked and are background noise. No-one is interested in DDoSing you and if they did either your connection would fill or your router would fold like tin foil in the face of a serious attack if you've the bandwidth for it to land.
So a similar response to when you asked about blocking traceroute. This DDoS protection is largely pointless, your router will drop anything not belonging to an existing session immediately unless you're port forwarding and they attack there. Receiving any emails for firewall drops of any kind is pointless unless hosting stuff on the connection and seeing sustained attacks on the server, which will be logged on the server anyway.
|