fdanna (Star)
May 09, 2019
Disable Port Scan and DoS Protection Misleading
Having noticed a slowdown in my internet and frequent lag, I checked my logs only to discover I'm getting DDoS attacks nearly every 15 minutes! The IPs are from all over the world. My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging! Then come to find out, on Orbi, when you turn on VPN it re-enables ping responses. So I shut this off and the attacks continued and my port was still responding to ping. On a whim, I disabled the port scan and DoS protection and finally my IP stopped responding to pings.
This seems all very counter-intuitive but if you don't want your WAN port to respond to pings and thus be vulnerable to attacks, it seems you need to disable the DoS and port scan detection.
Anyone else come across this situation?
17 Replies
Let's see if a factory reset and setup from scratch without loading a config file resolves this.
https://community.netgear.com/t5/Orbi/ORBI-RBR50-Rebooting-and-Unresponsive/m-p/1748893#M61425
Then we can do more investigation here...
fdanna wrote:
Having noticed a slowdown in my internet and frequent lag, I checked my logs only to discover I'm getting DDoS attacks nearly every 15 minutes! The IPs are from all over the world. My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging!
This seems all very counter-intuitive but if you don't want your WAN port to respond to pings and thus be vulnerable to attacks, it seems you need to disable the DoS and port scan detection.
My experience is different from yours. I disconnected my mobile phone from WiFi and performed a ping test on my Orbi's public (WAN) IP address using the LTE connection. As you report, even though my Orbi is set NOT to respond to ping on internet, I got ping responses. I then set it TO respond, and still got ping responses. I then clicked Disable Port Scan and DoS Protection. Still got ping responses. I did not mess with VPN or try every possible combination of settings.
So, either (1) Orbi firmware is "broken" in the sense that options selected do not work as described, or (2) the ping response did not come from my Orbi, but perhaps from the cable modem. My responses read: "cpe-172-249-115-xxx socal.res.rr.com 67.1ms". Testing that hypothesis involves more effort than just disconnecting from WiFi. (Like, stick a tap between Orbi and modem, or....)
On the other hand, detecting a DoS attempt every 15 minutes from "all over the world" seems (to me) pretty much "normal" and I would not assume it to be the sole cause of networking issues.
You might contact NG on this if you think these features are broken. IF they are then NG needs to be aware and address them...
CrimpOn wrote:
fdanna wrote:
Having noticed a slowdown in my internet and frequent lag, I checked my logs only to discover I'm getting DDoS attacks nearly every 15 minutes! The IPs are from all over the world. My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging!
This seems all very counter-intuitive but if you don't want your WAN port to respond to pings and thus be vulnerable to attacks, it seems you need to disable the DoS and port scan detection.
My experience is different from yours. I disconnected my mobile phone from WiFi and performed a ping test on my Orbi's public (WAN) IP address using the LTE connection. As you report, even though my Orbi is set NOT to respond to ping on internet, I got ping responses. I then set it TO respond, and still got ping responses. I then clicked Disable Port Scan and DoS Protection. Still got ping responses. I did not mess with VPN or try every possible combination of settings.
So, either (1) Orbi firmware is "broken" in the sense that options selected do not work as described, or (2) the ping response did not come from my Orbi, but perhaps from the cable modem. My responses read: "cpe-172-249-115-xxx socal.res.rr.com 67.1ms". Testing that hypothesis involves more effort than just disconnecting from WiFi. (Like, stick a tap between Orbi and modem, or....)
On the other hand, detecting a DoS attempt every 15 minutes from "all over the world" seems (to me) pretty much "normal" and I would not assume it to be the sole cause of networking issues.
It’s really not ideal to have your IP responding to pings. The DoS attempts were bringing down my network and the slowdowns coincided with the logging of the attacks so I think the data says this is more than coincidence.
Your cable modem shouldn't respond to outside pings if the IP is being assigned to the WAN port of your router. Scanning is happening all the time on the internet, as you know, and any response from an IP is interpreted as, "oh look, something is here, let's attack it!" Hence, better to NOT respond to pings.
I did another test. Turned on the "debug log", did some pings from my mobile phone over LTE, then looked at the WAN capture using Wireshark. Even though my mobile phone app showed ping responses, I did NOT see any ping requests to my Orbi in the WAN log (or any ping responses). I did see my Orbi making some ping requests and getting responses but not involving my mobile phone.
So now I am more confused than ever. The Orbi log contains zillions of ARP requests and some ICMPv6 traffic, but not those ping requests. Does the Orbi not log any packets that have been discarded? Hmmm. Guess I could repeat the experiment and capture a WAN log when the Orbi is told to respond to ping requests. (Maybe later today.)
For now, however, I regard this as a mystery.
CrimpOn wrote:
I did another test. Turned on the "debug log", did some pings from my mobile phone over LTE, then looked at the WAN capture using Wireshark. Even though my mobile phone app showed ping responses, I did NOT see any ping requests to my Orbi in the WAN log (or any ping responses). I did see my Orbi making some ping requests and getting responses but not involving my mobile phone.
So now I am more confused than ever. The Orbi log contains zillions of ARP requests and some ICMPv6 traffic, but not those ping requests. Does the Orbi not log any packets that have been discarded? Hmmm. Guess I could repeat the experiment and capture a WAN log when the Orbi is told to respond to ping requests. (Maybe later today.)
For now, however, I regard this as a mystery.
It sounds like your cable modem is doing the routing. You might have a double NAT situation.
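The "double NAT" suggestion above can be checked from the router's own status page without any packet capture: if the address on the Orbi's WAN port is private (RFC 1918) or carrier-grade NAT space (RFC 6598), or simply differs from the address an outside host sees, something upstream (typically the modem in gateway mode) holds the public address and is the device answering pings, regardless of the Orbi's setting. The following is an added example written for this thread, not code from NETGEAR or from any poster; the sample addresses are constructed, and 172.249.115.1 stands in for the elided host in the "cpe-172-249-115-xxx" reply (note that 172.249.0.0/16 lies outside the private 172.16.0.0/12 block and is public space).

```python
from ipaddress import ip_address, ip_network

# Ranges that can never be a genuine public WAN address: RFC 1918 private
# space and the RFC 6598 carrier-grade NAT block. A router whose WAN port
# holds one of these sits behind another NAT device (often the modem).
NON_PUBLIC_RANGES = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("100.64.0.0/10"),
)


def classify_wan_address(addr: str) -> str:
    """Label a WAN-side address as 'public', 'non-public (<range>)' or
    'non-routable' (loopback, link-local, documentation space, ...)."""
    ip = ip_address(addr)
    for net in NON_PUBLIC_RANGES:
        if ip in net:
            return f"non-public ({net})"
    if not ip.is_global:
        return "non-routable"
    return "public"


def double_nat_suspected(router_wan_ip: str, internet_visible_ip: str) -> bool:
    """True when the router is not the device holding the internet-facing
    address, i.e. something upstream is translating.

    router_wan_ip       - what the router's status page shows on its WAN port
    internet_visible_ip - what an outside host (e.g. a phone on LTE, or a
                          'what is my IP' service) sees as your source address
    """
    if classify_wan_address(router_wan_ip) != "public":
        return True
    return ip_address(router_wan_ip) != ip_address(internet_visible_ip)


if __name__ == "__main__":
    # Constructed sample values (assumption: 172.249.115.1 is a placeholder
    # for the thread's elided cpe-172-249-115-xxx host).
    print(classify_wan_address("172.249.115.1"))                     # public
    print(classify_wan_address("192.168.100.10"))                    # non-public (192.168.0.0/16)
    print(classify_wan_address("100.70.1.2"))                        # non-public (100.64.0.0/10)
    print(double_nat_suspected("192.168.100.10", "172.249.115.1"))   # True
    print(double_nat_suspected("172.249.115.1", "172.249.115.1"))    # False
```

If the check reports a double NAT, the ping replies and the logged "attacks" are being handled by the upstream device first, and the Orbi's ping-response and DoS-protection settings only govern what reaches it from there; the fix is to put the modem in bridge mode or accept that the modem's settings are the ones that matter.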
Maybe a forum moderator can comment and let us know what we should be expecting to see and not see with these features enabled and disabled...
- ekhalil (Master)
fdanna wrote:
........... My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging! ..........
If you ping from a computer attached to your wifi and ping the WAN port you will get a response. Please test from a computer not attached to Orbi to get correct results.
fdanna wrote:
.........Then come to find out, on Orbi, when you turn on VPN it re-enables ping responses. .......
You can overcome this by doing the following telnet command (it will not impact VPN):
root@RBR50:/# config get wan_endis_rspToPing
You will get the default which is 1 (means Orbi should respond to WAN ping requests)
root@RBR50:/# config set wan_endis_rspToPing=0
root@RBR50:/# config commit
- Blanca_O (NETGEAR Employee Retired)
- go4par (Aspirant)
Two months and no solution?? I am just confused by one issue here. Why is the 'Default' a checked box/enabled "Disable Port Scan and DoS Protection"? Even the help pop-up on the same router page states it should only be disabled on 'special circumstance'. Thus I have to uncheck the box in order to enable the protection. But, and it's a big but, I do get the same DoS attacks on an Apple iPad every few minutes. My PC gets them also but it is the Router's DNS (75.75.75.75) attacking the IP/Mask. (??) This does seem to stop when I leave the box checked, disabling scans and protection. Doesn't make sense.
Also, neither Comcast nor Net Gear say they can adjust my modem/router clock and thus one hour behind. I don't see any clock settings incl. DLSavings time.
A little help pls..
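Two things in this thread are worth checking in the log itself rather than by eye: fdanna's observation that "attacks" arrive roughly every 15 minutes, and go4par's entries where the "attacker" is the router's own DNS resolver (75.75.75.75 is Comcast's). Replies from a resolver on port 53 are the router's own lookups coming back, which the port-scan/DoS heuristic commonly misreports; and a steady cadence of single scans from unrelated sources is background internet noise, not a flood. The script below is an added example for this thread, not code from NETGEAR or any poster. The log lines are constructed in the style of NETGEAR router logs (an assumption; real Orbi firmware may word or order the fields differently), the `KNOWN_RESOLVERS` set is something you would fill in from your own WAN DNS settings, and the "false positive" rule is a heuristic the thread suggests rather than anything the firmware exposes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the style of NETGEAR router logs (assumption: the
# exact wording and timestamp layout of real Orbi firmware may differ).
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 203.0.113.7, port 443, Thursday, May 09, 2019 08:00:12
[DoS Attack: ACK Scan] from source: 75.75.75.75, port 53, Thursday, May 09, 2019 08:14:50
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.23, port 80, Thursday, May 09, 2019 08:15:03
[DoS Attack: RST Scan] from source: 75.75.75.75, port 53, Thursday, May 09, 2019 08:29:40
[DoS Attack: ACK Scan] from source: 192.0.2.9, port 443, Thursday, May 09, 2019 08:30:11
[Admin login] from source 192.168.1.10, Thursday, May 09, 2019 08:31:00
"""

# Resolvers the router itself queries (fill in from your WAN DNS settings;
# 75.75.75.75 / 75.75.76.76 are Comcast's). Packets from them on port 53
# are answers to the router's own lookups, not an attack.
KNOWN_RESOLVERS = {"75.75.75.75", "75.75.76.76"}

LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[0-9.]+), "
    r"port (?P<port>\d+), (?P<when>.+?)\s*$"
)
TIME_FMT = "%A, %B %d, %Y %H:%M:%S"


def parse_dos_events(log_text: str) -> list:
    """Return DoS-attack log entries as dicts, oldest first, each tagged
    with whether it looks like the resolver-reply false positive."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DoS entry (logins, DHCP, etc.)
        src, port = m["src"], int(m["port"])
        events.append({
            "kind": m["kind"],
            "src": src,
            "port": port,
            "when": datetime.strptime(m["when"], TIME_FMT),
            "likely_false_positive": src in KNOWN_RESOLVERS and port == 53,
        })
    events.sort(key=lambda e: e["when"])
    return events


def intervals_seconds(events: list) -> list:
    """Gaps between consecutive genuine events. A steady ~15 minute cadence
    of single scans from unrelated sources is ordinary background scanning,
    not a targeted flood."""
    real = [e for e in events if not e["likely_false_positive"]]
    return [int((b["when"] - a["when"]).total_seconds())
            for a, b in zip(real, real[1:])]


def summarize(log_text: str) -> dict:
    """Counts, per-source tally and median gap for a log excerpt."""
    events = parse_dos_events(log_text)
    gaps = sorted(intervals_seconds(events))
    return {
        "total": len(events),
        "false_positives": sum(e["likely_false_positive"] for e in events),
        "sources": Counter(e["src"] for e in events
                           if not e["likely_false_positive"]),
        "median_gap_min": round(gaps[len(gaps) // 2] / 60, 1) if gaps else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports five DoS entries, two of which are resolver replies, and a median gap of about 15 minutes between the remaining three, each from a different source: the pattern fdanna describes, and one that on its own does not explain a slowdown. A real investigation would feed the router's exported log to `summarize` and look for a single source repeating many times per minute, which is what an actual flood looks like.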
go4par wrote:
Also, neither Comcast nor Net Gear say they can adjust my modem/router clock and thus one hour behind. I don't see any clock settings incl. DLSavings time.
On the Orbi web interface, Advanced Tab->Administration->NTP Settings is where the user has a choice of which NTP server to use and whether to follow Daylight Saving Time.