nagendraprasath
Jun 04, 2020 (Aspirant)
DoS Attack: SYN/ACK Scan
I keep seeing the logs below in my Orbi router. What does "DoS Attack: SYN/ACK Scan" signify? Also, I am not sure why it prints "DHCP IP: <ip>" for all connected devices. DHCP has a lease time of 24 hrs? ...
CrimpOn
Jun 04, 2020 (Guru - Experienced User)
nagendraprasath wrote: I keep seeing the logs below in my Orbi router. What does "DoS Attack: SYN/ACK Scan" signify? Also, I am not sure why it prints "DHCP IP: <ip>" for all connected devices. DHCP has a lease time of 24 hrs?
The Orbi log contains a wide variety of items. DHCP assignments are recorded every time a device uses DHCP to ask Orbi to assign it an IP address. With a "lease time" of one day (24 hours), the DHCP standard calls for the device to request a renewal when the lease is half-expired. They are entirely normal. I know of no method to make the Orbi cease logging these events.
The Orbi firewall refuses all connection attempts except those specifically authorized by the user (see "Port Forwarding" and Remote Management). The firewall also has some (mysterious) mechanism for determining that a "pattern" of connection requests falls into a recognizable category of "scan" or "Denial of Service" attack. There is an option to have Orbi not include those conclusions in the log. As an analogy, suppose my practice is to never answer the telephone unless I recognize the calling number. Calls may come in, but if I do not recognize the caller, I never answer. I could keep a record of all the "Caller ID's" that I did not answer. If I seem to get many calls from the same number, I might even decide to highlight them ("aha, the Heart Foundation still wants a donation from me.") and assign them a category ("public appeals for money"). That's what Orbi's firewall is logging.
There are suggestions that Orbi is too aggressive in describing things as "DoS Attacks" or "ACK Scans". Alas, Netgear publishes nothing about how the firewall makes these determinations.
If they bother you, you can turn off the notices.
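One way to triage the two kinds of entries discussed in this thread, added here as an example and not part of any post: it tallies the firewall's "DoS Attack" labels per source address and measures the hours between DHCP entries per device, which for a 24-hour lease should sit near 12. The log line layout, the function names and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample; addresses are documentation ranges and the line layout
# is an assumption, not log text taken from the thread.
SAMPLE_LOG = """\
[DHCP IP: 192.168.1.20] to MAC address aa:bb:cc:00:00:01, Thursday, June 04, 2020 00:00:10
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.10, port 443, Thursday, June 04, 2020 09:15:02
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.10, port 443, Thursday, June 04, 2020 09:15:40
[DHCP IP: 192.168.1.20] to MAC address aa:bb:cc:00:00:01, Thursday, June 04, 2020 12:00:10
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 80, Thursday, June 04, 2020 18:02:11
[DHCP IP: 192.168.1.20] to MAC address aa:bb:cc:00:00:01, Friday, June 05, 2020 00:00:10
"""

LINE = re.compile(
    r"^\[(?P<kind>[^:\]]+): (?P<detail>[^\]]+)\] (?P<body>.*?), "
    r"\w+, (?P<when>\w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$")

def parse(log):
    """Yield (kind, detail, body, timestamp) for every line that matches."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            when = datetime.strptime(m["when"], "%B %d, %Y %H:%M:%S")
            yield m["kind"], m["detail"], m["body"], when

def firewall_hits(log):
    """Count the firewall's classifications per (label, source IP)."""
    hits = Counter()
    for kind, detail, body, _ in parse(log):
        src = re.search(r"from source: ([\d.]+)", body)
        if kind == "DoS Attack" and src:
            hits[(detail, src.group(1))] += 1
    return hits

def dhcp_gaps_hours(log):
    """Hours between consecutive DHCP entries for each MAC address."""
    seen = defaultdict(list)
    for kind, _, body, when in parse(log):
        mac = re.search(r"to MAC address ([0-9A-Fa-f:]{17})", body)
        if kind == "DHCP IP" and mac:
            seen[mac.group(1).lower()].append(when)
    return {m: [(b - a).total_seconds() / 3600 for a, b in zip(t, t[1:])]
            for m, t in ((m, sorted(t)) for m, t in seen.items())}

if __name__ == "__main__":
    print(firewall_hits(SAMPLE_LOG).most_common())
    print(dhcp_gaps_hours(SAMPLE_LOG))
```

Gaps close to half the lease time indicate ordinary renewals; a source that appears only a handful of times in the firewall tally is an unanswered connection attempt that the firewall has labelled.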
- nagendraprasath, Jun 08, 2020 (Aspirant)
Thanks for your response. I agree with your comment about DHCP. Is there a way to increase the DHCP lease beyond 24 hrs?
- CrimpOn, Jun 08, 2020 (Guru - Experienced User)
While I (personally) sort of like seeing that my devices are renewing their IP leases twice a day, my impression is that the default lease probably can be changed. According to what I find by searching the web, a DHCP lease can be as long as 135 years. This one article recommends various lease times for specific situations:
https://www.informit.com/articles/article.aspx?p=30874&seqNum=3
Notice that they are describing a situation where different DHCP "pools" are used for different purposes (student labs vs. servers, etc.)
Orbi has only a single DHCP pool.
When I telnet into my Orbi and display parameters using the command
nvram show | grep dhcp
(display all the parameters and pass them through the program "grep" to list only those with the string "dhcp" in it)
One of the lines that shows up is this:
dhcpc_lease_time=86400
86,400 seconds is one day (60x60x24). So, in theory, one could change that to a different value by typing:
config set dhcpc_lease_time=864000
config commit
This would create a lease time of 10 days. Please understand:
- I would for certain make a backup of the Orbi configuration in case this goes horribly wrong and I am forced to Factory Reset the Orbi.
- I have not done this myself