itsthelag
Aspirant
Apr 21, 2020

DoS Attacks - from varying sources and ports.

Hi There,

Since all the working from home started - I've noticed sporadic interruptions while using Video conferencing and while gaming. I will get ping spikes for about 3-5 mins and then it's pretty much back to normal. I researched a bit and found that some of this is just scans that happen normally, but some of the ports I'm seeing are not what people reference as "common ports", 443 and 80 being the most common. I attached the logs in a spreadsheet. Wondering if someone could let me know if I should be concerned or what I should do about it? I really don't want to deal with the interruptions in service and I don't know what else could be causing the interruptions. Any help would be greatly appreciated!

PS - I have so many lines I cannot post the log.

10 Replies

  • FURRYe38
    Guru - Experienced User

    What Firmware version is currently loaded?
    What is the Mfr and model# of the Internet Service Provider's modem/ONT the NG router is connected to?

     

    What IP addresses are shown in the logs with these attacks? Any of them 192.168.1.something or for external IP addresses?

    • itsthelag
      Aspirant

      Firmware is 2.5.1.8, says it's up to date.

      Modem is a NG CM 1000.

       

      As for the IPs, they are all varying and I'm not positive how to determine if they're from an external address - of the 256 lines I pulled from the log, 125 of them are DoS related. An actual attack doesn't make sense to me, but if not this, what would be causing my newly minted spikes and disconnects while gaming?

       

      [DoS Attack: SYN/ACK Scan] from source: 45.220.82.227, port 80, Tuesday, April 21, 2020 10:36:00
      [DoS Attack: ACK Scan] from source: 35.168.41.214, port 443, Tuesday, April 21, 2020 10:33:37
      [DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 10:14:32
      [DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 10:04:19
      [DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 09:46:07
      [admin login] from source 10.0.0.19, Tuesday, April 21, 2020 09:36:16
      [DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 09:25:53
      [admin login] from source 10.0.0.19, Tuesday, April 21, 2020 09:15:02
      [DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Tuesday, April 21, 2020 09:10:50
      [UPnP set event: del_nat_rule] from source 10.0.0.14, Tuesday, April 21, 2020 08:58:49
      [DoS Attack: SYN/ACK Scan] from source: 213.238.167.92, port 22, Tuesday, April 21, 2020 08:56:44
      [DHCP IP: 10.0.0.16] to MAC address d0:c6:37:63:3d:82, Tuesday, April 21, 2020 08:05:11
      [DoS Attack: ACK Scan] from source: 52.96.32.2, port 443, Tuesday, April 21, 2020 07:46:39
      [DoS Attack: ACK Scan] from source: 216.82.178.25, port 443, Tuesday, April 21, 2020 07:24:45
      [DoS Attack: SYN/ACK Scan] from source: 149.202.87.54, port 25565, Tuesday, April 21, 2020 07:07:35
      [DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 06:57:01
      [DoS Attack: RST Scan] from source: 213.29.6.196, port 43589, Tuesday, April 21, 2020 06:10:26
      [DHCP IP: 10.0.0.2] to MAC address 3c:37:86:45:88:73, Tuesday, April 21, 2020 05:53:55
      [DHCP IP: 10.0.0.3] to MAC address 28:6d:97:a4:66:d8, Tuesday, April 21, 2020 05:53:00
      [DoS Attack: SYN/ACK Scan] from source: 43.250.107.198, port 80, Tuesday, April 21, 2020 05:32:16
      [DoS Attack: SYN/ACK Scan] from source: 88.198.146.70, port 80, Tuesday, April 21, 2020 05:30:20
      [DoS Attack: TCP/UDP Chargen] from source: 71.6.232.5, port 53443, Tuesday, April 21, 2020 05:04:08
      [DoS Attack: SYN/ACK Scan] from source: 149.202.139.215, port 25565, Tuesday, April 21, 2020 03:55:52
      [DoS Attack: SYN/ACK Scan] from source: 88.198.146.70, port 80, Tuesday, April 21, 2020 03:10:38
      [DoS Attack: RST Scan] from source: 185.195.16.201, port 80, Tuesday, April 21, 2020 02:02:49
      [admin login] from source 10.0.0.19, Tuesday, April 21, 2020 01:48:01
      [DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 01:40:51
      [admin login] from source 10.0.0.19, Tuesday, April 21, 2020 01:36:39
      [DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 01:33:58
      [DoS Attack: ACK Scan] from source: 52.96.9.5, port 8779, Tuesday, April 21, 2020 01:30:40
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:26:47
      [DHCP IP: 10.0.0.20] to MAC address 08:12:a5:6a:32:76, Tuesday, April 21, 2020 01:26:43
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:26:02
      [DHCP IP: 10.0.0.13] to MAC address 38:53:9c:a3:32:82, Tuesday, April 21, 2020 01:25:52
      [DHCP IP: 10.0.0.8] to MAC address dc:f5:05:92:cc:3a, Tuesday, April 21, 2020 01:25:50
      [DoS Attack: ACK Scan] from source: 52.96.9.5, port 10937, Tuesday, April 21, 2020 01:25:40
      [DHCP IP: 10.0.0.20] to MAC address 08:12:a5:6a:32:76, Tuesday, April 21, 2020 01:25:37
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:25:31
      [DHCP IP: 10.0.0.7] to MAC address fc:a1:83:22:79:30, Tuesday, April 21, 2020 01:25:26
      [DHCP IP: 10.0.0.15] to MAC address 64:16:66:af:07:3b, Tuesday, April 21, 2020 01:25:23
      [DHCP IP: 10.0.0.9] to MAC address 64:16:66:af:2b:6f, Tuesday, April 21, 2020 01:25:22
      [DHCP IP: 10.0.0.12] to MAC address 78:d2:94:2d:a0:b3, Tuesday, April 21, 2020 01:25:20
      [DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:25:14
      [DHCP IP: 10.0.0.14] to MAC address b4:ae:2b:1a:e0:ec, Tuesday, April 21, 2020 01:25:14
      [DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 01:25:12
      [DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:25:11
      [DHCP IP: 10.0.0.4] to MAC address 28:6d:97:b4:de:d3, Tuesday, April 21, 2020 01:24:59
      [DHCP IP: 10.0.0.11] to MAC address 00:71:47:47:d3:29, Tuesday, April 21, 2020 01:24:56
      [admin login] from source 10.0.0.19, Tuesday, April 21, 2020 01:18:04
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:06:22
      [Time synchronized with NTP server] Tuesday, April 21, 2020 01:06:09
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:05:01
      [admin login failure] from source 10.0.0.19, Tuesday, April 21, 2020 01:04:25
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:04:08
      [DHCP IP: 10.0.0.14] to MAC address b4:ae:2b:1a:e0:ec, Tuesday, April 21, 2020 01:04:00
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:03:58
      [DHCP IP: 10.0.0.12] to MAC address 78:d2:94:2d:a0:b3, Tuesday, April 21, 2020 01:03:57
      [WLAN access rejected: incorrect security] from MAC address 8a:d2:94:2d:a0:b3, Tuesday, April 21, 2020 01:03:30
      [DHCP IP: 10.0.0.13] to MAC address 38:53:9c:a3:32:82, Tuesday, April 21, 2020 01:03:02
      [DHCP IP: 10.0.0.15] to MAC address 64:16:66:af:07:3b, Tuesday, April 21, 2020 01:02:57
      [DHCP IP: 10.0.0.9] to MAC address 64:16:66:af:2b:6f, Tuesday, April 21, 2020 01:02:53
      [DHCP IP: 10.0.0.8] to MAC address dc:f5:05:92:cc:3a, Tuesday, April 21, 2020 01:02:47
      [DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 01:02:43
      [DHCP IP: 10.0.0.20] to MAC address 08:12:a5:6a:32:76, Tuesday, April 21, 2020 01:02:41
      [DHCP IP: 10.0.0.7] to MAC address fc:a1:83:22:79:30, Tuesday, April 21, 2020 01:02:40
      [DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:02:39
      [DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 01:02:39
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:02:36
      [DHCP IP: 10.0.0.11] to MAC address 00:71:47:47:d3:29, Tuesday, April 21, 2020 01:02:33
      [DHCP IP: 10.0.0.4] to MAC address 28:6d:97:b4:de:d3, Tuesday, April 21, 2020 01:02:33
      [DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:01:56
      [remote login failure] from source 10.0.0.19, Tuesday, April 21, 2020 01:01:56
      [admin login] from source 10.0.0.19, Tuesday, April 21, 2020 00:58:46
      [DoS Attack: RST Scan] from source: 115.79.5.206, port 62831, Tuesday, April 21, 2020 00:53:30
      [admin login] from source 10.0.0.19, Tuesday, April 21, 2020 00:47:52
      [admin login failure] from source 10.0.0.19, Tuesday, April 21, 2020 00:47:43
      [admin login failure] from source 10.0.0.19, Tuesday, April 21, 2020 00:47:32
      [DoS Attack: ACK Scan] from source: 52.216.164.115, port 443, Tuesday, April 21, 2020 00:46:53
      [DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Tuesday, April 21, 2020 00:40:46
      [DoS Attack: SYN/ACK Scan] from source: 54.39.209.226, port 22, Tuesday, April 21, 2020 00:23:18
      [DoS Attack: SYN/ACK Scan] from source: 64.68.121.205, port 80, Tuesday, April 21, 2020 00:13:31
      [DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 00:10:46
      [DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Monday, April 20, 2020 23:55:46
      [DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Monday, April 20, 2020 23:28:09
      [DHCP IP: 10.0.0.13] to MAC address 38:53:9c:a3:32:82, Monday, April 20, 2020 23:15:41
      [DHCP IP: 10.0.0.12] to MAC address 78:d2:94:2d:a0:b3, Monday, April 20, 2020 22:27:29
      [DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Monday, April 20, 2020 22:25:50
      [DoS Attack: ACK Scan] from source: 31.13.71.3, port 443, Monday, April 20, 2020 22:03:03
      [DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Monday, April 20, 2020 21:39:48
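
Added example (not part of the original posts): a small Python triage of log lines in this format that separates LAN (private-range) sources from internet sources and flags entries that look like replies from servers. It assumes the logged port is the remote host's source port; the reply heuristic (ACK, SYN/ACK or RST from port 80 or 443) and the function names are assumptions, and the sample is seven lines from the post plus one constructed line.

```python
import ipaddress
import re
from collections import Counter

# Shape of the router's DoS entries as posted in the thread
DOS_RE = re.compile(r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: "
                    r"(?P<ip>[0-9A-Fa-f.:]+), port (?P<port>\d+),")
REPLY_KINDS = {"ACK Scan", "SYN/ACK Scan", "RST Scan"}  # assumption: server-reply segments
SERVICE_PORTS = {80, 443}  # assumption: ports ordinary web servers reply from
# First seven lines copied from the post; the last line is constructed
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 45.220.82.227, port 80, Tuesday, April 21, 2020 10:36:00
[DoS Attack: ACK Scan] from source: 35.168.41.214, port 443, Tuesday, April 21, 2020 10:33:37
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 09:36:16
[DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 09:25:53
[DoS Attack: SYN/ACK Scan] from source: 149.202.87.54, port 25565, Tuesday, April 21, 2020 07:07:35
[DoS Attack: TCP/UDP Chargen] from source: 71.6.232.5, port 53443, Tuesday, April 21, 2020 05:04:08
[DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 01:40:51
[DoS Attack: ACK Scan] from source: 192.168.1.50, port 51000, Tuesday, April 21, 2020 01:00:00
"""

def classify(line):
    """Parse one log line; return None if it is not a well-formed DoS entry."""
    m = DOS_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # malformed address in the log
        return None
    port = int(m["port"])
    origin = "lan" if ip.is_private else "internet"  # RFC 1918 and other non-routable ranges
    reply_like = (origin == "internet" and m["kind"] in REPLY_KINDS
                  and port in SERVICE_PORTS)
    return {"kind": m["kind"], "ip": str(ip), "port": port,
            "origin": origin, "reply_like": reply_like}

def summarize(log_text):
    """Count DoS entries by origin and kind, and list sources seen more than once."""
    rows = [r for r in map(classify, log_text.splitlines()) if r]
    per_ip = Counter(r["ip"] for r in rows)
    return {"total": len(rows),
            "by_origin": dict(Counter(r["origin"] for r in rows)),
            "by_kind": dict(Counter(r["kind"] for r in rows)),
            "reply_like": sum(r["reply_like"] for r in rows),
            "repeat_sources": {ip: n for ip, n in per_ip.items() if n > 1}}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high `reply_like` share is consistent with late return traffic from sites the home devices contacted; entries with a `lan` origin would point at a device inside the network instead.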
  • FURRYe38
    Guru - Experienced User

    You can use a whois lookup service online to see where those IP addresses are coming from.

    You should have your ISP change the IP address that is coming in from the modem as well to see if anything changes. 

    Some IPs may be from services to devices on your network. You may want to turn OFF all devices except for 1 wired PC to see if the entries dissipate any.

     

    Have the ISP check the signal and line quality UP to the modem. 
    Be sure there are no coax cable line splitters in between the modem and ISP service box. 
    Be sure you're using good quality RG6 coax cable up to the modem.

     

    • CrimpOn
      Guru - Experienced User

      I have been collecting the logs from two Orbis (one for over a year, one for 8 months). These logs record these "DoS Attacks" every day, and this is entirely normal. Orbi contains a firewall for a purpose. It rejects attempts to connect and has an option to record "interesting things" in the Orbi log. People have posted comments indicating that Orbi is too "liberal" at classifying random connection attempts as "attacks".

      The user can "Disable Port Scan and DoS Protection" on the Orbi web interface, Setup, WAN Setup page. I believe this will stop the system from spending processing time recording and classifying things and writing them to the log. I am not confident that there will be a noticeable improvement in performance.

       

      Orbis have a "public IP address", just as we have "public" street addresses and phone numbers. It is almost trivial to create a program which will "scan" IP addresses looking for systems that respond. This has been happening since the internet was created. It's like RoboCalls that just dial every possible phone number hoping that some of them will answer. I can set my phone to ignore certain calls and not ring, but that doesn't make the calls go away.

       

      Since the service problems are serious, I would certainly try checking that box first.

      • itsthelag
        Aspirant

        Thank you for the advice - checking that won't leave me open to other security issues?

         

        I downloaded a tool called ping plotter, and I really just don't know what I'm looking at - are these ping/latency spikes unusual?