NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
IP Spoofing
Hi.
Can some please advise/help me?
We are having trouble with our wifi connection. I have gone into the log and we have the following
[DoS Attack: IP Spoofing] from source: 10.0.0.15, port 49154, Saturday, December 26, 2020 13:27:10
[DoS Attack: IP Spoofing] from source: 10.0.0.8, port 49154, Saturday, December 26, 2020 13:27:10
[DoS Attack: IP Spoofing] from source: 10.0.0.7, port 49154, Saturday, December 26, 2020 13:27:10
[DoS Attack: IP Spoofing] from source: 10.0.0.2, port 49154, Saturday, December 26, 2020 13:27:10
[DoS Attack: IP Spoofing] from source: 10.0.0.10, port 49154, Saturday, December 26, 2020 13:27:10
[DoS Attack: IP Spoofing] from source: 10.0.0.14, port 49154, Saturday, December 26, 2020 13:27:10
[DoS Attack: IP Spoofing] from source: 10.0.0.17, port 52817, Saturday, December 26, 2020 13:27:05
[DoS Attack: IP Spoofing] from source: 10.0.0.17, port 52327, Saturday, December 26, 2020 13:27:05
[DoS Attack: IP Spoofing] from source: 10.0.0.7, port 49154, Saturday, December 26, 2020 13:27:05
[DoS Attack: IP Spoofing] from source: 10.0.0.2, port 49154, Saturday, December 26, 2020 13:27:05
[DoS Attack: IP Spoofing] from source: 10.0.0.15, port 49154, Saturday, December 26, 2020 13:27:05
[DoS Attack: IP Spoofing] from source: 10.0.0.8, port 49154, Saturday, December 26, 2020 13:27:05
[DoS Attack: IP Spoofing] from source: 10.0.0.10, port 49154, Saturday, December 26, 2020 13:27:04
[DoS Attack: IP Spoofing] from source: 10.0.0.14, port 49154, Saturday, December 26, 2020 13:27:04
[DoS Attack: IP Spoofing] from source: 10.0.0.24, port 5353, Saturday, December 26, 2020 13:27:04
[DoS Attack: IP Spoofing] from source: 10.0.0.18, port 49153, Saturday, December 26, 2020 13:27:04
[admin login] from source 10.0.0.34, Saturday, December 26, 2020 13:27:00
[DoS Attack: IP Spoofing] from source: 10.0.0.7, port 49154, Saturday, December 26, 2020 13:27:00
[DoS Attack: IP Spoofing] from source: 10.0.0.15, port 49154, Saturday, December 26, 2020 13:27:00
[DoS Attack: IP Spoofing] from source: 10.0.0.2, port 49154, Saturday, December 26, 2020 13:27:00
[DoS Attack: IP Spoofing] from source: 10.0.0.8, port 49154, Saturday, December 26, 2020 13:26:59
[DoS Attack: IP Spoofing] from source: 10.0.0.10, port 49154, Saturday, December 26, 2020 13:26:59
[DoS Attack: IP Spoofing] from source: 10.0.0.14, port 49154, Saturday, December 26, 2020 13:26:59
[DoS Attack: IP Spoofing] from source: 10.0.0.34, port 137, Saturday, December 26, 2020 13:26:59
[DoS Attack: IP Spoofing] from source: 10.0.0.18, port 49153, Saturday, December 26, 2020 13:26:59
[DoS Attack: IP Spoofing] from source: 10.0.0.34, port 5353, Saturday, December 26, 2020 13:26:59
[DoS Attack: IP Spoofing] from source: 10.0.0.34, port 137, Saturday, December 26, 2020 13:26:59
[DoS Attack: IP Spoofing] from source: 10.0.0.15, port 49154, Saturday, December 26, 2020 13:26:55
[DoS Attack: IP Spoofing] from source: 10.0.0.7, port 49154, Saturday, December 26, 2020 13:26:55
[DoS Attack: IP Spoofing] from source: 10.0.0.8, port 49154, Saturday, December 26, 2020 13:26:55
[DoS Attack: IP Spoofing] from source: 10.0.0.2, port 49154, Saturday, December 26, 2020 13:26:55
[DoS Attack: IP Spoofing] from source: 10.0.0.10, port 49154, Saturday, December 26, 2020 13:26:55
[DoS Attack: IP Spoofing] from source: 10.0.0.14, port 49154, Saturday, December 26, 2020 13:26:55
[DoS Attack: IP Spoofing] from source: 10.0.0.21, port 5353, Saturday, December 26, 2020 13:26:54
[DoS Attack: IP Spoofing] from source: 10.0.0.18, port 49153, Saturday, December 26, 2020 13:26:54
[DoS Attack: IP Spoofing] from source: 10.0.0.9, port 49154, Saturday, December 26, 2020 13:26:53
[DoS Attack: IP Spoofing] from source: 10.0.0.5, port 49154, Saturday, December 26, 2020 13:26:53
[DoS Attack: IP Spoofing] from source: 10.0.0.6, port 49154, Saturday, December 26, 2020 13:26:53
[DoS Attack: IP Spoofing] from source: 10.0.0.8, port 49154, Saturday, December 26, 2020 13:26:50
[DoS Attack: IP Spoofing] from source: 10.0.0.10, port 49154, Saturday, December 26, 2020 13:26:50
[DoS Attack: IP Spoofing] from source: 10.0.0.14, port 49154, Saturday, December 26, 2020 13:26:50
[DoS Attack: IP Spoofing] from source: 10.0.0.18, port 49153, Saturday, December 26, 2020 13:26:49
[DoS Attack: IP Spoofing] from source: 10.0.0.24, port 5353, Saturday, December 26, 2020 13:26:48
[DoS Attack: IP Spoofing] from source: 10.0.0.9, port 49154, Saturday, December 26, 2020 13:26:48
[DoS Attack: IP Spoofing] from source: 10.0.0.6, port 49154, Saturday, December 26, 2020 13:26:48
[DoS Attack: IP Spoofing] from source: 10.0.0.5, port 49154, Saturday, December 26, 2020 13:26:48
[DoS Attack: IP Spoofing] from source: 10.0.0.3, port 49154, Saturday, December 26, 2020 13:26:48
[DoS Attack: IP Spoofing] from source: 10.0.0.34, port 5353, Saturday, December 26, 2020 13:26:45
[DoS Attack: IP Spoofing] from source: 10.0.0.6, port 49154, Saturday, December 26, 2020 13:26:43
[DoS Attack: IP Spoofing] from source: 10.0.0.5, port 49154, Saturday, December 26, 2020 13:26:43
[DoS Attack: IP Spoofing] from source: 10.0.0.3, port 49154, Saturday, December 26, 2020 13:26:42
[DoS Attack: IP Spoofing] from source: 10.0.0.24, port 5353, Saturday, December 26, 2020 13:26:40
[DoS Attack: IP Spoofing] from source: 10.0.0.15, port 49154, Saturday, December 26, 2020 13:26:40
[DoS Attack: IP Spoofing] from source: 10.0.0.7, port 49154, Saturday, December 26, 2020 13:26:40
[DoS Attack: IP Spoofing] from source: 10.0.0.2, port 49154, Saturday, December 26, 2020 13:26:40
[DoS Attack: IP Spoofing] from source: 10.0.0.8, port 49154, Saturday, December 26, 2020 13:26:40
[DoS Attack: IP Spoofing] from source: 10.0.0.10, port 49154, Saturday, December 26, 2020 13:26:40
Its obviously this which is causing our devices to stop responding. We have load of devices on the network, from smart speakers to smart lights, but I cannot work out what device/s is causing this.
Can someone please bring me some christmas cheer and it is driving me mad!!
Thank you.
7 Replies
DOS attacks listed in the Orbi log file are supposed to be indications that the Orbi firewall rules have detected a pattern of incomming packets that have been rejected and which are typical of some type of unwanted behavior.. It is like a telephone reporting, "I got a bunch of robot calls from these phone numbers and did not answer any of them." Here is a description of IP spoofing:
https://www.cloudflare.com/learning/ddos/glossary/ip-spoofing/
IP addresses that begin with 10.0.0 are "private" addresses that are not supposed to be send across the internet. This is easy to verify by looking at the Orbi Attached Devices page for the address range that has been assigned to devices attached to the LAN side of the Orbi.
Do they begin with 10.0.0?
It might be useful to describe more about the WiFi problem so people on the forum can venture opinions as to what is causing it.
Hi.
Thanks for the reply....even on Boxing Day, as did not think I would get a reply so soon.
The 10.0.0 range is my internal address range.
Im not sure of what is on my network that is causing it. however, I do have smart lights etc, and these are connected through alexa skills, so was wondering if maybe one of these connections had been hacked.
The main problem is some of the devices are not responding, for example our mobiles or tablets, when you try to do something it take ages to respond or take ages to load a webpage. Im just concerned that maybe I have been hacked, but just wonder where I start to look up what device is causing the issue. I could change the wifi password, but some of the devices are not located in an easy place to access so setting up the wifi with a new password might not be that easy. Not sure where to start really.
skeebs wrote:The 10.0.0 range is my internal address range.
Im not sure of what is on my network that is causing it. however, I do have smart lights etc, and these are connected through alexa skills, so was wondering if maybe one of these connections had been hacked.
The main problem is some of the devices are not responding, for example our mobiles or tablets, when you try to do something it take ages to respond or take ages to load a webpage. Im just concerned that maybe I have been hacked, but just wonder where I start to look up what device is causing the issue. I could change the wifi password, but some of the devices are not located in an easy place to access so setting up the wifi with a new password might not be that easy. Not sure where to start really.
The "typical" private IP range for consumer routers is 192.168.1.x, with the router takiing 192.168.1.1 for itself and assigning other IP's to devices connected to the local side (LAN). Orbi's change to 10.0.0 when they are connected to something that has already taken 192.168.
So there is a very good chance that the Orbi is connected to another router. ISP's commonly provide combination modem/router/WiFi boxes, so this is not unusual.
Is anything else connected to the ISP device besides the Orbi?
When you looked at Attached Devices, do any of them have the IP addresses that are appearing in the Orbi log?
My approach to this sort of problem is sort of weird. Orbi can capture the traffic on the WAN and LAN sides of the router and create a file that can be processed by network analysis programs, such as Wireshark. After capturing enough data to collect a few examples of IP Spoofing, I would use Wireshark to look for the packets and see "where they came from". IP Spoofing means that the Orbi has determined that packets with these IP address cannot possibly be coming from that IP address.
- Are they coming into the WAN port?
Orbi would know that 10.0.0 IP's do not cross the public internet, so some bozo in the neighborhood is creating packets that are hitting my router. Shame on them.
In that case, they are not reaching into the Orbi and are simply a nuisance that is probably not causing the performance issues. - Are they on the LAN side?
If so, some device on my LAN is creating bogus packets and Wireshark will reveal the MAC address that is generating them.
That device needs some inspection.
Weird, but that's what nerds do for entertainment.
- Are they coming into the WAN port?
What Firmware version is currently loaded?
What is the Mfr and model# of the Internet Service Providers modem/ONT the NG router is connected too? Built in router here by chance? IF so, This would be a double NAT (two router) condition which isn't recommended. https://kb.netgear.com/30186/What-is-Double-NAT
https://kb.netgear.com/30187/How-to-fix-issues-with-Double-NAT
Couple of options,
1. Configure the modem for transparent bridge or modem only mode. Then use the Orbi router in router mode. You'll need to contact the ISP for help and information in regards to the modem being bridged correctly.
2. If you can't bridge the modem, disable ALL wifi radios on the modem, configure the modems DMZ/ExposedHost or IP Pass-Through for the IP address the Orbi router gets from the modem. Then you can use the Orbi router in Router mode.
3. Or disable all wifi radios on the modem and connect the Orbi router to the modem, configure AP mode on the Orbi router. https://kb.netgear.com/31218/How-do-I-configure-my-Orbi-router-to-act-as-an-access-point and https://www.youtube.com/watch?v=H7LOcJ8GdDo&app=desktop
