skeebs
Dec 26, 2020 Aspirant
IP Spoofing
Hi. Can someone please advise/help me? We are having trouble with our wifi connection. I have gone into the log and we have the following [DoS Attack: IP Spoofing] from source: 10.0.0.15, p...
skeebs
Dec 26, 2020 Aspirant
Hi.
Thanks for the reply....even on Boxing Day, as did not think I would get a reply so soon.
The 10.0.0 range is my internal address range.
I'm not sure of what is on my network that is causing it. However, I do have smart lights etc, and these are connected through Alexa skills, so was wondering if maybe one of these connections had been hacked.
The main problem is some of the devices are not responding, for example our mobiles or tablets, when you try to do something it takes ages to respond or takes ages to load a webpage. I'm just concerned that maybe I have been hacked, but just wonder where I start to look up what device is causing the issue. I could change the wifi password, but some of the devices are not located in an easy place to access so setting up the wifi with a new password might not be that easy. Not sure where to start really.
CrimpOn
Dec 26, 2020 Guru - Experienced User
skeebs wrote: The 10.0.0 range is my internal address range.
I'm not sure of what is on my network that is causing it. However, I do have smart lights etc, and these are connected through Alexa skills, so was wondering if maybe one of these connections had been hacked.
The main problem is some of the devices are not responding, for example our mobiles or tablets, when you try to do something it takes ages to respond or takes ages to load a webpage. I'm just concerned that maybe I have been hacked, but just wonder where I start to look up what device is causing the issue. I could change the wifi password, but some of the devices are not located in an easy place to access so setting up the wifi with a new password might not be that easy. Not sure where to start really.
The "typical" private IP range for consumer routers is 192.168.1.x, with the router taking 192.168.1.1 for itself and assigning other IPs to devices connected to the local side (LAN). Orbis change to 10.0.0 when they are connected to something that has already taken 192.168.
So there is a very good chance that the Orbi is connected to another router. ISPs commonly provide combination modem/router/WiFi boxes, so this is not unusual.
Is anything else connected to the ISP device besides the Orbi?
When you looked at Attached Devices, do any of them have the IP addresses that are appearing in the Orbi log?
My approach to this sort of problem is sort of weird. Orbi can capture the traffic on the WAN and LAN sides of the router and create a file that can be processed by network analysis programs, such as Wireshark. After capturing enough data to collect a few examples of IP Spoofing, I would use Wireshark to look for the packets and see "where they came from". IP Spoofing means that the Orbi has determined that packets with these IP addresses cannot possibly be coming from that IP address.
- Are they coming into the WAN port?
Orbi would know that 10.0.0 IPs do not cross the public internet, so some bozo in the neighborhood is creating packets that are hitting my router. Shame on them.
In that case, they are not reaching into the Orbi and are simply a nuisance that is probably not causing the performance issues.
- Are they on the LAN side?
If so, some device on my LAN is creating bogus packets and Wireshark will reveal the MAC address that is generating them.
That device needs some inspection.
Weird, but that's what nerds do for entertainment.
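The capture-and-inspect step described in the post above can also be scripted. This is an added example, not code from the thread or from NETGEAR: it assumes the router's capture is a classic pcap file with Ethernet framing, and the function names, the `10.0.0.0/24` default and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

def macs_by_source_ip(pcap, suspect_net="10.0.0.0/24"):
    """Map each IPv4 source inside suspect_net to the Ethernet source MACs using it."""
    net = ip_network(suspect_net)
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen, off = defaultdict(set), 24   # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Only plain IPv4-over-Ethernet is inspected (VLAN tags are not handled).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = ip_address(frame[26:30])
        if src in net:
            seen[str(src)].add(frame[6:12].hex(":"))
    return {ip: sorted(macs) for ip, macs in seen.items()}

def sample_capture():
    """Constructed capture: two MACs claim 10.0.0.15, plus unrelated traffic."""
    def frame(src_mac, src_ip):
        eth = bytes.fromhex("ffffffffffff" + src_mac) + b"\x08\x00"
        ipv4 = b"\x45\x00" + struct.pack(">H", 20) + bytes(8)
        return eth + ipv4 + ip_address(src_ip).packed + ip_address("10.0.0.1").packed
    frames = [frame("020000000001", "10.0.0.15"), frame("020000000002", "10.0.0.15"),
              frame("020000000003", "10.0.0.22"), frame("020000000004", "192.168.1.50")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for ip, macs in macs_by_source_ip(sample_capture()).items():
        print(ip, macs)
```

Run it once on the WAN-side capture and once on the LAN-side capture: an address from the log that shows up with more than one MAC, or with a MAC that matches nothing in Attached Devices, is the device to inspect.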
- skeebs Dec 27, 2020 Aspirant
Hi all.
Thanks for all the advice.
I live in the UK and have BT Broadband. Originally I set it up so it would sync using the BT router and then turn off the wifi on the BT router and use the Orbi network.
So now, I have removed the BT router from the network and plugged in a BT Openreach modem and use the Orbis to connect to the internet. All of the attacks have stopped, but now I have these. Probably not as bad though!
[DoS Attack: ARP Attack] from source: 192.168.1.1, Sunday, December 27, 2020 11:59:52
[DoS Attack: SYN/ACK Scan] from source: 192.95.9.25, port 22, Sunday, December 27, 2020 11:58:57
[DoS Attack: SYN/ACK Scan] from source: 192.95.9.30, port 22, Sunday, December 27, 2020 11:57:27
[DoS Attack: ACK Scan] from source: 52.51.76.79, port 443, Sunday, December 27, 2020 11:54:16
- CrimpOn Dec 27, 2020 Guru - Experienced User
My Orbi has logged 1,705 various "attacks" so far this month, an average of about 63 per day. People have expressed various opinions about these log entries, such as:
- Analyzing packets with the Orbi firewall consumes CPU cycles that could be used for "other things" so it is better to quit logging them.
- Netgear's firewall analysis flags too many "attacks" that are not really attacks.
- The Orbi doesn't accept connection requests (unless ports are "opened" on purpose), so the exercise is pointless.
I have never found documentation about how this feature actually works or how these "attacks" are defined. (such as how many connection attempts does it take to be considered an "attack"? one? 100? over what period of time?)
I did try to compare the Orbi iptables rules with and without logging and was unable to discover obvious differences, so I don't have evidence on whether CPU load is affected a little or a lot.
The more relevant question is your WiFi performance. Has it improved?
- skeebs Dec 27, 2020 Aspirant
Yes the wifi and everything is improved. All I can think, is the IP address I was issued with BT, was being hit a lot by hackers. I only have had 10 attempts in about 2 hours. I'm more than happy with that. I just hope it lasts, as this has caused me so much stress, as I am normally good at fixing things and this has blown my mind!
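For triaging a log like the one quoted in this thread, the entries can be tallied by type and split by whether the source is a private address (which cannot have crossed the public internet) or a public one. This is an added example, not code from the thread or from NETGEAR: the regular expression is inferred from the four quoted entries, and the fifth sample line is constructed.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Pattern inferred from the entries quoted in the thread (an assumption, not a spec).
ENTRY = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+)"
    r"(?:, port (?P<port>\d+))?, (?P<when>\w+, \w+ \d+, \d{4} [\d:]+)"
)

# First four lines are quoted in the thread; the last one is constructed.
SAMPLE = """\
[DoS Attack: ARP Attack] from source: 192.168.1.1, Sunday, December 27, 2020 11:59:52
[DoS Attack: SYN/ACK Scan] from source: 192.95.9.25, port 22, Sunday, December 27, 2020 11:58:57
[DoS Attack: SYN/ACK Scan] from source: 192.95.9.30, port 22, Sunday, December 27, 2020 11:57:27
[DoS Attack: ACK Scan] from source: 52.51.76.79, port 443, Sunday, December 27, 2020 11:54:16
[DoS Attack: IP Spoofing] from source: 10.0.0.99, port 40000, Saturday, December 26, 2020 09:00:00
"""

def summarize(text):
    """Count entries by type and by private/public source, and report the time span."""
    by_kind, private_src, public_src, times = Counter(), Counter(), Counter(), []
    for m in ENTRY.finditer(text):
        by_kind[m["kind"]] += 1
        side = private_src if ip_address(m["src"]).is_private else public_src
        side[m["src"]] += 1
        times.append(datetime.strptime(m["when"], "%A, %B %d, %Y %H:%M:%S"))
    hours = (max(times) - min(times)).total_seconds() / 3600 if times else 0.0
    return {
        "by_kind": dict(by_kind),
        "private": dict(private_src),   # look at the local network or upstream router
        "public": dict(public_src),     # arrived from the internet side
        "span_hours": round(hours, 2),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```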