

CrimpOn
Guru - Experienced User
Jul 06, 2021

Is it just me?

Starting July 1, my Orbi logs have been filling up with [DoS Attack: SYN/ACK Scan] on port 80 entries from all the IPs in the 212.133.164.x subnet.  If the IPs are not being spoofed, then this is from Ankara, Turkey.  This sort of thing happens from time to time, and usually whoever is doing it either tires of the exercise or accomplishes whatever they intended and the scans stop. Continuing for six days is a bit unusual.  No effect on the performance of my Orbi, but I wonder, are others seeing the same phenomenon?

9 Replies

  • I have an XR700 router, and I have been seeing a LOT of the same subnet DOS attacks in my system logs.  In addition, I have been having a lot more internet disruptions that correlate to the same times as these DOS attacks in the logs.

    • 
      CrimpOn
      Guru - Experienced User

      UK_Wildcats wrote:

      I have an XR700 router, and I have been seeing a LOT of the same subnet DOS attacks in my system logs.  In addition, I have been having a lot more internet disruptions that correlate to the same times as these DOS attacks in the logs.


      Thanks for responding.  Day 10 and "still going..." (like the Energizer Bunny). I would think after hammering at port 80 and never getting a connection, this goofball would move on to something else.


      My Orbi does not seem bothered by the connection attempts.  I have PingInfoView from Nirsoft pinging three DNS servers every 30 seconds (CloudFlare, Google, and Cloud Nine).  Out of the last 10,000 or so pings, only a handful have failed to respond and they do not seem to be "clustered", i.e., one of the three will miss a ping, but not the other two.  ICMP is a UDP packet, which is not guaranteed to be delivered, so there is no way to know whether the missing ping is

      • a packet that never reached the DNS server
      • a packet that got dropped somewhere along the way back
      • a packet that arrived at my Orbi but the Orbi was "too busy" to process it

      There could be different types of DoS attacks that have greater impact on the Orbi, or my experiment is flawed, but so far I do not see a strong correlation between Orbi log entries and service disruptions.


      I really wish Netgear had published something describing how the DoS attack mechanism works.  Surely a single connection attempt is not enough to be called an "attack".  Would it be 10? 20?  100?  No idea.

  • 
    FURRYe38
    Guru - Experienced User

    I'm currently seeing some entries from this address:

    23.62.78.137

    Some other entries but mostly from this domain: 23.62.

    • 
      CrimpOn
      Guru - Experienced User

      FURRYe38 wrote:

      I'm currently seeing some entries from this address:

      23.62.78.137

      Some other entries but mostly from this domain: 23.62.


      Looks as if this phenomenon is geographically different.  I collect log files from two Orbi systems in the US (East Coast, West Coast) and have combined the DoS log reports from July 1 through mid July 10 (11,634 log entries).  Put them in an Excel file that can be sorted on various columns. On Dropbox at https://www.dropbox.com/s/i2qmfep2v6e0y2d/July-1-10-Attacks.xlsx?dl=0   (My parsing algorithm messed up a couple of entries.)


      It is bizarre. Some hit both systems, others only one.  I can see trying ports 80, 443, 8080, etc., but some of the port numbers are just strange.

  • Same, same.  Flooded with hits on port 80 from that subnet.  Seems to be slacking off a little now but still going.  Like you, no apparent impact from the noise.

    • 
      skearcrow
      Aspirant

      I'm experiencing the same and I recently reached out to my ISP (Spectrum) to get a new modem to provide a new IP address. I don't have any ports open and the only thing that I could think of accessing from outside was my Arlo camera, which I have temporarily taken offline. The IP address (most likely spoofed) is looking at port 11095 and port 25565 and port 443. Embedding log copy below, but Spectrum claims they have no responsibility and Netgear has no answer. I'm inclined to buy a new router but I have no idea why these attacks are happening (not hosting a game server) and why they are sometimes shutting off the whole router.


      [DoS Attack: SYN/ACK Scan] from source: 51.161.99.79, port 25565, Tuesday, July 13, 2021 12:11:22
      [DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Tuesday, July 13, 2021 12:10:39
      [DoS Attack: ACK Scan] from source: 142.250.72.106, port 443, Tuesday, July 13, 2021 12:10:01
      [DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 11:45:08
      [DHCP IP: 10.10.34.110] to MAC address 44:65:0d:69:e1:30, Tuesday, July 13, 2021 11:40:34
      [DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 11:33:17
      [DoS Attack: ACK Scan] from source: 17.248.135.201, port 443, Tuesday, July 13, 2021 11:28:50
      [DHCP IP: 10.10.34.113] to MAC address 00:26:bb:01:07:a4, Tuesday, July 13, 2021 11:27:03
      [DoS Attack: Ascend Kill] from source: 209.18.47.62, port 53, Tuesday, July 13, 2021 11:25:23
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:17:35
      [DoS Attack: SYN/ACK Scan] from source: 89.44.192.37, port 3389, Tuesday, July 13, 2021 11:16:24
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:11:55
      [DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Tuesday, July 13, 2021 11:10:36
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:08:53
      [DoS Attack: ACK Scan] from source: 17.248.135.211, port 443, Tuesday, July 13, 2021 11:08:00
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:07:32
      [DHCP IP: 10.10.34.106] to MAC address d4:3b:04:8c:f3:43, Tuesday, July 13, 2021 11:06:44
      [DHCP IP: 10.10.34.106] to MAC address d4:3b:04:8c:f3:43, Tuesday, July 13, 2021 11:06:43
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:03:27
      [DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:58:26
      [DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:58:26
      [DoS Attack: ACK Scan] from source: 31.13.71.52, port 443, Tuesday, July 13, 2021 10:58:14
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:57:28
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:56:30
      [DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 10:55:48
      [DHCP IP: 10.10.34.109] to MAC address 14:10:9f:d2:f7:15, Tuesday, July 13, 2021 10:55:04
      [DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 10:55:03
      [Access Control] Device SCIMITAR with MAC address 14:10:9F:D2:F7:15 is allowed to access the network, Tuesday, July 13, 2021 10:
      [DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:53:57
      [WLAN access rejected: incorrect security] from MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:53:38
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:52:42
      [DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:47:23
      [DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:36:49
      [WLAN access rejected: incorrect security] from MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:36:43
      [DHCP IP: 10.10.34.112] to MAC address c8:f7:50:4d:15:9e, Tuesday, July 13, 2021 10:36:35
      [DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:36:14
      [DHCP IP: 10.10.34.101] to MAC address 38:68:a4:23:00:4c, Tuesday, July 13, 2021 10:28:06
      [DHCP IP: 10.10.34.101] to MAC address 38:68:a4:23:00:4c, Tuesday, July 13, 2021 10:28:05
      [DHCP IP: 10.10.34.113] to MAC address 00:26:bb:01:07:a4, Tuesday, July 13, 2021 10:21:57
      [DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:20:43
      [DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 10:11:41
      [DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Tuesday, July 13, 2021 10:10:32
      [DoS Attack: ACK Scan] from source: 142.250.176.202, port 443, Tuesday, July 13, 2021 09:58:08
      [DoS Attack: ACK Scan] from source: 142.250.80.106, port 443, Tuesday, July 13, 2021 09:56:20
      [DoS Attack: SYN/ACK Scan] from source: 142.44.178.137, port 388, Tuesday, July 13, 2021 09:48:35
      [DoS Attack: SYN/ACK Scan] from source: 162.241.216.182, port 443, Tuesday, July 13, 2021 09:44:13
      [DoS Attack: ACK Scan] from source: 68.67.179.90, port 443, Tuesday, July 13, 2021 09:31:30
      [DoS Attack: ACK Scan] from source: 68.67.160.186, port 443, Tuesday, July 13, 2021 09:30:02
      [DoS Attack: ACK Scan] from source: 199.187.193.182, port 443, Tuesday, July 13, 2021 09:30:02
      [DoS Attack: ACK Scan] from source: 199.232.37.194, port 443, Tuesday, July 13, 2021 09:29:29
      [DHCP IP: 10.10.34.113] to MAC address 00:26:bb:01:07:a4, Tuesday, July 13, 2021 09:22:05
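An added example, not code from any poster in this thread: a small Python parser for the router log format pasted above that tallies the DoS entries by scan type, source /24 and probed port, which is the kind of sorting CrimpOn did in a spreadsheet. The sample log below is constructed for the example; 212.133.164.x is the subnet named in the opening post, the host numbers and timestamps are invented, and DHCP/WLAN lines are included only to show they are skipped.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the router's DoS lines, e.g.
# "[DoS Attack: SYN/ACK Scan] from source: 1.2.3.4, port 80, Tuesday, July 13, 2021 12:11:22"
DOS_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"port (?P<port>\d+), (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

def parse_dos(lines):
    """Yield (kind, ip, port, datetime) for each DoS entry; DHCP/WLAN lines are skipped."""
    for line in lines:
        m = DOS_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
            yield m["kind"], m["ip"], int(m["port"]), ts

def summarize(lines):
    """Tally DoS entries by scan type, source /24 and probed port."""
    kinds, subnets, ports = Counter(), Counter(), Counter()
    for kind, ip, port, _ in parse_dos(lines):
        kinds[kind] += 1
        subnets[ip.rsplit(".", 1)[0] + ".0/24"] += 1
        ports[port] += 1
    return kinds, subnets, ports

def noisy_subnets(lines, threshold=3):
    """Return /24 prefixes with more than `threshold` DoS entries, busiest first."""
    _, subnets, _ = summarize(lines)
    return [(s, n) for s, n in subnets.most_common() if n > threshold]

# Constructed sample log (hypothetical hosts), modelled on the format pasted in the thread.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 212.133.164.10, port 80, Thursday, July 01, 2021 08:00:01
[DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Thursday, July 01, 2021 08:00:39
[DoS Attack: SYN/ACK Scan] from source: 212.133.164.11, port 80, Thursday, July 01, 2021 08:01:15
[DoS Attack: ACK Scan] from source: 142.250.72.106, port 443, Thursday, July 01, 2021 08:02:01
[DoS Attack: SYN/ACK Scan] from source: 212.133.164.12, port 80, Thursday, July 01, 2021 08:03:22
[DoS Attack: SYN/ACK Scan] from source: 212.133.164.13, port 80, Thursday, July 01, 2021 08:04:07
[WLAN access rejected: incorrect security] from MAC address 9e:35:1d:4d:0d:df, Thursday, July 01, 2021 08:05:00
[DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Thursday, July 01, 2021 08:06:48
""".splitlines()

if __name__ == "__main__":
    kinds, subnets, ports = summarize(SAMPLE_LOG)
    print("by type:", dict(kinds))
    print("by /24:", dict(subnets))
    print("by port:", dict(ports))
    print("noisy /24s:", noisy_subnets(SAMPLE_LOG))
```

Feed it the router's saved log file one line at a time and the /24 tally shows at a glance whether the noise is one scanner walking a subnet (as in the opening post) or scattered ACK scans from ordinary web servers.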

      • 
        CrimpOn
        Guru - Experienced User

        skearcrow wrote:

        I'm inclined to buy a new router but I have no idea why these attacks are happening (not hosting game server) and why they are sometimes shutting off the whole router.


        Well, the good news (for me) is that after 10 days, things are back to normal, i.e., 20-30 reports per day rather than hundreds.


        Spectrum is correct. There is nothing they can do to stop connection attempts and changing modems will make no difference. People are constantly sending packets to every public IP address in attempts to find open ports, just as people are constantly dialing every possible telephone number to let people know about "Renewing your automobile warranty."


        In my case, this nonsense appears to have had no effect on my Orbi besides filling the log file. The PingInfoView program has been running almost the entire time. I'm now pinging five DNS servers every 30 seconds.  Out of the last 7,000 ping attempts, only 12 have not completed. Three of the five DNS servers failed only one time in 7,000 attempts.  ICMP is a UDP packet (not guaranteed delivery), so there is no way to determine what went wrong.  My expectation is that if my Orbi got too busy dealing with "attacks", it would drop packets and all five DNS servers would fail to respond at the same time. Did not happen even one time.  My Orbi has not rebooted for 83 days. (Since the power went out and my UPS drained its battery.)


        In my tech support days, we had a saying: "When users report a problem, there is always a problem. But the problem may not be what the user thinks it is."  If your Orbi is shutting off, there is something wrong.  I just think the log entries of "attacks" are not likely to be the cause.