AngryGreenGiant
Feb 13, 2023 (Aspirant)
DoS attacks RBR750
Hi there. I have been bombarded with alerts from my Orbi app that say that individual devices on my network are being targeted for attacks. The message says "Netgear Armor detected and blocked a Deni...
CrimpOn
Feb 13, 2023 (Guru - Experienced User)
A curious situation, since the Orbi firewall has not detected any suspicious patterns of connection attempts (which do happen constantly and cannot be stopped).
The inference is that something inside the network (on the LAN) is doing something screwy. If these MAC addresses do not match any device on the network, I would suspect rogue software that is generating a lot of data packets with bogus MAC addresses so that the packets cannot be traced back to the device.
Is the target always the same device?
AngryGreenGiant
Feb 13, 2023 (Aspirant)
Different devices, but the ones that get blocked are my smart TVs, iPhones, and iPads so far. In fact, I may be calling it a MAC address when it in fact isn't. This number is also different almost every time. It appears to be an IPv6 IP address. Here is the format it shows, with random letters and numbers after the fe80.
fe80::f7:522:ab3c:92b4
- CrimpOn, Feb 13, 2023 (Guru - Experienced User)
AngryGreenGiant wrote:
It appears to be an IPv6 IP address. Here is the format it shows, with random letters and numbers after the fe80.
fe80::f7:522:ab3c:92b4
This is correct. fe80:: is the 64 bit long identification of a "Link Local" IPv6 address:
https://en.wikipedia.org/wiki/Link-local_address
Armor is complaining that these devices are creating "too many" IPv6 packets. Not having enabled Armor, I have no idea if it would complain about my network (or not).
Many devices display their various "addresses", for example:
pi@raspberrypi:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether dc:a6:32:12:30:20 txqueuelen 1000 (Ethernet)
        inet 192.168.1.30 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::bcf5:ba6f:51e2:c9a prefixlen 64 scopeid 0x20<link>
        inet6 2603:8000:403:bd7c:9cfa:abe7:547e:fdc prefixlen 64 scopeid 0x0<global>
This Raspberry Pi ethernet card (eth0) has three "addresses":
- IPv4 Address - 192.168.1.30
- IPv6 Public address - 2603:8000:403:bd7c:9cfa:abe7:547e:fdc
- IPv6 Link Local address - fe80::bcf5:ba6f:51e2:c9a
All of them tie to one hardware MAC address on the network: dc:a6:32:12:30:20
(I am not particularly anxious about sharing this information because the Orbi firewall totally blocks access to this Raspberry Pi from the Internet.)
It would have been useful if those Armor reports would list the actual hardware MAC address of the device it was complaining about. That should lead to a physical device on the network.
- AngryGreenGiant, Feb 13, 2023 (Aspirant)
Very true about how Armor isn't giving the actual MAC addresses. I don't know why it doesn't. I guess at this point I need to figure out what to do. If the security isn't compromised on my network I would be content with just letting it go, but I don't really want alerts all day every day for a "false alarm" assuming that's what this is. I would prefer to correct the issue.
- CrimpOn, Feb 13, 2023 (Guru - Experienced User)
My search for a tool to convert an IPv6 Link Local address to a MAC address failed to find anything. Apparently, in the "early days" of IPv6 it was common to use the hardware MAC address to compute an IPv6 Link Local address, but that process is not universal. (It might work, but I am not hopeful)
Windows has a method to display the Link Local Directory: netsh interface ipv6 show neighbors
This created an enormous number of entries, so I output this into a text file that could be searched. i.e.
netsh interface ipv6 show neighbors > a.txt
I do not know if Macs have a similar command.
The only obvious solution is brute force, which will be practical only if those reports are frequent. It is probably not practical to do a binary search. i.e.
- Power off half of the devices in the house. (Turning off a TV picture does not actually "turn off" the device.)
- If the report happens again, that half is "not the problem" and they can all be left on while the next step is:
- Power off half of the devices in the "suspect" group and repeat.
- This is a lot like March Madness. If there are 32 devices, it will go from 32-16-8-4-2-1.
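Added example, not part of the original thread: one way to tie an address from an Armor alert back to a hardware MAC, first by searching saved `netsh interface ipv6 show neighbors` output and then by undoing the older MAC-derived (EUI-64) link-local format mentioned above. The `SAMPLE` rows, the MAC `02-00-00-00-00-01`, the address `fe80::dea6:32ff:fe12:3020` and the function names are constructed for illustration; the assumed column layout is address first, then a dash-separated physical address.

```python
import ipaddress
import re

# Constructed sample of saved neighbor-table output (assumed layout, fake MACs).
SAMPLE = """\
Interface 12: Wi-Fi

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::f7:522:ab3c:92b4                        02-00-00-00-00-01  Reachable
ff02::1                                       33-33-00-00-00-01  Permanent
"""

ROW = re.compile(r"^\s*([0-9a-fA-F:]+(?:%\w+)?)\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\b")

def _ip(addr):
    """Parse an IPv6 address, dropping any %zone suffix so lookups compare equal."""
    return ipaddress.IPv6Address(addr.split("%")[0])

def mac_from_eui64(addr):
    """Return the MAC embedded in an EUI-64 link-local address, else None."""
    ip = _ip(addr)
    if not ip.is_link_local:
        return None
    iid = ip.packed[8:]                  # low 64 bits: interface identifier
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe mid-MAC
        return None                      # randomized identifier: no MAC inside
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def parse_neighbors(text):
    """Map each IPv6 address in the neighbor listing to its physical address."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                     # headers, separators, blank lines
        try:
            table[_ip(m.group(1))] = m.group(2).replace("-", ":").lower()
        except ValueError:
            continue                     # first column was not a valid address
    return table

def resolve(addr, neighbors_text):
    """Prefer the observed neighbor entry; fall back to EUI-64 decoding."""
    return parse_neighbors(neighbors_text).get(_ip(addr)) or mac_from_eui64(addr)

if __name__ == "__main__":
    for a in ("fe80::f7:522:ab3c:92b4", "fe80::dea6:32ff:fe12:3020"):
        print(a, "->", resolve(a, SAMPLE))
```

Neither link-local address quoted in this thread contains the `ff:fe` marker, so only a neighbor-table entry captured while the device is online can map them to a MAC.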