acayci
Jan 06, 2026 Tutor
[DoS attack: TCP SYN Flood] from source
Hello,
Now that I have enabled OpenVPN on the Netgear router for developers to connect using OpenVPN clients, and the router now has a public IP, I am sure bad actors may try to connect or do other things that I am not 100% sure about. For example, I saw this in the log:
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 40908 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 37576 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 38274 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 57958 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 58656 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 39428 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 43444 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 36466 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 37716 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 35524 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 32956 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 43748 Monday, Jan 05,2026 19:22:22
How would I prevent these kinds of TCP SYN Floods from happening again? Do I simply block the IP address? If so, how do I do that?
Secondly, how do I ensure only the developers in my team can connect to the router and not anyone else?
I appreciate all your insights and help on this. Thank you.
Mustafa
1 Reply
- StephenB, Guru - Experienced User
acayci wrote:
source 3.17.72.122
FYI, this particular address is registered to Amazon and is part of the AWS cloud. Best not to block it, as later on it could disrupt use of other cloud services hosted in the EC2 cloud. You could try reporting the behavior to trustandsafety@support.aws.com
These detections are pretty common. I don't think they are linked to the deployment of OpenVPN.
acayci wrote:
Secondly how do I ensure only the developers in my team can connect to the router and not anyone else?
The OpenVPN certificate should prevent other actors (w/o the certificate) from connecting with OpenVPN. One challenge here is that former team members might hang on to the credentials, which would let them continue to use the service. AFAIK, there is no way to create a new certificate in my Orbi router (and I think that is also true for other Netgear routers). So you might not be able to revoke access if you stay with Netgear's built-in service.
If you are forwarding any ports (or putting a server in the DMZ), then other measures would be needed. Firewalls on the devices receiving that traffic, and perhaps other security software. I'd disable UPnP in the router.
Netgear routers are designed for home use by consumers - you could also consider getting a business class router. There is a learning curve, so you'd need to be sure you have someone with the skills needed to properly administer it. But they will give you stronger access controls. As far as revocation goes, you could also get that by setting up your own VPN server. There's a learning curve there too.
You could also separate the development resources from the rest of your network, which would give you some more protection for your personal data. For instance, connect the Netgear router behind a business class firewall, and put your personal devices on the Netgear router (while putting development repos and servers on the business-only network).
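For triaging router log entries like the ones quoted in the question, the sketch below groups them by source address so that event count, distinct source ports and time span are visible per source. It is an added example, not part of the thread or of any Netgear tool; the function names and the second sample address (192.0.2.10, a documentation address) are constructed, and it assumes the English month names shown in the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log lines quoted in the question.
SAMPLE_LOG = """\
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 40908 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 37576 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 3.17.72.122,port 38274 Monday, Jan 05,2026 19:22:22
[DoS attack: TCP SYN Flood] from source 192.0.2.10,port 51000 Monday, Jan 05,2026 19:25:01
this line is not a DoS entry and is skipped
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<src>[0-9A-Fa-f.:]+),"
    r"\s*port (?P<port>\d+)\s+\w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)

def parse_line(line):
    """Return (kind, source, port, timestamp) for a DoS log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
    return m["kind"], m["src"], int(m["port"]), ts

def summarize(log_text):
    """Group DoS entries by (source, kind): count, source ports, first/last seen."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line
        kind, src, port, ts = parsed
        g = groups[(src, kind)]
        g["count"] += 1
        g["ports"].add(port)
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return dict(groups)

if __name__ == "__main__":
    for (src, kind), g in sorted(summarize(SAMPLE_LOG).items()):
        span = (g["last"] - g["first"]).total_seconds()
        print(f"{src:15} {kind:15} events={g['count']} "
              f"ports={len(g['ports'])} span={span:.0f}s first={g['first']}")
```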