aliraza2
Jan 13, 2022 Tutor
Daily DoS Attacks shutting off internet
Hi, I'm receiving daily DoS attacks in my logs which shut off my internet for upwards of 30 minutes if I don't restart my modem and router. The logs look something like this and they happen daily XR...
CrimpOn
Jan 13, 2022 Guru - Experienced User
Those log entries are not Denial of Service (DoS). They are reports that the router has applied a Quality of Service (QoS) to a "zone" that was defined by the user. Starting about page 54 of the user manual:
https://www.downloads.netgear.com/files/GDC/XR500/XR500_UM_EN.pdf
There is a discussion in that section about what happens if 100% is allocated to one device, then that effectively shuts off every other device.
Gaming routers are entirely different than 'ordinary' routers, such as the Orbi that we talk about in this forum. You are more likely to find someone who has experience with the XR500 in the gaming forum:
aliraza2
Jan 14, 2022 Tutor
The QoS is not what I'm worried about as I have it turned on and set to 50%. I'm worried about the
[DoS Attack: WinNuke Attack] from source: 218.76.236.71, port 19300, Wednesday, January 12, 2022 23:56:33
[DoS Attack: TCP/UDP Echo] from source: 80.82.77.193, port 59891, Thursday, January 13, 2022 00:21:53
[DoS Attack: SYN/ACK Scan] from source: 156.54.36.151, port 5060, Thursday, January 13, 2022 00:19:57
- CrimpOn Jan 14, 2022 Guru - Experienced User
Sorry (My Bad. Yes, those entries were buried in the log file and I missed them.) My Orbi records the same WinNuke events and does not lose internet.
Two Netgear Orbi systems email me their log files every time they fill up, and I have been keeping those logs for over two years.
Denial of Service (DoS) "attacks" are continuous. Every day, both of these routers record dozens. So far this January (13 days), one system has logged 654 and the other 754 DoS entries. (A rate of 50-60 per day.) There have been some weeks when the Internet "goes wild" with some jerk banging away with hundreds of attempts for day after day (until it stops). Neither system has ever lost internet. Not once.
There have been several discussions on the forum about these log entries. The consensus appears to be:
- Router firewalls do not accept incoming connections unless a port has been forwarded (deliberately) to a device on the LAN.
- There are hooks into the firewall software which detect certain patterns of connection attempts and classify them as "attacks", with the option to record this observation in the router log.
- No one seems to have found any documentation as to how these detection routines determine when connection attempts are just "random noise" and when they "fit a pattern".
- This detection activity does consume some router CPU cycles. (How much no one has seemed to determine.) It would be interesting to see if disabling the detection/logging activity makes a measurable difference in processor usage.
- Whether the router logs these conclusions is an option that can be set. No matter whether they are logged or not, the connection attempts still occur and are still not accepted.
I have no doubt that "something is going on", but have serious doubts that it is these reported Denial of Service attempts.
- Netduma-Liam Jan 18, 2022 NetDuma Partner
Hey aliraza2 ,
Great answer above!
I believe the issue of disconnections is separate from the log entries you're seeing.
When the disconnection occurs, are you able to access the XR500 interface by going to either 192.168.1.1 or routerlogin.net in your web browser?
- nielsvds Jan 18, 2022 Luminary
The IP addresses are suspicious ones.
218.76.236.71 (Chinese) : https://whois.domaintools.com/218.76.236.71
80.82.77.193 (Netherlands) : https://whois.domaintools.com/80.82.77.193
156.54.36.151 (Italy) : https://whois.domaintools.com/156.54.36.151
It is only your ISP that can try to do something about the DoS attacks.
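Added example (not part of any post in this thread, and not NETGEAR code): a Python sketch that parses log entries in the format quoted above, tallies them per day, type and source as CrimpOn describes doing with saved logs, and lists the entries logged close to an observed outage. The function names, the 10-minute window and the last sample line are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Entry format as quoted in the thread:
# [DoS Attack: <type>] from source: <ip>, port <n>, <Weekday>, <Month> <d>, <yyyy> <HH:MM:SS>
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}),"
    r" port (?P<port>\d+), (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

# The first three lines are the entries quoted in the thread; the last is constructed.
SAMPLE = [
    "[DoS Attack: WinNuke Attack] from source: 218.76.236.71, port 19300, Wednesday, January 12, 2022 23:56:33",
    "[DoS Attack: TCP/UDP Echo] from source: 80.82.77.193, port 59891, Thursday, January 13, 2022 00:21:53",
    "[DoS Attack: SYN/ACK Scan] from source: 156.54.36.151, port 5060, Thursday, January 13, 2022 00:19:57",
    "[constructed non-DoS entry] Thursday, January 13, 2022 00:30:00",
]

def parse_line(line):
    """Return (kind, ip, port, datetime) for a DoS entry, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
    return m["kind"], m["ip"], int(m["port"]), ts

def summarize(lines):
    """Count DoS entries per calendar day, per attack type and per source address."""
    per_day, per_kind, per_ip = Counter(), Counter(), Counter()
    for kind, ip, _port, ts in filter(None, map(parse_line, lines)):
        per_day[ts.date().isoformat()] += 1
        per_kind[kind] += 1
        per_ip[ip] += 1
    return per_day, per_kind, per_ip

def entries_near(lines, outage, minutes=10):
    """DoS entries logged within `minutes` of an observed outage time."""
    recs = filter(None, map(parse_line, lines))
    return [r for r in recs if abs((r[3] - outage).total_seconds()) <= minutes * 60]

if __name__ == "__main__":
    print(summarize(SAMPLE)[0])
    print(entries_near(SAMPLE, datetime(2022, 1, 13, 0, 25)))
```

Comparing the per-day counts on days with and without an outage, and checking whether `entries_near` returns anything unusual around the outage times, gives a way to test whether the disconnections track the logged entries at all.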