FDWAL
Dec 07, 2021, Aspirant
AX6000 / AC4000 constant disconnects
Hello there, wanted to see if I can get some help here before I contact support. I had an AC4000 and out of the blue I had constant disconnect issues. They usually last 30 seconds to 1 min ma...
FDWAL
Dec 07, 2021, Aspirant
I just went in to the admin log section and I found some areas that I think are hackers trying to log on or do something? Not sure what I can post here because I don't want to give any of my info away, but I will paste some part of the log.
Maybe this helps identify the issue and a fix for it???
[DoS Attack: RST Scan] from source: 210.245.54.217, port 22825, Monday, December 06, 2021 17:01:58
[DoS Attack: TCP/UDP Chargen] from source: 71.6.167.142, port 29921, Monday, December 06, 2021 16:34:03
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Monday, December 06, 2021 15:42:50
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Monday, December 06, 2021 15:35:14
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Monday, December 06, 2021 15:12:50
[DoS Attack: ACK Scan] from source: 64.58.239.122, port 6264, Monday, December 06, 2021 14:47:59
[DoS Attack: ACK Scan] from source: 64.58.239.146, port 26152, Monday, December 06, 2021 14:45:51
[DoS Attack: ACK Scan] from source: 64.58.239.59, port 5562, Monday, December 06, 2021 14:05:19
[DoS Attack: ACK Scan] from source: 64.58.239.204, port 2029, Monday, December 06, 2021 13:58:37
[DoS Attack: SYN/ACK Scan] from source: 194.126.144.113, port 443, Monday, December 06, 2021 13:48:07
[DoS Attack: ACK Scan] from source: 64.58.239.59, port 5562, Monday, December 06, 2021 13:47:20
[Internet connected] IP address: 00.00.000.00, Monday, December 06, 2021 13:10:19
[DoS Attack: SYN/ACK Scan] from source: 91.220.101.92, port 80, Monday, December 06, 2021 12:56:36
[DoS Attack: ACK Scan] from source: 64.58.239.204, port 14805, Monday, December 06, 2021 12:52:14
[DoS Attack: ACK Scan] from source: 64.58.239.204, port 14805, Monday, December 06, 2021 12:45:11
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Monday, December 06, 2021 12:42:37
[DoS Attack: SYN/ACK Scan] from source: 170.33.9.35, port 11119, Monday, December 06, 2021 12:39:08
[DoS Attack: SYN/ACK Scan] from source: 168.119.232.76, port 443, Monday, December 06, 2021 12:38:28
[DoS Attack: ACK Scan] from source: 64.58.239.204, port 14805, Monday, December 06, 2021 12:23:19
[DoS Attack: SYN/ACK Scan] from source: 95.217.31.46, port 443, Monday, December 06, 2021 12:18:36
And right after a few of them show up it is showing the following:
[Internet connected] IP address: 00.00.000.00, Monday, December 06, 2021 14:10:20
I obviously removed my IP.
So does that mean I am getting DDoSed? Or whatever that is called? If yes, what are my options to stop this? Have my ISP change my IP?
- michaelkenward, Dec 07, 2021, Guru - Experienced User
Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.
Search - NETGEAR Communities – DoS attacks
Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.
Here is a useful tool for that task:
IPNetInfo: Retrieve IP Address Information from WHOIS servers
If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.
You might get more help, and find earlier questions and answers specific to your device, in the appropriate section for your hardware. That's probably here:
Nighthawk Routers with WiFi 6 (AX) - NETGEAR Communities
I will ask the Netgear moderator to move your message.
In the meantime you could visit the support pages:
Support | NETGEAR
Feed in your model number and check the documentation for your hardware. Look at the label on the device for the model number.
You may have done this already. I can't tell from your message.
I mention it because Netgear stopped supplying printed manuals and CD versions some years ago and people sometimes miss the downloads.
- FDWAL, Dec 07, 2021, Aspirant
Thank you so much for your time and response.
Yeah I looked over the Documentation before.
My connection never slows down at all. It just dies instantly. And it comes back just as suddenly 30 seconds to 1 minute later. When I look over the logs it seems as if some of the IPs I looked up are in Asia and some are in the USA.
If I check "Disable Port Scan and DoS Protection", will this only turn off the logs or will this turn off the protection altogether? I have seen this recommended on some other threads on here but didn't want to disable it as I wasn't sure which exactly it does.
- michaelkenward, Dec 07, 2021, Guru - Experienced User
FDWAL wrote:
If I check "Disable Port Scan and DoS Protection", will this only turn off the logs or will this turn off the protection altogether? I have seen this recommended on some other threads on here but didn't want to disable it as I wasn't sure which exactly it does.
There are two settings. One disables the logs:
Advanced >> Administration >> Logs >> Known DoS attacks and Port Scans
the other disables the protection.
Advanced >> Setup >> WAN Setup
Many people run without DoS Protection and with no ill effects.
There is some debate as to what each achieves. The aim appears to be that either of these operations can involve processor power. If that overloads the router, then you can see the slowdown and disruptions that you describe.
This is mostly conjectural. Trial and error – or suck it and see – seems to be the strategy.
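An added example, not part of any post in this thread: a Python script that parses log lines in the format pasted above, counts DoS-tagged entries per source so the recurring ones can be looked up with WHOIS, and counts how many such entries precede each "[Internet connected]" event. The function names, the 30-minute window and the sample log (documentation-range addresses) are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the router's log format; addresses are documentation ranges.
SAMPLE = """\
[DoS Attack: ACK Scan] from source: 198.51.100.59, port 5562, Monday, December 06, 2021 14:05:19
[DoS Attack: ACK Scan] from source: 198.51.100.204, port 2029, Monday, December 06, 2021 13:58:37
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.46, port 443, Monday, December 06, 2021 13:48:07
[Internet connected] IP address: 192.0.2.10, Monday, December 06, 2021 13:10:19
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.92, port 80, Monday, December 06, 2021 12:56:36
[DoS Attack: ACK Scan] from source: 198.51.100.204, port 14805, Monday, December 06, 2021 12:52:14
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.46, port 443, Monday, December 06, 2021 12:42:37
"""

LINE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?:from source|IP address):\s*(?P<ip>[\d.]+),"
    r"(?:\s*port (?P<port>\d+),)?\s*\w+, (?P<ts>\w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_log(text):
    """Return (timestamp, kind, ip, port) tuples, oldest first; skip unknown lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%B %d, %Y %H:%M:%S")
        kind = m["tag"].removeprefix("DoS Attack: ")
        events.append((ts, kind, m["ip"], int(m["port"]) if m["port"] else None))
    return sorted(events, key=lambda e: e[0])

def top_sources(events):
    """Count DoS-tagged entries per (source, kind) to pick WHOIS candidates."""
    return Counter((ip, kind) for _, kind, ip, port in events if port is not None)

def scans_before_reconnect(events, minutes=30):
    """For each reconnect, count DoS-tagged entries in the preceding window."""
    window = timedelta(minutes=minutes)
    out = {}
    for ts, kind, _, _ in events:
        if kind == "Internet connected":
            out[ts] = sum(1 for t, k, _, p in events
                          if p is not None and ts - window <= t < ts)
    return out
```

A reconnect with no DoS-tagged entries in the window before it points away from the logged scans as the cause of that drop.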