Redtulips7
Nov 28, 2019 Luminary
RAX120 Firmware Version 1.0.1.108
New Features and Enhancements: •Supports the Tx Beamforming option under Advanced > Wireless Settings to improve legacy wireless client support. Bug Fixes: •Wireless disconnection when WiFi passwo...
Killhippie
Dec 02, 2019 Prodigy
Since the update is anyone seeing a flood of SYN/ACK DoS attacks from 148.251.48.231?
I have had hundreds starting last week, pretty much when the firmware was released and I updated. According to my ISP it's something the router is calling out for, or it's a vulnerability in the new firmware. That seems a bit dramatic but then again this amount of scans is not fun and it's a cut down version.
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:16
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:37
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:28
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 01, 2019 21:59:43
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 21:27:47
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 21:14:36
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 21:01:22
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 20:55:03
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 20:49:09
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 20:03:35
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 20:03:23
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 19:58:15
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 19:44:19
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 19:22:53
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 19:03:47
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 18:52:41
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 18:41:47
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 18:11:48
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 17:53:48
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 17:37:44
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 17:00:48
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 16:42:37
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 16:37:45
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 15:51:01
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 15:27:52
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 13:55:31
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 13:52:55
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Sunday, December 01, 2019 13:41:14
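Added example, not part of any post in this thread and not NETGEAR code: a small Python triage script that parses router log entries in the format quoted above and reports, per source, how many entries there are, when they were first and last seen, and the median gap between them. The function name `summarize` and the 203.0.113.7 entry are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Entry layout as it appears in the log lines quoted in the post above.
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), (?P<ts>\w+, \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})"
)

# Five entries copied from the post, plus one constructed entry
# (203.0.113.7 is a documentation address) to show per-source grouping.
SAMPLE = """\
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:16
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:37
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:28
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443, Monday, December 02, 2019 12:40:00
"""

def summarize(log_text):
    """Group entries by (source, port, kind): count, first/last seen, median gap."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # wrapped or unrelated line
        stamp = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
        seen[(m["src"], int(m["port"]), m["kind"])].append(stamp)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for (src, port, kind), s in summarize(SAMPLE).items():
        print(f"{src}:{port} {kind} x{s['count']} "
              f"{s['first']} -> {s['last']} median gap {s['median_gap_s']}s")
```

A summary like this is easier to hand to an ISP or a hosting provider's abuse desk than a pasted log, and it makes it simple to compare entry rates before and after a firmware change.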
- avtella Dec 02, 2019 Prodigy
I personally disable the DDoS Protection option, quite often I’ve seen legitimate servers being falsely detected for DDoS, i.e. Amazon AWS, Apple, Google and many others. In fact some have had issues with this on previous NG models where disabling that feature allowed certain apps/sites to work properly.
- Killhippie Dec 02, 2019 Prodigy
Hello avtella, while I totally agree about Netgear logs, this particular site is known for not being a good actor. I had a message from a few people pointing to a couple of sites that show Hetzner as being an abusive IP address, and they're going for a really odd port, which is 50002, which is generally used for some software I've never heard of, which is PPoiP. I've had literally hundreds, well, actually into the thousands now, since I've booted the router from that IP, even when cold booting with no devices attached or Wi-Fi devices turned on, so literally it's just the router sitting there, and it starts almost instantly the router boots. Even before it gets the time from the NTP server it starts getting attacked. There is another conversation on these forums with people with Orbi devices, RBK50s I think, which are having similar issues.
It's just odd that they've both had recent firmware updates for these routers and they're both Qualcomm devices. Also it's happening in America, the UK, Australia, all over the world tbh, and something just doesn't feel right, if that makes sense, about this. My ISP said they think it's the router calling for something from this IP, or there is possibly a security issue that people are not aware of. I don't see it being the latter because the router is stopping it, but it is odd that it just started with the update; of course that could just be coincidence. If you do happen to see logs from this particular IP, and believe me I have, as I said I have thousands within 24 hours, I've never seen so many, I'm wondering if it's something in the latest firmware, or of course someone could've accessed one of the servers at Hetzner and are just being a bad actor.
https://www.abuseipdb.com/check/148.251.48.231
- Killhippie Dec 02, 2019 Prodigy
I contacted Hetzner, the company behind the IP address, and informed them of what is happening, as not all large server farms are aware that maybe they've lost control of one of their devices. They've replied to me stating the following:
'We have received your information regarding spam and/or abuse and we shall follow up on this matter.
The person responsible has been sent the following instructions:
- Solve the issue
- Send us a response'
So hopefully this quite large-scale scan attack will cease and desist within the next day also.
- Joeymcnew35 Jan 13, 2020 Guide
I'm getting the same issues with the DDoS attacks. Mine are non-stop. This has been going on for just over a month now. I'm about ready to take this back and go back with an Asus Tri-Band router that I had before this. This RAX120 is a total mess!
- nighthawkr Jan 13, 2020 Tutor
I don't see any DoS entries in my recent logs, but I'm watching now.
- Joeymcnew35 Jan 13, 2020 Guide
You'll know the second it starts, all traffic stops and it will restart and possibly a restart loop.