NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

So_tired's avatar
So_tired
Guide
Jul 25, 2025
Solved

TCP SYN Flooding on RAX54v2 Router, Please help!

Hello all, i REALLY need help with stopping massive TCP SYN Floods to my home router.

 

What has happened thus far:

 

I got this router about 2 months ago ,(upgrading from a very old TP-link which i had no problems with, EVER. However, it was slowing down my speeds very badly and not utilizing the new speed I started paying for so, had to change ol'faithful.) and ever since I've been getting DoS UNKNOWN's on every port. I looked it up and most people said to not worry, so i ignored it. About a week later my internet goes out for about 3 mins. Comes back, I thought it was odd, checked and TCP SYN Flood attack up the wazoo! 100s of entries in the router logs. This has now been happening EVERY DAY and I am so tired of it.

 

I first started by changing some settings in the Router: Turning off remote access, Activating IPV6, Turning on WAP3 protocols on both WiFi signals, Set up Access Control, turning off UPNP, Disabled port forwarding, changed Passwords, and updated farmwear. Nothing worked.

 

So, as you do, i look up how to stop them....no one knows how to stop them on a Netgear router it seemed and the work arounds i've found have not helped because most are out-dated or do not work for a Netgear router. It also seems like the router has NO protection from SYN flooding and cant make SYN Cookies OR edit firewall rules OR block IPs in a range (even though you can go to the Block Services tab and try to enter it, it ALLWAYS comes up as 'Invalid IP entered' even though you enter the same IPs that are flooding you.) OR stealth ports. Router logs do not even state if these SYN packets are dropped, blocked or any status whatsoever. Just that they have happened.

 

 

I've even signed up for Netgear Armor by Bitdefender and it does not do anything. It has no abilities to stop SYN floods, DoS attacks or stealth ports. I Thought it would AT LEAST tell me it blocked something but, nope. 

 

I also contacted my ISP, changed IP address by un-plugging router and modem for a few hours, factory reset and set back up everything, and nothing has stopped it. Now I'm reaching out here to try and figure this out.  I attached a pic of what one of the attacks looks like.

 

 

I want to stealth my ports.

I want the SYN floods to stop.

How do I stop them? Mitigate them?

Anyone else having this issue?

Any help would be SO very apricated.

 

Thank you all.

rax54
  • FURRYe38's avatar
    FURRYe38
    Aug 06, 2025

    OK so updated my RAX50v2 to recent FW version. 
    Factory reset and setup from scratch. 

    CAX80 in modem mode.

    PE is enabled by default. Testing with it enabled and disabled:

    PE Enabled:

     

    PE Disabled:

    I Noticed that the testing site was being reported as flooding the logs:

    [admin login] from source 192.168.1.2, Wednesday, Aug 06, 2025 15:39:37
    [admin login] from source 192.168.1.2, Wednesday, Aug 06, 2025 15:39:33
    [DoS attack: TCP SYN Flood] from source 4.79.142.206,port 45743 Wednesday, Aug 06, 2025 15:39:03

     

    After I logged in at 15:39 and disabled PE and re-tested again after that, logs didn't report any flooding from the test site. 

     

    I recommend that after you disable PE and re-test, have your ISP give you a new WAN IP address as I presume some nefarious items may have a target for that WAN IP address. Once you have PE disabled and a new WAN IP address, I'm hoping you shouldn't see issues continue. 

21 Replies

  • FURRYe38's avatar
    FURRYe38
    Guru - Experienced User
    Jul 31, 2025

    What Firmware version is currently loaded?
    What is the Mfr and model# of the Internet Service Providers modem/ONT the NG router is connected too?

     

    Have you done a whois look up on that IP address to see where it maybe coming from? 

     

    Do you see Protection Engine feature on the routers web page at all? Under Advanced Tab/Security? 

    So_tired​ 

    • So_tired's avatar
      So_tired
      Guide
      Aug 01, 2025

      Firmwear for router is current.

      I do not use my ISPs router/gateway/modem. I bought mine.

       

      My current router is the RAX54v2.

       

      Yes, one of them was from Chins, another Korea.

       

      Yes, I have Protection Engin active.

      I also have the DoS protection active too and I also have Armor activated.

       

      I think ill just get a new modem to see if that fixes it... 

       

      My modem is a MC600 Netgear from 2013 >_<.

       

    • So_tired's avatar
      So_tired
      Guide
      Aug 01, 2025

      I ended up going to best buy and getting a Netgear Nighthawk CM2500 mid/high split.

       

      Set it up.

      Getting stupid fast speeds, no drops BUT I am STILL getting "TCP SYN flood" s -_-

       

      At least now when it happens it barely blips my internet. The floods only happen on large numbered ports now it seems...

      From 3000-6000+ ports.

       

      I also un plugged everything for hours today and re-plugged everything in. Got a new IP (still local...) so that did not work, again lol

       

      I ran ShieldsUP! Again and it said all of my major ports are stealthed but ALL of the other ports (except 0-127,135-139, and 445)  are not, they are all closed. Ill show a pic.

       

      At this point, should I even worry if they are only flooding the big ports? Am i in any danger?

      Still no way to stop this?

      • FURRYe38's avatar
        FURRYe38
        Guru - Experienced User
        Aug 01, 2025

        Disable Protection engine on the Router then re-test SheildsUP! 

         

        Make sure when testing, that you test with one ethernet connected PC and ALL other ethernet connected devices are disconnected from the router and temporary disable the wifi radios on the router before testing.

  • FURRYe38's avatar
    FURRYe38
    Guru - Experienced User
    Aug 05, 2025

    Any progress on this? 

    Were you to re-test with PE disabled with alll devices disconnected accept for one ethernet connected PC? 

    So_tired​ 

    • So_tired's avatar
      So_tired
      Guide
      Aug 05, 2025

      Yes, sorry I am very busy with work most days so my reply can be sparce.

       

      I tried that and its still showing all ports CLOSED none open and just a few STEALTHed. Still getting massive amounts of TCP SYN flood, notifications in logs and my connection can randomly "hiccup" several times a day. Where as, if im doing something on the internet, ill get s tiny buffer time of around 15-20 seconds on things im doing, then it comes back. Never truely disconnecting but doing this hiccup now.

       

      I ended up getting a very powerful cm2500 modem. Now I have the new RAX54v2 router and this modem.

       

      The cm2500 has mid/high split and 3.1 docsis so its all up to date... I should not be getting these hiccups or floods and im pretty sure my ports should not be like this still.

       

      Any ideas?

      • FURRYe38's avatar
        FURRYe38
        Guru - Experienced User
        Aug 05, 2025

        When you tested ShieldsUp and PE disabled, did you first disconnect all ethernet devices from the router accept for the one test pc and then disable the wifi radios on the router prior to testing? 

        Please post a screen capture of the test results from all serivce ports testing. 

         

        Please post a copy and paste of the modems connection status and event log page.
        https://kb.netgear.com/30007/How-do-I-obtain-the-cable-connection-information-from-a-NETGEAR-cable-modem-modem-router
        https://kb.netgear.com/30008/How-do-I-view-or-clear-the-event-logs-on-my-NETGEAR-cable-modem-or-modem-router