NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
TCP SYN Flooding on RAX54v2 Router, Please help!
Hello all, i REALLY need help with stopping massive TCP SYN Floods to my home router. What has happened thus far: I got this router about 2 months ago ,(upgrading from a very old TP-link whic...
OK so updated my RAX50v2 to recent FW version.
Factory reset and setup from scratch.CAX80 in modem mode.
PE is enabled by default. Testing with it enabled and disabled:
PE Enabled:
PE Disabled:
I Noticed that the testing site was being reported as flooding the logs:
[admin login] from source 192.168.1.2, Wednesday, Aug 06, 2025 15:39:37
[admin login] from source 192.168.1.2, Wednesday, Aug 06, 2025 15:39:33
[DoS attack: TCP SYN Flood] from source 4.79.142.206,port 45743 Wednesday, Aug 06, 2025 15:39:03After I logged in at 15:39 and disabled PE and re-tested again after that, logs didn't report any flooding from the test site.
I recommend that after you disable PE and re-test, have your ISP give you a new WAN IP address as I presume some nefarious items may have a target for that WAN IP address. Once you have PE disabled and a new WAN IP address, I'm hoping you shouldn't see issues continue.
They change the port behavior seen by the test site.
Yes.
No. Cable connections page will have lots of numbers and channel listing for modem. Would like to see this full data page please.
OK so updated my RAX50v2 to recent FW version.
Factory reset and setup from scratch.
CAX80 in modem mode.
PE is enabled by default. Testing with it enabled and disabled:
PE Enabled:
PE Disabled:
I Noticed that the testing site was being reported as flooding the logs:
[admin login] from source 192.168.1.2, Wednesday, Aug 06, 2025 15:39:37
[admin login] from source 192.168.1.2, Wednesday, Aug 06, 2025 15:39:33
[DoS attack: TCP SYN Flood] from source 4.79.142.206,port 45743 Wednesday, Aug 06, 2025 15:39:03
After I logged in at 15:39 and disabled PE and re-tested again after that, logs didn't report any flooding from the test site.
I recommend that after you disable PE and re-test, have your ISP give you a new WAN IP address as I presume some nefarious items may have a target for that WAN IP address. Once you have PE disabled and a new WAN IP address, I'm hoping you shouldn't see issues continue.
Ok, cool!
I will do that tommarow and give you an update. I really hope this solves it >_<
If I keep PE disabled will I be open to attacks though??
Theoretically could be, however if PE is disabled, the idea is that the ports are now stealth, nefarious scanners wouldn't find anything there and move along to somthing else. If ports are CLOSED, ya this is blocking and the logs will just be reporing the blocking, however the close ports seem to return something being there when scanned, as they report being close. So nefarious scanner will keep continueing to scan those ports, even though they are close and the routers firewall is blocking. The logs are just reporting what is happening.
So ya, hoping with PE disabled, getting a new WAN IP address, should see less flooding happening.
OK,
I understand.
I have a few questions, since we are on the subject and I will test out what you said when I get home:
Is the Protection Engine the same as the routers Firewall or a seprate thing?
should I return this router and get another one without PE on it?
Which routers do not have PE on them but are protected and dont cause this problem?
I looked this up on Google and didnt find any solid answers. Plus a ton of sights listing what routers are best or not but none match any answers of the others.
Ok! I made discoveries!
YOU WHERE RIGHT!
Netgear Rax50 series routers Protection Engine STOPS PORTS FROM STEALTHING. 100%
Turned it off, full stealth!
Called ISP, got a run around (i use comcast/xfinity) took 4 hours.
They said they cant change my WAN IP. Its dynamic and I need to unplug router for a few hours and plug back in to have diffrent address. Even then, it may go back to original IP in thr future. So, that sucks but I did it. I STILL got TCP SYNed, ugh. Even stealthed.
I also talked to them about the time outs and errors on my modem logs and they will have somone by to check on the outside stuff on Sunday.
I found out ALL of the abusive IPs that are TCP SYN flooding me are still flooding me and they are ALL from AMAZON! Even the UNKNOWN ones are from Amazon. Why Amazon SYN flooding me?
Any idea?
Hello FURRYe38.
Thank you for all your help and input into my problem. You helped me solve the initial issue! You rock!
I found out that the IPs that are SYN flooding me are spoofed Amazon IPs searching for ACKs to send back to Amazon. Wild! I will let Amazon know of this, hope they can stop it on thier end. 🤞
So stealthing is my best bet to stop all the floods.
Thank you so very much for your help and time! 10/10!
I think you'll be ok using PE disabled and having ports stealthed.
Not sure why Amazon is pinging your router so much, maybe the amazon devices you have connected as well. Some devices have phone home to Amazon or Google services.
Be sure to save off a back up configuration to file for safe keeping. Saves time if a reset is needed.
https://kb.netgear.com/24231/How-do-I-back-up-the-router-configuration-settings-on-my-Nighthawk-router
Enjoy. 📡