brado77
Nov 30, 2022 Star
Trying to understand nature of "DoS attack: RST Scan" log messages
Disclaimer: I am a security engineer, so my questions which follow are not to understand what a DoS attack or RST scan are; I know what those are -- I'm trying to understand the behavior of my router...
Forca8
Feb 24, 2024 Initiate
Thank you brado77 for a post on this topic I'm trying to learn more about.
I had 2 computers even before getting both the Tandy 1000EX and 1000SX (dual floppy / no HDD).
Fast forward to today. The last 2 evenings, the TV is buffering and game machine losing service brought me to looking at the logs. Could be the ISP due to solar activity (2/22/24) and AT&T outages? Central USA location.
The log shows DoS attacks within 2 minutes of reset. Most are Fraggle and RST. Thanks to reading this thread I realize it is more inherent to the firmware than real attacks. Fraggles show port 67. RST scans on port 443. Also ACK scan on port 993, resolves to googleplex, CA.
I bought a pfSense SG1100 last year. I've been trying to teach myself its setup. Now with the new buffering problem, I'm going to install the Nighthawk AX5400 for computers (whitelisting) and the Nighthawk R7960P as an access point for IoT devices. That is until I feel good enough about rules and subnetting setup on the pfSense to implement it.
Just posting this to say thank you and others on the thread for the insights on the DoS log messages. Now I am off to read about email did not resolve topic.
- Muddy_Street Mar 13, 2024 Aspirant
Hi. RAX54S-100NAS router here.
RE the DoS Fraggle attack, it would seem reporting this - maybe spuriously - is a Netgear firmware "feature", as this thread (above) seems to indicate.
After being forced to reset the password twice in conversation with Netgear support, I got on the phone with the ISP, Xfinity/Comcast because the "attack" origins were within their network. They didn't see anything going on (1-1/2 hours on the phone with network engineers following traffic, I think). Xfinity/Comcast folks said tentatively that it was likely router-related. So I took the advice of micro8 (above in this thread I think), went into the Advanced/Security/Log page, and un-checked the box for DoS. No problems logging in or otherwise any more. Also, maybe relevant, I set for login via https only.
Hope this helps . . .
- michaelkenward Mar 13, 2024 Guru - Experienced User
Muddy_Street wrote:
Also, maybe relevant, I set for login via https only.
Be careful. This has been known to cause chaos.
You can lose access from other systems and devices.
I forget the exact details – must experiment – but we have had reports of people turning up here in panic. Solved by turning off that setting.
Disabling logs of DoS Attacks is generally enough.
Newer routers, and firmware updates to some older devices, seem to have squished this persistent bug.