CAX80 keeps rebooting

For those getting "[DoS attack] LAND Attack SPT:2190 DPT:2190" I have a theory I'd like to test, join me if you have the time. 

all wifi off

all port empty except for 2.5g or lan1 to your main puter (ie, only 1 machine connected to it, as barebone as possible)

wait for 1 hour, check log for 2190

reboot your cax80 (not reset)

wait for another hour, check log again for 2190

I'm curious to see if it's coming from within, like TV or PS4/5

hanzo79 - In my case I doubt that the DoS message is being generated by a device in the LAN (Local Area Network). The source IP address of the DoS Attack is the IP address assigned to the WAN (Wide Area Network (Internet)) side of the CAX80 by my ISP.

tamanaco there goes to show you how little i know about networking, heh.  But I'm curious to see if there's anything within the network sending ghost ping signals out, then pong signals coming back.  If it is, we know for certain to trash that device into a bond fire...if not, then time to bring out the pitchforks.

Does this have a any WAN or LAN IP address displayed with this log entry seen with this happens? 

---

hanzo79 wrote:

For those getting "[DoS attack] LAND Attack SPT:2190 DPT:2190" I have a theory I'd like to test, join me if you have the time. 

 

all wifi off

all port empty except for 2.5g or lan1 to your main puter (ie, only 1 machine connected to it, as barebone as possible)

 

wait for 1 hour, check log for 2190

reboot your cax80 (not reset)

wait for another hour, check log again for 2190

 

I'm curious to see if it's coming from within, like TV or PS4/5

 

---

FURRYe38 oddly, no.

Hard to determine if it's coming from the WAN or LAN side...Though would be good to try your suggestion to see if anything on the LAN side is popping this entry up or not. 

A typical ISP connected home router is called a NAT. It's a  Network Address Translation device. The router itself has unique ISP assigned WAN IP address. With higher fees you can get a "dedicated" WAN IP address that it's also unique. All the data flow you send out from the LAN (Local Area Network) to the WAN (Internet) is actually sent to the router, which sends it out using its address. The returning data is sent to the LAN device using its MAC and IP Address the local device knows the LAN IP of the router and the port it needs to listen for the returning data. For LAN devices to work it's not necessary that they know the WAN IP of the "typical" home router as it can be changed by the ISP at any point.

I would be concerned about the CPU usage being that high. Wow. 

Are you seeing this all the time on the modem? 

---

tamanaco wrote:

I've been trying to reply to this thread since early this morning, but my posts with screenshots don't make it. Trying without the images.

 

-> @2-days up and counting...

-> I still do not see the "A Router Firmware Update is Available" banner

 

-> The [DoS attack] LAND Attack SPT:2190 DPT:2190  Log messages are back at intervals ranging from ~1 to ~10 minutes apart. The  source IP Address "xx.xxx.xxx.xx" is my ISP assigned WAN IP Address which as someone previously mentioned, is very strange as it looks like a "Suicide" DoS Attack. My ISP is Spectrum.

---

FURRYe38... No, my CPU utilization is normally not that high. That screenshot was probably taken when my two  NASes were syncing the previous day data. This usually happens overnight after 1am, but because of the router reboots I had to recently rescheduled the sync to 7am.

To make this easier, WAN v. LAN.

IF you have no idea on these than chances are you did not change anything 🙂

With that said a Modem just handles traffic.  It is only responsible for moving the 0's and 1's.  It doesn't translate anything, it doesn't tell the 0's and 1's were to go.  The ROUTER routes the 0's and 1's.  IT is the equipment response for sending stuff to your PC or Playstation or mobile device.  It uses a unique address, the IP Address.  Much as your house address is unique to you, your devices IP Address is unique to it.  Unlike our house address, the IP Address CAN change, unless it is dedicated or you are behind a Router.

Now then, with regards to the DoS Land Attacks.  When I log into my CAX80, the logs show:

The 192.168 addresses are called NAT, see description above.  THESE are provided by the Router side, these are how Home Routers are typically setup, but they can be changed to anything.  If you are curious to know more, you need to look up NAT or IP Address convections to learn more.  As for the others that show 73.65., this is the starting address assigned to Xfinity by the Global IP Address commission.  And when I look at the Modem IP Address it is the same as the Source under the DoS Land Attack.  IF you see the same then it is coming from WITHIN, if this is showing different then chances are it is coming from outside.  You can use any IP Address lookup tool to see the Source address and who it is assigned to.

So I see, these are coming suppossedly from the WAN side. Target is 255.255.255.255 oddly. 

In my case, the "source IP" is different from my Modem's IP and is the IP of my ISP (COX Internet). I've spent all week working with them on this and they're unsure what's going on. I've done full resets of the CAX80 (I've tried updating manually from files and from the NG server), COX came out and checked every cable and line and had no issues they could find, and COX has stated they're not seeing anything abnormal on their end.

It is worth noting that the reboots have stopped for me, my current uptime is now at 6 days, so some improvement. and I can now set up my reboots schedule again. Though I'm still getting those LAND attacks. The last 2 notices in the log had 25 reported 20 minutes before this write-up, and I had another one pop up while I was in the midst of writing this.

As additional troubleshooting, I've disconnected every single device from my network and still had these LAND attacks appear (disconnected everything but my wired PC, verified nothing was connected except the wired PC, unhooked wired PC, left house, came home hours later to find dozens of LAND attacks when nothing was connected to the network), so it's not any devices in my network causing it.

Yes if the reboots have stopped. Great to hear and know. 

For any other stuff please follow in the more appropriate post threads so we get all information inlcuded there.

Thank you.