NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
[DoS attack] LAND Attack SPT:2190 DPT:2190
Hi All,
I had an issue last week with my Orbi system. Long story short, I was receiving a ton of DDoS messages from all my devices attached to my home network. After talking this over with a few people we thought it was hardware failure...so I went out and bought a new CAX80 Cable Modem/Router.
I was looking through the logs yesterday and saw a DoS message from an IP I didn't recognize. After a quick google search it appears that address is in China. Also, there was a firmware upgrade available so I installed it. Afterwards, I started seeing a TON of these in my log:
[DoS attack] LAND Attack SPT:2190 DPT: 2190
I also see some NULL attack messages sprinkled in.
My question is are these legit or are they false positives introduced by a bug in the firmware?
Thanks.
20 Replies
Anything related to this?
https://www.radware.com/security/ddos-knowledge-center/ddospedia/land-attack/
Thanks but I don't see anything in that link other than a description of the problem? Anyway, yes that basically describes it. However it's not affecting my internet service.
I did see an old article from around 2015 where these were caused by having Access Control turned on...and I set that up at the same time I updated the firmware. In fact Access Control was on when I rebooted after the firmware update. Hmmm...
Anyay, I am still getting the NULL attack messages as well. I've logged an incident with my ISP. Hopefully these are just false positives.
Might try a factory reset and setup from scratch. This time, don't setup Access Controls or any additional features. Check the logs.
steveberry10 wrote:
I had an issue last week with my Orbi system. Long story short, I was receiving a ton of DDoS messages from all my devices attached to my home network.
Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.
Search - NETGEAR Communities – DoS attacks
Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.
Here is a useful tool for that task:
IPNetInfo: Retrieve IP Address Information from WHOIS servers
If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.
Thanks Michael. The issue with the Orbi did cause the router to block my devices so in that sense it did cause an interruption of service. However, after talking it over with some of my coworkers (who are more knowledgeable than I) we generally agreed it was a hardware issue.
There is no interruption of service with the CAX80 but I'm still getting flooded with the LAND and NULL attack messages. Unfortunately there's no other IP address associated with them and if there is one it's buried in all the other stuff coming in.
I did log a case with my ISP. Hopefully they can tell if something is really going on.
I believe the " [DoS attack] LAND Attack SPT:2190 DPT:2190 " is a legitimate concern.
I started to have poor wifi connection and investigated.
I logged into my router, Netgear CAX80, and under Advanced, Administration, Logs: I noticed many "[DoS attack]" errors.
I first notified the many "[DoS attack] LAND Attack SPT:2190 DPT:2190 " but it showed the source as my own ip address.
The user above, "FURRYe38" posted this link and shows a description of the error: https://www.radware.com/security/ddos-knowledge-center/ddospedia/land-attack/. Description: "In a DoS land (Local Area Network Denial) attack, the attacker sends a TCP SYN spoofed packet where source and destination IPs and ports are set to be identical. When the target machine tries to reply, it enters a loop, repeatedly sending replies to itself which eventually causes the victim machine to crash."
Then user above, "steveberry10" mentioned that he saw NULL attacks as well.Upon furth inspection of my logs, I came across a different [DoS attack]:"[DoS attack] NULL Attack SPT:15921 DPT:39402" from IP address: 60.161.81.116:39965"[DoS attack] NULL Attack SPT:39965 DPT:59537" from IP address: 60.161.81.116:15921By looking up the location of the IP address via What is my IP location? (Geolocation), these DoS NULL Attacks are coming from the Yunnan province of China and/or Beijing, China.Once these NULL attacks started to happen, I've been receiving anywhere between 10 to 30 "DoS attack] LAND Attack SPT:2190 DPT:2190" attacks every hour or so.I came to the conclusion that the solution to remedy this issue is to renew your dynamic IP address and unfortunately my ISP provider, Spectrum, cannot do it remotely. Spectrum stated that in order to renew my IP address is to turn off and unplug my router for as long as possible (3 to 4 hours may be enough time) so that the ISP system can automatically issue a new dynamic IP address.I believe that by renewing your IP address, you will no longer be a target to these DoS attacks from China.My best regards to you all.Note: I also believe that the new firmware version V2.1.3.7 for the CAX80 did address this security vulnerability: CAX80 Firmware Version 2.1.3.7 | Answer | NETGEAR SupportSo, to reiterate, I do believe this is a legitimate security concern and DO NOT DOWNGRADE YOUR FIRMWARE.That is a heck of a theory. And some of it is technically true. Like Charter/Spectrum not assisting in changing the IP address. It's not that they cant, they can, and will, if you have a business account. But they wont, cuz you dont, have a business account. I'm a poet and didnt even know it. Like I said some true, some not true. Downgrading works, the DoS goes away entirely with 2.1.3.5. But! It is also a complete waste of time since it is auto updated every single night by Spectrum, and you cant stop it, thanks NG! So, your warning not to downgrade is correct and incorrect all at the same time.
I have been having firmware 2.1.3.7 issues for a while as well. I am not going to go over everything I've done nor provide logs. I just finalized my RMA and NG is sending me a new (or used, who can really tell with these guys) cax80, with all the stupid turns, twists, and jump though hoops involved with that process. It's takin almost two months to get to this point. Dumbest support ever. A complete waste of time but hey... you guys keep saying your not having issues so... worth a shot, right. See? Correct and incorrect all at the same time.
As for the Null attacks, the cax80 is reporting them rarely and from everything i've seen, it's doing its job and stopping them. As for the [DoS attack] LAND Attack SPT:2190 DPT:2190, that is 100% 2.1.3.7 firmware related. Since I am not always right, a very slim 0.05% possibility it is a defective hardware issue... that could be addressed by correcting the dang firmware!
Not to be ungrateful or anything, I appreciate the assistance as do others. But there are many threads and a MASSIVE security alert dump on 6/29/2022 that covers this problem on the CAX80 but on previous firmware revisions. Unfortunuately, I'm going to make you do the same thing I had to, go through them all one by one, since there is nothing to indentify the content in the alert. No direct link for you! Here is the link to all alerts... https://www.netgear.com/about/security/ I would highly recommend that if your going to assist, you go through them all, make a few notes... well, unfortuantely, a S*** ton of notes with that crazy dump... Holy Jebers! Its like the Whitehouse and their weekly Friday night news dump to hide stuff. Remember the other multiple threads you read or assisted with that dealt with the exact same or very similar topic which can be directly attributed to the same issues.
In this thread,
https://community.netgear.com/t5/Cable-Modems-Routers/CAX80-keeps-rebooting/td-p/2231370/page/2 you can see FURRYe38 respond to kinghq1. I am not sure if FURRYe38 didnt read kinghq1's post and also ignored all the others discussing and posting detailed information, but the response was lacking at the very least. I've seen this from FURRYe38 many times, asks a ton of questions, ignores the answers, provides incorrect or scripted answers that have nothing to do with the facts at hand. Frustrating but FURRYe38 isnt a NG employee or forum moderator. I hope the intent is to help but i've seen rapid fire post reponses with no actual need for the question since it was provided in the OP. I have no idea why anyone would want to up their post count on the NG community board, so I will keep hoping its to help. Even though furry later posts switching to the CM2000, possibly/probably before the issue presented itself but after the 2.1.3.7 firmware update.
To sum it all up, I beleive it is the 2.1.3.7 firmware, I am 99.9% certain of that (.01% ... I could be wrong, a broken clock is right twice a day). NG doesnt appear to be responding (appropiately) to the "known" issue as far as I can tell (my CAX80 RMA, what they have said, emailed, and their inadaquate lack of knowledge on NG product alerts). There are multiple community posts and i'm willing to bet a large number of support tickets that are being ignored or at least not tracked or cataloged effectively. Not everyone lurks the NetGear community board and reads 300+ threads researching this specific issue, not even the mods and NG employees... the customer just wants their product to work or be fixed. I've got to tell you, it is extremely difficult, far beyone what it should be. Just my 2 cents.
This issue has plagued for years and in all firmware. I am really not happy with Netgear on this modem at all. First of all, for a modem which i paid almost 500 for, does not have QOS setting and this LAND attack every 30 minutes.
I have tried looking out for solutions over the years and even though Netgear tells this will not affect your browsing experience as LAND attacks are ignored, i have found a correlation where these LAND attacks create this terrible latency while online gaming. Everytime i have a huge network latency inside a game, i have noticed these logs occur at the same time. While browsing, streaming OTT platforms this may not be observable, but it has broken online gaming for me.With really high blufferbloat and these constant Land port scan, this modem/router has the highest blufferbloat/latency i have encountered in any modems.
Everyone in this thread, please disable DLNA on the modem. I go some info from NG that seems to point to DLNA and it's tivo protocol using that port. So if your seeing this item in the logs, try disabling DLNA on the modem.
