steveberry10
May 29, 2022 Tutor
[DoS attack] LAND Attack SPT:2190 DPT:2190
Hi All, I had an issue last week with my Orbi system. Long story short, I was receiving a ton of DDoS messages from all my devices attached to my home network. After talking this over with a fe...
Trickabounce
Jul 27, 2022 Initiate
I believe the "[DoS attack] LAND Attack SPT:2190 DPT:2190" is a legitimate concern.
I started to have poor wifi connection and investigated.
I logged into my router, Netgear CAX80, and under Advanced, Administration, Logs: I noticed many "[DoS attack]" errors.
I first noticed the many "[DoS attack] LAND Attack SPT:2190 DPT:2190" entries, but they showed the source as my own IP address.
The user above, "FURRYe38" posted this link and shows a description of the error: https://www.radware.com/security/ddos-knowledge-center/ddospedia/land-attack/. Description: "In a DoS land (Local Area Network Denial) attack, the attacker sends a TCP SYN spoofed packet where source and destination IPs and ports are set to be identical. When the target machine tries to reply, it enters a loop, repeatedly sending replies to itself which eventually causes the victim machine to crash."
Then user above, "steveberry10" mentioned that he saw NULL attacks as well.
Upon further inspection of my logs, I came across a different [DoS attack]:
"[DoS attack] NULL Attack SPT:15921 DPT:39402" from IP address: 60.161.81.116:39965
"[DoS attack] NULL Attack SPT:39965 DPT:59537" from IP address: 60.161.81.116:15921
By looking up the location of the IP address via What is my IP location? (Geolocation), these DoS NULL Attacks are coming from the Yunnan province of China and/or Beijing, China.
Once these NULL attacks started to happen, I've been receiving anywhere between 10 to 30 "[DoS attack] LAND Attack SPT:2190 DPT:2190" attacks every hour or so.
I came to the conclusion that the solution to remedy this issue is to renew your dynamic IP address, and unfortunately my ISP provider, Spectrum, cannot do it remotely. Spectrum stated that the way to renew my IP address is to turn off and unplug my router for as long as possible (3 to 4 hours may be enough time) so that the ISP system can automatically issue a new dynamic IP address.
I believe that by renewing your IP address, you will no longer be a target to these DoS attacks from China.
My best regards to you all.
Note: I also believe that the new firmware version V2.1.3.7 for the CAX80 did address this security vulnerability: CAX80 Firmware Version 2.1.3.7 | Answer | NETGEAR Support
So, to reiterate, I do believe this is a legitimate security concern and DO NOT DOWNGRADE YOUR FIRMWARE.
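The two signatures named in these log entries can be written as a check on a packet's IPv4 and TCP headers; because a LAND packet has identical source and destination, such an entry lists the router's own address as the source. This is an added example, not part of the original post and not NETGEAR's firmware logic. It assumes "NULL" means a TCP segment with no flags set (the router's exact rule is not given on this page), and the addresses in the samples are constructed documentation addresses.

```python
import socket
import struct

SYN = 0x02

def classify(packet: bytes):
    """Return 'LAND', 'NULL' or None for a raw IPv4 packet carrying TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6:
        return None                          # malformed IHL or not TCP
    if struct.unpack_from("!H", packet, 6)[0] & 0x1FFF:
        return None                          # later fragment: no TCP header here
    if len(packet) < ihl + 14:
        return None                          # TCP header cut before the flags byte
    src, dst = packet[12:16], packet[16:20]
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    flags = packet[ihl + 13] & 0x3F          # FIN, SYN, RST, PSH, ACK, URG
    if flags == 0:
        return "NULL"                        # assumption: no TCP flags set at all
    if flags & SYN and src == dst and sport == dport:
        return "LAND"                        # SYN whose source equals its destination
    return None

def constructed_packet(src, dst, sport, dport, flags):
    """Constructed test input: bare IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

# Constructed samples; the port numbers are the ones quoted in the log entries above.
SAMPLES = {
    "land": constructed_packet("192.0.2.10", "192.0.2.10", 2190, 2190, SYN),
    "null": constructed_packet("203.0.113.7", "192.0.2.10", 15921, 39402, 0),
    "normal": constructed_packet("203.0.113.7", "192.0.2.10", 50000, 443, SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```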