steveberry10
May 29, 2022 Tutor
[DoS attack] LAND Attack SPT:2190 DPT:2190
Hi All, I had an issue last week with my Orbi system. Long story short, I was receiving a ton of DDoS messages from all my devices attached to my home network. After talking this over with a fe...
Trickabounce
Jul 28, 2022 Initiate
I believe the "[DoS attack] LAND Attack SPT:2190 DPT:2190" is a legitimate concern.
I started to have poor wifi connection and investigated.
I logged into my router, Netgear CAX80, and under Advanced, Administration, Logs: I noticed many "[DoS attack]" errors.
I first noticed the many "[DoS attack] LAND Attack SPT:2190 DPT:2190" but it showed the source as my own IP address.
The user above, "FURRYe38", posted this link, which shows a description of the error: https://www.radware.com/security/ddos-knowledge-center/ddospedia/land-attack/. Description: "In a DoS land (Local Area Network Denial) attack, the attacker sends a TCP SYN spoofed packet where source and destination IPs and ports are set to be identical. When the target machine tries to reply, it enters a loop, repeatedly sending replies to itself which eventually causes the victim machine to crash."
Then the user above, "steveberry10", mentioned that he saw NULL attacks as well.
Upon further inspection of my logs, I came across a different [DoS attack]:
"[DoS attack] NULL Attack SPT:15921 DPT:39402" from IP address: 60.161.81.116:39965
"[DoS attack] NULL Attack SPT:39965 DPT:59537" from IP address: 60.161.81.116:15921
By looking up the location of the IP address via What is my IP location? (Geolocation), these DoS NULL Attacks are coming from the Yunnan province of China and/or Beijing, China.
Once these NULL attacks started to happen, I've been receiving anywhere between 10 to 30 "[DoS attack] LAND Attack SPT:2190 DPT:2190" attacks every hour or so.
I came to the conclusion that the solution to remedy this issue is to renew your dynamic IP address, and unfortunately my ISP provider, Spectrum, cannot do it remotely. Spectrum stated that the way to renew my IP address is to turn off and unplug my router for as long as possible (3 to 4 hours may be enough time) so that the ISP system can automatically issue a new dynamic IP address.
I believe that by renewing your IP address, you will no longer be a target to these DoS attacks from China.
My best regards to you all.
Note: I also believe that the new firmware version V2.1.3.7 for the CAX80 did address this security vulnerability: CAX80 Firmware Version 2.1.3.7 | Answer | NETGEAR Support
So, to reiterate, I do believe this is a legitimate security concern and DO NOT DOWNGRADE YOUR FIRMWARE.
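Added example (not part of any post in this thread): a short Python triage of router log lines like the ones quoted above, separating LAND entries whose logged source is the router's own WAN address from entries with an external source. The timestamp prefix, the full line layout and every address below are constructed assumptions; only the `[DoS attack] ... SPT/DPT` wording comes from the thread.

```python
import re
from collections import Counter

# Assumed layout: "<date> <time> [DoS attack] <KIND> Attack SPT:n DPT:n
# from IP address: <ip>:<port>". Only the bracketed part is quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} "
    r"\[DoS attack\] (?P<kind>\w+) Attack SPT:(?P<spt>\d+) DPT:(?P<dpt>\d+) "
    r"from IP address: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2022-07-23 14:02:10 [DoS attack] LAND Attack SPT:2190 DPT:2190 from IP address: 203.0.113.7:2190
2022-07-23 14:31:45 [DoS attack] LAND Attack SPT:2190 DPT:2190 from IP address: 203.0.113.7:2190
2022-07-23 15:01:02 [DoS attack] LAND Attack SPT:2190 DPT:2190 from IP address: 203.0.113.7:2190
2022-07-23 15:04:40 [DoS attack] NULL Attack SPT:15921 DPT:39402 from IP address: 198.51.100.23:15921
2022-07-23 15:04:41 [DoS attack] NULL Attack SPT:39965 DPT:59537 from IP address: 198.51.100.23:39965
2022-07-23 15:10:00 Admin login from 192.168.1.5
"""

def triage(log_text, wan_ip):
    """Count LAND entries by whether the logged source is our own WAN IP,
    bucket them per hour, and tally other attack types by external source."""
    summary = {"self_land": 0, "foreign_land": 0, "unparsed": 0,
               "land_per_hour": Counter(), "external": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            summary["unparsed"] += 1      # not a DoS entry in the assumed layout
            continue
        if m["kind"] == "LAND":
            key = "self_land" if m["ip"] == wan_ip else "foreign_land"
            summary[key] += 1
            summary["land_per_hour"][m["hour"]] += 1
        else:
            summary["external"][(m["kind"], m["ip"])] += 1
    return summary

if __name__ == "__main__":
    # 203.0.113.7 stands in for the router's WAN address (constructed).
    for name, value in triage(SAMPLE_LOG, "203.0.113.7").items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

By the definition quoted above, a LAND packet carries identical source and destination addresses, so a logged source equal to the router's own WAN IP matches that definition and does not identify who sent the packet. The per-hour buckets make it easy to compare the LAND rate before and after a firmware or IP change.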
nomidlname
Aug 07, 2022 Aspirant
That is a heck of a theory. And some of it is technically true. Like Charter/Spectrum not assisting in changing the IP address. It's not that they can't, they can, and will, if you have a business account. But they won't, cuz you don't, have a business account. I'm a poet and didn't even know it. Like I said some true, some not true. Downgrading works, the DoS goes away entirely with 2.1.3.5. But! It is also a complete waste of time since it is auto updated every single night by Spectrum, and you can't stop it, thanks NG! So, your warning not to downgrade is correct and incorrect all at the same time.
I have been having firmware 2.1.3.7 issues for a while as well. I am not going to go over everything I've done nor provide logs. I just finalized my RMA and NG is sending me a new (or used, who can really tell with these guys) CAX80, with all the stupid turns, twists, and jump through hoops involved with that process. It's taken almost two months to get to this point. Dumbest support ever. A complete waste of time but hey... you guys keep saying you're not having issues so... worth a shot, right. See? Correct and incorrect all at the same time.
As for the Null attacks, the CAX80 is reporting them rarely and from everything I've seen, it's doing its job and stopping them. As for the [DoS attack] LAND Attack SPT:2190 DPT:2190, that is 100% 2.1.3.7 firmware related. Since I am not always right, a very slim 0.05% possibility it is a defective hardware issue... that could be addressed by correcting the dang firmware!
Not to be ungrateful or anything, I appreciate the assistance as do others. But there are many threads and a MASSIVE security alert dump on 6/29/2022 that covers this problem on the CAX80 but on previous firmware revisions. Unfortunately, I'm going to make you do the same thing I had to, go through them all one by one, since there is nothing to identify the content in the alert. No direct link for you! Here is the link to all alerts... https://www.netgear.com/about/security/ I would highly recommend that if you're going to assist, you go through them all, make a few notes... well, unfortunately, a S*** ton of notes with that crazy dump... Holy Jebers! It's like the White House and their weekly Friday night news dump to hide stuff. Remember the other multiple threads you read or assisted with that dealt with the exact same or very similar topic which can be directly attributed to the same issues.
In this thread, https://community.netgear.com/t5/Cable-Modems-Routers/CAX80-keeps-rebooting/td-p/2231370/page/2 you can see FURRYe38 respond to kinghq1. I am not sure if FURRYe38 didn't read kinghq1's post and also ignored all the others discussing and posting detailed information, but the response was lacking at the very least. I've seen this from FURRYe38 many times, asks a ton of questions, ignores the answers, provides incorrect or scripted answers that have nothing to do with the facts at hand. Frustrating but FURRYe38 isn't a NG employee or forum moderator. I hope the intent is to help but I've seen rapid fire post responses with no actual need for the question since it was provided in the OP. I have no idea why anyone would want to up their post count on the NG community board, so I will keep hoping it's to help. Even though furry later posts switching to the CM2000, possibly/probably before the issue presented itself but after the 2.1.3.7 firmware update.
To sum it all up, I believe it is the 2.1.3.7 firmware, I am 99.9% certain of that (.01% ... I could be wrong, a broken clock is right twice a day). NG doesn't appear to be responding (appropriately) to the "known" issue as far as I can tell (my CAX80 RMA, what they have said, emailed, and their inadequate lack of knowledge on NG product alerts). There are multiple community posts and I'm willing to bet a large number of support tickets that are being ignored or at least not tracked or cataloged effectively. Not everyone lurks the NetGear community board and reads 300+ threads researching this specific issue, not even the mods and NG employees... the customer just wants their product to work or be fixed. I've got to tell you, it is extremely difficult, far beyond what it should be. Just my 2 cents.
- Userneedshelp Sep 23, 2022 Aspirant
This issue has plagued for years and in all firmware. I am really not happy with Netgear on this modem at all. First of all, for a modem which I paid almost 500 for, does not have QOS setting and this LAND attack every 30 minutes.
I have tried looking out for solutions over the years and even though Netgear tells this will not affect your browsing experience as LAND attacks are ignored, I have found a correlation where these LAND attacks create this terrible latency while online gaming. Every time I have a huge network latency inside a game, I have noticed these logs occur at the same time. While browsing, streaming OTT platforms this may not be observable, but it has broken online gaming for me. With really high bufferbloat and these constant Land port scan, this modem/router has the highest bufferbloat/latency I have encountered in any modems.
- FURRYe38 Sep 23, 2022 Guru - Experienced User
What FW version are you using?
Please post a copy and paste of the modem's connection status and event log page.
https://kb.netgear.com/30007/How-do-I-obtain-the-cable-connection-information-from-a-NETGEAR-cable-modem-modem-router
https://kb.netgear.com/30008/How-do-I-view-or-clear-the-event-logs-on-my-NETGEAR-cable-modem-or-modem-router