vwwanted
Mar 30, 2016, Aspirant
DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi
I'm getting lots of DoS attacks logged in my C3000 modem/router. They appear to be coming from inside my network, from my wifi. I keep seeing a device attached to my wifi with an IP address of 1.1.15...
fqm889
Apr 21, 2017, Initiate
I also have this problem. My iPad always has this IP address associated with its MAC address. I'm using a C3000 with Comcast.
By looking into this problem I realized that it's not hacking.
The fact is that NETGEAR is not supporting IPv6 well. It's mistaking part of the IPv6 address in IPv6 packets as the src and dst of IPv4 packets.
The IPv6 packet is something like this:
| --- 32 bit --- | Info
| --- 32 bit --- | Info
| --- 32 bit --- | source ip e.g. 1111:2222
| --- 32 bit --- | source ip e.g. 3333:4444
| --- 32 bit --- | source ip e.g. 5555:6666
| --- 32 bit --- | source ip e.g. 7777:8888
| --- 32 bit --- | destination ip e.g. 9999:aaaa
| --- 32 bit --- | destination ip e.g. bbbb:cccc
| --- 32 bit --- | destination ip e.g. dddd:eeee
| --- 32 bit --- | destination ip e.g. ffff:0000
While ipv4 is like this
| --- 32 bit --- | Info
| --- 32 bit --- | Info
| --- 32 bit --- | Info
| --- 32 bit --- | source ip e.g. 111.222.111.222
| --- 32 bit --- | destination ip e.g. 000.111.000.111
| --- 32 bit --- | options
Netgear is mistaking lines 4 and 5 of an IPv6 packet, which are part of the IPv6 address, as the src and dst of an IPv4 packet.
The source and destination IP addresses in my log are exactly part of the IPv6 address, which is in hexadecimal, of my iPad.
You can verify that by yourself.
ipv6 address:
xxxx:xxxx:aabb:ccdd:eeff:gghh:xxxx:xxxx
Change aa bb cc dd ee ff gg hh from hexadecimal to decimal AAA BBB CCC DDD EEE FFF GGG HHH
Then you can find that AAA.BBB.CCC.DDD is your source and EEE.FFF.GGG.HHH is your destination of 'DoS' packets.
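The check fqm889 describes, as an added Python example that is not part of the original posts: it builds an IPv6 header, reads it at the byte offsets where an IPv4 header keeps its source and destination (12 and 16), and matches a logged pair against a device's IPv6 addresses. The addresses are constructed samples and the function names are hypothetical.

```python
import ipaddress
import struct

def misread_as_ipv4(ipv6_source):
    """Read bytes 4..11 of an IPv6 source address (groups 3-6) as the
    (src, dst) IPv4 pair that would show up in the router log."""
    raw = ipaddress.IPv6Address(ipv6_source).packed
    return (str(ipaddress.IPv4Address(raw[4:8])),
            str(ipaddress.IPv4Address(raw[8:12])))

def build_ipv6_header(src, dst, payload_len=0, next_header=59, hop_limit=64):
    """Build the 40-byte IPv6 fixed header (version 6, zero class/flow label)."""
    first_word = 6 << 28
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def parse_with_ipv4_offsets(packet):
    """Parse the way the posts say the router does: IPv4 offsets 12 and 16."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))

def explain_log_entry(logged_src, logged_dst, device_ipv6_addresses):
    """Return the local IPv6 address that accounts for a logged 'DoS' pair,
    or None if no known device address explains it."""
    for addr in device_ipv6_addresses:
        if misread_as_ipv4(addr) == (logged_src, logged_dst):
            return addr
    return None

# Constructed sample addresses (documentation prefix 2001:db8::/32),
# standing in for one device's temporary and stable IPv6 addresses.
DEVICE_ADDRS = ["2001:db8:10f:2a3b:cb00:7107:9f00:1234",
                "2001:db8:10f:2a3b:211:22ff:fe33:4455"]

if __name__ == "__main__":
    hdr = build_ipv6_header(DEVICE_ADDRS[0], "2001:db8::1")
    print(parse_with_ipv4_offsets(hdr))
    print(explain_log_entry("1.15.42.59", "2.17.34.255", DEVICE_ADDRS))
```

A logged pair that `explain_log_entry` cannot match to any address on your own devices is not covered by this explanation and deserves a closer look.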
- cbk1200, Apr 21, 2017, Initiate
Interesting. Thanks for looking into this. I ended up buying a Motorola router and haven't had any issues since.
- SamirD, Apr 21, 2017, Prodigy
Wow! Congrats on finding the exact source of this bug! Now, hopefully Netgear sees this and will fix the code.
- PGillard, Jun 30, 2017, Guide
Anybody have any detailed instructions on how to change the IPv6 addresses in the above?
- PGillard, Jul 01, 2017, Guide
Might you be able to point me towards a more detailed set of steps to follow to fix the ipv6 issue?
thank you
Paul
- wgroks, Jul 20, 2017, Aspirant
Why do I keep buying netgear? I guess cause cheap, and it shows.
- damianinpa, Sep 07, 2017, Guide
I have the same issue and even posted a new thread about this. As far as I know, there is no fix. I have searched all over the internet and quite a few people complain about this. In my case, my daughter's iPhone shows up in the router page with a WAN IP and I see DoS attacks. This causes drops for all devices on my network for about 1 minute. It happens randomly, but almost every day. I love the way there is no response at all from Netgear. Do they not monitor their own forums? At least acknowledge the issue. So, I decided to buy a Surfboard 6190 model and an Asus wireless router. I'll be hooking them up next week and hopefully this issue will be behind me. Everything I read online states this is a Netgear bug with iOS devices and IPv6 packet interpretation. And of course you can't even turn off IPv6 on the C7000. That is pathetic.
- Left4Dead2, Dec 16, 2017, Guide
thanks damianinpa,
I have to agree with what you're saying. I think it also has to do with certain apps being used too. I tried latching my work iPhone 6 on to do some testing, and the funny thing is that it changed the IP address briefly and went away. I used 2 work apps and hardly anything else, and it appeared to be functioning as normal when checking the logs. I noticed that with certain social apps, it logs the errors immediately from another iPhone being tested, which is constantly being used daily and has a ton of other apps. I feel it's a cause for concern, thinking that phone has been infected somehow instead of the work phone, due to the work phone's limited apps and usage. Is the other iPhone acting like some malicious program is hiding behind those social apps, causing all these errors? Hopefully, your test on the other replacement routers works out.
- filmjbrandon, Dec 10, 2017, Initiate
So, fqm889 is completely correct, and I can verify this as well.
fqm889 wrote:
ipv6 address:
xxxx:xxxx:aabb:ccdd:eeff:gghh:xxxx:xxxx
Change aa bb cc dd ee ff gg hh from hexadecimal to decimal AAA BBB CCC DDD EEE FFF GGG HHH
Then you can find that AAA.BBB.CCC.DDD is your source and EEE.FFF.GGG.HHH is your destination of 'DoS' packets.
I am seeing the same IP source to multiple target addresses, and this now makes sense because the first 3 fields of ipv6 will always be the same as would the first three numbers of an IPv4 address like "192.168.0.X" on the private network.
The target number is the fourth field of the IPv6 address that's allocated to my device, and different devices will show different numbers here. Also, this part of the address is dynamic and changes over time, so it looks like the target changes every few days. Targets, because of the randomness of IP addresses, have appeared to be benign things like a random mobile device, or addresses of government or banking organizations in other countries. In fact, as demonstrated by fqm889, none of these addresses are actually being reached from my network.
I would also like to add that ipv6 also provides for allocating 2 addresses for every device, and only the 2nd address or privacy extension/temporary address is tripping up the router.
In any case, I am wondering if the performance issues I see are related, and perhaps the router is trying to filter/block or otherwise uses resources tracking all these seemingly malignant calls, when they are actually perfectly legit traffic passing through the network.
I hope that Netgear will fix, but perhaps we all who are seeing this should try to contact them directly and let them know of the issue rather than hope they monitor user forums.
- JollyRoger72, Dec 12, 2017, Guide
Is there any solution to this? I am having the same problem.