vwwanted
Mar 30, 2016 Aspirant
DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi
I'm getting lots of DoS attacks logged in my C3000 modem/router. They appear to be coming from inside my network, from my wifi. I keep seeing a device attached to my wifi with an IP address of 1.1.15...
fqm889
Apr 20, 2017 Initiate
I also have this problem. My iPad always has this IP address associated with its MAC address. I'm using a C3000 with Comcast.
By looking into this problem I realized that it's not hacking.
The fact is that NETGEAR is not supporting IPv6 well. It's mistaking part of the IPv6 address in IPv6 packets for the src and dst of IPv4 packets.
The IPv6 packet is something like this:
| --- 32 bit --- | Info
| --- 32 bit --- | Info
| --- 32 bit --- | source ip e.g. 1111:2222
| --- 32 bit --- | source ip e.g. 3333:4444
| --- 32 bit --- | source ip e.g. 5555:6666
| --- 32 bit --- | source ip e.g. 7777:8888
| --- 32 bit --- | destination ip e.g. 9999:aaaa
| --- 32 bit --- | destination ip e.g. bbbb:cccc
| --- 32 bit --- | destination ip e.g. dddd:eeee
| --- 32 bit --- | destination ip e.g. ffff:0000
While IPv4 is like this:
| --- 32 bit --- | Info
| --- 32 bit --- | Info
| --- 32 bit --- | Info
| --- 32 bit --- | source ip e.g. 111.222.111.222
| --- 32 bit --- | destination ip e.g. 000.111.000.111
| --- 32 bit --- | options
Netgear is mistaking lines 4 and 5 of an IPv6 packet, which are part of the IPv6 address, for the src and dst of an IPv4 packet.
The source and destination IP addresses in my log are exactly part of the IPv6 address, which is in hexadecimal, of my iPad.
You can verify that by yourself.
ipv6 address:
xxxx:xxxx:aabb:ccdd:eeff:gghh:xxxx:xxxx
Change aa bb cc dd ee ff gg hh from hexadecimal to decimal AAA BBB CCC DDD EEE FFF GGG HHH
Then you can find that AAA.BBB.CCC.DDD is your source and EEE.FFF.GGG.HHH is your destination of 'DoS' packets.
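The overlap described in the post above, as an added Python example that is not part of the original thread: it builds a standard 40-byte IPv6 header, reads the bytes at the IPv4 source/destination offsets, and checks a logged pair against a list of device IPv6 addresses. The sample addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample addresses (documentation prefix 2001:db8::/32).
SAMPLE_SRC = "2001:db8:0a14:1e28:c633:6407:1234:5678"
SAMPLE_DST = "2001:db8::1"

def build_ipv6_header(src, dst, payload_len=0, next_header=59, hop_limit=64):
    """Build the 40-byte IPv6 fixed header: 2 info words, 4 source, 4 destination."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    info = struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
    return info + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

def misread_as_ipv4(header):
    """Read header bytes 12-15 and 16-19, where an IPv4 parser expects src and dst."""
    src = ipaddress.IPv4Address(header[12:16])
    dst = ipaddress.IPv4Address(header[16:20])
    return str(src), str(dst)

def phantom_pair(ipv6_src):
    """Same pair taken straight from the IPv6 source address:
    groups 3-4 (aabb:ccdd) -> 'source', groups 5-6 (eeff:gghh) -> 'destination'."""
    raw = ipaddress.IPv6Address(ipv6_src).packed
    return str(ipaddress.IPv4Address(raw[4:8])), str(ipaddress.IPv4Address(raw[8:12]))

def explain_log_entry(log_src, log_dst, device_ipv6_addrs):
    """Return the device IPv6 addresses whose bytes reproduce a logged src/dst pair."""
    return [a for a in device_ipv6_addrs if phantom_pair(a) == (log_src, log_dst)]

if __name__ == "__main__":
    header = build_ipv6_header(SAMPLE_SRC, SAMPLE_DST)
    print("misread header:", misread_as_ipv4(header))
    print("from address:  ", phantom_pair(SAMPLE_SRC))
    print("explained by:  ", explain_log_entry("10.20.30.40", "198.51.100.7",
                                               [SAMPLE_SRC, SAMPLE_DST]))
```

To triage a real log entry, pass the logged source and destination together with every IPv6 address the suspected device currently holds, temporary addresses included.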
filmjbrandon
Dec 09, 2017 Initiate
So, fqm889 is completely correct, and I can verify this as well.
fqm889 wrote:
ipv6 address:
xxxx:xxxx:aabb:ccdd:eeff:gghh:xxxx:xxxx
Change aa bb cc dd ee ff gg hh from hexadecimal to decimal AAA BBB CCC DDD EEE FFF GGG HHH
Then you can find that AAA.BBB.CCC.DDD is your source and EEE.FFF.GGG.HHH is your destination of 'DoS' packets.
I am seeing the same IP source to multiple target addresses, and this now makes sense because the first 3 fields of ipv6 will always be the same as would the first three numbers of an IPv4 address like "192.168.0.X" on the private network.
The target number is the fourth field of the IPv6 address that's allocated to my device, and different devices will show different numbers here. Also, this part of the address is dynamic and changes over time, so it looks like the target changes every few days. Targets, because of the randomness of IP addresses, have appeared to be benign things like a random mobile device, or addresses of government or banking organizations in other countries. In fact, as demonstrated by fqm889, none of these addresses are actually being reached from my network.
I would also like to add that ipv6 also provides for allocating 2 addresses for every device, and only the 2nd address or privacy extension/temporary address is tripping up the router.
In any case, I am wondering if the performance issues I see are related, and perhaps the router is trying to filter/block or otherwise uses resources tracking all these seemingly malignant calls, when they are actually perfectly legit traffic passing through the network.
I hope that Netgear will fix this, but perhaps all of us who are seeing this should try to contact them directly and let them know of the issue rather than hope they monitor user forums.
- JollyRoger72 Dec 12, 2017 Guide
Is there any solution to this? I am having the same problem.