NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

Juventus_nz's avatar
Juventus_nz
Follower
Mar 04, 2017

DoS Attacks in the logs

Hey guys
I have been getting disconnected from the internet at different times over the past week. At first i thought it might have been an ISP issue, spoke to them and multiple line checks revealed no issues....during the drop outs i wasnt able to ping the router (Nighthawk D7000) or any devices on my home network, i have checked the logs and it contained multiple DoS attack entries as below

DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:43:45
[DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:42:30
[DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:41:14
[DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:39:59

I went ahead and disabled remote management and turned off upnp etc....propblem still persisted. I have changed the router to a new one (same model) and Dos attacks continued. With our ISP i get a new public IP address everytime i restart my router so there is really mo chance of this being a Real DoS attack as my IP changed on a daily basis (atleast over the past week)
Done a scan on all the home laptops for any malware nothing!!
I am stuck and not sure what to do? Is this a fault with the firmware / netgear equipments?
Any help is greatly appreciated
Cheers
DOS attacks
dropouts
Troubleshooting

17 Replies

  • MrCarrotIII's avatar
    MrCarrotIII
    Aspirant
    Mar 05, 2017

    Im also having the same problems as you. Its constant, Ive been trying to find a way to block this IP address but with no luck. I lose connection each time this happens. 

     

    Teardrop or derivative]1Sun Mar 05 17:56:37 2017121.13.197.171:073.0.209.0:0
    [Illegal Fragments]1Sun Mar 05 17:56:37 2017121.13.197.171:073.0.209.0:0
    [Ping Of Death]3Sun Mar 05 17:56:37 2017121.13.197.171:073.0.209.0:0
    [Illegal Fragments]1Sun Mar 05 17:56:40 2017121.13.197.171:073.0.209.0:0
    [Ping Of Death]1Sun Mar 05 17:56:40 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]2Sun Mar 05 17:56:42 2017121.13.197.171:073.0.209.0:0
    [Illegal Fragments]2Sun Mar 05 17:56:46 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]1Sun Mar 05 17:56:48 2017121.13.197.171:073.0.209.0:0
    [Ping Of Death]1Sun Mar 05 17:56:50 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]1Sun Mar 05 17:56:55 2017209.251.223.129:073.0.209.0:0
    [Illegal Fragments]2Sun Mar 05 17:56:55 2017209.251.223.129:073.0.209.0:0
    [Teardrop or derivative]4Sun Mar 05 17:57:59 2017209.251.223.129:073.0.209.0:0
    [Ping Of Death]1Sun Mar 05 18:01:04 2017209.251.223.129:073.0.209.0:0
    [Teardrop or derivative]1Sun Mar 05 18:02:24 2017121.13.197.171:073.0.209.0:0
    [Illegal Fragments]1Sun Mar 05 18:02:25 2017121.13.197.171:073.0.209.0:0
    [Ping Of Death]1Sun Mar 05 18:02:25 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]1Sun Mar 05 18:02:25 2017121.13.197.171:073.0.209.0:0
    [Ping Of Death]2Sun Mar 05 18:02:35 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]1Sun Mar 05 18:02:52 2017209.251.223.129:073.0.209.0:0
    [TCP- or UDP-based Port Scan]1Sun Mar 05 18:07:13 2017  
    [Ping Of Death]2Sun Mar 05 18:07:15 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]2Sun Mar 05 18:07:18 2017121.13.197.171:073.0.209.0:0
    [Ping Of Death]1Sun Mar 05 18:07:24 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]1Sun Mar 05 18:07:27 2017121.13.197.171:073.0.209.0:0
    [Ping Of Death]2Sun Mar 05 18:07:28 2017121.13.197.171:073.0.209.0:0
    [Teardrop or derivative]2Sun Mar 05 18:07:30 2017121.13.197.171:073.0.209.0:0
    [Illegal Fragments]1Sun Mar 05 18:11:02 2017121.13.197.171:073.0.209.0:0
    [TCP- or UDP-based Port Scan]1Sun Mar 05 18:16:51 2017  
    [FAILURE: User interface login]2Sun Mar 05 18:16:56 2017  
    [SUCCESS: User interface login]1Sun Mar 05 18:17:00 2017  
  • xnav's avatar
    xnav
    Star
    Mar 06, 2017

    See this.  I have an open problem with Netgear support, they ask me some trivial question every  two weeks, but have done nothing!

  • KClaeys's avatar
    KClaeys
    Aspirant
    Mar 06, 2017

    I am having the same issue with these attacks. I am at my wit's end with what to do. I work from home and cannot afford to keep having these dropped internet issues. The attacks are happening daily, multiple times a day.  Is there anything that can help? I am so freaking aggravated, it isn't funny. These are but just a few of the attacks. My provider is Cox Communications.

     

    DoS attack] ICMP Flood from 206.117.25.901Monday, 06 Mar 2017 09:48:0668.102.73.127206.117.25.90
    [DoS attack] ICMP Flood from 129.82.138.441Monday, 06 Mar 2017 07:56:3068.102.73.127129.82.138.44
    [DoS attack] ICMP Flood from 212.1.84.561Monday, 06 Mar 2017 07:24:2368.102.73.127212.1.84.56
    [DoS attack] ICMP Flood from 195.251.255.691Monday, 06 Mar 2017 07:00:5868.102.73.127195.251.255.69
    [DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:9090 DPT:221Monday, 06 Mar 2017 05:55:0168.102.73.127221.229.160.210
    [DoS attack] ICMP Flood from 203.178.148.191Monday, 06 Mar 2017 05:06:4968.102.73.127203.178.148.19
    [DoS attack] ICMP Flood from 187.54.115.1291Monday, 06 Mar 2017 05:00:3368.102.73.127187.54.115.129
    [DoS attack] ICMP Flood from 185.94.111.11Monday, 06 Mar 2017 04:43:1268.102.73.127185.94.111.1
    [DHCP IP: (192.168.0.104)] to MAC address 00:0b:82:67:70:9d1Monday, 06 Mar 2017 04:32:380.0.0.00.0.0.0
    [DoS attack] ICMP Flood from 206.117.25.901Monday, 06 Mar 2017 01:33:0368.102.73.127206.117.25.90
    [DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:56766 DPT:231Monday, 06 Mar 2017 00:13:4968.102.73.1275.232.188.59
    [DoS attack] ICMP Flood from 129.82.138.441Sunday, 05 Mar 2017 23:42:1368.102.73.127129.82.138.44
    [DoS attack] ICMP Flood from 195.251.255.691Sunday, 05 Mar 2017 23:08:0468.102.73.127195.251.255.69
    [DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:9090 DPT:221Sunday, 05 Mar 2017 22:34:1868.102.73.127221.229.160.210
    • KClaeys's avatar
      KClaeys
      Aspirant
      Mar 07, 2017

      Hi Darren,

       

      Thanks for the info. I am planning on writing them a scathing letter to get them to stop. I don't think it is all them though. Anyway, I checked the logs and this is the first thing I saw:

       

      DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:9090 DPT:221Tuesday, 07 Mar 2017 11:17:4868.102.73.127221.229.160.210
      [DoS attack] ICMP Flood from 206.117.25.901Tuesday, 07 Mar 2017 09:49:0668.102.73.127206.117.25.90

       

      Any ideas on what to do? I am seriously upset because of the dropped internet. This is really killing my paycheck.

    • DarrenM's avatar
      DarrenM
      Sr. NETGEAR Moderator
      Mar 08, 2017

      Can you post the power levels on the Cable connection page check to see if anything is off. You may also want to check if you have a cable splitter connected to the modem they can cause some issues try plugging straight to the wall. Also have you had your ISP come out and check your lines?

       

      DarrenM

      • KClaeys's avatar
        KClaeys
        Aspirant
        Mar 09, 2017

        I don't use a splitter, so I know that itsn't the problem. I'm going to have the cable company come out, even though they all tell me it's on my end. Here are the logs for the power.  Please let me know if you see anything odd.

         

        <tabindex=-1>Downstream Bonded Channels
        ChannelLock StatusModulationChannel IDFrequencyPowerSNRCorrectablesUnCorrectables
        1LockedQAM 256121813000000 Hz-7.7 dBmV37.6 dB00
        2LockedQAM 256122819000000 Hz-7.7 dBmV37.6 dB170
        3LockedQAM 256123825000000 Hz-7.2 dBmV37.6 dB00
        4LockedQAM 256124831000000 Hz-7.5 dBmV37.6 dB00
        5LockedQAM 256125837000000 Hz-7.7 dBmV37.6 dB00
        6LockedQAM 256126843000000 Hz-8.2 dBmV38.6 dB00
        7LockedQAM 256127849000000 Hz-8.2 dBmV37.6 dB00
        8LockedQAM 256128855000000 Hz-8.7 dBmV37.6 dB00
        9LockedQAM 256137909000000 Hz-9.7 dBmV37.3 dB342448193
        10LockedQAM 256138915000000 Hz-10.2 dBmV34.3 dB409868314
        11LockedQAM 256139921000000 Hz-10.5 dBmV37.6 dB208641253
        12LockedQAM 256140927000000 Hz-10.7 dBmV36.6 dB2847327
        13LockedQAM 256141933000000 Hz-11.4 dBmV36.3 dB00
        14LockedQAM 256142939000000 Hz-11.7 dBmV36.3 dB00
        15LockedQAM 256143945000000 Hz-12.5 dBmV36.3 dB00
        16LockedQAM 256144951000000 Hz-13.3 dBmV35.7 dB00
        <tabindex=-1>Upstream Bonded Channels
        ChannelLock StatusUS Channel TypeChannel IDSymbol RateFrequencyPower
        1LockedATDMA12560 Ksym/sec21600000 Hz41.3 dBmV
        2LockedATDMA25120 Ksym/sec26500000 Hz41.3 dBmV
        3LockedATDMA35120 Ksym/sec33000000 Hz42.8 dBmV
        4LockedATDMA42560 Ksym/sec37900000 Hz42.8 dBmV
  • DarrenM's avatar
    DarrenM
    Sr. NETGEAR Moderator
    Mar 09, 2017

    Hello KClaeys

     

    All the levels look good from what you posted but those could change when you are losing service maybe its a line issue outside it happens alot when neighbors get cable hooked up a tech could mess someone else connection up I guess you will find out when the tech comes.

     

    DarrenM

    • KClaeys's avatar
      KClaeys
      Aspirant
      Mar 26, 2017

      Hi Darren,

      The cable company came out and ran a new line from the house to the pole, put a new box on the house, we moved the modem, used new cables on everything and I am still having issues. Now I am getting T3 and T4 timesouts. One day the internet was dropping literally every 10 minutes. Of course, Cox tells me it is on my end and they are getting great signals. Interestingly enough, when I contacted that university about not pinging my internet, I haven't had one DoS attack. Here is the log from today when trouble started (again).  I am considering getting a modem from Cox and if I still have the same problems with one of THEIR modems, then I guess it is on them.

       
       
       
       
      TimePriorityDescription
      Mar 25 2017 20:31:39Notice (6)TLV-11 - unrecognized OID
      Mar 25 2017 20:31:39Warning (5)MIMO Event MIMO: Stored MIMO=-1 post cfg file MIMO=-1
      Mar 25 2017 14:57:58Notice (6)TLV-11 - unrecognized OID
      Mar 25 2017 14:57:57Warning (5)MIMO Event MIMO: Stored MIMO=-1 post cfg file MIMO=-1
      Mar 25 2017 14:52:58Notice (6)TLV-11 - unrecognized OID
      Mar 25 2017 14:52:57Warning (5)MIMO Event MIMO: Stored MIMO=-1 post cfg file MIMO=-1
      Mar 25 2017 14:50:45Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:50:15Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:49:45Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:49:15Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:48:45Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:48:15Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:47:45Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:47:15Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:46:45Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:46:15Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:45:45Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:45:16Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:44:46Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:44:16Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:43:46Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:43:16Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:42:46Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:42:16Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:41:46Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:41:16Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:40:46Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:40:17Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:39:47Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:39:17Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:38:47Critical (3)Unicast Maintenance Ranging attempted - No response - Retries exhausted
      Mar 25 2017 14:38:47Critical (3)Ranging Request Retries exhausted
      Mar 25 2017 14:38:17Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:37:47Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:37:17Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:36:47Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:36:17Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:35:47Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:35:18Critical (3)Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
      Mar 25 2017 14:34:48Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:34:48Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out
      Mar 25 2017 14:34:48Critical (3)Started Unicast Maintenance Ranging - No Response received - T3 time-out

       

      • DarrenM's avatar
        DarrenM
        Sr. NETGEAR Moderator
        Mar 27, 2017

        Hello KClaeys

         

        It could be a bigger issue away from your homes lines but yea you may want to test another modem to be sure if its on there end or not but typically those T3 and T4 timeouts are.

         

        DarrenM

    • xnav's avatar
      xnav
      Star
      Mar 11, 2017

      I gave up on  Netgear and bought a Motorola, and have not seen the problem in 3 days now.

  • DarrenM's avatar
    DarrenM
    Sr. NETGEAR Moderator
    Mar 15, 2017

    Hello Mrcarrotlll

     

    Are you able to post your logs and levels of the modem it could give a better Idea of why the disconnects are happening.

     

    DarrenM

    • MrCarrotIII's avatar
      MrCarrotIII
      Aspirant
      Mar 17, 2017
      <tabindex=-1>Downstream Bonded Channels
      ChannelLock StatusModulationChannel IDFrequencyPowerSNR
      1LockedQAM256102801000000 Hz2.1 dBmV38.7 dB
      2LockedQAM256101795000000 Hz2.0 dBmV38.6 dB
      3LockedQAM256103807000000 Hz2.1 dBmV39.0 dB
      4LockedQAM256104813000000 Hz2.0 dBmV39.0 dB
      5LockedQAM256109843000000 Hz1.1 dBmV38.6 dB
      6LockedQAM256110849000000 Hz0.7 dBmV38.6 dB
      7LockedQAM256111855000000 Hz0.2 dBmV38.0 dB
      8LockedQAM256112861000000 Hz-0.1 dBmV37.8 dB
      <tabindex=-1>Upstream Bonded Channels
      ChannelLock StatusUS Channel TypeChannel IDSymbol RateFrequencyPower
      1LockedATDMA25120 Ksym/sec21984000 Hz44.8 dBmV
      2LockedTDMA and ATDMA12560 Ksym/sec17154000 Hz44.0 dBmV
      3LockedATDMA35120 Ksym/sec28414000 Hz45.5 dBmV
      4LockedATDMA45120 Ksym/sec34844000 Hz45.5 dBmV
  • DarrenM's avatar
    DarrenM
    Sr. NETGEAR Moderator
    Mar 21, 2017

    Hello MrCarrotlll

     

    The power level look fine what about the logs are you seeing any type of timeouts?

     

    DarrenM