Kakusu (Aspirant)
Apr 03, 2022
How to get AC3200 (C7800) to not respond to probe attacks
I am having constant probe attacks to my cable-modem-router. A few of them are quite persistent. See below:
[DoS attack: UDP Scan] from source: 146.88.240.4, port 42325, Sat, Apr 02, 2022 22:51:01
[DoS attack: Echo char gen] from source: 184.105.139.79, port 16301, Sat, Apr 02, 2022 19:55:09
[DoS attack: Echo char gen] from source: 146.88.240.4, port 59284, Sat, Apr 02, 2022 19:37:25
[DoS attack: Echo char gen] from source: 185.101.107.120, port 55751, Sat, Apr 02, 2022 18:55:04
[DoS attack: UDP Scan] from source: 223.71.167.165, port 31361, Sat, Apr 02, 2022 17:40:46
[DoS attack: Echo char gen] from source: 78.128.113.34, port 8080, Sat, Apr 02, 2022 16:01:39
[DoS attack: UDP Scan] from source: 167.172.72.231, port 39595, Sat, Apr 02, 2022 11:05:22
[DoS attack: Echo char gen] from source: 184.105.139.85, port 57689, Sat, Apr 02, 2022 10:15:53
[DoS attack: Echo char gen] from source: 66.240.236.116, port 58592, Sat, Apr 02, 2022 04:37:07
[DoS attack: UDP Scan] from source: 185.94.111.1, port 57786, Sat, Apr 02, 2022 02:58:30
[DoS attack: UDP Scan] from source: 185.94.111.1, port 48059, Sat, Apr 02, 2022 01:15:15
[DoS attack: UDP Scan] from source: 146.88.240.4, port 49843, Fri, Apr 01, 2022 22:51:39
[DoS attack: UDP Scan] from source: 64.225.64.99, port 54995, Fri, Apr 01, 2022 22:34:41
[DoS attack: Echo char gen] from source: 141.212.123.208, port 52400, Fri, Apr 01, 2022 22:30:20
[DoS attack: Echo char gen] from source: 146.88.240.4, port 52575, Fri, Apr 01, 2022 19:37:27
[DoS attack: Echo char gen] from source: 66.240.236.109, port 55680, Fri, Apr 01, 2022 19:24:05
[DoS attack: Echo char gen] from source: 118.123.105.86, port 47748, Fri, Apr 01, 2022 16:36:20
[DoS attack: UDP Scan] from source: 106.75.98.89, port 58914, Fri, Apr 01, 2022 05:09:54
[DoS attack: Echo char gen] from source: 64.62.197.117, port 52020, Fri, Apr 01, 2022 02:19:58
[DoS attack: Echo char gen] from source: 183.136.225.9, port 39344, Fri, Apr 01, 2022 01:38:41
[DoS attack: UDP Scan] from source: 146.88.240.4, port 43068, Thu, Mar 31, 2022 22:45:58
[DoS attack: Echo char gen] from source: 146.88.240.4, port 50739, Thu, Mar 31, 2022 19:33:15
[DoS attack: Sync flood] from source: 147.78.47.189, port 65534, Thu, Mar 31, 2022 18:19:56
I went to Shield's up (haven't gone there in a loonnnng time and I am surprised they are still there), and it shows only a few of my ports as stealth. The rest are closed but responding to the scan. This is a bit disheartening for me, and encouraging to persistent hackers. How do you put the AC3200 (C7800) in a NON-RESPONSIVE state to probing? Turning off the logging isn't the solution here. I want to be able to make it so they don't get a response and assume nothing is there.
Thanks in advance,
8 Replies
- FURRYe38 (Guru - Experienced User)
Is Respond to WAN pings enabled on the modem? There is a setting under Advanced Tab/Setup/WAN setup I believe...
- michaelkenward (Guru - Experienced User)
Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.
Search - NETGEAR Communities – DoS attacks
Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.
Here is a useful tool for that task:
IPNetInfo: Retrieve IP Address Information from WHOIS servers
If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.
- Kakusu (Aspirant)
I am still looking for the ability to make the C7800 NOT respond to any port probes.
GRC shields up responds with the ports being closed but NOT STEALTH. The DOS reporting is incidental. I am not asking how to prevent the router from reporting these...
Even during the GRC scans it reports port probing in the logs. So I would like it if GRC reports STEALTH and not just closed.
I have responded to the commenters and apparently it's not posting it publicly... which is fine. I am still curious if this modem even has the ability that I am asking for. The rented cable modem had that ability.
- FURRYe38 (Guru - Experienced User)
Is Respond to WAN pings enabled on the modem? There is a setting under Advanced Tab/Setup/WAN setup I believe...
- michaelkenward (Guru - Experienced User)
See if there is anything hidden here:
http://routerlogin.com/debug.htm
The R7800 has settings, although some, like enabling Telnet, have been removed in later firmware.
- Kakusu (Aspirant)
"Is Respond to WAN pings enabled on the modem? There is a setting under Advanced Tab/Setup/WAN setup I believe..."
NO CHECK MARK IN:
Disable IPv4 Firewall Protection
Disable Port Scan and DoS Protection
Default DMZ Server
Respond to Ping on Internet Port
Disable SIP ALG
MTU Size (in bytes) 1500
- olympos1625 (NETGEAR Employee Retired)
Hi Kakusu,
Good day!
Welcome to NETGEAR Community!
Thank you for reaching out. We are sorry for not getting back to you immediately. With the DoS attacks on the modem, does it affect your internet connection? Also, can you DM us the screenshot of the Shields up showing the ports as well as your Modem logs so we can present this to our Engineering team? Please do not hesitate to let me know if you need further assistance.
Regards,
Oliver
Community Team
- Kakusu (Aspirant)
GRC shows that the cable modem-router is responding to the probe... BLUE is closed but responds... Green is closed but does NOT respond to the probe.
NOTE: 3 things.
1) The point of this is NOT to say... "Oooooh... someone stop the DoS attacks." That point somehow keeps getting missed. I am trying to make my network INVISIBLE to probing. I have done this many times with other cable modem/routers in the past and I had ALL GREEN and Stealth and passed response.
2) I had to pare down the log... 20K characters exceeded. From April 11 to now exceeds 20K
3) 4.79.142.206 is GRC shield's up probe. Which correctly reports that the cable modem router is being probed.
LOGS:
[DoS attack: Sync flood] from source: 4.79.142.206, port 57050, Sun, Apr 17, 2022 21:47:10
[DoS attack: Echo char gen] from source: 4.79.142.206, port 57050, Sun, Apr 17, 2022 21:47:10
[DoS attack: Sync flood] from source: 4.79.142.206, port 57050, Sun, Apr 17, 2022 21:47:10
[remote login] from source fe80::3536:1a18:520a:5d44, Sun, Apr 17, 2022 21:38:23
[DoS attack: UDP Scan] from source: 5.189.168.206, port 42383, Sun, Apr 17, 2022 20:18:19
[DoS attack: Echo char gen] from source: 146.88.240.4, port 59128, Sun, Apr 17, 2022 19:37:17
[DoS attack: Echo char gen] from source: 168.100.10.75, port 49652, Sun, Apr 17, 2022 18:42:08
[DoS attack: Sync flood] from source: 120.193.249.243, port 502, Sun, Apr 17, 2022 13:53:32
[DoS attack: Sync flood] from source: 120.193.249.243, port 18551, Sun, Apr 17, 2022 12:01:25
[DoS attack: UDP Scan] from source: 185.94.111.1, port 38465, Sun, Apr 17, 2022 11:18:25
[DoS attack: Echo char gen] from source: 66.240.236.119, port 31743, Sun, Apr 17, 2022 10:15:19
[DoS attack: UDP Scan] from source: 185.94.111.1, port 33541, Sun, Apr 17, 2022 09:35:29
[DoS attack: Echo char gen] from source: 85.10.202.61, port 52361, Sun, Apr 17, 2022 08:31:09
[DoS attack: Echo char gen] from source: 74.82.47.55, port 24106, Sat, Apr 16, 2022 23:37:00
[DoS attack: UDP Scan] from source: 146.88.240.4, port 55478, Sat, Apr 16, 2022 22:48:37
[DoS attack: Echo char gen] from source: 146.88.240.4, port 38611, Sat, Apr 16, 2022 19:37:15
[DoS attack: Sync flood] from source: 44.197.112.94, port 64906, Sat, Apr 16, 2022 14:51:16
[DoS attack: Echo char gen] from source: 41.216.182.137, port 39392, Sat, Apr 16, 2022 12:52:35
[DoS attack: Echo char gen] from source: 74.82.47.9, port 44507, Sat, Apr 16, 2022 11:12:52
[DoS attack: Echo char gen] from source: 179.43.140.177, port 54214, Sat, Apr 16, 2022 01:21:18
[DoS attack: UDP Scan] from source: 146.88.240.4, port 46461, Fri, Apr 15, 2022 22:50:20
[DoS attack: Echo char gen] from source: 146.88.240.4, port 59810, Fri, Apr 15, 2022 19:37:16
[DoS attack: Echo char gen] from source: 141.212.123.209, port 50077, Fri, Apr 15, 2022 19:04:29
[WLAN access denied] from MAC: 22:f3:20:91:3d:d8 Fri, Apr 15, 2022 18:00:56
[DHCP IP: (192.168.0.36)] to MAC address 22:f3:20:91:3d:d8, Fri, Apr 15, 2022 18:00:54
[DoS attack: UDP Scan] from source: 20.90.80.193, port 51615, Fri, Apr 15, 2022 16:55:41
[DoS attack: UDP Scan] from source: 185.94.111.1, port 32986, Fri, Apr 15, 2022 09:59:26
[DoS attack: Echo char gen] from source: 45.133.1.124, port 1844, Fri, Apr 15, 2022 09:49:18
[DoS attack: UDP Scan] from source: 185.94.111.1, port 51187, Fri, Apr 15, 2022 08:56:48
[DoS attack: Echo char gen] from source: 2.56.57.173, port 42785, Fri, Apr 15, 2022 07:49:26
[DoS attack: Echo char gen] from source: 64.62.197.156, port 59660, Fri, Apr 15, 2022 06:59:52
[DoS attack: Echo char gen] from source: 80.82.77.139, port 27221, Thu, Apr 14, 2022 23:26:13
[DoS attack: UDP Scan] from source: 146.88.240.4, port 42822, Thu, Apr 14, 2022 22:48:52
[DoS attack: Echo char gen] from source: 94.102.61.29, port 47767, Thu, Apr 14, 2022 21:06:29
[DoS attack: Echo char gen] from source: 146.88.240.4, port 44989, Thu, Apr 14, 2022 19:37:16
[DoS attack: Echo char gen] from source: 194.233.163.37, port 60341, Thu, Apr 14, 2022 16:12:04
[DoS attack: Echo char gen] from source: 193.124.7.9, port 43423, Thu, Apr 14, 2022 15:12:43
[DoS attack: Echo char gen] from source: 66.240.223.208, port 51762, Thu, Apr 14, 2022 14:56:12
[DoS attack: Echo char gen] from source: 45.148.10.81, port 44453, Thu, Apr 14, 2022 13:42:36
[DoS attack: UDP Scan] from source: 45.148.10.81, port 42031, Thu, Apr 14, 2022 10:18:56
[DoS attack: UDP Scan] from source: 193.124.7.9, port 44648, Thu, Apr 14, 2022 09:14:16
[DoS attack: Echo char gen] from source: 71.6.199.23, port 29921, Thu, Apr 14, 2022 02:47:33
[DoS attack: UDP Scan] from source: 194.195.246.171, port 12313, Thu, Apr 14, 2022 02:46:18
[DoS attack: Echo char gen] from source: 160.116.22.22, port 56647, Thu, Apr 14, 2022 00:52:52
[DoS attack: Echo char gen] from source: 65.49.20.101, port 31664, Wed, Apr 13, 2022 22:50:36
[DoS attack: UDP Scan] from source: 146.88.240.4, port 58122, Wed, Apr 13, 2022 22:46:43
[DoS attack: Echo char gen] from source: 146.88.240.4, port 36072, Wed, Apr 13, 2022 19:37:16
[DoS attack: Sync flood] from source: 47.93.3.202, port 36734, Wed, Apr 13, 2022 19:35:51
[DoS attack: Echo char gen] from source: 184.105.139.101, port 59559, Wed, Apr 13, 2022 08:45:43
[DoS attack: Echo char gen] from source: 94.102.61.32, port 53963, Wed, Apr 13, 2022 06:16:15
[DoS attack: UDP Scan] from source: 185.94.111.1, port 39376, Wed, Apr 13, 2022 05:30:14
[DoS attack: Echo char gen] from source: 205.205.150.21, port 50537, Wed, Apr 13, 2022 05:25:03
[DoS attack: Echo char gen] from source: 205.205.150.21, port 50505, Wed, Apr 13, 2022 05:24:15
[DoS attack: UDP Scan] from source: 185.94.111.1, port 42487, Wed, Apr 13, 2022 04:30:28
[DoS attack: Echo char gen] from source: 91.218.115.175, port 53716, Tue, Apr 12, 2022 22:54:21
[DoS attack: UDP Scan] from source: 146.88.240.4, port 45714, Tue, Apr 12, 2022 22:51:59
[DoS attack: Echo char gen] from source: 146.88.240.4, port 50966, Tue, Apr 12, 2022 19:37:20
[DoS attack: Echo char gen] from source: 91.218.115.175, port 53716, Tue, Apr 12, 2022 17:33:02
[DoS attack: Echo char gen] from source: 205.205.150.26, port 41358, Tue, Apr 12, 2022 10:10:42
[DoS attack: Echo char gen] from source: 205.205.150.26, port 41395, Tue, Apr 12, 2022 10:09:49
[DoS attack: Echo char gen] from source: 209.126.136.3, port 54341, Tue, Apr 12, 2022 06:41:39
[DoS attack: UDP Scan] from source: 159.223.210.217, port 48512, Tue, Apr 12, 2022 02:46:40
[DoS attack: UDP Scan] from source: 183.136.225.9, port 9162, Tue, Apr 12, 2022 01:29:41
[DoS attack: UDP Scan] from source: 146.88.240.4, port 55367, Mon, Apr 11, 2022 22:55:28
[DoS attack: Echo char gen] from source: 74.82.47.19, port 26335, Mon, Apr 11, 2022 21:37:32
[DoS attack: Echo char gen] from source: 146.88.240.4, port 45386, Mon, Apr 11, 2022 19:37:19
[WLAN access allowed] from MAC: 2c:d0:5a:ca:04:c4 Mon, Apr 11, 2022 18:25:24
[DHCP IP: (192.168.0.16)] to MAC address 2c:d0:5a:ca:04:c4, Mon, Apr 11, 2022 18:25:24
[WLAN access allowed] from MAC: fc:8f:90:39:a4:83 Mon, Apr 11, 2022 18:25:10
[DHCP IP: (192.168.0.15)] to MAC address fc:8f:90:39:a4:83, Mon, Apr 11, 2022 18:25:10
[WLAN access allowed] from MAC: fa:49:95:53:95:78 Mon, Apr 11, 2022 18:17:54
[DHCP IP: (192.168.0.29)] to MAC address fa:49:95:53:95:78, Mon, Apr 11, 2022 18:17:52
[remote login] from source fe80::3536:1a18:520a:5d44, Mon, Apr 11, 2022 17:37:06
[remote login] from source fe80::3536:1a18:520a:5d44, Mon, Apr 11, 2022 17:27:00
[DoS attack: Echo char gen] from source: 45.135.232.50, port 44842, Mon, Apr 11, 2022 10:15:22
[DoS attack: Sync flood] from source: 35.172.136.28, port 50240, Mon, Apr 11, 2022 04:44:07
[DoS attack: UDP Scan] from source: 185.94.111.1, port 33604, Mon, Apr 11, 2022 01:58:00
[DoS attack: Echo char gen] from source: 64.62.197.44, port 53365, Mon, Apr 11, 2022 01:24:27
[DoS attack: Echo char gen] from source: 195.144.21.56, port 29921, Mon, Apr 11, 2022 00:45:14
[DoS attack: Echo char gen] from source: 52.73.169.169, port 49967, Sun, Apr 10, 2022 23:46:50
[DoS attack: UDP Scan] from source: 146.88.240.4, port 33541, Sun, Apr 10, 2022 22:46:41
[DoS attack: UDP Scan] from source: 185.94.111.1, port 51797, Sun, Apr 10, 2022 22:26:55
[WLAN access denied] from MAC: b6:16:71:96:40:8c Sun, Apr 10, 2022 22:07:14
[DHCP IP: (192.168.0.38)] to MAC address b6:16:71:96:40:8c, Sun, Apr 10, 2022 22:07:13
[WLAN access denied] from MAC: 36:d0:a7:5c:3d:56 Sun, Apr 10, 2022 22:06:56
[DHCP IP: (192.168.0.27)] to MAC address 36:d0:a7:5c:3d:56, Sun, Apr 10, 2022 22:06:54
[DoS attack: UDP Scan] from source: 128.232.21.75, port 49735, Sun, Apr 10, 2022 21:43:58
[DoS attack: Echo char gen] from source: 66.228.36.17, port 40539, Sun, Apr 10, 2022 20:48:50
[DoS attack: Echo char gen] from source: 146.88.240.4, port 57316, Sun, Apr 10, 2022 19:37:26
[DoS attack: Echo char gen] from source: 66.240.236.116, port 42871, Sun, Apr 10, 2022 13:11:10
[WLAN access allowed] from MAC: cc:b0:da:b4:ed:4b Sun, Apr 10, 2022 10:27:39
[DHCP IP: (192.168.0.26)] to MAC address cc:b0:da:b4:ed:4b, Sun, Apr 10, 2022 10:27:39
[DoS attack: Echo char gen] from source: 185.180.143.13, port 23984, Sun, Apr 10, 2022 07:16:38
[DoS attack: Echo char gen] from source: 45.137.23.144, port 12503, Sun, Apr 10, 2022 02:02:35
[DoS attack: Echo char gen] from source: 209.141.51.43, port 53566, Sun, Apr 10, 2022 00:47:40
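Added example, not part of any post in this thread: a small Python triage script for logs in the format pasted above. It groups the "DoS attack" entries by source, leaves out addresses the owner scanned from (the thread identifies 4.79.142.206 as the GRC probe), and lists sources that return on several distinct days. The function names and the `self_test` and `min_days` parameters are assumptions of this example, and every sample line except the GRC one is constructed with documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format as it appears in the logs posted in this thread.
LINE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: (?P<src>[0-9.]+), "
    r"port (?P<port>\d+), (?P<ts>\w{3}, \w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2})"
)

# Constructed sample: first line is the GRC probe named in the thread,
# the rest use documentation addresses (203.0.113.0/24, 198.51.100.0/24).
SAMPLE = """\
[DoS attack: Sync flood] from source: 4.79.142.206, port 57050, Sun, Apr 17, 2022 21:47:10
[DoS attack: Echo char gen] from source: 203.0.113.4, port 59128, Sun, Apr 17, 2022 19:37:17
[DoS attack: UDP Scan] from source: 203.0.113.4, port 55478, Sat, Apr 16, 2022 22:48:37
[DoS attack: Echo char gen] from source: 203.0.113.4, port 38611, Sat, Apr 16, 2022 19:37:15
[DoS attack: UDP Scan] from source: 198.51.100.9, port 51615, Fri, Apr 15, 2022 16:55:41
[WLAN access denied] from MAC: 02:00:00:00:00:01 Fri, Apr 15, 2022 18:00:56
"""

def summarize(log_text, self_test=()):
    """Group DoS entries by source, skipping the owner's own test scans."""
    seen = defaultdict(lambda: {"kinds": set(), "days": set(), "hits": 0})
    for m in LINE.finditer(log_text):
        if m["src"] in self_test:
            continue  # e.g. a ShieldsUP run the owner started
        ts = datetime.strptime(m["ts"], "%a, %b %d, %Y %H:%M:%S")
        entry = seen[m["src"]]
        entry["kinds"].add(m["kind"])
        entry["days"].add(ts.date())
        entry["hits"] += 1
    return dict(seen)

def recurring(summary, min_days=2):
    """Sources seen on several distinct days: candidates for a WHOIS lookup."""
    return sorted(s for s, e in summary.items() if len(e["days"]) >= min_days)

if __name__ == "__main__":
    report = summarize(SAMPLE, self_test={"4.79.142.206"})
    for src, e in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src:15} hits={e['hits']} days={len(e['days'])} "
              f"kinds={sorted(e['kinds'])}")
    print("recurring:", recurring(report))
```

Non-DoS entries such as the WLAN and DHCP lines do not match the pattern and are ignored.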