
Forum Discussion

ex2hale
Guide
Nov 09, 2016
Solved

dos attack by ISP?

Hello,

I have been having trouble with my Nighthawk. Today I had Cox come out to fix an issue with me losing internet randomly for about 20 seconds. The guy took off a filter that is in between the modem and cable. Since then the internet has not lost service for about 6 hours. Then around 20 mins ago I lost service once again. So I go to my router log and see this:

 

[DoS attack: ACK Scan] attack packets in last 20 sec from ip [72.195.165.88], Tuesday, Nov 08,2016 17:31:33
[DHCP IP: (192.168.1.6)] to MAC address 00:25:F0:A9:3F:F1, Tuesday, Nov 08,2016 17:29:53
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [72.195.165.144], Tuesday, Nov 08,2016 17:29:46
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [72.195.165.144], Tuesday, Nov 08,2016 17:29:41

 

Now I understand that these are not REAL DoS attacks, but I googled the IP and it was IPs from Cox Communications. So I called Cox to confirm that I just lost internet and they told me the internet has been stable for 8 hours and they see no indication of a disconnect. I have the latest firmware on my R7000: V1.0.7.2_1.1.93 and also have gone to factory defaults multiple times. I have searched all around the internet to figure out this problem and have not come up with a solution. My internet connection speed is:

 

Speed

As I was running a speed test my internet dropped out for another 20 seconds; the log shows this:

 

[Admin login] from source 192.168.1.2, Tuesday, Nov 08,2016 23:03:27
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [52.89.158.114], Tuesday, Nov 08,2016 22:54:32
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [52.89.158.114], Tuesday, Nov 08,2016 22:54:27
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [151.101.24.175], Tuesday, Nov 08,2016 22:44:29
[DHCP IP: (192.168.1.7)] to MAC address E4:98:D6:71:16:DA, Tuesday, Nov 08,2016 22:37:58

 

Any help on this will be greatly appreciated; I have been battling this for months now. Let me know if any other information is needed.

 

 

  • ex2hale
    Nov 29, 2016

    So the problem is fixed!! :) I am posting this so if anyone has the same problem they can fix it too. First things first: the router and/or the equipment was not the problem. The problem was Cox sent out dip**bleep** techs to my house over and over. When calling Cox the last time I told them my modem's power signals were not looking correct and told them about my modem's logs. Ask your ISP for, I believe, what they call a "Data Tech"; this tech actually knew what the **bleep** they were doing and fixed the issues. I had been dealing with this problem for over a year and it took the tech 30 minutes to fix my problem. So, in ending this topic, after the tons of hours looking on the internet and wasting my time: JUST CALL YOUR ISP and have them fix the problem if your logs and symptoms are the same as mine; do not waste your time. Hopefully this helps someone else out.

     

    These were the errors my modem was giving. To look at my modem's logs I typed 192.168.100.1 in the search bar:

     

    2016-11-15, 20:48:43 Critical (3) Unicast Ranging Received Abort Response - Re-initializing MAC;CM-MAC=40:5d:82:e5:26:a0;CMTS-MAC=00:1e:be:ff:28:b0;CM-QOS=1.1;CM-VER=3.0;
    2016-11-15, 20:48:57 Warning (5) Dynamic Range Window violation

18 Replies

  • Probably I'm not very helpful since it's been ages since I used the stock firmware, but if it supports disabling DoS protection, then do it. Also, NG's DoS detection is seriously flawed and reports many false positives as correct.

    • ex2hale
      Guide

      Alright, I will disable DoS protection and see if that fixes it. Fingers crossed.

    • ex2hale
      Guide

      After disabling DoS protection I seem to be dropping internet more frequently. I downgraded to V1.0.5.70_1.1.91 and the same thing is happening. I don't know what else to do.....

      • Retired_Member

        Try V1.0.4.30 and/or internet setup.... Use PC MAC address.... Changing the MAC should change your public IP.

  • Netgear logging is full of stuff like this, go Google "DoS attack: ACK Scan" and check a few links out, almost ALL will be on Netgear routers.

     

    I believe it is a s/w problem in the firmware where the router loses track of TCP/IP packets. TCP/IP packets go out and the router knows to whom. When a packet comes back it sees if it was expecting it and for whom. If 'on the list' it gets sent to you. Not on the list, it IS an attack, it thinks, and it logs it and throws away the packet.

     

    Since it was your ISP, chances are that is why you can notice this. It was probably a DNS query. What came back was the IP ADDRESS you needed to go somewhere on your browser. After a 'timeout period' the browser assumed the request got lost or wasn't honored and sent another one, that one came back, and since it took some time that is WHY you noticed you lost internet.

     

    I've never discovered a way to 'stop' this? Sometimes a reboot of the router, sometimes it just goes away by itself.

     

    Anyway, if you see IP addresses from places you would normally be going to on the web as an attacker, they more than likely are FALSE. Real attacks are not a single or a few tries from the same IP address but many sequentially.
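
The triage rule from the last reply, applied to the router log format quoted in this thread, as an added example that is not part of any post and is not NETGEAR code: it groups the `DoS attack` entries by source IP and separates a few isolated hits from a sustained run. The function names and the `sustained_count` threshold are assumptions; the sample lines are the ones from the original post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Router log lines as quoted in the original post of this thread.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [72.195.165.88], Tuesday, Nov 08,2016 17:31:33
[DHCP IP: (192.168.1.6)] to MAC address 00:25:F0:A9:3F:F1, Tuesday, Nov 08,2016 17:29:53
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [72.195.165.144], Tuesday, Nov 08,2016 17:29:46
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [72.195.165.144], Tuesday, Nov 08,2016 17:29:41
[Admin login] from source 192.168.1.2, Tuesday, Nov 08,2016 23:03:27
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [52.89.158.114], Tuesday, Nov 08,2016 22:54:32
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [52.89.158.114], Tuesday, Nov 08,2016 22:54:27
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [151.101.24.175], Tuesday, Nov 08,2016 22:44:29
"""

DOS_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\].*?from ip \[(?P<ip>[0-9.]+)\], "
    r"\w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})")

def parse_dos_events(text):
    """Return sorted (timestamp, source_ip, kind) tuples; DHCP/admin lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DOS_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
            events.append((ts, m["ip"], m["kind"]))
    return sorted(events)

def triage(events, sustained_count=10):
    """Summarise per source IP. sustained_count is an assumed threshold, not a vendor value."""
    by_ip = defaultdict(list)
    for ts, ip, kind in events:
        by_ip[ip].append((ts, kind))
    report = {}
    for ip, hits in by_ip.items():
        report[ip] = {
            "count": len(hits),
            "kinds": sorted({kind for _, kind in hits}),
            "span_sec": (hits[-1][0] - hits[0][0]).total_seconds(),
            "verdict": "sustained" if len(hits) >= sustained_count else "sporadic",
        }
    return report

if __name__ == "__main__":
    print(triage(parse_dos_events(SAMPLE_LOG)))
```

On the thread's own log every source comes out as `sporadic`: one or two entries each, seconds apart.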