NetworkBear
Feb 07, 2022 Follower
Various DoS attacks in log, what do?
The following events I have found in the log of my newly installed router. There appear to be several different types of DoS attacks listed. This goes on for days (installed Saturday, log looks like ...
microchip8
Feb 07, 2022 Master
NETGEAR's DDoS option is known for many false positives (e.g., wrongly detected as DoS attacks). It's better to look up the IP addresses and see if they really are from a source that may attack you. Many IP addresses may come from your ISP, Twitter, Facebook, etc., so they're false positives. Nevertheless, if they are legitimate, you can disable logging on these attacks as it puts strain on the router to process them. If that doesn't help, disable DDoS completely to fully relieve the router. Don't worry, all Internet devices get exposed to attacks and most are harmless. I've been running for 3.5 years without DDoS protection on my routers and haven't encountered any issues.
- AZAX_user Apr 24, 2022 Aspirant
Your reply confuses me. I'm experiencing the same thing, from a different local IP (10.128.200.1), which doesn't exist in my network.
It makes sense to look at an IP that wouldn't be a "10.x.x.x", as it may show an actual DoS attacker, but HOW DOES a local IP appear on these log entries??
Also, you say, Netgear may be logging 'false positives' (that is, its log entry is NOT due to a true DoS attempt).
So, you suggest turning off DoS to save router stress, aren't these log entries being triggered by "something?".....which would continue, would add stress to the router, and be undetected by us?
Thanks in advance for a reply
- michaelkenward Apr 25, 2022 Guru - Experienced User
AZAX_user wrote:
Also, you say, Netgear may be logging 'false positives' (that is, its log entry is NOT due to a true DoS attempt).
This is a constant refrain.
Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.
Search - NETGEAR Communities – DoS attacks
Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.
Here is a useful tool for that task:
IPNetInfo: Retrieve IP Address Information from WHOIS servers
If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.
By the way, you have joined in on an existing conversation that may or may not have anything to do with your problems.
There is also a good chance that the official support team is busily monitoring new conversations and may miss your addition to this one.
If you do want help with your problem, check previous stuff that may be related then start your own discussion.
- FURRYe38 Apr 25, 2022 Guru - Experienced User
What Firmware version is currently loaded?
What is the Mfr and model# of the Internet Service Provider's modem/ONT the NG router is connected to?
AZAX_user wrote:
Your reply confuses me. I'm experiencing the same thing, from a different local IP (10.128.200.1), which doesn't exist in my network.
It makes sense to look at an IP that wouldn't be a "10.x.x.x", as it may show an actual DoS attacker, but HOW DOES a local IP appear on these log entries??
Also, you say, Netgear may be logging 'false positives' (that is, its log entry is NOT due to a true DoS attempt).
So, you suggest turning off DoS to save router stress, aren't these log entries being triggered by "something?".....which would continue, would add stress to the router, and be undetected by us?
Thanks in advance for a reply
- AZAX_user Apr 26, 2022 Aspirant
My firmware is current [V1.0.10.110_2.0.75]
I'm inferring from this, and other posts I've now read, that this isn't likely to be a true DoS attack. Still surprised the packets show that 10.128.200.1 source IP, since that's a private/local IP, right? Shouldn't be routable, right? I guess my ISP doesn't care about the source?
The log entries are about 5-6 per hour, so I'm leaning toward ignoring this, for now, and get on with my life.
I'll take the other reply to my post to suggest I open a new topic if I want to pursue it.
This seems a reasonable position for me to take?
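
The triage suggested in the replies above (group the logged sources, then decide which ones are worth a WHOIS lookup), as an added example that is not part of the original thread. The log line shape matched by `ENTRY` is an assumption, since the thread shows no log lines, and `SAMPLE_LOG` is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed line shape for the router's DoS log entries; the thread does not show one.
ENTRY = re.compile(r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[0-9A-Fa-f.:]+)")

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 10.128.200.1, port 443, Sunday, April 24, 2022 10:01:12
[DoS Attack: RST Scan] from source: 8.8.8.8, port 53, Sunday, April 24, 2022 10:14:40
[DoS Attack: ACK Scan] from source: 10.128.200.1, port 443, Sunday, April 24, 2022 10:31:05
[DoS Attack: SYN/ACK Scan] from source: 100.64.3.9, port 80, Sunday, April 24, 2022 10:47:53
[admin login] from source 192.168.1.2, Sunday, April 24, 2022 11:20:31
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(ip_text):
    """Return the address scope, which decides whether a WHOIS lookup is useful."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    if ip in CGNAT:
        return "shared/CGNAT (RFC 6598)"
    return "public" if ip.is_global else "reserved/other"


def summarize(log_text):
    """Group DoS entries by source address with scope, hit count and event kinds."""
    summary = defaultdict(lambda: {"scope": None, "count": 0, "kinds": set()})
    for line in log_text.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue  # not a DoS entry
        try:
            scope = classify(match["ip"])
        except ValueError:
            continue  # malformed address field
        row = summary[match["ip"]]
        row["scope"] = scope
        row["count"] += 1
        row["kinds"].add(match["kind"])
    return dict(summary)


if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        action = "look up in WHOIS" if row["scope"] == "public" else "WHOIS will not name an owner"
        print(f"{ip:15} {row['scope']:24} x{row['count']}  {sorted(row['kinds'])}  -> {action}")
```

Only the sources classified as public are candidates for the WHOIS lookup the replies recommend; private and shared-range sources will not resolve to an owner that way.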