Forum Discussion
umeweall
Aug 14, 2018 - Aspirant
What is access log actually showing
I have a Nighthawk, R6700 v2 wireless router. When looking at the access log, I have a question on what is appearing there. Are the items displayed simply items that attempted connection, or are they items that actually connected to the router? I have IP addresses which are blocked, and I see some of those addresses listed in the log. I have not seen IP addresses in the access log stating that an IP has been blocked. This leads to my question of whether the Nighthawk just blocks IPs silently, without listing this in the log, and the items in the log are just showing items that tried to connect.
DoS attacks are blocked, period, but are logged. You should not have "Disable Port Scan and DoS Protection" checked on the Advanced tab, on left Setup, WAN setup page. If you uncheck that box you lose that protection and they will get in. No need to block that IP Address as long as that box is unchecked; the router never lets them in to even be blocked.
If they ARE legitimate and the router rejected a valid packet, TCP/IP is smart enough to regenerate the packet and it eventually gets to you. If logging in, you might notice it took longer.
Multiple DoS entries seconds apart are more than likely to be a real attack, although in some cases it is just someone trying to ping you, I think. If they are very fast, seconds apart, the router is supposed to shut down entry for everything for a few minutes, but I have NEVER seen that happen.
12 Replies
- michaelkenward (Guru - Experienced User)
What log entries are we talking about here?
What do they say?
An entry like this means the connection was rejected:
[WLAN access rejected:
And one like this means it was accepted.
[DHCP IP: (192.168.1.102)] to MAC address
I have someone blocked as well, but they still try, and the router still logs the attempt.
[WLAN access rejected: incorrect security] from MAC
- umeweall (Aspirant)
I am speaking of entries like the following:
[DoS attack: ACK Scan] from source: 52.46.133.39:443
[DoS attack: ACK Scan] from source: 72.21.207.87:443
If I have the IP listed to be blocked, does the router block it, without showing it in the log, or does it allow the IP to appear in the log, as above, and block it then? I have never seen an entry in the log which states that the IP has been blocked, but I continue to see IPs that I have listed to be blocked showing up in the log, as is indicated in the two samples above. What it comes down to is: how do I know that the router is blocking what I told it to?
- IrvSp (Master)
umeweall wrote:
I am speaking of entries like the following:
[DoS attack: ACK Scan] from source: 52.46.133.39:443
[DoS attack: ACK Scan] from source: 72.21.207.87:443
Those are what they say they are, DoS (Denial of Service) attacks. From the list IP Address... HOWEVER, NG routers are NOTORIOUS for logging false attacks. Usually happens when the router is busy (under load) or just lost an outgoing packet to track.
I checked them both and they are Amazon, and port 443 is generally used for Log In even...
99.99% sure those are false positives, and with the timestamp you can probably remember logging into Amazon at that time.
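A small triage script for log entries like the ones quoted in this thread, added here as an example and not posted by any participant or supplied by NETGEAR. It groups DoS entries by source, marks bursts seconds apart and sources on port 443 (the two rules of thumb given in the replies), and notes which logged sources are on a block list; the timestamp layout, the thresholds and the 203.0.113.9 lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. The bracketed part matches the entries quoted in
# the thread; the trailing timestamp layout is an assumption.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source: 52.46.133.39:443, 2018-08-14 10:12:01
[DoS attack: ACK Scan] from source: 72.21.207.87:443, 2018-08-14 10:47:30
[DoS attack: ACK Scan] from source: 203.0.113.9:51234, 2018-08-14 11:00:00
[DoS attack: ACK Scan] from source: 203.0.113.9:51235, 2018-08-14 11:00:02
[DoS attack: ACK Scan] from source: 203.0.113.9:51236, 2018-08-14 11:00:03
[DHCP IP: (192.168.1.102)] to MAC address 00:00:5E:00:53:01, 2018-08-14 11:05:00
"""

ENTRY = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+), (?P<ts>.+)$"
)

def parse(log_text):
    """Yield (ip, port, kind, timestamp) for each DoS entry; skip other lines."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield m["ip"], int(m["port"]), m["kind"], ts

def triage(log_text, blocked=(), burst_seconds=5, burst_count=3):
    """Summarise DoS entries per source IP using the thread's rules of thumb."""
    by_ip = defaultdict(list)
    for ip, port, _kind, ts in parse(log_text):
        by_ip[ip].append((ts, port))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        times = [t for t, _ in hits]
        # Burst: burst_count entries inside a burst_seconds window.
        burst = any(
            (times[i + burst_count - 1] - times[i]).total_seconds() <= burst_seconds
            for i in range(len(times) - burst_count + 1)
        )
        # Source port 443 means the packet came from an HTTPS server port.
        https_src = all(p == 443 for _, p in hits)
        report[ip] = {"count": len(hits), "burst": burst,
                      "https_source": https_src, "on_block_list": ip in blocked}
    return report
```

Call `triage(log_text, blocked={...})` with the exported log text and the addresses you entered on the router's block page; a source with `on_block_list` set to true is one the router logged even though it is on your list.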