umeweall
Aug 14, 2018 Aspirant
What is access log actually showing
I have a Nighthawk, R6700 v2 wireless router. When looking at the access log, I have a question on what is appearing there. Are the items displayed simply items that attempted connection, or are th...
shadowsports
Aug 15, 2018 Hero
An entry like this means the connection was rejected:
[WLAN access rejected:
And one like this means it was accepted.
[DHCP IP: (192.168.1.102)] to MAC address
I have someone blocked as well, but they still try, and the router still logs the attempt.
[WLAN access rejected: incorrect security] from MAC
umeweall
Aug 15, 2018 Aspirant
I am speaking of entries like the following:
[DoS attack: ACK Scan] from source: 52.46.133.39:443
[DoS attack: ACK Scan] from source: 72.21.207.87:443
If I have the IP listed to be blocked, does the router block it, without showing it in the log, or does it allow the IP to appear in the log, as above, and block it then? I have never seen an entry in the log which states that the IP has been blocked, but I continue to see IPs that I have listed to be blocked showing up in the log, as is indicated in the two, above, samples. What it comes down to is how do I know that the router is blocking what I told it to?
- IrvSp Aug 15, 2018 Master
umeweall wrote:
I am speaking of entries like the following:
[DoS attack: ACK Scan] from source: 52.46.133.39:443
[DoS attack: ACK Scan] from source: 72.21.207.87:443
Those are what they say they are, DoS (Denial of Service) attacks. From the list IP Address... HOWEVER, NG routers are NOTORIOUS for logging false attacks. Usually happens when the router is busy (under load) or just lost an outgoing packet to track.
I checked them both and they are Amazon, and port 443 is generally used for Log In even...
99.99% sure those are false positives, and with the timestamp you can probably remember logging into Amazon at that time.
- umeweall Aug 15, 2018 Aspirant
O.k., thanks. The ones that I get primarily concerned about are the same type of commentary, but with IP addresses from Russia, China, Turkey, Ukraine, etc. There are the typical port scans, which you can do nothing about, but I am more concerned with the blocking of bad, foreign parties. I had one, from China, two nights ago, which produced at least twenty 'DOS' listings, in a row, in the log. I have that IP as a blocked IP address, was not sure how the router was handling it. I had presumed that if I blocked an IP, it would not show up in the log, as the router would not have allowed access. That came down to the question for me that if an IP was showing up in the access log, did that mean the router HAD allowed access to the IP.
- IrvSp Aug 15, 2018 Master
DoS attacks are blocked, period, but are logged. You should not have "Disable Port Scan and DoS Protection" checked on the Advanced tab, on left Setup, WAN setup page. If you uncheck that box you lose that protection and they will get in. No need to block that IP Address as long as that box is unchecked, router never lets them in to even be blocked.
If they ARE legitimate and the router rejected a valid packet, TCP/IP is smart enough to regenerate the packet and it eventually gets to you. If logging in, you might notice it took longer. Multiple DoS entries seconds apart are more than likely to be a real attack, although in some cases it is just someone trying to ping you, I think. If they are very fast, seconds apart, the router is supposed to shut down entry for everything for a few minutes, but I have NEVER seen that happen.
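Added example, not part of the original thread and not NETGEAR code: a small triage script for a saved copy of the log that groups `[DoS attack: ...]` entries by source IP and marks the two things the replies above look at, entries arriving seconds apart and entries whose source port is 443. The trailing timestamp layout, the burst thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout; adjust to what your firmware writes
DOS_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+), (?P<ts>.+)$"
)

# Constructed sample. The bracketed text follows the entries quoted in the thread;
# timestamps, the 203.0.113.7 address and the MAC addresses are made up.
SAMPLE_LOG = """\
[DHCP IP: (192.168.1.102)] to MAC address 00:00:5E:00:53:02, 2018-08-15 09:00:00
[DoS attack: ACK Scan] from source: 52.46.133.39:443, 2018-08-15 10:02:11
[DoS attack: ACK Scan] from source: 72.21.207.87:443, 2018-08-15 10:40:05
[DoS attack: ACK Scan] from source: 203.0.113.7:51234, 2018-08-15 23:01:00
[DoS attack: ACK Scan] from source: 203.0.113.7:51234, 2018-08-15 23:01:02
[DoS attack: ACK Scan] from source: 203.0.113.7:51234, 2018-08-15 23:01:04
[DoS attack: ACK Scan] from source: 203.0.113.7:51234, 2018-08-15 23:01:05
[WLAN access rejected: incorrect security] from MAC 00:00:5E:00:53:01, 2018-08-15 23:05:00
"""

def parse_dos(log):
    """Return (kind, ip, source_port, timestamp) per DoS entry; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = DOS_RE.match(line.strip())
        if m:
            events.append((m["kind"], m["ip"], int(m["port"]),
                           datetime.strptime(m["ts"], TS_FORMAT)))
    return events

def summarize(log, window_s=10, min_hits=3):
    """Per source IP: entry count, burst flag (min_hits within window_s), all-443 flag."""
    by_ip = defaultdict(list)
    for _kind, ip, port, ts in parse_dos(log):
        by_ip[ip].append((ts, port))
    report = {}
    for ip, hits in by_ip.items():
        times = sorted(t for t, _ in hits)
        burst = any(times[i + min_hits - 1] - times[i] <= timedelta(seconds=window_s)
                    for i in range(len(times) - min_hits + 1))
        report[ip] = {"count": len(times), "burst": burst,
                      "from_https_port": all(p == 443 for _, p in hits)}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

A single entry with source port 443 fits the pattern the thread describes as a probable false positive from a site you contacted, while `burst: True` marks the repeated entries seconds apart; neither flag says anything about whether a block rule matched.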