Re: DoS Attacks in the logs

Juventus_nz · ‎2017-03-04

Hey guys
I have been getting disconnected from the internet at different times over the past week. At first i thought it might have been an ISP issue, spoke to them and multiple line checks revealed no issues....during the drop outs i wasnt able to ping the router (Nighthawk D7000) or any devices on my home network, i have checked the logs and it contained multiple DoS attack entries as below

DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:43:45
[DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:42:30
[DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:41:14
[DoS attack: ACK Scan] from source: 51.254.7.95:80 Sunday, March 05,2017 08:39:59

I went ahead and disabled remote management and turned off upnp etc....propblem still persisted. I have changed the router to a new one (same model) and Dos attacks continued. With our ISP i get a new public IP address everytime i restart my router so there is really mo chance of this being a Real DoS attack as my IP changed on a daily basis (atleast over the past week)
Done a scan on all the home laptops for any malware nothing!!
I am stuck and not sure what to do? Is this a fault with the firmware / netgear equipments?
Any help is greatly appreciated
Cheers

MrCarrotIII · ‎2017-03-05

Im also having the same problems as you. Its constant, Ive been trying to find a way to block this IP address but with no luck. I lose connection each time this happens.

Teardrop or derivative]	1	Sun Mar 05 17:56:37 2017	121.13.197.171:0	73.0.209.0:0
[Illegal Fragments]	1	Sun Mar 05 17:56:37 2017	121.13.197.171:0	73.0.209.0:0
[Ping Of Death]	3	Sun Mar 05 17:56:37 2017	121.13.197.171:0	73.0.209.0:0
[Illegal Fragments]	1	Sun Mar 05 17:56:40 2017	121.13.197.171:0	73.0.209.0:0
[Ping Of Death]	1	Sun Mar 05 17:56:40 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	2	Sun Mar 05 17:56:42 2017	121.13.197.171:0	73.0.209.0:0
[Illegal Fragments]	2	Sun Mar 05 17:56:46 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	1	Sun Mar 05 17:56:48 2017	121.13.197.171:0	73.0.209.0:0
[Ping Of Death]	1	Sun Mar 05 17:56:50 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	1	Sun Mar 05 17:56:55 2017	209.251.223.129:0	73.0.209.0:0
[Illegal Fragments]	2	Sun Mar 05 17:56:55 2017	209.251.223.129:0	73.0.209.0:0
[Teardrop or derivative]	4	Sun Mar 05 17:57:59 2017	209.251.223.129:0	73.0.209.0:0
[Ping Of Death]	1	Sun Mar 05 18:01:04 2017	209.251.223.129:0	73.0.209.0:0
[Teardrop or derivative]	1	Sun Mar 05 18:02:24 2017	121.13.197.171:0	73.0.209.0:0
[Illegal Fragments]	1	Sun Mar 05 18:02:25 2017	121.13.197.171:0	73.0.209.0:0
[Ping Of Death]	1	Sun Mar 05 18:02:25 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	1	Sun Mar 05 18:02:25 2017	121.13.197.171:0	73.0.209.0:0
[Ping Of Death]	2	Sun Mar 05 18:02:35 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	1	Sun Mar 05 18:02:52 2017	209.251.223.129:0	73.0.209.0:0
[TCP- or UDP-based Port Scan]	1	Sun Mar 05 18:07:13 2017
[Ping Of Death]	2	Sun Mar 05 18:07:15 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	2	Sun Mar 05 18:07:18 2017	121.13.197.171:0	73.0.209.0:0
[Ping Of Death]	1	Sun Mar 05 18:07:24 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	1	Sun Mar 05 18:07:27 2017	121.13.197.171:0	73.0.209.0:0
[Ping Of Death]	2	Sun Mar 05 18:07:28 2017	121.13.197.171:0	73.0.209.0:0
[Teardrop or derivative]	2	Sun Mar 05 18:07:30 2017	121.13.197.171:0	73.0.209.0:0
[Illegal Fragments]	1	Sun Mar 05 18:11:02 2017	121.13.197.171:0	73.0.209.0:0
[TCP- or UDP-based Port Scan]	1	Sun Mar 05 18:16:51 2017
[FAILURE: User interface login]	2	Sun Mar 05 18:16:56 2017
[SUCCESS: User interface login]	1	Sun Mar 05 18:17:00 2017

xnav · ‎2017-03-06

See this. I have an open problem with Netgear support, they ask me some trivial question every two weeks, but have done nothing!

xnav · ‎2017-03-06

KClaeys · ‎2017-03-06

I am having the same issue with these attacks. I am at my wit's end with what to do. I work from home and cannot afford to keep having these dropped internet issues. The attacks are happening daily, multiple times a day. Is there anything that can help? I am so freaking aggravated, it isn't funny. These are but just a few of the attacks. My provider is Cox Communications.

DoS attack] ICMP Flood from 206.117.25.90

1

Monday, 06 Mar 2017 09:48:06

68.102.73.127

206.117.25.90

[DoS attack] ICMP Flood from 129.82.138.44	1	Monday, 06 Mar 2017 07:56:30	68.102.73.127	129.82.138.44
[DoS attack] ICMP Flood from 212.1.84.56	1	Monday, 06 Mar 2017 07:24:23	68.102.73.127	212.1.84.56
[DoS attack] ICMP Flood from 195.251.255.69	1	Monday, 06 Mar 2017 07:00:58	68.102.73.127	195.251.255.69
[DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:9090 DPT:22	1	Monday, 06 Mar 2017 05:55:01	68.102.73.127	221.229.160.210
[DoS attack] ICMP Flood from 203.178.148.19	1	Monday, 06 Mar 2017 05:06:49	68.102.73.127	203.178.148.19
[DoS attack] ICMP Flood from 187.54.115.129	1	Monday, 06 Mar 2017 05:00:33	68.102.73.127	187.54.115.129
[DoS attack] ICMP Flood from 185.94.111.1	1	Monday, 06 Mar 2017 04:43:12	68.102.73.127	185.94.111.1
[DHCP IP: (192.168.0.104)] to MAC address 00:0b:82:67:70:9d	1	Monday, 06 Mar 2017 04:32:38	0.0.0.0	0.0.0.0
[DoS attack] ICMP Flood from 206.117.25.90	1	Monday, 06 Mar 2017 01:33:03	68.102.73.127	206.117.25.90
[DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:56766 DPT:23	1	Monday, 06 Mar 2017 00:13:49	68.102.73.127	5.232.188.59
[DoS attack] ICMP Flood from 129.82.138.44	1	Sunday, 05 Mar 2017 23:42:13	68.102.73.127	129.82.138.44
[DoS attack] ICMP Flood from 195.251.255.69	1	Sunday, 05 Mar 2017 23:08:04	68.102.73.127	195.251.255.69
[DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:9090 DPT:22	1	Sunday, 05 Mar 2017 22:34:18	68.102.73.127	221.229.160.210

DarrenM · ‎2017-03-07

Hello KClaeys

I checked and here is where your Dos attacks are coming from

https://ant.isi.edu/datasets/about.html

also are you seeing any type of timeouts in your logs?

DarrenM

KClaeys · ‎2017-03-07

Hi Darren,

Thanks for the info. I am planning on writing them a scathing letter to get them to stop. I don't think it is all them though. Anyway, I checked the logs and this is the first thing I saw:

DoS attack] AIF:Dropped INPUT packet: PROTO:TCP SPT:9090 DPT:22	1	Tuesday, 07 Mar 2017 11:17:48	68.102.73.127	221.229.160.210
[DoS attack] ICMP Flood from 206.117.25.90	1	Tuesday, 07 Mar 2017 09:49:06	68.102.73.127	206.117.25.90

Any ideas on what to do? I am seriously upset because of the dropped internet. This is really killing my paycheck.

DarrenM · ‎2017-03-08

Can you post the power levels on the Cable connection page check to see if anything is off. You may also want to check if you have a cable splitter connected to the modem they can cause some issues try plugging straight to the wall. Also have you had your ISP come out and check your lines?

DarrenM

KClaeys · ‎2017-03-08

I don't use a splitter, so I know that itsn't the problem. I'm going to have the cable company come out, even though they all tell me it's on my end. Here are the logs for the power. Please let me know if you see anything odd.

<tabindex=-1>Downstream Bonded Channels

Channel	Lock Status	Modulation	Channel ID	Frequency	Power	SNR	Correctables	UnCorrectables
1	Locked	QAM 256	121	813000000 Hz	-7.7 dBmV	37.6 dB	0	0
2	Locked	QAM 256	122	819000000 Hz	-7.7 dBmV	37.6 dB	17	0
3	Locked	QAM 256	123	825000000 Hz	-7.2 dBmV	37.6 dB	0	0
4	Locked	QAM 256	124	831000000 Hz	-7.5 dBmV	37.6 dB	0	0
5	Locked	QAM 256	125	837000000 Hz	-7.7 dBmV	37.6 dB	0	0
6	Locked	QAM 256	126	843000000 Hz	-8.2 dBmV	38.6 dB	0	0
7	Locked	QAM 256	127	849000000 Hz	-8.2 dBmV	37.6 dB	0	0
8	Locked	QAM 256	128	855000000 Hz	-8.7 dBmV	37.6 dB	0	0
9	Locked	QAM 256	137	909000000 Hz	-9.7 dBmV	37.3 dB	3424	48193
10	Locked	QAM 256	138	915000000 Hz	-10.2 dBmV	34.3 dB	4098	68314
11	Locked	QAM 256	139	921000000 Hz	-10.5 dBmV	37.6 dB	2086	41253
12	Locked	QAM 256	140	927000000 Hz	-10.7 dBmV	36.6 dB	284	7327
13	Locked	QAM 256	141	933000000 Hz	-11.4 dBmV	36.3 dB	0	0
14	Locked	QAM 256	142	939000000 Hz	-11.7 dBmV	36.3 dB	0	0
15	Locked	QAM 256	143	945000000 Hz	-12.5 dBmV	36.3 dB	0	0
16	Locked	QAM 256	144	951000000 Hz	-13.3 dBmV	35.7 dB	0	0

<tabindex=-1>Upstream Bonded Channels

Channel	Lock Status	US Channel Type	Channel ID	Symbol Rate	Frequency	Power
1	Locked	ATDMA	1	2560 Ksym/sec	21600000 Hz	41.3 dBmV
2	Locked	ATDMA	2	5120 Ksym/sec	26500000 Hz	41.3 dBmV
3	Locked	ATDMA	3	5120 Ksym/sec	33000000 Hz	42.8 dBmV
4	Locked	ATDMA	4	2560 Ksym/sec	37900000 Hz	42.8 dBmV

DarrenM · ‎2017-03-09

Hello KClaeys

All the levels look good from what you posted but those could change when you are losing service maybe its a line issue outside it happens alot when neighbors get cable hooked up a tech could mess someone else connection up I guess you will find out when the tech comes.

DarrenM

MrCarrotIII · ‎2017-03-11

Hey DarrenM

Do you have any ideas for me and the OP? Thanks!

xnav · ‎2017-03-11

I gave up on Netgear and bought a Motorola, and have not seen the problem in 3 days now.

DarrenM · ‎2017-03-15

Hello Mrcarrotlll

Are you able to post your logs and levels of the modem it could give a better Idea of why the disconnects are happening.

DarrenM

MrCarrotIII · ‎2017-03-16

<tabindex=-1>Downstream Bonded Channels

Channel	Lock Status	Modulation	Channel ID	Frequency	Power	SNR
1	Locked	QAM256	102	801000000 Hz	2.1 dBmV	38.7 dB
2	Locked	QAM256	101	795000000 Hz	2.0 dBmV	38.6 dB
3	Locked	QAM256	103	807000000 Hz	2.1 dBmV	39.0 dB
4	Locked	QAM256	104	813000000 Hz	2.0 dBmV	39.0 dB
5	Locked	QAM256	109	843000000 Hz	1.1 dBmV	38.6 dB
6	Locked	QAM256	110	849000000 Hz	0.7 dBmV	38.6 dB
7	Locked	QAM256	111	855000000 Hz	0.2 dBmV	38.0 dB
8	Locked	QAM256	112	861000000 Hz	-0.1 dBmV	37.8 dB

<tabindex=-1>Upstream Bonded Channels

Channel	Lock Status	US Channel Type	Channel ID	Symbol Rate	Frequency	Power
1	Locked	ATDMA	2	5120 Ksym/sec	21984000 Hz	44.8 dBmV
2	Locked	TDMA and ATDMA	1	2560 Ksym/sec	17154000 Hz	44.0 dBmV
3	Locked	ATDMA	3	5120 Ksym/sec	28414000 Hz	45.5 dBmV
4	Locked	ATDMA	4	5120 Ksym/sec	34844000 Hz	45.5 dBmV

DarrenM · ‎2017-03-21

Hello MrCarrotlll

The power level look fine what about the logs are you seeing any type of timeouts?

DarrenM

KClaeys · ‎2017-03-25

Hi Darren,

The cable company came out and ran a new line from the house to the pole, put a new box on the house, we moved the modem, used new cables on everything and I am still having issues. Now I am getting T3 and T4 timesouts. One day the internet was dropping literally every 10 minutes. Of course, Cox tells me it is on my end and they are getting great signals. Interestingly enough, when I contacted that university about not pinging my internet, I haven't had one DoS attack. Here is the log from today when trouble started (again). I am considering getting a modem from Cox and if I still have the same problems with one of THEIR modems, then I guess it is on them.

Time	Priority	Description
Mar 25 2017 20:31:39	Notice (6)	TLV-11 - unrecognized OID
Mar 25 2017 20:31:39	Warning (5)	MIMO Event MIMO: Stored MIMO=-1 post cfg file MIMO=-1
Mar 25 2017 14:57:58	Notice (6)	TLV-11 - unrecognized OID
Mar 25 2017 14:57:57	Warning (5)	MIMO Event MIMO: Stored MIMO=-1 post cfg file MIMO=-1
Mar 25 2017 14:52:58	Notice (6)	TLV-11 - unrecognized OID
Mar 25 2017 14:52:57	Warning (5)	MIMO Event MIMO: Stored MIMO=-1 post cfg file MIMO=-1
Mar 25 2017 14:50:45	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:50:15	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:49:45	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:49:15	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:48:45	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:48:15	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:47:45	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:47:15	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:46:45	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:46:15	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:45:45	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:45:16	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:44:46	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:44:16	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:43:46	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:43:16	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:42:46	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:42:16	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:41:46	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:41:16	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:40:46	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:40:17	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:39:47	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:39:17	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:38:47	Critical (3)	Unicast Maintenance Ranging attempted - No response - Retries exhausted
Mar 25 2017 14:38:47	Critical (3)	Ranging Request Retries exhausted
Mar 25 2017 14:38:17	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:37:47	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:37:17	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:36:47	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:36:17	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:35:47	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:35:18	Critical (3)	Received Response to Broadcast Maintenance Request, But no Unicast Maintenance opportunities received - T4 time out
Mar 25 2017 14:34:48	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:34:48	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out
Mar 25 2017 14:34:48	Critical (3)	Started Unicast Maintenance Ranging - No Response received - T3 time-out

DarrenM · ‎2017-03-27

Hello KClaeys

It could be a bigger issue away from your homes lines but yea you may want to test another modem to be sure if its on there end or not but typically those T3 and T4 timeouts are.

DarrenM

PSGatoBW · ‎2017-07-05

I've had the same problems each person describes above, have set up trouble tickets, gotten your folks and Time Warner on the phone to duke it out, and it continues several weeks past the support period you offer. Quite frankly, I'm done with Netgear. You don't provide real resolution to this issue, as noted time and time again in reviewing this topic in the support community. My DOS attacks come from sites I frequent as well as sites I've never heard of or visited, nor has anyone else in our house visited them. I understand the device's job is to stop DOS attacks, but it sacrifices connection to the internet in doing so. THAT is the problem as I see it, but I'm woefully ignorant about the complicated world of IT. I'm sure it's more complicated, but the outcome is the same - we get booted from the internet and it takes anywhere from 30-45 minutes for the device to restabilize...until the next DOS attack. I hope you find a solution.