[DoS attack] LAND Attack SPT:2190 DPT:2190
Hi All,
I had an issue last week with my Orbi system. Long story short, I was receiving a ton of DDoS messages from all my devices attached to my home network. After talking this over with a few people we thought it was hardware failure...so I went out and bought a new CAX80 Cable Modem/Router.
I was looking through the logs yesterday and saw a DoS message from an IP I didn't recognize. After a quick Google search it appears that address is in China. Also, there was a firmware upgrade available so I installed it. Afterwards, I started seeing a TON of these in my log:
[DoS attack] LAND Attack SPT:2190 DPT: 2190
I also see some NULL attack messages sprinkled in.
My question is are these legit or are they false positives introduced by a bug in the firmware?
Thanks.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Anything related to this?
https://www.radware.com/security/ddos-knowledge-center/ddospedia/land-attack/
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Thanks but I don't see anything in that link other than a description of the problem? Anyway, yes that basically describes it. However it's not affecting my internet service.
I did see an old article from around 2015 where these were caused by having Access Control turned on...and I set that up at the same time I updated the firmware. In fact Access Control was on when I rebooted after the firmware update. Hmmm...
Anyway, I am still getting the NULL attack messages as well. I've logged an incident with my ISP. Hopefully these are just false positives.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
@steveberry10 wrote:
I had an issue last week with my Orbi system. Long story short, I was receiving a ton of DDoS messages from all my devices attached to my home network.
Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.
Search - NETGEAR Communities – DoS attacks
Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.
Here is a useful tool for that task:
IPNetInfo: Retrieve IP Address Information from WHOIS servers
If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Thanks Michael. The issue with the Orbi did cause the router to block my devices so in that sense it did cause an interruption of service. However, after talking it over with some of my coworkers (who are more knowledgeable than I) we generally agreed it was a hardware issue.
There is no interruption of service with the CAX80 but I'm still getting flooded with the LAND and NULL attack messages. Unfortunately there's no other IP address associated with them and if there is one it's buried in all the other stuff coming in.
I did log a case with my ISP. Hopefully they can tell if something is really going on.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Might try a factory reset and setup from scratch. This time, don't set up Access Controls or any additional features. Check the logs.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Thanks Furry, I've thought about that. The thing is I see two types of attacks: the LAND attacks and the NULL attacks. The latter have a legit source IP which seems to be coming from China.
I've opened a ticket with my ISP and I'm waiting to hear back from them.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Okay, I've done the factory reset. Access controls are disabled and the only changes from default are turning off UPnP and enabling smart connect for my Wi-Fi. I'm still receiving the LAND attack messages. I've also enabled the armor security however the messages were coming in well before that.
The factory reset didn't go smoothly. I had issues with the Nighthawk app connecting to the router. I had to half set it up with the app and finish the setup by logging into the admin web page.
I did hear back from the Comcast security team however their response was basically useless. All they said was factory reset, use a VPN, etc. They never even bothered to research where the attack was coming from.
At this point I may just return the Netgear and get my money back. I'm not sure what else I can do at this point and I'm beyond frustrated.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Hey Steveberry,
I'm getting the same message in my router logs as well. "[DoS attack] LAND Attack PT:2190 DPT:2190" Did you find out the issue? One of my friends that's in IT security said the 255.255.255.255 is a local network pinging the system. So I'm slowly turning off computers and accessories around the house one by one until I find which computer or node. I'm out of ideas right now.
Did you fix your issue?
btw, I have a CAX80 modem too.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Third owner of a CAX80, also on Comcast. I have the exact same SPT/DPT combo, except with my own public IP.
The only thing I can remember changing from when I started having this issue is that I had updated the firmware to the latest version, and I have also added the Philips Hue 2nd gen bridge with a bunch of their smart lights. Other than that, no substantial changes.
Not sure what the issue might be, I'm at work and can't roll back the firmware anyways, but I saw that this is still a very fresh thread and wanted to provide my own info.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Hey crttrsfrttrs,
I have the same modem and Philips Hue 2nd gen hub with the same issues. After Comcast came over and replaced cable lines, it didn't fix the issue. And from what I found online, tons of people are having the same issues. I found out that downgrading the firmware will fix the rebooting. Here is the link to the other Netgear forum with the link to downgrade your firmware.
Hope this helps you guys!!
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Same here... at about the same intervals using 2.1.3.7 - The source IP of the [DoS attack] LAND Attack SPT:2190 DPT:2190 messages is the ISP (Spectrum) assigned CAX80 Modem (WAN) address.
Today, for the first time, I got a series of [DoS attack] SYN Flood SPT:xxxxx DPT:xxxx messages like the one below. The SPT: Port number and DPT: Port number changes from message to message. I'm assuming these are random port numbers. The target (xx.xxx.xxx.xx:3359) is my ISP assigned address, but the source (193.239.86.210:55441) is unknown to me, and apparently, it's originating from Hong Kong. The series of about 10 consecutive messages stopped about two hours ago. Did anyone get similar messages?
Before anyone asks... yes, I've already followed the usual troubleshooting steps... Please, don't ask me to reboot or reset the CAX80.
[DoS attack] SYN Flood SPT:55441 DPT:3359 1 Sat Jun 25 14:31:49 2022 xx.xxx.xxx.xx:3359 193.239.86.210:55441
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
@Omnitron - Agree about the "suicide" DoS Attacks, but while on the subject of DoS Attacks, I was wondering if other Netgear Router users were also experiencing "legit" DoS Attacks from same or similar IP address or place of origin (source).
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
I believe the " [DoS attack] LAND Attack SPT:2190 DPT:2190 " is a legitimate concern.
I started to have poor wifi connection and investigated.
I logged into my router, Netgear CAX80, and under Advanced, Administration, Logs: I noticed many "[DoS attack]" errors.
I first notified the many "[DoS attack] LAND Attack SPT:2190 DPT:2190 " but it showed the source as my own ip address.
The user above, "FURRYe38" posted this link and shows a description of the error: https://www.radware.com/security/ddos-knowledge-center/ddospedia/land-attack/. Description: "In a DoS land (Local Area Network Denial) attack, the attacker sends a TCP SYN spoofed packet where source and destination IPs and ports are set to be identical. When the target machine tries to reply, it enters a loop, repeatedly sending replies to itself which eventually causes the victim machine to crash."
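A log-triage example for the entries discussed in this thread, added here and not code from any poster or from NETGEAR: it parses lines in the layout of the SYN Flood entry quoted earlier and groups events by whether the source is the router's own WAN address, a local device, or an external host. That LAND lines share this field layout, the function names and the sample addresses are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Field layout assumed from the SYN Flood line quoted in this thread:
# [DoS attack] <type> SPT:<n> DPT:<n> <count> <timestamp> <target ip:port> <source ip:port>
LINE_RE = re.compile(
    r"\[DoS attack\]\s+(?P<kind>.+?)\s+SPT:\s*\d+\s+DPT:\s*\d+\s+(?P<count>\d+)\s+"
    r"\w{3} \w{3}\s+\d+ [\d:]+ \d{4}\s+"
    r"(?P<target>[\d.]+):\d+\s+(?P<source>[\d.]+):\d+\s*$"
)
LAN_NETS = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def origin(source, target, wan_ip):
    """Say where an event appears to come from, judged by its source address."""
    if source in (wan_ip, target):
        return "self"      # router's own address as source: the LAND pattern
    if source == "255.255.255.255" or any(ip_address(source) in n for n in LAN_NETS):
        return "local"     # a device on the home network
    return "external"      # a routable address worth a WHOIS lookup

def triage(lines, wan_ip):
    """Count events per (type, origin); collect external sources and bad lines."""
    counts, external, unparsed = Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.search(line.strip())
        try:
            where = origin(m["source"], m["target"], wan_ip) if m else None
        except ValueError:  # address-shaped text that is not a valid IPv4 address
            where = None
        if where is None:
            unparsed.append(line)
            continue
        counts[(m["kind"], where)] += int(m["count"])
        if where == "external":
            external[m["source"]] += int(m["count"])
    return counts, external, unparsed

# Constructed sample log: documentation and private addresses, not real hosts.
WAN_IP = "203.0.113.7"
SAMPLE = [
    "[DoS attack] LAND Attack SPT:2190 DPT:2190 1 Sat Jun 25 14:01:12 2022 203.0.113.7:2190 203.0.113.7:2190",
    "[DoS attack] LAND Attack SPT:2190 DPT: 2190 1 Sat Jun 25 14:31:12 2022 203.0.113.7:2190 203.0.113.7:2190",
    "[DoS attack] LAND Attack SPT:2190 DPT:2190 1 Sat Jun 25 14:40:02 2022 255.255.255.255:2190 192.168.1.20:2190",
    "[DoS attack] SYN Flood SPT:55441 DPT:3359 1 Sat Jun 25 14:31:49 2022 203.0.113.7:3359 198.51.100.23:55441",
    "truncated or garbled line",
]

if __name__ == "__main__":
    counts, external, unparsed = triage(SAMPLE, WAN_IP)
    for (kind, where), n in sorted(counts.items()):
        print(f"{kind:12} {where:9} {n}")
    print("external sources:", dict(external), "| unparsed:", len(unparsed))
```

Entries in the "self" group carry no remote address to look up; only the "external" group gives something to check with WHOIS.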
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
That is a heck of a theory. And some of it is technically true. Like Charter/Spectrum not assisting in changing the IP address. It's not that they can't, they can, and will, if you have a business account. But they won't, cuz you don't, have a business account. I'm a poet and didn't even know it. Like I said some true, some not true. Downgrading works, the DoS goes away entirely with 2.1.3.5. But! It is also a complete waste of time since it is auto updated every single night by Spectrum, and you can't stop it, thanks NG! So, your warning not to downgrade is correct and incorrect all at the same time.
I have been having firmware 2.1.3.7 issues for a while as well. I am not going to go over everything I've done nor provide logs. I just finalized my RMA and NG is sending me a new (or used, who can really tell with these guys) cax80, with all the stupid turns, twists, and jump through hoops involved with that process. It's taken almost two months to get to this point. Dumbest support ever. A complete waste of time but hey... you guys keep saying you're not having issues so... worth a shot, right. See? Correct and incorrect all at the same time.
As for the Null attacks, the cax80 is reporting them rarely and from everything I've seen, it's doing its job and stopping them. As for the [DoS attack] LAND Attack SPT:2190 DPT:2190, that is 100% 2.1.3.7 firmware related. Since I am not always right, a very slim 0.05% possibility it is a defective hardware issue... that could be addressed by correcting the dang firmware!
Not to be ungrateful or anything, I appreciate the assistance as do others. But there are many threads and a MASSIVE security alert dump on 6/29/2022 that covers this problem on the CAX80 but on previous firmware revisions. Unfortunately, I'm going to make you do the same thing I had to, go through them all one by one, since there is nothing to identify the content in the alert. No direct link for you! Here is the link to all alerts... https://www.netgear.com/about/security/ I would highly recommend that if you're going to assist, you go through them all, make a few notes... well, unfortunately, a S*** ton of notes with that crazy dump... Holy Jebers! It's like the White House and their weekly Friday night news dump to hide stuff. Remember the other multiple threads you read or assisted with that dealt with the exact same or very similar topic which can be directly attributed to the same issues.
In this thread,
https://community.netgear.com/t5/Cable-Modems-Routers/CAX80-keeps-rebooting/td-p/2231370/page/2 you can see FURRYe38 respond to kinghq1. I am not sure if FURRYe38 didn't read kinghq1's post and also ignored all the others discussing and posting detailed information, but the response was lacking at the very least. I've seen this from FURRYe38 many times, asks a ton of questions, ignores the answers, provides incorrect or scripted answers that have nothing to do with the facts at hand. Frustrating but FURRYe38 isn't a NG employee or forum moderator. I hope the intent is to help but I've seen rapid fire post responses with no actual need for the question since it was provided in the OP. I have no idea why anyone would want to up their post count on the NG community board, so I will keep hoping it's to help. Even though furry later posts switching to the CM2000, possibly/probably before the issue presented itself but after the 2.1.3.7 firmware update.
To sum it all up, I believe it is the 2.1.3.7 firmware, I am 99.9% certain of that (.01% ... I could be wrong, a broken clock is right twice a day). NG doesn't appear to be responding (appropriately) to the "known" issue as far as I can tell (my CAX80 RMA, what they have said, emailed, and their inadequate lack of knowledge on NG product alerts). There are multiple community posts and I'm willing to bet a large number of support tickets that are being ignored or at least not tracked or cataloged effectively. Not everyone lurks the NetGear community board and reads 300+ threads researching this specific issue, not even the mods and NG employees... the customer just wants their product to work or be fixed. I've got to tell you, it is extremely difficult, far beyond what it should be. Just my 2 cents.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
This issue has plagued for years and in all firmware. I am really not happy with Netgear on this modem at all. First of all, for a modem which I paid almost 500 for, does not have QOS setting and this LAND attack every 30 minutes.
I have tried looking out for solutions over the years and even though Netgear tells this will not affect your browsing experience as LAND attacks are ignored, I have found a correlation where these LAND attacks create this terrible latency while online gaming. Every time I have a huge network latency inside a game, I have noticed these logs occur at the same time. While browsing, streaming OTT platforms this may not be observable, but it has broken online gaming for me.
With really high bufferbloat and these constant Land port scan, this modem/router has the highest bufferbloat/latency I have encountered in any modems.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
What FW version are you using?
Please post a copy and paste of the modem's connection status and event log page.
https://kb.netgear.com/30007/How-do-I-obtain-the-cable-connection-information-from-a-NETGEAR-cable-m...
https://kb.netgear.com/30008/How-do-I-view-or-clear-the-event-logs-on-my-NETGEAR-cable-modem-or-mode...
@Userneedshelp wrote:
This issue has plagued for years and in all firmware. I am really not happy with Netgear on this modem at all. First of all, for a modem which I paid almost 500 for, does not have QOS setting and this LAND attack every 30 minutes.
I have tried looking out for solutions over the years and even though Netgear tells this will not affect your browsing experience as LAND attacks are ignored, I have found a correlation where these LAND attacks create this terrible latency while online gaming. Every time I have a huge network latency inside a game, I have noticed these logs occur at the same time. While browsing, streaming OTT platforms this may not be observable, but it has broken online gaming for me.
With really high bufferbloat and these constant Land port scan, this modem/router has the highest bufferbloat/latency I have encountered in any modems.
Re: [DoS attack] LAND Attack SPT:2190 DPT:2190
Everyone in this thread, please disable DLNA on the modem. I got some info from NG that seems to point to DLNA and its TiVo protocol using that port. So if you're seeing this item in the logs, try disabling DLNA on the modem.
@tamanaco @Trickabounce @nomidlname @steveberry10 @Userneedshelp