Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

vwwanted
Aspirant

DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I'm getting lots of DoS attacks logged in my C3000 modem/router. They appear to be coming from inside my network, from my wifi. I keep seeing a device attached to my wifi with an IP address of 1.1.153.128. I've blocked it several times, but have seen its MAC address change and it re-connects. I've since blocked all new devices from connecting through access control. I had started investigating this because we were having severe connectivity problems to the internet. Does anyone know what this rogue device might be? I suspect that it might be an iPhone connected to the wifi.

Model: C3000|N300 Cable Gateway Docsis 3.0
Message 1 of 89
netwrks
Master

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

https://db-ip.com/all/1.1.153

 

Question, did you change the default router password, default wifi passphrase on the router?

Message 2 of 89
vwwanted
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Yes, and I changed the passwords again after seeing the strange access in the logs. What's strange is that the 1.1.153.x address is showing up as connected to my Wireless. Last night, a different iPhone on my wireless had that IP address. I've just about given up on the router features of this device. Tonight, I'm going to disable DHCP on the device, and hook up a trusty old Linksys router to it to see if it resolves the problems. Thanks for your input, but it's just insane that Netgear doesn't provide even email support after 90 days. They used to be my go-to brand for networking equipment, but I guess all companies are feeling the squeeze of the poor economy.

Message 3 of 89
Floresca
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I'm seeing this also. I've started watching this the last couple of days and I see a lot of DOS attacks. The source is listed as 2.x.x.x and the target is multiple other websites.  One day the rogue ip of 2.x.x.x was from my son's iPhone. Then the next day it took over my husband's iPad. Now it is listed as the ip for my phone.

 

My next step is to set my router back to the default settings. And then, if I can ever find out the current version #, I will update the firmware. 

 

Anyone have any other ideas?

 

I have a C3000. I have remote management turned off. I have a different password than the default (can't find out how to change the admin username so that has stayed the same).

 

thanks for your help. 

Becky

Model: C3000|N300 Cable Gateway Docsis 3.0
Message 4 of 89
Daddi0
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I'm getting the same exact thing.  I was checking into things because we keep getting kicked off multiple times a day for no apparent reason and saw the logs of attacks and the rogue IP address that moves around to different devices.

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 5 of 89
tmcribbs
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Has anyone found the solution yet?  I'm having the same issues.  One of my Android phones will show up as a 176.10.32.0 address in the "attached devices" but that phone shows the correct 192.168.0.10 DHCP address on the device itself.  I verified this phone via MAC to be sure I was looking at the same device. I reset the phone and removed it in the device list.  Same issue.  Oddly, that IP address will switch between phones (I have 2 Android phones) seemingly at random.  I can ping the phone by its correct address 192.168.0.10 (or .11 if it's the other phone affected), but since the 176.10.32.0 address isn't a valid host address, I can't ping that one.  The only place I see the 176 address is in the attached device list and in the log with periodic, but often, 'teardrop or derivative' attack targeting a host in New Jersey. I'm wondering if this is a bug in NetGear Genie... I don't have a means of capturing data to run thru Wireshark from the outside NetGear interface.

 

NetGear N450

Firmware Version

V3.01.06
Message 6 of 89
Retired_Member
Not applicable

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

While I'm glad to see I'm not the only one with this issue, it is unfortunate that there doesn't seem to be an answer.

I've been noticing intermittent network slowdown pretty recently, and when I've checked the logs I notice that an IP (34.8.16.0) has been causing DOS attack logs to various IPs.

It is also showing that IP address as my sister's iPhone on the network, while every other device has the standard local IP.

The rogue IP will also jump to my mother's iPhone when my sister's isn't connected.

I'm not sure what I can do to prevent this, but hopefully someone can help out.

Model: C3700|N600 Cable Gateway Docsis 3.0
Message 7 of 89
jvillalba
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I just had the exact same thing happening with -what I figured out- was my fiance's iPhone 6!  Her iPhone's IP address was spoofed and shown as a similar-looking IP to the one you mentioned under my router's 'attached devices' --> 33.1.152.0.  The strangest part about this happening is that I have manually assigned all of the IP addresses to devices on my network AND I had enabled 'access control' so that no new devices/IP addresses can join the network.

 

I reset her iPhone's network settings and then rejoined the network.  My router's 'attached devices' suddenly showed the correct IP 192.168.1.xx for her iPhone.  After 10-20 seconds, I clicked 'refresh' in the 'attached devices' section and the IP switched back to 33.1.152.0

So I tried blocking her iPhone from joining the network via 'Access Control' and that worked just fine.  I had her iPhone forget the network.  Then, I re-enabled network access for her iPhone and manually rejoined the WiFi network successfully.  After doing this, her iPhone maintained its proper IP address. The DoS attacks stopped happening completely!

 

About 45 minutes later I noticed my iPhone had stopped appearing in the 'attached devices' section even though it still had an active connection to the Internet over WiFi.  I had my iPhone forget and re-join the network.  After doing this, my iPhone reappeared under 'attached devices' and it still maintained its proper IPv4 address.   As soon as my iPhone reappeared under 'attached devices' my fiance's iPhone immediately reverted back to being shown as 33.1.152.0 -_-

 

Two Things:

*I know this can be spoofed, but I used a website to look up the location for 33.1.152.0 and it's listed as belonging to a US-based defense contractor

*the night this started happening, I walked by my Mac running OS X 10.6.11 and saw that someone was controlling my cursor/keyboard via remote access SSH.  I saw them open my bookmark for PayPal and they opened the 'send money to someone' page where my saved login info was just sitting there.  I disconnected my router from power, went to bed and I've spent all day today trying to figure out how that could have happened with no luck.

 

I would love any suggestions/input/feedback or a fix!  I just want the peace of mind that I’m not vulnerable to an attack.

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 8 of 89
SamirD
Prodigy

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Holy *****.  I have never known anyone to actually watch their computer being controlled like that and money stolen.  I am completely speechless because otherwise it's a string of obscenities.

 

Here's what I would do.  One, disconnect everything from the Internet--period.  No phones, no computers, no nothing on any network, anywhere.

 

Two, get all your personal data off of those machines by backing them up to an external hard drive (or two or three if the data is important).

 

Three, go to the apple store and tell them to wipe all of those devices clean and start them over, explaining that all your accounts were compromised.

 

Four, contact banks or anyone else you had any electronic communications with using those devices and confirm if anything was stolen.

 

Five, contact the police and your insurance company.

 

This is the real deal and no drill--your identity and life were being stolen before your eyes.  And no router could have ever prevented that.

 

Be sure to factory reset your router too.  And don't plug it in or go online ANYWHERE until all of this is under control and you know what's going on.

Message 9 of 89
Jammy
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

On my router the factory def settings in the wan setup have

disable port scan and dos protection

Toggled ON !!!

 

meaning there is no protection. I can not imagine netgear having this toggled on as default but I did a hard reset and it was ON!

 

I got DoS attacks and similar symptoms as discussed with IP changes on devices to outside my local network. I am now going through all the set up again.

 

wtf is netgear doing ?

Model: C6250|AC1600 WiFi Cable Modem Router,C6300|AC1750 Cable Modem Router Docsis 3.0
Message 10 of 89
SamirD
Prodigy

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Disabling a port scan is a protection that prevents an external source from port scanning.  (having it checked enabled the protection.)

 

Enabling DOS protection (checking it) protects you as well.

 

I think you simply misinterpreted what those meant.  Most consumer routers (netgear included) ship with all protections turned on.

Message 11 of 89
Jammy
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

"By default, the router uses port scan and DoS protection (it is enabled) to help guard a network against those attacks that inhibit or stop network availability. If someone selects the Disable Port Scan and DoS Protection check box on the WAN screen, that disables the protection."

 

That is from the Netgear site. The default factory settings on the router I received had it checked. I did not change it. On my other Netgear routers it is unchecked as delivered, which is correct. I'm getting the DoS attacks and port scans on the new router as described by others in this post.  Having these disabled by checking that box may have contributed.  I now cannot stop these attacks, as others in this post have said.  iOS devices have their IPs on the router changed, which seems like a virus on the router. I will update the firmware and NOT check the box.

Message 12 of 89
Khrisz
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

In light of recent DDoS attacks on major websites like Amazon, Twitter, Reddit, etc... I read an article talking about botnets and how you could be part of one without you knowing. So I decided to check my logs on my C3700 and saw a couple of DoS Teardrop or derivative logs. The IP was one I haven't seen before in my network, 100.131.130.0. The target was 73.241.60.32, which I believe is located in Rodeo, California. I read Amazon has servers in Northern California but didn't say any city in specific. Question is, should I be concerned? Is my personal information compromised? Am I overreacting?

Model: C3700|N600 Cable Gateway Docsis 3.0
Message 13 of 89
dezmodious
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I have run into this issue as well. I just purchased the C7000 today and within minutes of setting it up (yes I changed the default settings and passwords) and browsing around the admin settings I noticed that my log was showing DoS attacks: Ping of Death, Teardrop...etc. All were coming from IP address 78.197.43.0 port 0 (shows France when googled). When I checked connected devices I had one device with that particular IP assignment. I determined it was my iPhone 6S. I switched it over to the 5G network and that solved it for that device. I checked back a few minutes later and I now have the same IP address showing in the connected devices but it is no longer my iPhone, it's just an undefined device (listed as ---). Does not appear to be affecting speed or connectivity at the moment.

 

For reference, Time Warner customer in Raleigh, NC

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 14 of 89
pfear
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I am running into the same problem.  I have owned the Nighthawk AC1900 for a month.  When I first set it up the first thing I did was change all the default passwords.  Even so, I almost immediately started seeing two symptoms:

1) Everyone in the family would sporadically get kicked off the network, and

2) When I looked at the logs there were entries about DOS attacks. They said that there was a device on the network that was causing much of the problem.  This device had an IP that was not in the range of my DHCP server.  When I dug into it, I found that it was an iPhone.  The thing was, it was jumping between all the iPhones in the family.  At first it was just the kid's phones, but soon my phone was also hit with that IP address.  

 

I have played with everything (e.g. segregating the iPhones to the "guest" network, blocking their access, etc.) and all that happens is that rogue IP address gets transferred to some other iPhone address.

 

This is unsettling.  I am not impressed with the support options from Netgear.  Any help would be great.

Message 15 of 89
tmcribbs
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I think it's a bug in the Netgear equipment.  I sold mine and went with another brand.

Message 16 of 89
xnav
Star

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Message 17 of 89
cbk1200
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I have been getting a ton of DoS attacks like this in the past month. I'm also having this issue where suddenly none of my devices will recognize my correct wifi password. I end up having to reset it every time this happens. Not sure if this is related to the DoS attacks but something tells me it is. Anyone else still having this problem and if not what was the resolution? I actually bought a new Motorola router to see if the issue persists so we'll see. I am at my wits' end with this.
Message 18 of 89
fqm889
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I also have this problem. My iPad always has this IP address associated with its MAC address. I'm using a C3000 with Comcast.

By looking into this problem I realized that it's not hacking.

The fact is that NETGEAR is not supporting IPV6 well. It's mistaking part of the ipv6 address in ipv6 packets as the src and dst of ipv4 packets.

 

The IPv6 packet is something like this

|   --- 32 bit ---   |  Info
|   --- 32 bit ---   |  Info
|   --- 32 bit ---   |  source ip   e.g.    1111:2222
|   --- 32 bit ---   |  source ip   e.g.    3333:4444
|   --- 32 bit ---   |  source ip   e.g.    5555:6666
|   --- 32 bit ---   |  source ip   e.g.    7777:8888
|   --- 32 bit ---   |  destination ip    e.g.    9999:aaaa
|   --- 32 bit ---   |  destination ip    e.g.    bbbb:cccc
|   --- 32 bit ---   |  destination ip    e.g.    dddd:eeee
|   --- 32 bit ---   |  destination ip    e.g.    ffff:0000

While IPv4 is like this

|   --- 32 bit ---   |  Info
|   --- 32 bit ---   |  Info
|   --- 32 bit ---   |  Info
|   --- 32 bit ---   |  source ip   e.g.    111.222.111.222
|   --- 32 bit ---   |  destination ip    e.g.    000.111.000.111
|   --- 32 bit ---   |  options

Netgear is mistaking lines 4 and 5 of an IPv6 packet, which are part of the IPv6 address, as the src and dst of an IPv4 packet.

The source and destination IP addresses in my log are exactly part of the IPv6 address, which is in hexadecimal, of my iPad.

You can verify that by yourself.

IPv6 address:

xxxx:xxxx:aabb:ccdd:eeff:gghh:xxxx:xxxx

Change aa bb cc dd ee ff gg hh from hexadecimal to decimal AAA BBB CCC DDD EEE FFF GGG HHH

Then you can find that AAA.BBB.CCC.DDD is your source and EEE.FFF.GGG.HHH is your destination of 'DoS' packets.

 

Message 19 of 89
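
Added example (not part of fqm889's post and not Netgear code): the check described in the post above, as a script that builds a real 40-byte IPv6 header, reads it at the IPv4 address offsets, and matches a logged "DoS" source/target pair back to a device. The device names, function names and IPv6 addresses are constructed for illustration; the phone's address is chosen so that it reproduces the 100.131.130.0 / 73.241.60.32 pair reported earlier in the thread.

```python
import ipaddress
import struct

# Constructed sample addresses (documentation prefix 2001:db8::/32). The phone's
# address is chosen so bytes 4..11 reproduce a pair reported earlier in the
# thread: source 100.131.130.0, target 73.241.60.32.
DEVICES = {
    "phone": "2001:db8:6483:8200:49f1:3c20:8a2e:370",
    "laptop": "2001:db8:6483:8200:b4c1:22ff:fe10:9a01",
}
REMOTE = "2001:db8:ffff::1"  # constructed destination


def build_ipv6_header(src, dst, payload_len=0, next_header=59, hop_limit=64):
    """Build the 40-byte fixed IPv6 header: 8 bytes of info, 16 src, 16 dst."""
    first_word = 6 << 28  # version=6, traffic class=0, flow label=0
    info = struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
    return (info + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def ip_version(header):
    """Top nibble of byte 0; a parser must check this before reading addresses."""
    return header[0] >> 4


def misparse_as_ipv4(header):
    """Read IPv4's address offsets (12-15, 16-19) without checking the version."""
    src = ipaddress.IPv4Address(header[12:16])
    dst = ipaddress.IPv4Address(header[16:20])
    return str(src), str(dst)


def phantom_pair(ipv6_addr):
    """Shortcut: bytes 4..7 and 8..11 of the IPv6 source address."""
    packed = ipaddress.IPv6Address(ipv6_addr).packed
    return (str(ipaddress.IPv4Address(packed[4:8])),
            str(ipaddress.IPv4Address(packed[8:12])))


def explain_log_entry(logged_src, logged_dst, devices):
    """Names of devices whose IPv6 address would produce this logged pair."""
    return [name for name, addr in devices.items()
            if phantom_pair(addr) == (logged_src, logged_dst)]


if __name__ == "__main__":
    hdr = build_ipv6_header(DEVICES["phone"], REMOTE)
    print("version nibble:", ip_version(hdr))
    print("misparsed src/dst:", misparse_as_ipv4(hdr))
    print("matches:", explain_log_entry("100.131.130.0", "73.241.60.32", DEVICES))
```

Bytes 4..7 of the source address fall inside a /64 LAN prefix, so under this explanation every IPv6 device on the same LAN yields the same phantom source while the phantom target differs per device.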
cbk1200
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Interesting. Thanks for looking into this. I ended up buying a Motorola router and haven't had any issues since. 

Message 20 of 89
SamirD
Prodigy

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Wow!  Congrats on finding the exact source of this bug!  Now, hopefully Netgear sees this and will fix the code.

Message 21 of 89
PGillard
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Anybody have any detailed instructions on how to change the IPv6 addresses in the above?

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 22 of 89
PGillard
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Might you be able to point me towards a more detailed set of steps to follow to fix the ipv6 issue?

 

thank you

Paul

 

Message 23 of 89
PGillard
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Might you be able to point me towards a more detailed set of steps to follow to fix the ipv6 issue?

 

thank you

Paul

 

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 24 of 89
wgroks
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Why do I keep buying netgear? I guess cause cheap, and it shows.

Message 25 of 89