Orbi WiFi 7 RBE973
Reply

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

rebop
Tutor

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

New C7000 firmware last night to 1.0.28 if I recall the numbers did not change this DDoS attcks nor the ability to email logs. No idea what it did change, but yet another Netgear letdown.

 

~Bob

Message 51 of 89
Left4Dead2
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

JollyRoger72 (Tutor),

 

Nice! Its something...wish I could have tried that while I had the C7000, but unfortunately after a frustrating time with support being bounced from one to the other even to L2, and they were asking to gather some more information?  I said, "Forget it!" I even had Comcast come out to the home to check the interface and lines, at no charge since I was bounced to their support and go no where either...hence the courtesy check. Funny enough, the tech had made a reference to what you were saying, but I didn't consider to go into it any further do to all the conversations we were having. I do still have my old C3000 though and a couple of other gateways too...may have to give that a try.  Ultimately, I will probably end up getting a different modem altogether.  Thanks for the reply and hope that works out for you long term, I would be interested in finding out down the road.

Message 52 of 89
Left4Dead2
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Bob,

 

Thanks for your update, thats disappointing to hear:( Netgear support is really frustrating too, don't bother with it. I don't think they check these forums? Check JollyRoger72 (Tutor) response...

Message 53 of 89
Pipedope290
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I found my HP Printer is sending "Ping of Death" to my Router.

New HP Printer, 2 weeks old.

Returning tomorrow!

Message 54 of 89
jwjwjw
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Same issue here, although it seems only the Apple devices are being associated with the public IP behind all the public attacks.   It also only seems to assoicate with wifi devices.  I have turned off all apple devices and currenly only have a Windows laptop on the wifi and the public attacks have stopped and no macs are associated with the public IP.  I currently have three devices plugged in (not on wifi) and they have never "grabbed" that public IP.   This is the public IP that devices have been getting 128.60.129.150.  They have been attacking all random public IPs.  I did a factory reset on the wifi router but that didn't do anything.  I just don't understand why apple devices are only affected?!  See the screenshot and it shows the "source" as that 128 which hops from the Apple mac adddresses only.

Message 55 of 89
Pipedope290
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I contacted HP, they told me it's not there fault.

Bought a Epson Printer, problem solved!

Message 56 of 89
jwjwjw
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I have an HP printer as well.  I unplugged it (no power).  Problem still continues.  Its not an HP issue.

Message 57 of 89
rebop
Tutor

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

They are al getting worse, btw. More and more IP's being attacked daily. Unthinkable Netgear does nothing about this.

 

I am ready to buy a new NAS. Guess what company will not be getting my business?

 

No more routers, gateways, NAS's, etc. An irresponsive and irresponsible company in my opinion.

 

~Bob

Message 58 of 89
ErnestTheGreat
NETGEAR Employee Retired

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I am not sure how much knowledge there is on this thread regarding Ping of Death, Teardrop, DoS and DDoS attacks but to me it seems there is lot of paranoia about being hacked. So I wanted to set the record straight as far as Netgear cable product go it appears that lot of the DoS entries that appear in the event logs. Upon further examination it appears that there is lot of cases where devices such as printer, mobile devices and etc. support IPv6 and lot of these devices are generating discovery packets or fragmented multicast IPv6 packets which cause the Netgear Cable firewall to belive it is being DoS’d when in fact it isn’t.

 

There is couple of mentions about HP printers with IPv6 support causing these issues and it seems that it does not matter whether you have a HP printer or not issue keeps happening. HP printers are not the only devices out there that send discovery or fragmented packets there is other devices that use these.  My suggestion is if you have a device that has IPv6 but it is not using it disable it, also other device that use multicast and discovery packets like Chromecast and so on should also be update as there was a recent issue with Google devices causing packet flooding issues which some routers believed to be DoS attacks.

 

As far as iOS devices showing IPs outside the subnet goes for example user that mentioned 128.60.129.150 according to public IP info this IP belongs to AS48 Navy Network Information Center ISP and based on the approximate location report this is approximate location of the Norfolk Naval Station so I doubt they you be hacking anyone’s cable gateway. In cases where mobile devices are reporting IPs outside of subnet goes I would check and make sure you are not connecting to any suspicious sites with your browsers, have any questionable apps, apps that mine your information and report it to public server installed or any type of malware infection if android OS is used.

 

As far as the issue with HP and other printers is concerned Netgear will be addressing that in the upcoming firmware releases once the firmwares have been tested and certified by ISPs of course.

Message 59 of 89
rebop
Tutor

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I have to disagree with your observations and opinion. Since day 1, the Netgear C7000 will CHANGE the connected IP of my iPhone to an IP address for an AT&T customer in Dallas Texas (I am in California and iPhone is on 192.168.etc). THIS ip in Dallas then attacks 's multiple other IP's sending DDoS and other pings of death to multiple IP's including the DOD, China, France, you name it. Can be anywhere. MANY times a day, every day.

 

Ony changes the iPhone. Never iPad, Kindle, etc.

 

Help clarify?

 

~Bob

Message 60 of 89
jwjwjw
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

That IP, 128.60.129.150, is showing inside, on my lan.  For whatever reason the Netgear ARP table associates it with our Apple devices.  It changes each time it wants to scan to whatever random Apple device we have online. That "device" is then targeting random public IPs.  You can see them clearly in the logs.  I only started investigating the due to my 1.4TB of data usage this month.  That usage may or may not be realated but something is very odd here.  Netgear factory reset does not do anything.   ISP does not have a newer firmware version.  I  have a Vizio tv, Roku, desktop computers (I disabled IPv6), ipads and iphones.  I had an HP wifi printer that I've unplugged as well and a Windows laptop unplugged as well.  I even setupIP reservations on all the devices (just to try something!), and the 128 IP still associated with one of the Apple devices with an IP reservation.

Message 61 of 89
jwjwjw
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I should also mention I even changed the IP of the router and have a 128 bit administrator password.

Message 62 of 89
Left4Dead2
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

hey, all i know is when i connected your guys's product to my network...it brought my internet down to a crawl...u guys need to fix your products:(

Message 63 of 89
jwjwjw
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Just with my iphone and ipad on the wifi network there is no "malicious" activity.  My devices do not show up in the netgear genie as having a public IP.  If my wife or kids add their iphones or ipads then it starts almost instantly.  One of the connected apple devices will show up with the public IP and the logs will show that public IP attacking random public IPs.  Its always one device, never more than one at a time.  Definately something apple related but I can't find what is different about my two devices compared to all of theirs.  We looked for apps they have that i don't and also device settings.  Could not isolate the difference.  Its driving me crazy!  No issues with anything wired.  

 

Also should be noted that all throughout the day when no one was here, no iphones at home, there was no malicious activity.  There were three ipads at home all day.   The malicious activity stopped and started at the moment the last person with an iphone left home and returned home.  When I did a test at night with just those three ipads (to confirm they were not the issues) the malicious activity started again , although not mine.  So i think that just confirms if the ipads are asleep that nothing is "calling out".  All the other ipads and iphones by themselves on the network cause these attacks when in use, but never my own ipad and iphone.............

Message 64 of 89
Kingsquest
Tutor

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Wow it will be 2 years since this message for this to be fixed. I new firmware will be out soon to fix the Dos Attacks. 

Message 65 of 89
ErnestTheGreat
NETGEAR Employee Retired

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

As I mentioned before lot of these events are false positive events that generate these DoS attack, Teardrop or derivative and Ping of Death events in the event logs. As described by Netgear before devices like printers and etc. are generating discovery packets or fragmented multicast IPv6 packets which cause the Netgear Cable firewall to belive it is being DoS’d when in fact it isn’t.

 

Netgear has a firmware that fixes this issue but it will take time to roll it out as it has to go through certification with ISPs. So we just need to sit tight and wait for the ISPs to push the new firmware out to our devices.

 

As far as the iPhones and iDevices having strange non-DHCP IP address shown for them under the WiFi section on the C7000's "Attached Devices" page so looks like the issue here is related to IPv6 NAT64 feature which is a translation mechanism for algorithmically mapping IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. For more info on NAT64 feature you can check out RFC 6145 and 6146.

 

So basically what’s happening is that the IPv6 addresses associated with iPhone and other iDevices are benign translate to random IPv4 addresses as result of NAT64 feature and for some odd reason those addresses are being shown under attached devices leading us to belive that there is a non-DHCP address assigned to our device. Coincidently some of those IPs are valid addresses that show as being registered to valid 3rd parties and some are not.

 

So I do not think there is anything to worry about here just make sure that you go to your C7000 UI under Advanced --> Setup --> WAN Setup and uncheck Disable Port Scan and DoS Protection to enable the protection since by default it is disabled. 

Message 66 of 89
jwjwjw
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I agree its a false positive.  Looking at the logs again, no "attacks" when no one is here.

Message 67 of 89
Gzabar
Aspirant

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Any idea if/when the new firmware will be deployed to Optimum Online? I’ve been dealing with this and very high corrected/uncorrectables for months and both your and their support have been abysmal. No one is willing to help and keeps telling me the other group is responsible for firmware updates. PLEASE help me out, I really enjoy the product but hope I didn’t waste $200 on a bad product. Thank you!

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 68 of 89
NtwrkG3ek
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

i am having same issue with new HP Envy Photo 7155 printer.  The printer is generating hundreds of UPnP packets.  The router thinks it detects a teardrop attack, and apparently resets the connection.  All of my devices lose connectivity.  I work from home, so this is especially frustrating during conference calls!

 

Here is one example:

[DoS attack: Teardrop or derivative] from 10.x.x.x, port 49087

Source: 10.x.x.x:49087 (HP Printer)

Target: 239.255.255.250:65535

Count: 816 packets

 

So, my router thinks the printer is generating a DoS attack.  However, this has to do with UPnP and SSDP uses 239.255.255.250 for the unicast and multicast adress.

 

Cannot decide which to return to the store... Netgear router, or the HP printer.  One of these must go!

 

Model: C3700|N600 Cable Gateway Docsis 3.0
Message 69 of 89
Kingsquest
Tutor

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

If you turn off IPv6 on the HP printer the DOS attacks will stop! Both HP and Netgear have a fix for this issue. The patch is in testing now and will be released through your ISP. 

Message 70 of 89
Bob94301
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

About time, if there is a fix. However, my situation is a bit different. iPhone sends packets always to port 0 and to sites like the Dept of Defense or something usually in the news whether  corporate or geoivernment foreign agency. Does not seem random and I still belive it is not.

Message 71 of 89
Kingsquest
Tutor

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Your printer (7155) and your Router (C7000,C6900, C7000v2, C3000, C3700, C6220, C7100V ) combination causes DOS errors. 

Turning off IPv6 on the Printer will stop the DOS attacks from the router and printer. You sending packets on your iPhone is not part of the fix. 

It sounds like you have a virius on your phone...

Message 72 of 89
Bob94301
Guide

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

I do not have a virus. The ip address of the iPhone changes to the same IP address in Texas and sends packets. 100's of Netgear owners have this. 100's. Many posts. Its a netgear bug well know for several years and nothing done. Google it.

Message 73 of 89
Kingsquest
Tutor

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Sorry... I only know about HP printers and how they react to Netgear routers. It was just a guess from the info you supplied. 

Message 74 of 89
NtwrkG3ek
Initiate

Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

Thanks, this worked!  The HP printer events stopped.  Network seems stable.

 

I still see suspected teardrop attacks in the logs where both To and From addresses are not on my network.  Apparently, the volume of packets (hundreds per log entry) from my HP printer caused the router to reset.  The other events have less than 20 packets per log log entry.

 

Target: 64.64.75.252:0 Source: 192.1.143.208:0
Message 75 of 89
Top Contributors
Discussion stats
Announcements

Orbi WiFi 7