C6900 - Repeated DOS Attacks from same source ip

Msgs2Me
Follower

My home internet has been dropping to near 0MBS for the past week. I checked the logs and see the below DOS attacks, which continue to repeat over and over. I tried calling my provider (Comcast) and they basically said there was nothing they could do. I looked up the source IP (in Thailand) and emailed their abuse email, but seriously doubt that will have any impact.

My Norton Antivirus is up to date.

The only suggestion from Comcast was to return this modem and purchase one that will let me block specific INCOMING IP addresses. Does Netgear offer that? I can't find it on this model (AC1900-C6900).

Anyone have any other suggestions?

[DoS attack: Ping Of Death] from 1.0.213.112, port 0 | 2 | Sun Mar 11 18:10:02 2018 | 172.97.162.168:0 | 1.0.213.112:0
[DoS attack: Teardrop or derivative] from 1.0.213.112, port 0 | 1 | Sun Mar 11 18:09:50 2018 | 172.97.162.168:0 | 1.0.213.112:0
[DoS attack: Ping Of Death] from 1.0.213.112, port 0 | 3 | Sun Mar 11 18:08:16 2018 | 25.54.225.1:0 | 1.0.213.112:0
[DoS attack: Teardrop or derivative] from 1.0.213.112, port 0 | 1 | Sun Mar 11 18:02:49 2018 | 116.150.69.226:0 | 1.0.213.112:0
[DoS attack: Ping Of Death] from 1.0.213.112, port 0 | 2 | Sun Mar 11 18:02:46 2018 | 116.150.69.226:0 | 1.0.213.112:0
Message 1 of 3
TheEther
Guru

Re: C6900 - Repeated DOS Attacks from same source ip

It won't help to block a specific incoming IP address at your modem. Your Internet connection will still be clogged by the attack. Besides, your modem is already dropping the traffic.

If Comcast won't block the traffic on their end, then the only way to stop these kinds of attacks is to change your public IP address. If you had a router that was separated from your modem, then changing the router's MAC address will often coax the ISP to assign you a new address. But with a combination modem/router, like the C6900, there's nothing you can do; you can't change the MAC address on a modem/router.
Message 2 of 3
ErnestTheGreat
NETGEAR Employee Retired

Re: C6900 - Repeated DOS Attacks from same source ip

When the C6900 shows DoS in the logs, it could mean that an actual DoS attack is taking place or it could be a false positive. Sometimes, certain IPv6 multicast fragmented packets may be mistaken by the C6900 firewall as a DoS attack and that will show up in the logs. In most cases, these logs are harmless and should not cause any network degradation. You should not see these false positives with regular IPv6 or IPv4 traffic.

If you believe that these attacks are false positives or not, you can try the following workarounds:

  1. If you have any printers on the network, disable IPv6 on the printer and use only IPv4 if it supports both IPv4 and IPv6. Many printers with IPv6 enabled will generate IPv6 multicast fragmented packets. If the issue still occurs, check other devices on the network and use a similar approach.
  2. Disable the DoS attack setting by logging in to the C6900 Web UI and going to ADVANCED -> Setup -> WAN Setup, then uncheck the “Disable Port Scan and DoS Protection” button; by doing this, the DoS and Port Scan protection will be enabled.
Message 3 of 3
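
One way to triage log rows like those in the first post, added here as an example that is not part of the thread or Netgear's code: it splits each row into fields and totals events per source and attack type. The cell order (description, count, last occurrence, target, source) and the description's port being equal to the source port are assumptions inferred from the rows shown.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rows as pasted in the first post (table cells run together).
SAMPLE = """\
[DoS attack: Ping Of Death] from 1.0.213.112, port 02Sun Mar 11 18:10:02 2018172.97.162.168:01.0.213.112:0
[DoS attack: Teardrop or derivative] from 1.0.213.112, port 01Sun Mar 11 18:09:50 2018172.97.162.168:01.0.213.112:0
[DoS attack: Ping Of Death] from 1.0.213.112, port 03Sun Mar 11 18:08:16 201825.54.225.1:01.0.213.112:0
[DoS attack: Teardrop or derivative] from 1.0.213.112, port 01Sun Mar 11 18:02:49 2018116.150.69.226:01.0.213.112:0
[DoS attack: Ping Of Death] from 1.0.213.112, port 02Sun Mar 11 18:02:46 2018116.150.69.226:01.0.213.112:0
"""

# Assumed cell order: description, count, last occurrence, target, source.
ROW = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from (?P<src>[\d.]+), port (?P<pc>\d+)"
    r"(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})"
    r"(?P<rest>[\d.:]+)$")

def parse_row(line):
    """Split one row into fields; None if it is not a DoS row."""
    m = ROW.match(re.sub(r"\s*\|\s*", "", line.strip()))  # drop cell separators
    if not m:
        return None
    src, pc = m["src"], m["pc"]
    head, _, sport = m["rest"].rpartition(":")
    # The 'from' address marks where the target cell ends; the source port
    # (assumed equal to the port in the description) marks where count starts.
    if not (sport.isdigit() and head.endswith(src)
            and pc.startswith(sport) and len(pc) > len(sport)):
        return None
    return {"kind": m["kind"], "source": src, "port": int(sport),
            "count": int(pc[len(sport):]), "target": head[:-len(src)],
            "when": datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y")}

def summarize(lines):
    """Events, timestamps and targets per (source, attack kind)."""
    out = defaultdict(lambda: {"events": 0, "times": [], "targets": set()})
    for row in filter(None, map(parse_row, lines)):
        s = out[(row["source"], row["kind"])]
        s["events"] += row["count"]
        s["times"].append(row["when"])
        s["targets"].add(row["target"])
    return dict(out)

if __name__ == "__main__":
    for (src, kind), s in summarize(SAMPLE.splitlines()).items():
        print(f"{src} {kind}: {s['events']} events, {len(s['targets'])} targets,"
              f" {min(s['times']):%H:%M:%S} to {max(s['times']):%H:%M:%S}")
```

Rows with " | " between cells parse the same way, since separators are removed before matching.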