D7000[v1] (V1.0.1.78) Intermittent Internet traffic slows/stops

antinode
Guru

   CenturyLink (resold) DSL service.  ADSL, PPPoA,  "V1.0.1.78_1.0.1".

 

   For the past month or so, I've seen recurring problems with
connections to the outside world.  Internet traffic slows and/or stops.
"ping 1.1.1.1" or "ping 8.8.8.8" degrades (increased times, packet
loss), typically continuing to complete failure ("100% packet loss").

Days can go by without an occurrence; an instance can persist for
minutes or hours.

 

   Restarting the D7000 typically restores service, but often only
temporarily.  Also effective (and much faster):
      ADVANCED > Advanced Home > Internet Port : Connection Status :
       Disconnect, (pause), Connect.

 

   Logs show nothing unusual.  LED indicators remain white, but show
less activity.  The DSL connection status and data rates remain
unchanged (according to the D7000).  ISP so far unhelpful, but did
observe that their "ping" to me also fails.

 

   "/debug.htm" threatens to "Save a copy of WAN interface packet
trace", but I've seen no actual data from that (only short,
identical-looking blobs of ".pcap" data), whether or not the problem
occurs.  (Sounded good, though.)

 

   My guess (and that's all it is) is that this is some kind of
denial-of-service attack which affects only the D7000, not any of my LAN
stuff.  Perhaps the D7000 is so busy handling whatever's happening that
it's too busy to do any useful work.

 

   But, so far as I know, I have no way to see any of the WAN activity,
so guessing is all I've done.  (Guessing, and using Wget to automate the
"Disconnect+Connect" operation when the problem is detected.)

 

   Suggestions are welcome, but my main goal here is to record the
problem symptoms, in case anyone else experiences anything similar.

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 1 of 2
antinode
Guru

Re: D7000[v1] (V1.0.1.78) Intermittent Internet traffic slows/stops

   This recurred again today, with more persistence than usual, and I
made some progress.  I caught some of the activity in the router log
before it got flushed out.  Apparently, it's a DDoS attack on my DNS
server from a collection of AWS servers.  Log sample (one second):

 

[LAN access from remote] from 18.178.186.85:32821 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 13.115.50.0:63697 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 13.112.46.189:12738 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 52.196.220.128:49324 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 3.113.43.121:11791 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 54.64.218.138:30175 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 3.112.179.64:50547 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 35.78.14.10:43354 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 54.199.124.175:45150 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 35.72.7.132:31615 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 54.150.121.105:32695 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 52.198.135.20:7745 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 52.195.131.209:10203 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 35.79.36.204:62854 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 54.64.246.35:32667 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 18.178.4.252:8142 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 35.76.33.137:37348 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 52.198.14.219:21508 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 52.192.128.142:38762 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 13.231.7.178:6205 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 35.79.184.158:43974 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 52.192.8.85:47594 to 10.0.0.140:53 Friday, February 05,2021 20:51:31
[LAN access from remote] from 35.73.178.24:39122 to 10.0.0.140:53 Friday, February 05,2021 20:51:31


   I've complained to AWS.  I may try disabling the logging, to see if
that helps.  On this occasion, a little normal network traffic passed
through, but even "ping 10.0.0.1" from a system on the LAN was failing.

 

   Note that I can reject some of this stuff at the actual BIND-server
system, but the router itself gets too overworked (port forwarding,
logging, data transfers, ...?), so the only (unsatisfactory) remedy is
deleting the port-forwarding rule.

 

   Being able to disable a port-forwarding rule without deleting it
would be handy, too.

Message 2 of 2
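
Added example (not part of the original posts, and not Netgear code): a small Python parser for the "[LAN access from remote]" log line format quoted in the second post, which groups forwarded connections by second and target to show when many distinct sources hit the forwarded DNS port at once. The function names and thresholds are assumptions, and the sample lines are constructed using documentation address ranges; only the line format and the target 10.0.0.140:53 come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format as it appears in the D7000 log sample quoted in the post.
LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<ts>\w+, \w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})$"
)

def parse(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for other entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%A, %B %d,%Y %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])

def flood_seconds(lines, min_hits=5, min_sources=5):
    """Bucket by (second, dst, port); report buckets over both thresholds.

    The thresholds are assumed values; tune them to the normal load of the
    forwarded service.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, dport = rec
            buckets[(ts, dst, dport)].append(src)
    report = []
    for (ts, dst, dport), srcs in sorted(buckets.items()):
        if len(srcs) >= min_hits and len(set(srcs)) >= min_sources:
            report.append({"second": ts.isoformat(), "target": f"{dst}:{dport}",
                           "hits": len(srcs), "sources": len(set(srcs))})
    return report

# Constructed sample: eight sources in one second, one in the next,
# plus one unrelated entry that the parser must skip.
SAMPLE = [
    f"[LAN access from remote] from 198.51.100.{i}:{40000 + i} to 10.0.0.140:53 "
    "Friday, February 05,2021 20:51:31" for i in range(1, 9)
] + [
    "[LAN access from remote] from 203.0.113.7:51515 to 10.0.0.140:53 "
    "Friday, February 05,2021 20:51:32",
    "[constructed unrelated entry] Friday, February 05,2021 20:51:32",
]

if __name__ == "__main__":
    for row in flood_seconds(SAMPLE):
        print(row)
```

Because the router log is flushed quickly under this load, the parser is only useful on a copy of the log saved or forwarded off the router while the event is in progress.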