Orbi WiFi 7 RBE973
Reply

Re: Nighthawk D7000 keeps crashing - DoS?

Lutzie
Aspirant

Nighthawk D7000 keeps crashing - DoS?

I've recently puchased a D7000, and spent some time setting it up. Overnight, it crashed. Nothing could connect via any method. Switched it on and off again, and after rebooting everything seemed fine. A few minutes later, it's down again. Couldn't log on to check the logs, so felt a bit in a catch 22 situation. The third time though I was logged on in the even logs, and saw lots of DoS attack info. Seen it a few imes since, and after most DoS entries, the router locks up completely.

 

I've removed the boring gubbins from the full logs

 

[DoS attack: ACK Scan] from source: 109.159.156.99:80 Friday, January 29,2016 09:12:48        
[DoS attack: ACK Scan] from source: 109.159.156.99:80 Friday, January 29,2016 09:13:08        
[DoS attack: ACK Scan] from source: 109.159.156.99:80 Friday, January 29,2016 09:13:28        
[DoS attack: ACK Scan] from source: 134.170.0.216:443 Friday, January 29,2016 09:34:38        
[DoS attack: ACK Scan] from source: 157.55.235.174:40029 Friday, January 29,2016 09:22:04        
[DoS attack: ACK Scan] from source: 157.55.235.174:40029 Friday, January 29,2016 09:22:31        
[DoS attack: ACK Scan] from source: 157.56.124.106:443 Friday, January 29,2016 09:24:12        
[DoS attack: ACK Scan] from source: 173.241.240.220:80 Friday, January 29,2016 09:14:01        
[DoS attack: ACK Scan] from source: 173.241.240.220:80 Friday, January 29,2016 09:42:27        
[DoS attack: ACK Scan] from source: 198.47.127.15:80 Friday, January 29,2016 09:41:44        
[DoS attack: ACK Scan] from source: 216.52.1.12:80 Friday, January 29,2016 09:42:05        
[DoS attack: ACK Scan] from source: 216.52.1.12:80 Friday, January 29,2016 09:42:47        
[DoS attack: ACK Scan] from source: 216.52.1.12:80 Friday, January 29,2016 09:43:22        
[DoS attack: ACK Scan] from source: 216.58.213.98:443 Friday, January 29,2016 09:23:52        
[DoS attack: ACK Scan] from source: 74.125.206.189:443 Friday, January 29,2016 08:50:28        
[DoS attack: ACK Scan] from source: 91.190.217.43:12350 Friday, January 29,2016 09:27:27        
[DoS attack: ACK Scan] from source: 91.190.217.43:12350 Friday, January 29,2016 09:28:03        
[DoS attack: ACK Scan] from source: 91.190.217.43:12350 Friday, January 29,2016 09:28:39        

 

Thing is, the IP addresses that I've checked all seem legit. Apple, Google, Microsoft, my own ISP BT... a few I don't know like Openx, but whom seem to be fine.

 

So my worry is, is the router mis-interpreting the data of legit traffic, and falling over as a result??

 

I'm on Firmware V1.0.0.18_1.0.1 which is, AFAIK, the latest version.

 

Any help appreciated.


Stephen

 

Edit: Just to add, I used to have a BT Home Hub 5, which is a bog standard modem/router sent out by my ISP to all new customers. Whilst it couldn't handle all of my devices correctly (About 18) it never went offline itself, nor crashed. It'd just drop connections to individual devices. The D7000 is the other way around; keeps hold of all of the connections fine, but crashes. 😕

Message 1 of 15
Retired_Member
Not applicable

Re: Nighthawk D7000 keeps crashing - DoS?

I would check All your devices for MALWARE

Message 2 of 15
Lutzie
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

Not that anything is infected, but also my BT Hub 5 router/modem works fine. Only this D7000 has issues. I don't think Malware is fussy about the type of router you have plugged in. 😉

Message 3 of 15

Re: Nighthawk D7000 keeps crashing - DoS?

Like you said:

 

109.159.156.99 = bt.com

134.170.0.216= Microsoft Corp

157.55.235.174= Microsoft Corp

 

I did a similar check on a bunch of local "DoS attack" reports. Got similarly nuts answers. Lot of it was Google, which may be evil, but not that evil.

 

It seems that Netgear likes to scare the bejeezus out of people by tagging legitimate activity as a DoS attack when it is no such thing.

 

At least that is the message I got when I investigated the issue on non-Netgear sites, where people are less than flattering about Netgear's reporting strategy for DoS attacks.

 

As one comment puts it "I know that Netgear are paranoid when it comes to DOS Attacks and at times you can just ignore them..."

 

I'd dig a bit deeper than the logs to find out what is really happening.

 

 

 

 

Message 4 of 15
Lutzie
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

I'd be happy to dig deeper... but how? I don't know what to do next.

Netgears latest answer from their "support" is a hard reset. Yeah, really.

I mean, I'll try it, and you never know, but I'm not exactly optimistic, particularly because after I answered one of their emails with the info requested, they then replied with "We're glad this has worked for you! Glad it's resolved! Please close the case!" (Dear god please close the case cos we haven't got a clue...)

 

On the face of it this router is superb, but alas Netgear are not making this easy.

Message 5 of 15
elementaltm
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

@Lutzie Hi, firstly I apologise for jumping onto your thread. That said, I too have exactly the same issue. Did you manage to resolve / improve anthing? What's your current status? I found that changing the NAT Filtering from "Secured" to "Open" does not seem to make any difference, i.e. Legitimate connections are still being flagged. If I understand correctly "Open" still offers some security, to quote from the Manual it offers "a less secured firewall". Ideally I'd like connection sources that are obviously trusted not to be flagged in the first place. At the very least I would like some level of control with expanded features such as more details for log entries and the ability to Whitelist trusted connections, etc. Can someone confirm for me if these connections that are being flagged up are actually blocked or just flagged? (FYI: My top priority is to get the thing stable and not lockup every couple of hours...) Thanks in advance.
Message 6 of 15
TheEther
Guru

Re: Nighthawk D7000 keeps crashing - DoS?

You can try disabling Port Scan and DoS protection on the WAN Setup screen.  This setting controls a set of heuristics that make the router more aggressive about tossing "bad" traffic.  I've seen many posts like yours where it appears to incorrectly mark legitimate traffic as DoS attacks.

 

Turning this feature off will NOT disable your router's firewall.  The firewall will continue to function as the primary means of defense for your network. 

Message 7 of 15
Lutzie
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

After a significant number of emails back and forth between myself and Netgear they concluded that the D7000 was faulty. I sent it back, got a replacement, and it's working fine with no lock ups, ever. Never even needed to reboot it.

 

OTOH I also have a D6200 which is refusing to acknowledge the DSL cable, so you know... yay for crappy quality netgear products hey?

Message 8 of 15
Soupladel
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

I would just add that I have this exact same problem, i have not checked for any sort of DoS attack but i highly doubt that is the cause.

 

I recently switched from a Netgear DGND4000 to the BT Home Hub 5 because i was about to switch over to a VDSL service, but thanks to the limitations of that ISP modem/router, I chose to buy the D7000 and have had no end of issues with it.

 

On the latest formware, I couldn't reserve IP addresses, so i downgraded to version 32 of the firmware.  Whilst this fixed my IP reservation issue, it didnt stop the router locking up and crashing.

 

What I did do was on Saturday morning after trying just about everything else, I switched off Wifi entirely and so far i have gone over 48 hours without the D7000 locking up.  I can only surmise that there is something in the settings for Wifi that are causing the problem, perhaps even something specific to where I live and the other networks about me, but its curious this issue oly occurs on the D7000.  I have raised a ticket with Netgera support and they have suggested a couple of things, but i am not hopeful it will work and i think i might just have a bad unit.

 

I should add that in addition to my previous DGND4000 not crashing, the BT HH5 never crashed and I am currently using an apple airport in bridge mode to provide the wifi for my network without issue which preatly neatly isolates the problem to the D7000 in some form.

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 9 of 15
elementaltm
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

@Lutzie Thanks for the update and your feedback, much appreciated.

 

@Netgear @D7000 Users It goes without saying that none of us should have to jump through hoops, tweak settings endlessly or turn off functionality just to obtain a level of stablity that should be offered out of the box. I have used Netgear hardware for 20 odd years and over that time overall quality and user experience has definatley slipped, to the point where (assuming no Hardware fault) this D7000 and associated Firmware does not feel fit for purpose.

 

Rant over and moving on. My understanding has always been that the general concencious was that to "Disable Port Scan and DoS Protection" was not recommended for obvious reasons. As there is currently no "disable SPI Firewall" option in the latest Firmware (inc. the latest V1.0.0.34_1.0.1) I had assumed the SPI Firewall would also be disabled (along with NAT and DoS Protection) thus leaving the Local Network completley open. You seem to be suggesting this is not the case and in fact the SPI Firewall remains operational however this seems to contradict Information on the Netgear Forums and other sources. @Lutzie please understand I don't disbelieve you, I just want to be 100% sure before I take any action and disable etc. Smiley Wink

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 10 of 15
elementaltm
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

Sorry my bad, unfortunately I don't have access to edit my own posts... Obviously I got confused in my last post and addressed part of my response to @Lutzie when I should have stated @Soupladel. Apologies for any confusion.
Message 11 of 15
TheEther
Guru

Re: Nighthawk D7000 keeps crashing - DoS?

It would be highly unlikely for NAT to be disabled along with Port Scan and DoS Protection.  If NAT was disabled, then you would either lose your private subnet (after all, NAT is what enables you to share your public IP address among several devices) or you would lose access to the Internet because private subnets are, well, private, hence unreachable from the Internet.  We know that neither of these are true.  Therefore, NAT is not disabled.

 

NAT, alone, does the main job of protecting your network.  When a device on the private subnet sends traffic to the Internet, NAT will replace the private, source IP address with the public one.  It will also replace the TCP or UDP source port with a temporary port number (it, in effect, opens that port).  Incoming traffic that matches the temporary port will be allowed through after, of course, the public IP address is converted back to the IP address of the device and the temporary port is converted back to the original source port.  Incoming traffic that does not match any opened port (temporary or permanent via port forwarding) is summarily dropped.  It has to be dropped; the router wouldn't know which device to send it to(*).

 

Where Disable Port Scan and DoS Protection come into play is to add checks on top of NAT to control bad traffic sent to opened ports.  Remember, packets to closed ports are summarily dropped.  These checks mainly drop malformed packets and rate limit other suspicious traffic.  I don't know where  you saw general consensus, but in the places I've seen, the consensus, if you will, has been the opposite.  Here are a few for reference.

 

Routers vs firewalls (Differentiates NAT from firewalls)

What are the consequences of disabling SPI? (Similar to above)

SPI Firewall Importance (answered by administrator of SmallNetBuilder)

RT-N66U Noob Questions (It's about Asus but see RMerlin (someone who builds enhanced firmware) respond at the bottom about DoS Protection)

 

(*) An exception would be a device configured as a DMZ, which receives all traffic that would otherwise be dropped.

Message 12 of 15
elementaltm
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

@TheEther Hi and thanks for your input.

 

Oh dear I obviously need to get more sleep. In my previous post I incorrectly referred to "NAT and DoS Protection" what I actually meant to say was "Port Scan and DoS Protection". I do realise that NAT is completely different form "Port Scan and DoS protection" and as you rightly point out it serves a different function altogether.

 

The question I was trying to pose was If "Port Scan and DoS protection" is disabled is the SPI Firewall (that is also a feature of the D7000) also disabled? When I referred to general consensus it was in relation to disabling "Port Scan and DoS protection" not being recommended.

 

I hope I'm making sense now... I'm happy to stand corrected if not. So sorry for creating more confusion however it gave you the opportunity to explain NAT so eloquently. 😉

 

 

 

Model: D7000|Nighthawk AC1900 VDSL/ADSL Modem Router
Message 13 of 15
TheEther
Guru

Re: Nighthawk D7000 keeps crashing - DoS?

Yes, you are right that the consensus is to leave Port Scan and DoS Protection enabled.  Where there, perhaps, isn't consensus is whether this setting is also tied to the SPI Firewall.  I don't really know.  Whether or not it is, the important point is that you shouldn't lose that much protection by turning it off.  Like I said before, the main protection is provided by NAT, and that remains enabled.

Message 14 of 15
elementaltm
Aspirant

Re: Nighthawk D7000 keeps crashing - DoS?

@TheEther, I think it's time I raised a Support Ticket with Netgear as nothing I have tried so far has worked and the unit continues to lockup every couple of hours. I'll ask for clarification regarding SPI control and feedback as It's something that ought to be documented.

Message 15 of 15
Discussion stats
  • 14 replies
  • 7557 views
  • 4 kudos
  • 6 in conversation
Announcements

Orbi 770 Series