Re: NetGear D6300 DOSAttack : 8 [STORM] packets detected in last 20 seconds, source ip (My IP)

marcokmoretti · ‎2021-04-26

Sorry for the discussion about DOSAttack, but I saw in other discussion that the solution would be to disable the security option because they are false positivies: are you sure ?

Marco Moretti

michaelkenward · ‎2021-04-27

@marcokmoretti wrote:

Sorry for the discussion about DOSAttack, but I saw in other discussion that the solution would be to disable the security option because they are false positivies: are you sure ?

It is hard to unravel what is going on here.

What "discussion about DOSAttack"? What was this "other discussion"?

You have some sort of problem on the D6300?

It is hard to see how the subject of your message has anything to do with the body text.

marcokmoretti · ‎2021-04-27

Sorry. You are right but searching for "dos attack" in the forum I found some messages regarding potential false positives.

Anyway, find attached an extract of my D6300 log. There are some DosAttack coming from Google or Facebook....

Also there are some others coming from internal...

I don't know which is the device that is doing that and / or if all of them are false positives..

Marco

[DHCP IP: (192.168.0.24)] to MAC address 50:A6:7F:B4:43:57, Sunday, Apr 25,2021 22:33:44

[DOS Attack] : 1 [FIN Scan] packets detected in last 20 seconds, source ip [108.177.127.109]

Sunday, Apr 25,2021 22:18:39

[DHCP IP: (192.168.0.18)] to MAC address B4:CD:27:90:D7:80, Sunday, Apr 25,2021 22:17:13

[DHCP IP: (192.168.0.25)] to MAC address F8:46:1C:1D:72:7A, Sunday, Apr 25,2021 21:26:12

[DOS Attack] : 112 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 21:25:49

[DOS Attack] : 122 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 21:25:27

[DOS Attack] : 22 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 21:25:05

[DHCP IP: (192.168.0.25)] to MAC address F8:46:1C:1D:72:7A, Sunday, Apr 25,2021 21:21:42

[DHCP IP: (192.168.0.14)] to MAC address 68:57:2D:41:4E:EA, Sunday, Apr 25,2021 16:33:22

[DOS Attack] : 39 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 16:33:06

[DOS Attack] : 66 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 16:32:43

[DHCP IP: (192.168.0.29)] to MAC address 20:F8:5E:A0:7A:94, Sunday, Apr 25,2021 16:32:39

[DOS Attack] : 37 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 16:32:21

[DHCP IP: (192.168.0.21)] to MAC address 6A:32:51:6A:6F:8A, Sunday, Apr 25,2021 16:30:06

[DHCP IP: (192.168.0.18)] to MAC address B4:CD:27:90:D7:80, Sunday, Apr 25,2021 15:48:56

[DOS Attack] : 109 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 15:48:08

[DHCP IP: (192.168.0.18)] to MAC address B4:CD:27:90:D7:80, Sunday, Apr 25,2021 15:48:01

[DOS Attack] : 8 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 15:47:47

[DHCP IP: (192.168.0.18)] to MAC address B4:CD:27:90:D7:80, Sunday, Apr 25,2021 15:24:48

[DHCP IP: (192.168.0.25)] to MAC address F8:46:1C:1D:72:7A, Sunday, Apr 25,2021 15:07:35

[DOS Attack] : 93 [STORM] packets detected in last 20 seconds, source ip [2.235.237.253]

Sunday, Apr 25,2021 15:07:06

[DHCP IP: (192.168.0.18)] to MAC address B4:CD:27:90:D7:80, Sunday, Apr 25,2021 15:02:31

michaelkenward · ‎2021-04-27

Sorry, but I still don't know what problem you are trying to solve. Is your Internet connection dropping? Problems with your wifi? Something else?

Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.

Search - NETGEAR Communities – DoS attacks

Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.

Here is a useful tool for that task:

IPNetInfo: Retrieve IP Address Information from WHOIS servers

If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.

marcokmoretti · ‎2021-04-27

Yes you're right - these traffics are blocked by the router, that is doing its job.

The problem is that during these "attacks" the router is slowing down and the performance of the internet also: I usually have 90Mbit/s download and 20Mbit/s with a wired connection that in these moments decrease to 0.3Mbit/s in upload and put in KO the video conferences).

I will disable the log in the Netgear D6300, but after how can I get the IP that is doing the "attack" and try to understand how's the source ?

Until today, the sources are 50% Yahoo, Google, Facebook, etc. and the other 50% it's internal because it's my 2.235.237.253, my static IP.

Marco