Aspirant

DoS Attacks in Logs

I notice these DoS attacks on my router and I am wondering if I should contact my ISP.

[admin login] from source 192.168.1.17, Saturday, July 01, 2017 20:05:39
[DHCP IP: 192.168.1.17] to MAC address 18:d6:c7:b8:e5:0a, Saturday, July 01, 2017 20:05:29
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 20:04:30
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 20:04:29

 

These two right here shut off my internet for about 2 minutes. I had no internet access. Which makes me think it was a real DoS.

 


[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 20:02:37
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:59:16
[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.117, port 15283, Saturday, July 01, 2017 19:58:53
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:58:34
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 19:57:46
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:56:31
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:56:15
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:56:05
[DoS Attack: ARP Attack] from source: 30.49.48.1, Saturday, July 01, 2017 19:54:47
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:53:49
[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Saturday, July 01, 2017 19:53:06
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 19:50:46
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:44:59
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 19:44:57
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:42:40
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:42:23
[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Saturday, July 01, 2017 19:40:07
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:38:07
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:37:17
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:36:40
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:32:40
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:32:32
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:30:20
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:28:06
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:25:03
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:23:36
[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Saturday, July 01, 2017 19:23:16
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:22:39
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:21:59
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:21:07
[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Saturday, July 01, 2017 19:16:07
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:13:44
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 19:13:41
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:13:17
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 19:11:29
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:11:06

 

Also I've noticed I would lag spike a lot when I'm playing online and I traced the IPs and they were coming from Ohio, Germany, and Arizona. I am just wondering if this is something I should worry about.

Model: WNDR4300v2|N750 Wireless Dual Band Gigabit Router
Message 1 of 19
Prodigy

Re: DoS Attacks in Logs

I have the same logs with the same IPs, oddly enough. I imagine someone is port scanning, looking for vulnerabilities, maybe with Netgear routers; the logs are packed with so-called attacks. I'm not having any loss of internet and you should check your logs to see if that was a coincidence rather than being knocked off by a DoS attack. Also make sure you have the latest firmware. As long as the logs are showing the attacks the router is doing its job.

Message 2 of 19

Re: DoS Attacks in Logs

This is a common refrain:

Solved: Can someone tell me why my Nighthawk x10 is making...

A search of the forum will find many more like that.

They may or may not be genuine attacks.

Did you check to see who owns the domains that are "attacking" you?

@Killhippie wrote:

As long as the logs are showing the attacks the router is doing its job.

Yup. Or it is creating false positives.

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 3 of 19
Prodigy

Re: DoS Attacks in Logs

They are sites like GoDaddy and Unified Layer cloud storage, and one was a Vodafone IP that is listed for abuse. Mine are the same IP addresses as the OP and I'm not sure if we are even in the same country, but that makes me suspicious: we have exactly the same attack logs. Also the last week has had hardly any attacks logged, false or otherwise (I know Netgear routers are very paranoid logging-wise); this started on July 1st like the OP, so maybe just the usual port scanning for vulnerabilities, as a few routers have been updated for security recently. The IPs 'attacking' can be and probably are spoofed anyway, and are mostly port 80. Pretty standard probably, but there is a hell of a lot of them listed, hundreds in fact in a few hours.

Message 4 of 19
Aspirant

Re: DoS Attacks in Logs

I have the same attacks as the OP, with the same IPs.. R7800.. Central European country...

Message 5 of 19
Aspirant

Re: DoS Attacks in Logs

Can someone help me? I'm getting DoS attacks nonstop. I hope everyone can answer in German. My English is so bad.

Message 6 of 19
Apprentice

Re: DoS Attacks in Logs

Same IPs in my log. Mine are every 15s. So should we be worried?
Message 7 of 19
Prodigy

Re: DoS Attacks in Logs

I've passed my logs on to a guy with Netgear who is on SNB forums, as it's odd we all seem to be having the same IPs hitting us, but I looked at my download for today and it's not high, so it's not a DoS. The logs show either the router's logging has gone a bit weird or there are more port scans than usual, but as long as they are logged, as has been said, they are either false or blocked, so nothing to worry about. I'll get back when I hear more from the Netgear guy.

Message 8 of 19
Aspirant

Re: DoS Attacks in Logs

Been watching this post for the last few days. I have had intermittent issues with connecting with my ISP for about the past week. They sent their technician out and signal strength was within parameters. Everything was in normal condition. Same IP addresses as the ones that have been posted, China, Arizona, Germany, etc.
I shut off UPnP only to have the attacks diminish but still there. I had this pop up in my log which is new. I don't go to any websites hosted by France.
[DoS Attack: SYN/ACK Scan] from source: 149.202.197.140, port 2234, Monday, July 03, 2017 17:43:57
Port 2234 Being TCP/UDP
Otherwise all logs were using ports 80 and 443 previously

Edit: Also noticed that my 100Mbps service was slowed down to 25Mbps when that log showed up.

Message 9 of 19
Aspirant

Re: DoS Attacks in Logs

Mine is doing the exact same thing. My internet slows

Message 10 of 19
Prodigy

Re: DoS Attacks in Logs

It's possible it's internal modules in the router and Netgear have updated something at their end so the router is trying to contact services, and since it seems to mostly have started in the last week the buggy Netgear firewall will see this as a DoS attack when it's not; these routers are famous for calling wolf with network traffic. This info comes from Voxel; he compiles his own firmware for the R7800 under MyOpenRouter. The firmware is a lot more secure than Netgear's as he updates packages like OpenSSL to the latest version with each of his releases, plus many other OpenGPL ones too, whereas Netgear have been using a ten-year-old version of OpenSSL on many other routers including the R7800 till they updated to 1.0.2h, which is now out of date and has current CVEs on it. No router manufacturer seems to keep their code up to date, yet a man who works in a full-time job can compile the latest packages in a day or so! That says a lot about the attitude towards customer safety from Netgear etc. <sigh>
Message 11 of 19
Apprentice

Re: DoS Attacks in Logs

So does that mean we have nothing to worry about and all these entries in the log are false positives? How do you explain the disconnects for some of the users? Seems to be slowing down their Wi-Fi usage.

Message 12 of 19
Aspirant

Re: DoS Attacks in Logs

It's not just Wi-Fi but direct connections by Ethernet

Message 13 of 19
Aspirant

Re: DoS Attacks in Logs

I believe you are right about the attacks for just Netgear routers. I have the same problem. I do still have an email that supposedly came from Netgear instructing me to click the link and download the new firmware update. Instead I logged into my router and checked for a firmware update and there was none. I did it 3 times since June 2017 and there still is no real firmware update. I believe the attackers are scanning the ports now hoping someone installed the fake update. This is not the entire URL but the email link goes to "click.e.netgear.com/qs=(LARGE STRING OF NUMBERS AND LETTERS)", but I never clicked it or checked it. Maybe someone that has a secure system or virtual setup can confirm if I'm right or wrong. If they're attacking Netgear they are also probably going after other routers too.

Message 14 of 19
Aspirant

Re: DoS Attacks in Logs

It says on my phone that my Internet is being attacked, I don't know if it's real, but it's a bit fishy. What should I do?

Message 15 of 19

Re: DoS Attacks in Logs

Did you read the whole of this discussion?

Do you know that these are real attacks or false positives?

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 16 of 19
Guide

Re: DoS Attacks in Logs

Does anyone have an update on this? I think these attacks are affecting my speeds.

Model: WNDR4300v2|N750 Wireless Dual Band Gigabit Router
Message 17 of 19
Prodigy

Re: DoS Attacks in Logs

They are either false positives or port scans; they happen all the time. I doubt they limit your speed, there are probably other reasons for that. Netgear routers are notorious for false positives, but equally, if they are real attacks the router is stopping them. Unless you have a fixed IP address, rebooting your router will give you a new IP address, so that would mitigate these attacks to just your present IP address. As far as your speed, that's a different thing altogether, with many things that could affect it other than these logs, and I have seen hundreds of these in my logs and have never taken a speed hit from them. I think tbh you have nothing to worry about as these scans happen every day and will continue to do so as long as you are online.

Message 18 of 19

Re: DoS Attacks in Logs

One way to test the notion that these are, as is likely, false positives is to copy a few of the IP addresses in those logs and then to track them down with whois, or some other tool.

I have done that with some of the logs people have posted here. They often turn out to be Google, the user's ISP or some other harmless source.

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 19 of 19
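
Before looking up addresses with whois as suggested in the last reply, it helps to know which sources recur and how closely spaced their entries are. The following is an added example, not part of the original thread and not Netgear code: it parses log lines in the format posted in the first message (the sample lines are copied from that post) and reports, per source, the event count, event types, ports and the shortest gap between entries. It assumes English day and month names in the timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the first post in this thread (the DHCP line is not a DoS entry).
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 20:04:30
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 20:04:29
[DoS Attack: ARP Attack] from source: 98.122.0.1, Saturday, July 01, 2017 19:59:16
[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.117, port 15283, Saturday, July 01, 2017 19:58:53
[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Saturday, July 01, 2017 19:58:34
[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Saturday, July 01, 2017 19:57:46
[DHCP IP: 192.168.1.17] to MAC address 18:d6:c7:b8:e5:0a, Saturday, July 01, 2017 20:05:29
"""

# The port field is optional: ARP entries in the posted logs carry none.
LINE_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+),"
    r"(?: port (?P<port>\d+),)? (?P<ts>\w+, \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})$"
)

def parse(log_text):
    """Yield (kind, source, port-or-None, datetime) for each DoS entry; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
            yield m["kind"], m["src"], int(m["port"]) if m["port"] else None, ts

def summarize(log_text):
    """Per source: event count, kinds, ports, and shortest gap (seconds) between events."""
    by_src = defaultdict(list)
    for kind, src, port, ts in parse(log_text):
        by_src[src].append((ts, kind, port))
    report = {}
    for src, events in by_src.items():
        times = sorted(e[0] for e in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {
            "count": len(events),
            "kinds": sorted({e[1] for e in events}),
            "ports": sorted({e[2] for e in events if e[2] is not None}),
            "min_gap_s": min(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(src, info)
```

The sources with the highest counts are the ones worth checking with whois first, and gaps of minutes rather than fractions of a second are what the replies above describe as routine scans or false positives.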