JackieMaus
Aspirant

Fake [dos attack: ip spoofing] from source 192.168.1.254/64

Model: WNDR4500v3

Firmware: V1.0.0.56

 

I regularly get these messages in my router's log:

 

     [dos attack: ip spoofing] from source: 192.168.1.254
     [dos attack: ip spoofing] from source: 192.168.1.64

 

Here are the facts:

 

  • Neither of the aforementioned IPs belong to devices on my LAN.
  • If I remove all devices from my LAN, disable all wireless support, and introduce a brand new wired device simply to view the router's log then [dos attack: ip spoofing] entries continue to be logged.
  • If I "Disable Port Scan and DoS Protection" in WAN Setup, then no [dos attack: ip spoofing] entries are logged.

What gives? Is there a bug in this router's port scanner / DoS detection logic?

 

Thanks.

 

Message 1 of 7

Re: Fake [dos attack: ip spoofing] from source 192.168.1.254/64


@JackieMaus wrote:

Neither of the aforementioned IPs belong to devices on my LAN.

 


Really?

 

They certainly aren't anything out there on the internet.

 

The default IP address of the WNDR4500v3 is 192.168.1.1.

 

There is a manual for the WNDR4500v3 somewhere at the end of this link:

 

>>>> WNDR4500v3 | Product | Support | NETGEAR <<<<

 

See page 98.

 

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 2 of 7
JackieMaus
Aspirant

Re: Fake [dos attack: ip spoofing] from source 192.168.1.254/64

Really and truly. When I put devices on my LAN, they are all in the 192.168.1.x range of course. Anyhow, I am left with two unfortunate speculations. 1) This is a bug in the router - OR - 2) My router has been compromised with VPNFilter malware or some variant.

Message 3 of 7

Re: Fake [dos attack: ip spoofing] from source 192.168.1.254/64

The trouble is that some things appear there for legitimate reasons, but their origin is not obvious.

 

This is the first report I have seen of anyone attributing this phenomenon to firmware or recently discovered security holes. Then there is the well-known phenomenon that Netgear's logging creates many false "dos attack" reports, often from the local network.

 

My guess is that neither of your surmises is correct. I have seen no suggestions that the VPNFilter malware thing causes the symptoms you describe.

 

But if you want to follow it up, file a report with Netgear's security system.

 

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR custo...

 

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 4 of 7
JackieMaus
Aspirant

Re: Fake [dos attack: ip spoofing] from source 192.168.1.254/64

As suggested, I'll follow up with Netgear's technical support.

Message 5 of 7
Mistborn
Initiate

Re: Fake [dos attack: ip spoofing] from source 192.168.1.254/64

Any solution to this?  I'm seeing the same thing with my Orbi RBR50.  Ran through the same troubleshooting steps and can't identify internal device "192.168.1.20" making repeated "DoS Attack: IP Spoofing" entries in the logs.  Only started looking into it because I had to reboot the router a few times over several days.  Next step is to reset everything to defaults and see if it pops back up.

Message 6 of 7
schumaku
Guru

Re: Fake [dos attack: ip spoofing] from source 192.168.1.254/64

As it's IP Spoofing, it's well possible that packets from the WAN/Internet side with spoofed source/destination are directed to the router. This might be a correct DoS detection for once. This also explains why you are not able to find and identify a device with 192.168.1.20 on your (W)LAN.

Message 7 of 7
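
A triage sketch for the log entries discussed in this thread, added here as an example and not taken from any post or from NETGEAR: it counts the spoofing entries per source and checks each source against the LAN subnet and a device inventory. The sample log lines, the 192.168.1.0/24 subnet and the inventory are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the entry text quoted in the thread; case-insensitive because posts
# show both "[dos attack: ip spoofing]" and "DoS Attack: IP Spoofing".
ENTRY = re.compile(
    r"dos attack: ip spoofing\]?\s+from source:?\s*(\d{1,3}(?:\.\d{1,3}){3})", re.I)

def triage(log_lines, lan_cidr, known_hosts):
    """Count spoofing entries per source and classify each source address."""
    lan = ipaddress.ip_network(lan_cidr)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    counts = Counter()
    for line in log_lines:
        m = ENTRY.search(line)
        if not m:
            continue  # some other kind of log entry
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # digits that do not form a valid IPv4 address
    report = {}
    for src, n in counts.items():
        if src in known:
            verdict = "known LAN device"
        elif src in lan:
            verdict = "LAN-range address with no matching device"
        elif src.is_private:
            verdict = "private address outside the LAN subnet"
        else:
            verdict = "public address"
        report[str(src)] = (n, verdict)
    return report

# Constructed sample input in the form quoted in the thread.
SAMPLE_LOG = [
    "[dos attack: ip spoofing] from source: 192.168.1.254",
    "[dos attack: ip spoofing] from source: 192.168.1.64",
    "[DoS Attack: IP Spoofing] from source: 192.168.1.254",
    "[admin login] from source 192.168.1.2",
    "[dos attack: ip spoofing] from source: 10.0.0.7",
]
# Assumed inventory: the router itself and one wired test device.
KNOWN = ["192.168.1.1", "192.168.1.2"]

if __name__ == "__main__":
    for ip, (n, verdict) in triage(SAMPLE_LOG, "192.168.1.0/24", KNOWN).items():
        print(f"{ip:15} {n:3}  {verdict}")
```

A source reported as "LAN-range address with no matching device" while the LAN is otherwise empty matches the situation described in the thread; the log text alone does not show which interface the packet arrived on.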