
AngryGreenGiant
Feb 13, 2023

DoS attacks RBR750

Hi there. I have been bombarded with alerts from my Orbi app that say that individual devices on my network are being targeted for attacks. The message says "Netgear Armor detected and blocked a Denial of Service attack on XXXX from (Various MAC Addresses). Denial of Service attacks try to overload a machine by flooding it with multiple requests simultaneously, thus making it inaccessible for use. An external attempt to start such an attack on your device was blocked. You're protected and don't need to do anything else." 

 

It's been going on for about the past week every day. The MAC addresses don't match anything on my local network and nothing is showing up on my log. Do I have reason to be concerned? Is this a feature of the new firmware update or something that may have always been happening but I just wasn't being made aware?

7 Replies

  • CrimpOn
    Guru - Experienced User

    A curious situation, since the Orbi firewall has not detected any suspicious patterns of connection attempts (which do happen constantly and cannot be stopped).

     

    The inference is that something inside the network (on the LAN) is doing something screwy. If these MAC addresses do not match any device on the network, I would suspect rogue software that is generating a lot of data packets with bogus MAC addresses so that the packets cannot be traced back to the device.

     

    Is the target always the same device?

     

    • AngryGreenGiant
      Aspirant

      Different devices, but the ones that get blocked are my smart TVs, iPhones, and iPads so far. In fact, I may be calling it a MAC address when it in fact isn't. This number is also different almost every time. It appears to be an IPv6 IP address. Here is the format it shows with random letters and numbers after the fe80.

       

      fe80::f7:522:ab3c:92b4

       

       

      • CrimpOn
        Guru - Experienced User

        AngryGreenGiant wrote:

        It appears to be an IPv6 IP address. Here is the format it shows with random letters and numbers after the fe80.

        fe80::f7:522:ab3c:92b4


        This is correct. fe80:: is the 64 bit long identification of a "Link Local" IPv6 address:

        https://en.wikipedia.org/wiki/Link-local_address 

         

        Armor is complaining that these devices are creating "too many" IPv6 packets.  Not having enabled Armor, I have no idea if it would complain about my network (or not).

         

        Many devices display their various "addresses", for example:

        pi@raspberrypi:~ $ ifconfig
        eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
                ether dc:a6:32:12:30:20 txqueuelen 1000 (Ethernet)
                inet 192.168.1.30 netmask 255.255.255.0 broadcast 192.168.1.255
                inet6 fe80::bcf5:ba6f:51e2:c9a prefixlen 64 scopeid 0x20<link>
                inet6 2603:8000:403:bd7c:9cfa:abe7:547e:fdc prefixlen 64 scopeid 0x0<global>

         

        This Raspberry Pi ethernet card (eth0) has three "addresses":

        • IPv4 Address - 192.168.1.30
        • IPv6 Public address - 2603:8000:403:bd7c:9cfa:abe7:547e:fdc
        • IPv6 Link Local address - fe80::bcf5:ba6f:51e2:c9a

        All of them tie to one hardware MAC address on the network: dc:a6:32:12:30:20

        (I am not particularly anxious about sharing this information because the Orbi firewall totally blocks access to this Raspberry Pi from the Internet.)

         

        It would have been useful if those Armor reports would list the actual hardware MAC address of the device it was complaining about.  That should lead to a physical device on the network.
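
One way to get from an fe80:: address in an alert to a hardware MAC, as an added example that is not part of the original post: decode a modified EUI-64 interface ID when the address carries one, otherwise look the address up in a Linux neighbor table. The `ip -6 neigh show` sample and the 02:00:5e:... MAC are constructed; the other addresses are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample of `ip -6 neigh show` output from a Linux host on the same LAN.
# The first address is the one quoted in the thread; its MAC here is made up.
NEIGH_SAMPLE = """\
fe80::f7:522:ab3c:92b4 dev eth0 lladdr 02:00:5e:10:00:01 REACHABLE
fe80::dea6:32ff:fe12:3020 dev eth0 lladdr dc:a6:32:12:30:20 STALE
fe80::1 dev eth0 FAILED
"""

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any %scope suffix
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not a link-local (fe80::/10) address")
    iid = ip.packed[8:]                  # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe in the middle
        return None                      # random/privacy ID: no MAC inside
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def parse_neigh(text):
    """Build {IPv6 address: MAC} from `ip -6 neigh show` lines that have lladdr."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr ([0-9a-f:]{17})", line.strip(), re.I)
        if m:
            table[ipaddress.ip_address(m.group(1))] = m.group(2).lower()
    return table

def resolve(addr, neigh_text):
    """Map an alert address to (MAC, method): EUI-64 first, then neighbor table."""
    mac = eui64_mac(addr)
    if mac:
        return mac, "eui64"
    mac = parse_neigh(neigh_text).get(ipaddress.IPv6Address(addr.split("%")[0]))
    return (mac, "neighbor-table") if mac else (None, "unknown")

if __name__ == "__main__":
    for a in ("fe80::f7:522:ab3c:92b4", "fe80::dea6:32ff:fe12:3020", "fe80::1"):
        print(a, "->", resolve(a, NEIGH_SAMPLE))
```

A neighbor table only holds entries for hosts that machine has recently exchanged traffic with, so an address missing from it comes back as unknown.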

         

         

    • AngryGreenGiant
      Aspirant

      If it is in fact an internal IPv6 IP address, I don't know how, considering I have IPv6 disabled.

      • CrimpOn
        Guru - Experienced User

        AngryGreenGiant wrote:

        If it is in fact an internal IPv6 IP address, I don't know how, considering I have IPv6 disabled.


        The IPv6 router option pertains to whether the router will process IPv6 traffic, and has no effect on the LAN subnet.  Many devices create IPv6 addresses by default unless they are specifically told not to.  In Windows, for example, there are numerous network settings which can be enabled or disabled:

        Macs may have similar choices. Smartphones, tablets, and Internet of Things (IoT) devices usually have very few.

         

        Suppose you decide to remove your telephone, and thus have no means to make or receive calls. Can you and a neighbor still shout at each other from one yard to the other? Sure thing. IPv6 devices can communicate all they want on that small local subnet. Once any of them attempts to use IPv6 to access the rest of the world, the router will ignore them unless IPv6 is enabled.