
Re: XR500 jolt2 & Teardrop ddos attacks

stanzo89
Initiate

XR500 jolt2 & Teardrop ddos attacks

I've been searching all over for a fix and I think the ultimate fix may end up being that I need a new IP address from IP provider but maybe someone in the community could assist me on this issue.

This started up today that I noticed I have extremely slow network speeds and randomly my internet keeps dropping out for about 5 minutes or so. I looked into my DumaOS and the cpu1/2 are both at 100%. I did check that I have the latest firmware update installed and it displayed that there are no new updates that I'm on the latest available.

Below is a log that I pulled as well

 

[DoS Attack: Jolt2] from source: 175.138.25.202, Saturday, June 05, 2021 19:38:49
[DoS Attack: Jolt2] from source: 94.247.209.162, Saturday, June 05, 2021 19:38:44
[DoS Attack: Jolt2] from source: 94.247.209.162, Saturday, June 05, 2021 19:38:44
[DoS Attack: ACK Scan] from source: 104.244.42.194, port 443, Saturday, June 05, 2021 19:38:42
[DoS Attack: Jolt2] from source: 185.112.164.9, Saturday, June 05, 2021 19:38:42
[DoS Attack: Jolt2] from source: 85.103.143.163, Saturday, June 05, 2021 19:38:34
[DoS Attack: Jolt2] from source: 85.103.143.163, Saturday, June 05, 2021 19:38:34
[DoS Attack: Jolt2] from source: 217.146.219.148, Saturday, June 05, 2021 19:38:28
[DoS Attack: Jolt2] from source: 217.146.219.148, Saturday, June 05, 2021 19:38:28
[DoS Attack: UDP Port Scan] from source: 8.8.8.8, port 53, Saturday, June 05, 2021 19:38:25
[DumaOS] DHCP new lease allocated., Saturday, June 05, 2021 19:38:16
[DumaOS] DHCP new event., Saturday, June 05, 2021 19:38:16
[DHCP IP: 192.168.254.108] to MAC address b0:e4:d5:a3:0b:bc, Saturday, June 05, 2021 19:38:16
[DoS Attack: Jolt2] from source: 212.231.187.6, Saturday, June 05, 2021 19:38:14
[DoS Attack: Jolt2] from source: 212.231.187.6, Saturday, June 05, 2021 19:38:14
[DoS Attack: ACK Scan] from source: 104.244.42.194, port 443, Saturday, June 05, 2021 19:37:56
[DoS Attack: Teardrop] from source: 31.210.66.82, Saturday, June 05, 2021 19:37:51
[DoS Attack: Jolt2] from source: 91.221.51.10, Saturday, June 05, 2021 19:37:50
[DoS Attack: Jolt2] from source: 138.219.136.37, Saturday, June 05, 2021 19:37:50
[DumaOS] Marking device that is marked 192.168.254.103 14 74., Saturday, June 05, 2021 19:37:44
[DoS Attack: ACK Scan] from source: 149.154.175.50, port 443, Saturday, June 05, 2021 19:37:44
[DoS Attack: Teardrop] from source: 78.28.208.90, Saturday, June 05, 2021 19:37:38
[DoS Attack: Teardrop] from source: 78.28.208.90, Saturday, June 05, 2021 19:37:38
[DoS Attack: Teardrop] from source: 78.28.208.90, Saturday, June 05, 2021 19:37:38
[DoS Attack: Jolt2] from source: 78.28.208.90, Saturday, June 05, 2021 19:37:38
[DoS Attack: Jolt2] from source: 212.231.187.6, Saturday, June 05, 2021 19:37:36
[DoS Attack: SYN/ACK Scan] from source: 52.162.107.6, port 443, Saturday, June 05, 2021 19:37:31
[DoS Attack: ACK Scan] from source: 35.245.139.161, port 11095, Saturday, June 05, 2021 19:37:21
[DoS Attack: Jolt2] from source: 12.178.1.7, Saturday, June 05, 2021 19:37:08
[DoS Attack: Jolt2] from source: 12.178.1.7, Saturday, June 05, 2021 19:37:08
[DoS Attack: Jolt2] from source: 91.221.51.10, Saturday, June 05, 2021 19:37:00
[DoS Attack: Jolt2] from source: 91.221.51.10, Saturday, June 05, 2021 19:37:00
[DoS Attack: Jolt2] from source: 212.231.187.6, Saturday, June 05, 2021 19:36:35
[DoS Attack: Jolt2] from source: 212.231.187.6, Saturday, June 05, 2021 19:36:35
[DoS Attack: ACK Scan] from source: 149.154.175.50, port 443, Saturday, June 05, 2021 19:36:35
[DoS Attack: ACK Scan] from source: 149.154.175.50, port 443, Saturday, June 05, 2021 19:36:28
[DoS Attack: Jolt2] from source: 212.231.187.6, Saturday, June 05, 2021 19:36:18
[DoS Attack: Teardrop] from source: 31.210.75.89, Saturday, June 05, 2021 19:36:11
[DoS Attack: Teardrop] from source: 31.210.75.89, Saturday, June 05, 2021 19:36:11
[DoS Attack: Jolt2] from source: 31.210.75.89, Saturday, June 05, 2021 19:36:11
[DoS Attack: Teardrop] from source: 93.157.172.153, Saturday, June 05, 2021 19:36:06
[DoS Attack: Teardrop] from source: 93.157.172.153, Saturday, June 05, 2021 19:36:06
[DoS Attack: Teardrop] from source: 93.157.172.153, Saturday, June 05, 2021 19:36:06
[DoS Attack: Jolt2] from source: 93.157.172.153, Saturday, June 05, 2021 19:36:06
[DoS Attack: Jolt2] from source: 103.248.208.50, Saturday, June 05, 2021 19:36:01
[DoS Attack: Jolt2] from source: 103.248.208.50, Saturday, June 05, 2021 19:36:01
[DoS Attack: Teardrop] from source: 92.242.127.238, Saturday, June 05, 2021 19:35:51
[DoS Attack: Jolt2] from source: 92.242.127.238, Saturday, June 05, 2021 19:35:51
[DoS Attack: Teardrop] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: Teardrop] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: Teardrop] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: Teardrop] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: Teardrop] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: Teardrop] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: Jolt2] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: Jolt2] from source: 12.178.1.7, Saturday, June 05, 2021 19:35:40
[DoS Attack: ACK Scan] from source: 149.154.175.50, port 443, Saturday, June 05, 2021 19:35:19
[DoS Attack: ACK Scan] from source: 35.245.139.161, port 11095, Saturday, June 05, 2021 19:35:18
[DoS Attack: ACK Scan] from source: 149.154.175.50, port 443, Saturday, June 05, 2021 19:35:12
[DumaOS] Marking device that is marked 192.168.254.103 14 74., Saturday, June 05, 2021 19:35:11
[DoS Attack: Jolt2] from source: 176.53.49.242, Saturday, June 05, 2021 19:34:39
[DumaOS] DHCP new lease allocated., Saturday, June 05, 2021 19:34:37
[DumaOS] DHCP new event., Saturday, June 05, 2021 19:34:37
[DHCP IP: 192.168.254.115] to MAC address 18:b4:30:76:03:4f, Saturday, June 05, 2021 19:34:37
[DoS Attack: Teardrop] from source: 213.128.89.103, Saturday, June 05, 2021 19:34:30

Model: XR500|Nighthawk Pro Gaming Router
Message 1 of 4

Re: XR500 jolt2 & Teardrop ddos attacks

Yeah getting occasional DOS attacks daily is normal, but those are excessive so I'm pretty sure you're getting DDOS'd. You would need to get a new IP from your ISP. This can vary depending on how your ISP assigns IPs. Most ISPs assign a DHCP IP to your Router, but sometimes, they also assign it to your Gateway/Modem/ONT instead.

Assuming it's assigned to your XR500 via DHCP (And that no other Routers are in front of your XR500 except the translation device), then you can spoof the MAC address of your XR500 in the "Internet Setup" page. Make sure to power down the Gateway/Modem/ONT that your Router is connected to before spoofing the MAC address. Then power it back on afterwards, and you should hopefully get a new IP. Also, make sure the WAN IP of your XR500 isn't a private one (192.168.1.1, etc. are private ones).

If you don't get a new IP, it's probably assigned to the MAC address of your Gateway/Modem/ONT. If this is the case, then you have 2 options. If you own the equipment and/or can spoof its MAC address, you can try doing that. However, some ISPs (Like Spectrum) won't let a Modem with an unapproved MAC address connect to its network. If this is the case with your ISP, be ready to give them the new MAC address of the Modem and tell them you got a new Modem (Even though you didn't because they don't need to know you're spoofing its MAC address). Now, unplug the Cable/Fiber-Optic Cable/Coaxial Cable/DSL Cable connected to the translator before spoofing its MAC address and then power-cycle it after doing so along with plugging all of the Cables back in.

If you do/don't own the equipment and/or are unable to spoof the MAC address, then you can try unplugging the Gateway/Modem/ONT for a while and hopefully get a new IP. However this doesn't always work. For example, even though Spectrum's DHCP lease time appears to be 24 hours, unplugging for 24 hours will still give you the same IP. Some ISPs like to keep your IP/MAC address in the server's pool for more than the lease time. Spectrum keeps assigning the same IP until about a week of no connection from the client. Some ISPs, however, will give a new IP after 30 minutes of inactivity. It really just depends on the ISP as they're the ones who assign your IP. If none of this works, you can resort to calling your ISP and telling them to change your IP so that you actually get the internet you pay for. If you're planning on taking a long vacation/being away from home for awhile, be sure to unplug your equipment (If you can) to try and get a new IP. If you have a static IP, try using a different static IP that you bought, and/or buy a new one.

To prevent future DDOS attacks and getting your new IP leaked, I HIGHLY suggest using the Hybrid VPN feature on the XR500. You can decide what devices/traffic goes through and doesn't go through the VPN which means you can VPN devices that don't have a VPN capability (Ex. Smart TVs, Smart cameras, etc.) and hide your real IP. If you can't VPN certain devices, try avoiding malicious links from people and avoid P2P applications (Ex. PS4 party chats, although I think you have the option to connect through a server, etc.). To learn more about Hybrid VPN, visit HERE.

Message 2 of 4
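
One way to triage a log like the one in the first post, as an added example that is not part of the thread or of NETGEAR/DumaOS tooling: it parses the log format shown above, counts events by type and by distinct source, and lists the minutes that reach a per-minute threshold. The sample lines are constructed with documentation addresses, and the threshold of 3 events per minute is an assumption to tune, not a vendor value.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format of the XR500 log posted above;
# source addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
[DoS Attack: Jolt2] from source: 203.0.113.10, Saturday, June 05, 2021 19:38:49
[DoS Attack: Jolt2] from source: 198.51.100.7, Saturday, June 05, 2021 19:38:44
[DoS Attack: ACK Scan] from source: 192.0.2.50, port 443, Saturday, June 05, 2021 19:38:42
[DumaOS] DHCP new event., Saturday, June 05, 2021 19:38:16
[DoS Attack: Teardrop] from source: 203.0.113.99, Saturday, June 05, 2021 19:37:38
[DoS Attack: Teardrop] from source: 203.0.113.99, Saturday, June 05, 2021 19:37:38
[DoS Attack: Jolt2] from source: 203.0.113.99, Saturday, June 05, 2021 19:37:38
"""

# "[DoS Attack: <kind>] from source: <ip>[, port <n>], <weekday>, <month> <dd>, <yyyy> <time>"
LINE_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[0-9.]+)"
    r"(?:, port (?P<port>\d+))?, (?P<ts>\w+, \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})$"
)

def parse(log_text):
    """Yield (kind, source, port, timestamp) for DoS lines; skip DHCP/DumaOS lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
            yield m["kind"], m["src"], m["port"], ts

def summarize(log_text, per_minute_threshold=3):
    """Count events by kind and distinct sources; list minutes at or above the
    threshold (an assumed cut-off for 'excessive', not a vendor-defined value)."""
    by_kind, sources, per_minute = Counter(), set(), defaultdict(int)
    for kind, src, _port, ts in parse(log_text):
        by_kind[kind] += 1
        sources.add(src)
        per_minute[ts.replace(second=0)] += 1
    busy = sorted(m for m, n in per_minute.items() if n >= per_minute_threshold)
    return {"by_kind": dict(by_kind), "distinct_sources": len(sources),
            "busy_minutes": [m.strftime("%H:%M") for m in busy]}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Many distinct sources sustained over consecutive minutes is the pattern the reply above calls excessive; a handful of entries per day is the background level it describes as normal.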
Netduma-Fraser
NetDuma Partner

Re: XR500 jolt2 & Teardrop ddos attacks

Some very good advice above, if you have a dynamic IP address then turning off your modem for 10 minutes can then prompt the ISP to give you a new address and may then prevent this happening.
Message 3 of 4
stanzo89
Initiate

Re: XR500 jolt2 & Teardrop ddos attacks

Thank you for all of the great information. I set up the VPN portion to use once this issue is resolved. I spoke with IP provider and they are going to get back with me on giving me a new IP address.

Thank you again!

Message 4 of 4