
crus4d3r_1211
Aspirant

DoS and Ping sweep attacks

Just had a look through the logs this morning and boy am I surprised. The logs are showing that my router is being attacked from multiple IP addresses. Here's the log for more context

[DoS Attack: SYN/ACK Scan] from source: 79.132.137.148, port 443, Saturday, October 15, 2022 08:16:06
[DoS Attack: SYN/ACK Scan] from source: 79.132.137.148, port 443, Saturday, October 15, 2022 08:16:05
[DoS Attack: SYN/ACK Scan] from source: 79.132.137.148, port 443, Saturday, October 15, 2022 08:16:02
[DoS Attack: SYN/ACK Scan] from source: 79.132.137.148, port 443, Saturday, October 15, 2022 08:16:01
[DoS Attack: SYN/ACK Scan] from source: 5.61.253.157, port 80, Saturday, October 15, 2022 07:56:35
[DoS Attack: SYN/ACK Scan] from source: 116.203.234.5, port 2, Saturday, October 15, 2022 06:55:25
[DoS Attack: Ping Sweep] from source: 69.94.52.219, Saturday, October 15, 2022 06:54:01
[DoS Attack: Ping Sweep] from source: 69.94.52.219, Saturday, October 15, 2022 06:52:42
[DoS Attack: SYN/ACK Scan] from source: 40.113.105.173, port 443, Saturday, October 15, 2022 06:52:33
[DoS Attack: Ping Sweep] from source: 69.94.52.219, Saturday, October 15, 2022 06:51:23
[DoS Attack: Ping Sweep] from source: 69.94.52.219, Saturday, October 15, 2022 06:51:12
[DoS Attack: Ping Sweep] from source: 72.12.223.53, Saturday, October 15, 2022 06:46:19
[DoS Attack: Ping Sweep] from source: 72.12.223.53, Saturday, October 15, 2022 06:44:59
[DoS Attack: SYN/ACK Scan] from source: 15.204.34.155, port 80, Saturday, October 15, 2022 06:44:56
[DoS Attack: SYN/ACK Scan] from source: 15.204.34.155, port 80, Saturday, October 15, 2022 06:44:56
[DoS Attack: SYN/ACK Scan] from source: 15.204.34.155, port 80, Saturday, October 15, 2022 06:44:55
[DoS Attack: SYN/ACK Scan] from source: 15.204.34.155, port 80, Saturday, October 15, 2022 06:44:55
[DoS Attack: SYN/ACK Scan] from source: 15.204.34.155, port 80, Saturday, October 15, 2022 06:44:54
[DoS Attack: Ping Sweep] from source: 72.12.223.53, Saturday, October 15, 2022 06:43:40
[DoS Attack: Ping Sweep] from source: 72.12.223.53, Saturday, October 15, 2022 06:43:30
[DoS Attack: SYN/ACK Scan] from source: 5.61.253.157, port 80, Saturday, October 15, 2022 06:36:14
[DoS Attack: SYN/ACK Scan] from source: 91.218.213.49, port 8000, Saturday, October 15, 2022 06:22:49
[DoS Attack: SYN/ACK Scan] from source: 162.241.216.182, port 443, Saturday, October 15, 2022 05:55:45
[DoS Attack: Ping Sweep] from source: 69.94.52.208, Saturday, October 15, 2022 05:48:07
[DoS Attack: Ping Sweep] from source: 69.94.52.208, Saturday, October 15, 2022 05:48:07
[DoS Attack: SYN/ACK Scan] from source: 40.113.105.173, port 443, Saturday, October 15, 2022 05:46:30
[DoS Attack: SYN/ACK Scan] from source: 40.113.105.173, port 443, Saturday, October 15, 2022 05:46:30
[DoS Attack: RST Scan] from source: 168.119.146.46, port 443, Saturday, October 15, 2022 05:12:07
[DoS Attack: SYN/ACK Scan] from source: 195.208.6.1, port 53, Saturday, October 15, 2022 05:05:08
[DoS Attack: SYN/ACK Scan] from source: 195.208.6.1, port 53, Saturday, October 15, 2022 05:05:08
[DoS Attack: RST Scan] from source: 17.253.144.10, port 443, Saturday, October 15, 2022 04:13:20
[DoS Attack: RST Scan] from source: 17.253.144.10, port 443, Saturday, October 15, 2022 04:13:20
[DoS Attack: SYN/ACK Scan] from source: 222.92.255.14, port 61709, Saturday, October 15, 2022 03:52:56
[DoS Attack: ACK Scan] from source: 71.225.210.239, port 443, Saturday, October 15, 2022 03:19:06
[DoS Attack: SYN/ACK Scan] from source: 51.91.8.30, port 443, Saturday, October 15, 2022 03:14:02
[DoS Attack: TCP/UDP Chargen] from source: 64.62.197.240, port 5006, Saturday, October 15, 2022 03:11:55
[DHCP IP: 192.168.1.5][Device Name: ] to MAC address 3e:bf:9e:26:b6:6c, Saturday, October 15, 2022 03:06:06
[DoS Attack: SYN/ACK Scan] from source: 5.61.253.157, port 80, Saturday, October 15, 2022 01:56:05
[DoS Attack: SYN/ACK Scan] from source: 78.47.78.109, port 80, Saturday, October 15, 2022 01:54:00
[DoS Attack: SYN/ACK Scan] from source: 5.61.253.157, port 80, Saturday, October 15, 2022 01:51:06
[DoS Attack: RST Scan] from source: 17.253.144.10, port 443, Saturday, October 15, 2022 01:22:54
[admin login] from source 192.168.1.3, Saturday, October 15, 2022 01:20:15
[admin login failure] from source 192.168.1.3, Saturday, October 15, 2022 01:20:10
[admin login] from source 192.168.1.3, Saturday, October 15, 2022 01:12:09
[DoS Attack: SYN/ACK Scan] from source: 116.203.53.28, port 80, Saturday, October 15, 2022 01:11:58
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23

I did a reverse DNS lookup on some of the IP addresses and was utterly surprised that they came from a combination of legitimate and rather shady sources.

148.137.132.79.in-addr.arpa domain name pointer 218912.fornex.cloud.
10.144.253.17.in-addr.arpa domain name pointer apple.fr.
10.144.253.17.in-addr.arpa domain name pointer livepage.apple.com.
10.144.253.17.in-addr.arpa domain name pointer asia.apple.com.
10.144.253.17.in-addr.arpa domain name pointer seminars.apple.com.
10.144.253.17.in-addr.arpa domain name pointer aperturetrialbuy.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.ai.
10.144.253.17.in-addr.arpa domain name pointer apple.de.
10.144.253.17.in-addr.arpa domain name pointer podcast.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.pe.
10.144.253.17.in-addr.arpa domain name pointer guide.apple.com.
10.144.253.17.in-addr.arpa domain name pointer shake.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.es.
10.144.253.17.in-addr.arpa domain name pointer apple.com.uy.
10.144.253.17.in-addr.arpa domain name pointer icloud.com.
10.144.253.17.in-addr.arpa domain name pointer apple.nl.
10.144.253.17.in-addr.arpa domain name pointer brkgls.com.
10.144.253.17.in-addr.arpa domain name pointer apple.ca.
10.144.253.17.in-addr.arpa domain name pointer iphone.apple.com.
10.144.253.17.in-addr.arpa domain name pointer applejava.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.co.
10.144.253.17.in-addr.arpa domain name pointer apple.com.gy.
10.144.253.17.in-addr.arpa domain name pointer applescript.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.au.
10.144.253.17.in-addr.arpa domain name pointer apple.com.my.
10.144.253.17.in-addr.arpa domain name pointer www.brkgls.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.sg.
10.144.253.17.in-addr.arpa domain name pointer itunespartner.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.mx.
10.144.253.17.in-addr.arpa domain name pointer apple.com.tt.
10.144.253.17.in-addr.arpa domain name pointer world-any.aaplimg.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.py.
10.144.253.17.in-addr.arpa domain name pointer apple.com.lk.
10.144.253.17.in-addr.arpa domain name pointer apple.com.cn.
10.144.253.17.in-addr.arpa domain name pointer apple.com.pa.
10.144.253.17.in-addr.arpa domain name pointer apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.bo.
10.144.253.17.in-addr.arpa domain name pointer apple.it.
10.144.253.17.in-addr.arpa domain name pointer iworktrialbuy.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.co.uk.
10.144.253.17.in-addr.arpa domain name pointer apple.com.hn.
10.144.253.17.in-addr.arpa domain name pointer firewire.apple.com.
10.144.253.17.in-addr.arpa domain name pointer squeakytoytrainingcamp.com.
10.144.253.17.in-addr.arpa domain name pointer advertising.apple.com.
10.144.253.17.in-addr.arpa domain name pointer apple.com.do.
1.6.208.195.in-addr.arpa domain name pointer a.auth-nsdi.ru.

Is this a false positive, or is this something that I should be concerned about?

Message 1 of 2

Re: DoS and Ping sweep attacks


@crus4d3r_1211 wrote:

Is this a false positive, or is this something that I should be concerned about?


Hard to tell without knowing what Netgear stuff you are using, but Netgear's firmware is great at creating false reports of DoS attacks. Many of them are no such thing.

Search - NETGEAR Communities – DoS attacks

Use Whois.net to see who is behind some of them and you may find that they are from places like Facebook, Google, even your ISP.

Here is a useful tool for that task:

IPNetInfo: Retrieve IP Address Information from WHOIS servers

If these events are slowing down your router, that may be because it is using up processor time as it writes the events to your logs. Anything that uses processor power – event logging, QoS management, traffic metering – may cause slowdowns. Disable logging of DoS attacks and see if that reduces the problem. This does not prevent the router from protecting you from the outside world.

Message 2 of 2
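Added example (my own, not code from either poster): a short triage script for the log format quoted in the question, applying the test that explains most of the posted entries and that the reply's WHOIS advice points at. A SYN/ACK, ACK or RST can only be sent from the port a server is listening on, so one of these arriving from a remote host's port 443, 80 or 53 is the far end of a session that a device on the LAN opened; the router logs it as a "scan" because its NAT table no longer has an entry for that session. The script parses the "[DoS Attack: ...]" lines, groups them by source address, and separates those server-port replies and ICMP probes from the entries that are actually worth a WHOIS or reverse-DNS look. The SERVER_PORTS list and the verdict names are my assumptions, and SAMPLE_LOG is constructed from the entry formats in the post rather than read from a router:

```python
import re
from datetime import datetime

# Constructed sample in the Netgear log format quoted in the thread (a subset
# of the posted entries plus two non-DoS lines); not a live capture.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 79.132.137.148, port 443, Saturday, October 15, 2022 08:16:06
[DoS Attack: SYN/ACK Scan] from source: 79.132.137.148, port 443, Saturday, October 15, 2022 08:16:05
[DoS Attack: Ping Sweep] from source: 69.94.52.219, Saturday, October 15, 2022 06:54:01
[DoS Attack: Ping Sweep] from source: 69.94.52.219, Saturday, October 15, 2022 06:52:42
[DoS Attack: SYN/ACK Scan] from source: 195.208.6.1, port 53, Saturday, October 15, 2022 05:05:08
[DoS Attack: RST Scan] from source: 17.253.144.10, port 443, Saturday, October 15, 2022 04:13:20
[DoS Attack: SYN/ACK Scan] from source: 222.92.255.14, port 61709, Saturday, October 15, 2022 03:52:56
[DoS Attack: TCP/UDP Chargen] from source: 64.62.197.240, port 5006, Saturday, October 15, 2022 03:11:55
[DHCP IP: 192.168.1.5][Device Name: ] to MAC address 3e:bf:9e:26:b6:6c, Saturday, October 15, 2022 03:06:06
[admin login failure] from source 192.168.1.3, Saturday, October 15, 2022 01:20:10
[DoS Attack: ACK Scan] from source: 35.186.224.42, port 443, Saturday, October 15, 2022 01:09:23
"""

# "[DoS Attack: <kind>] from source: <ip>[, port <port>], <weekday>, <date> <time>"
DOS_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:, port (?P<port>\d+))?, (?P<when>.+)$"
)
TIME_FMT = "%A, %B %d, %Y %H:%M:%S"

# Ports a remote *server* answers from (assumed list; extend it for the
# services your LAN hosts actually use). A SYN/ACK, ACK or RST arriving from
# one of these is the far end of a TCP session replying, not a scan of us.
SERVER_PORTS = {53, 80, 443, 993, 995, 8000, 8080, 8443}
REPLY_KINDS = {"SYN/ACK Scan", "ACK Scan", "RST Scan"}
BENIGN = {"server-reply", "icmp-probe"}


def parse_line(line):
    """Return a dict for a DoS entry, or None for DHCP/admin/other lines."""
    m = DOS_RE.match(line.strip())
    if not m:
        return None
    port = m.group("port")
    return {
        "kind": m.group("kind"),
        "ip": m.group("ip"),
        "port": int(port) if port else None,
        "when": datetime.strptime(m.group("when"), TIME_FMT),
    }


def classify(ev):
    """Verdict names are this example's own, not Netgear's."""
    kind, port = ev["kind"], ev["port"]
    if kind in REPLY_KINDS and port in SERVER_PORTS:
        return "server-reply"   # late or stale reply to a session a LAN host opened
    if kind == "Ping Sweep":
        return "icmp-probe"     # internet background scanning; the router drops it
    if kind in REPLY_KINDS:
        return "unsolicited"    # handshake flags from a non-service port: WHOIS it
    return "other"              # Chargen and anything else: look at it by hand


def summarize(log_text):
    """Group DoS entries by source IP, most frequent source first."""
    per_ip = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_ip.setdefault(ev["ip"], {
            "count": 0, "kinds": set(), "ports": set(), "verdicts": set(),
            "first": ev["when"], "last": ev["when"],
        })
        rec["count"] += 1
        rec["kinds"].add(ev["kind"])
        if ev["port"] is not None:
            rec["ports"].add(ev["port"])
        rec["verdicts"].add(classify(ev))
        rec["first"] = min(rec["first"], ev["when"])
        rec["last"] = max(rec["last"], ev["when"])
    return dict(sorted(per_ip.items(), key=lambda kv: -kv[1]["count"]))


def needs_review(summary):
    """Source IPs with at least one entry not explained as a reply or ICMP probe."""
    return sorted(ip for ip, rec in summary.items() if rec["verdicts"] - BENIGN)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, rec in summary.items():
        print(f"{ip:16} {rec['count']:2}x  {', '.join(sorted(rec['kinds'])):22} "
              f"ports={sorted(rec['ports'])}  {'/'.join(sorted(rec['verdicts']))}")
    print("worth a WHOIS/rDNS look:", needs_review(summary))
```

Run against a saved copy of the router log (`summarize(open("router.log").read())`), this leaves only two sources from the posted log for the WHOIS step the reply recommends: 222.92.255.14, whose SYN/ACK came from port 61709, a port no common service listens on, and the Chargen entry from 64.62.197.240. The seven identical ACK entries from 35.186.224.42 port 443 within the same second are what a server's retransmissions look like once the router has dropped the session state, and the reverse-DNS result above for 17.253.144.10 (apple.com) fits the same pattern.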