Block Attack

jimwill72
Tutor

Block Attack

Getting this log entry in the log about the same time I lose connection to my ISP:

[Block Attack] From source: 192.168.1.2, port 80, Wednesday, Jul 17,2019 20:19:57

What is it and what is causing it?

Connection to my ISP is lost for 2-3 minutes.

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 1 of 16
microchip8
Master

Re: Block Attack

False positive as it's a local IP too. Better disable Port Scan and DoS Protection in Advanced -> WAN Setup

Routing: NETGEAR R7800 - Voxel Firmware 1.0.2.88SF & Kamoj addon
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
Message 2 of 16
jimwill72
Tutor

Re: Block Attack

Ok. But what would cause it?

Wouldn't this open me up to attacks?

Message 3 of 16
microchip8
Master

Re: Block Attack

Wrong detection causes it. The NG DoS protection is nearly useless, full of false positives.

I've been running routers without such "protection" for years and never had anything happen. I also run my current R7800 with DoS disabled

Message 4 of 16
jimwill72
Tutor

Re: Block Attack

Ok, thanks. I will disable and see what happens.

 

It doesn't happen very often, but when it does, I lose my internet connection for about 2 minutes.

Message 5 of 16
jimwill72
Tutor

Re: Block Attack

I disabled port scan and DoS protection and am still getting the Block Attack and the loss of my internet connection. So that appears not to be the problem.

Message 6 of 16
jimwill72
Tutor

Re: Block Attack

Talked with Netgear support and they could not tell me how to get the router to stop blocking my PC. Maybe it's time to get a different brand of router.

Message 7 of 16
IrvSp
Master

Re: Block Attack

I'd look at the 'attacker', 192.168.1.2? What is it doing when the 'block' happens?

 

Many times false positives are I think happening when the router is overwhelmed with traffic. It loses track of a TCP/IP packet going out and then when the response comes back it isn't expecting it and reports it as an attack?

 

Do you lose Internet access on ALL devices or just 192.168.1.2?

Message 8 of 16
jimwill72
Tutor

Re: Block Attack

That IP address is the main computer I use to access the internet. It has a wired connection to the router. I lose all internet connection with all devices that are using the internet. I notice on this PC because I am using the internet on it. I don't know what it could be causing it.

Message 9 of 16
IrvSp
Master

Re: Block Attack

Well, there is a 'hint' in here (if valid), "[Block Attack] From source: 192.168.1.2, port 80".

 

Port 80 is the normal HTML port:

 

============

Port 80 is the port number assigned to commonly used internet communication protocol, Hypertext Transfer Protocol (HTTP). It is the port from which a computer sends and receives Web client-based communication and messages from a Web server and is used to send and receive HTML pages or data.

============

 

So it seems whatever your main computer is doing at the TIME of the Block it is using Port 80 and the router doesn't like the contents.

 

Could be an infected website being accessed on your main computer and it is responding? Could be very heavy traffic from your browser causing problems.

 

First thing to see, when the Internet stops, see if the router log agrees with the time and then note what your PC was doing? Open TASK MANAGER and see what is running. Look at the PERFORMANCE tab, and RESOURCE MONITOR at the bottom. Look at TCP Connections and Listening Ports and see if any are on port 80? "netstat -an" in a CMD prompt would also show you that info.

 

Could you be using 2 servers, like IIS and Apache at the same time? They both use that port? Could confuse the router?

Message 10 of 16
jimwill72
Tutor

Re: Block Attack

The log entry for the block attack occurs when I lose the internet connection. I'm usually not accessing anything special, just my usual web sites. I'm guessing it's just heavy traffic. But, I will check task manager the next time it happens to see what is going on.

Message 11 of 16
jimwill72
Tutor

Re: Block Attack

Switched out the Netgear Router for an older Belkin router and have been running for 2 days with no problems or block attacks in the log. I guess there is a problem with the router. I think I am going to return the Netgear router.

Message 12 of 16
IrvSp
Master

Re: Block Attack

Do what you wish, but there is no 'problem' with the router other than it produces many 'false positives' in the log. Google any type of logged attack and you generally will see 2 different forms of references, the meaning of that type of attack, and a Netgear router logging that attack. Rarely will you see another router mentioned.

 

Personally, I think NG just 'threw' something together for logging and are happy the way it works and it does log the basic functions notification.

 

On my R8000 I got these yesterday:

 

[DoS attack: ACK Scan] attack packets in last 20 sec from ip [104.96.86.223], Sunday, Jul 28,2019 15:58:58
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.2.42], Sunday, Jul 28,2019 08:10:59
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [64.233.177.95], Sunday, Jul 28,2019 08:10:57
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.2.42], Sunday, Jul 28,2019 08:10:54
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [13.249.109.139], Sunday, Jul 28,2019 08:10:52

I do not consider them real. The first one is Akamai, the 3rd party Cookie manager site, the last is Amazon, and the other 3 Google. Very rarely when I check the IP Addresses do I find anything 'odd'.

 

It is entirely possible that the Belkin isn't logging everything, or I guess possible it is working as it should and doesn't report false Positives. I'm sure some logging is better than others.

Message 13 of 16
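Added example (not part of any post in this thread, and not Netgear code): a Python parser for the two log formats quoted above that marks entries whose source is a private LAN address and returns the entries logged near a time the user noted an outage. The function names and the 180-second window (chosen to match the 2-3 minute loss described in the thread) are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# The six log lines quoted in this thread (both formats the page shows).
SAMPLE_LOG = """\
[Block Attack] From source: 192.168.1.2, port 80, Wednesday, Jul 17,2019 20:19:57
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [104.96.86.223], Sunday, Jul 28,2019 15:58:58
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.2.42], Sunday, Jul 28,2019 08:10:59
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [64.233.177.95], Sunday, Jul 28,2019 08:10:57
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.2.42], Sunday, Jul 28,2019 08:10:54
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [13.249.109.139], Sunday, Jul 28,2019 08:10:52
"""

# One pattern for both formats: "From source: IP, port N" and "from ip [IP]".
LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\].*?(?:source: |from ip \[)(?P<ip>[0-9.]+)\]?"
    r"(?:, port (?P<port>\d+))?, \w+, (?P<ts>\w{3} \d{1,2},\d{4} [\d:]{8})$"
)

def parse(log_text):
    """Return one dict per recognised line, oldest first; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # digits and dots that are not a valid address
            continue
        events.append({
            "event": m["event"],
            "ip": str(ip),
            "port": int(m["port"]) if m["port"] else None,
            "time": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"),
            "lan_source": ip.is_private,  # True for 192.168.x.x and other private ranges
        })
    return sorted(events, key=lambda e: e["time"])

def near_outage(events, outage_times, window_s=180):
    """Events logged within window_s seconds of any user-noted outage time."""
    window = timedelta(seconds=window_s)
    return [e for e in events
            if any(abs(e["time"] - t) <= window for t in outage_times)]
```

Entries with `lan_source` set that also fall inside an outage window are the ones worth matching against a packet capture or `netstat -an` output taken on that host at the same time.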
jimwill72
Tutor

Re: Block Attack

I don't care what it logs. All I know is that when the Block Attack occurs, I lose my internet connection to all devices that are using it for 2 - 3 minutes. I do not get the log entry with the Belkin router nor have I lost my internet connection. If someone can tell me how to prevent the internet connection loss, I would be happy to stay with the Netgear router.

Message 14 of 16
IrvSp
Master

Re: Block Attack


@jimwill72 wrote:

 If someone can tell me how to prevent the internet connection loss, I would be happy to stay with the Netgear router.


Can't probably until it is known what is causing it?

 

Need to know what the PC was doing at the time of the log entry to begin with? PC's do a lot of things 'under the covers' that don't appear on the screen. Might need to disable a lot of things by even going into SAFE MODE (if on Windows) even.

 

Even capture TCP/IP packets (Wireshark for instance) and try to match those to the problem.

 

Wonder if turning off Logging might even solve the problem (with NG, almost anything is possible)?

 

In any case, it will take some 'detective' work to figure this out. Starting with minimal router settings, maybe only using (and connecting) the problem PC and if wired, no settings changed from the Factory Reset ones, and go from there.

 

Or, of course, get another router if you are 100% sure it is the NG router? Me, I'd want to know why though? If it might be 'real', it would always bother me?

 

Just a thought? Do you have PARENTAL CONTROL active? Do you have any SERVICES BLOCKED? These could cause the same thing to happen.

Message 15 of 16
jimwill72
Tutor

Re: Block Attack

Everything is factory settings. I don't understand why the Belkin works with factory setting and the Netgear does not. I don't really have time to mess with it especially since I have one that works. Internet still has not gone down with the Belkin.

Message 16 of 16