Aspirant

DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

Hello everyone,

 

I'm going through an odd problem here and I really don't know what else I have to do and try.

So, a month ago cops randomly showed up at our house, like 8 of them, and told us someone with our IP address was in a VETERANS CHAT ROOM threatening to commit suicide, and it linked back to our house. In our house no one is going through this, and the problem is I'm the only one using the internet 80% of the time.

 

3 weeks pass by and the exact same thing happens: they show up once again, same story and everything. They search the house and see everything is OK; we try to log in to the ROUTER and the secret questions don't work anymore. They leave, I reset the router to factory settings and just buy a brand new one, which is this one, an R9000, with a brand new SPECTRUM modem.

 

I set up the router with complicated passwords and everything, with secret answers that don't even make sense... on purpose.

I log in to the router settings and check my logs, and I notice constant DDOS attacks, and the internet just goes down completely. It's a constant everyday thing; it happens every other hour.

 

I called Spectrum, my internet company, and they don't even know what to do; they told me my IP address is DYNAMIC and keeps changing, nothing to worry about. If it's dynamic, how is it possible for this person to constantly attack my IP address and take it down?

So they didn't even know what to do and just sent a regular tech who barely knew anything about IP addresses and basic troubleshooting.

 

The next day I called my router company, Netgear, and explained to them what's going on. They were shocked and told me they've never heard of this and don't know what to do, besides recommending that I USE a VPN, which slows down my internet, and I already have 2 of them.

How am I supposed to get rid of this attacker? Is there any way I can change my default router IP address from 192.168.1 to something else? The other day I tried it and it completely went down and I couldn't bring it back up again.

 

Here are some of the logs.

[DoS Attack: SYN/ACK Scan] from source: 141.105.66.244, port 443, Friday, May 24, 2019 00:29:24

[DoS Attack: RST Scan] from source: 74.125.197.109, port 993, Friday, May 24, 2019 00:07:43
[DoS Attack: RST Scan] from source: 74.125.197.108, port 993, Friday, May 24, 2019 00:07:43
[DoS Attack: ACK Scan] from source: 52.201.182.69, port 443, Friday, May 24, 2019 00:07:28
[DoS Attack: ACK Scan] from source: 205.185.216.42, port 443, Friday, May 24, 2019 00:07:12
[DoS Attack: ACK Scan] from source: 20.36.246.152, port 443, Friday, May 24, 2019 00:07:07
[DoS Attack: ACK Scan] from source: 74.125.197.108, port 993, Friday, May 24, 2019 00:07:00
[DoS Attack: ACK Scan] from source: 52.201.182.69, port 443, Friday, May 24, 2019 00:06:51
[DoS Attack: SYN/ACK Scan] from source: 52.86.194.88, port 443, Friday, May 24, 2019 00:06:50
[DoS Attack: SYN/ACK Scan] from source: 216.58.193.198, port 443, Friday, May 24, 2019 00:05:58
[DoS Attack: SYN/ACK Scan] from source: 52.114.76.34, port 443, Friday, May 24, 2019 00:05:53
[DoS Attack: SYN/ACK Scan] from source: 54.70.55.114, port 443, Friday, May 24, 2019 00:05:51
[DoS Attack: SYN/ACK Scan] from source: 52.35.46.249, port 443, Friday, May 24, 2019 00:05:51
[DoS Attack: SYN/ACK Scan] from source: 216.58.193.198, port 443, Friday, May 24, 2019 00:05:50
[DoS Attack: ACK Scan] from source: 52.230.222.68, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: SYN/ACK Scan] from source: 52.39.55.138, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: SYN/ACK Scan] from source: 54.70.55.114, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: SYN/ACK Scan] from source: 52.39.55.138, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: SYN/ACK Scan] from source: 52.35.46.249, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: SYN/ACK Scan] from source: 216.58.193.198, port 443, Friday, May 24, 2019 00:05:44

[DoS Attack: SYN/ACK Scan] from source: 203.107.43.207, port 80, Thursday, May 23, 2019 23:59:18

 

Can anyone please help me out and suggest what to do and how I can get rid of this attacker?

Router firmware is updated to the latest version, V1.0.4.28.

 

Please help me out someone!

Really appreciate it, thanks!

Model: R9000|Nighthawk X10 AD7200 Smart WiFi Router
Message 1 of 13
Aspirant

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

These ones are brand new as we speak; don't know why the time is 1 hour behind.

 

[DoS Attack: WinNuke Attack] from source: 13.35.99.98, port 443, Sunday, May 26, 2019 18:18:22

[DoS Attack: TCP/UDP Chargen] from source: 52.73.169.169, port 40560, Sunday, May 26, 2019 17:16:49

 

[WLAN access rejected: incorrect security] Sunday, May 26, 2019 15:50:12
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:47
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:40

 

[DoS Attack: ACK Scan] from source: 190.106.206.50, port 443, Sunday, May 26, 2019 14:43:41

 

[DoS Attack: TCP/UDP Chargen] from source: 185.94.111.1, port 60328, Sunday, May 26, 2019 14:09:52

Message 2 of 13

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

First: don't panic.

 

Nothing you have shown us here appears abnormal or should give you any concern. My router logs are full of the same attacks 24 hours a day, 7 days a week.

 

Your router, by default, shields the devices on your LAN which are behind it. Run in its default configuration, it will do this. Not maybe, or sort of. It will. Does this mean you are 100% protected against security threats or becoming compromised? No, but the chances are pretty slim. If you did get breached, I'd suspect it was the result of another service or system (behind it) which was less secure, open, unpatched, compromised, etc.

 

What can announce your WAN's IP (existence) on the internet:

-Disabling "Do not respond to ICMP ping"

-Putting a computer or device on your LAN into the DMZ

-Forwarding ports for a device or service on your LAN you want to access remotely

-Leaving UPnP enabled and running devices or services which open ports indiscriminately

 

Your WAN's IP address will change if dynamic, as Spectrum stated. I don't know how often their lease expires. If you turn your modem off prior to the lease expiration, it will get a new IP when you turn it on again. It is also possible to force the IP to change by changing what MAC address the router uses. The modem will "learn" MACs depending on the configuration you specify: use default MAC, use computer's MAC, etc.

 

The takeaway here: you aren't the Dept of Defense or some high-profile desirable target. If you got compromised, it's not because they "bruteforced" their way through your router. Again, I would suspect someone or something behind it being at fault or the culprit.

 

I'm not going to comment on your other issue: the police, someone spoofing an IP, or what might or could have happened. I have seen people get letters from their ISP when they share their internet connection with neighbors and find out that the kids living next door are not observing the law. But it has to be pretty blatant.

 

Good luck with your issue. Your router is not the problem.

 

 

 

~Comcast 1 Gbps/50 Mbps SB8200 > R8000P
~R8000P FW:1.4.1.50 ~R7000 FW:1.0.9.42
~R6400 FW:1.0.1.52 ~Orbi-AC3000 FW:2.5.1.8
~EX3700 FW:1.0.0.78

Message 3 of 13

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

These are a neighbor or someone who is within the broadcast range of your wireless.

 

[WLAN access rejected: incorrect security] Sunday, May 26, 2019 15:50:12
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:47
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:40

 

Some people don't read... they might be trying to connect to your wireless broadcast in error.

 

This will show up over and over because they have saved the wireless profile on their system or device.

 

Block the MAC in Access Control. 3rd section, very bottom of the page.

 


Message 4 of 13
Aspirant

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

Thank you for your response.

 

The weird thing is, 2 months ago someone tried to gain access to my STEAM gaming account from Iran. I have the IP ADDRESS and everything, and I got the message through my email. I had 2-step verification set up and connected to my cellphone, and they couldn't gain access to the account unless I approved it.

 

6 months ago the same thing happened, and it was from another country.

This Steam account is my old account that I don't even use, and it's from 6 to 8 years ago. Do you think it's possible they found my IP like that?

 

None of my neighbors have access to my internet and I've never shared it with anyone; it's a bunch of old people in their 80s and 90s.

Every other hour the internet literally goes down and I can't do anything; it has to be something that's causing it.

Message 5 of 13

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

Yes. As I said, a service or system behind the router is likely to blame.

 

I get the same attacks in my logs. We all do if logging is enabled.

 

[DoS attack: ACK Scan] from source 35.227.197.177,port 443 Sunday, May 26,2019 12:53:46
[DoS attack: ACK Scan] from source 69.171.250.25,port 443 Sunday, May 26,2019 12:46:32
[DoS attack: ACK Scan] from source 107.6.90.78,port 443 Sunday, May 26,2019 12:46:28
[DoS attack: ACK Scan] from source 35.227.197.177,port 443 Sunday, May 26,2019 12:33:34
[DoS attack: RST Scan] from source 172.217.5.106,port 443 Sunday, May 26,2019 12:24:32
[DoS attack: RST Scan] from source 172.217.5.106,port 443 Sunday, May 26,2019 12:16:27
[DoS attack: RST Scan] from source 216.58.194.206,port 443 Sunday, May 26,2019 12:08:59

 

But you may want to take a look at the settings on your router: port forwarding (if applicable), other services, UPnP, that might be a potential issue. If you are hosting a room or server for gaming, you have ports or services open, and you will be more vulnerable.

 


Message 6 of 13
Aspirant

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

OK, thanks for all the help.

If I uninstall all the operating systems and install a fresh OS, do you think it'll help me out?

 

I'll disable UPnP and try it, but with UPnP disabled are you still able to play games on PS4?

Message 7 of 13

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

I think reinstalling is a bit drastic. So no, I do not recommend that.

 

Why not start by disconnecting or shutting devices down?

 

It's always prudent to disable any unused features. Turn on what you need, turn off what you don't. My Xbox S works just fine without UPnP. Reports Full Open NAT. I'm about 1/3 of the way through Shadow of the Tomb Raider. Started Outcast Second Contact today. I only play once or twice a month. Have a stack of games I haven't opened. Will probably give them away. Too busy at work.

   


Message 8 of 13
Aspirant

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

I'll try it out and see how it goes; I hope I can get rid of this issue.

Really frustrating, man.

 

Thanks,

Message 9 of 13
Master

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

@shadowsports, I have Spectrum as well. I do NOT have a FIXED business account IP address. Mine is RANDOM DHCP from Spectrum. However, in the last year or so my WAN IP address has changed EXACTLY once. That was a few months ago when Spectrum added a new node and changed my connection over to it. Spectrum does NOT even change the IP address when you power off the modem, UNLESS you change the MAC ADDRESS of the modem. Spectrum has sort of wised up to people doing things with the modems. With the newer Technicolor E31s and the other similar modems, end users can NO LONGER get into the GUI of the modem and make changes or even SEE the status.

 

How did we know our WAN IP address had changed? Well, my wife got her GMAIL, and the next time she got a notice that an unfamiliar IP address had accessed her account. I Googled the IP address, as the GMAIL notice did contain our city in it, and Spectrum was the owner. Then I looked at my GUI for the router on the ADVANCED tab, and that was the WAN IP address we had.

 

I'm wondering about the OP's use of a VPN? I had one and dumped it. It caused GMAIL to send unknown IP address notices, but only once; that IP address never changed. It seemed the VPN used the same IP address, possibly for everyone. I wonder if the 'cops' were either 'real' or got the wrong info? Normally with a VPN they would need to contact the owner, the VPN, and then get the info based on TIME, and in some cases that might require out-of-state help or even a court order? It's also possible other users of that same VPN are assigned the same IP address.

 

Something just isn't right here?

 

@sev_kouva, you should GOOGLE the ports and IP addresses of those logged items. Port 443 is the secure HTTPS port for websites that use SSL. Port 80 is the normal website start port. Matter of fact, many of those IP addresses are AMAZON! Quite normal even.

 

I'm wondering if the traffic via the router is heavy due to a lot of streaming and activity on the devices, even constant game play, overloading the CPU so that it loses track of some TCP/IP packets? Lost packets result in what the router thinks is an unsolicited TCP/IP packet arriving (since it lost track of what to expect from a 'lost' packet it didn't remember but did send out), and that would be considered an attack and logged as one, with the type depending on what was in the packet?

 

If you GOOGLE any of the attack types you got, you'd probably be surprised to find out that probably 90% of the links are users who HAVE NETGEAR routers! Logging is one of the worst parts of NG f/w, I feel.

Message 10 of 13
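The two replies above (Message 3 and Message 10) make the same point from different angles: a "[DoS Attack: ACK Scan] ... port 443" line is the router flagging a packet it has no NAT state for, and when the *source* port is 443, 993 or 80 that packet is the tail end of a connection a LAN client opened, not a probe. The script below is an added example, not NETGEAR firmware code or anything the posters ran: it parses the two log formats seen in this thread, separates late replies (source port is a service port) from genuinely unsolicited probes (ephemeral source port, like the Chargen lines), and measures the peak logged-packet rate, which is what would have to be enormous for the log to explain an outage. SAMPLE_LOG is a constructed subset of the lines quoted in Messages 1, 2 and 6; the SERVICE_PORTS table and the flood threshold are assumptions to tune.

```python
"""Triage NETGEAR "[DoS Attack: ...]" router log lines.

Added example for this thread; it is not NETGEAR firmware code or anything
the posters ran. SAMPLE_LOG is a constructed subset of the lines quoted in
Messages 1, 2 and 6 above so the script runs offline; feed parse_log() the
text of a real exported log instead.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 141.105.66.244, port 443, Friday, May 24, 2019 00:29:24
[DoS Attack: RST Scan] from source: 74.125.197.109, port 993, Friday, May 24, 2019 00:07:43
[DoS Attack: RST Scan] from source: 74.125.197.108, port 993, Friday, May 24, 2019 00:07:43
[DoS Attack: ACK Scan] from source: 52.201.182.69, port 443, Friday, May 24, 2019 00:07:28
[DoS Attack: SYN/ACK Scan] from source: 216.58.193.198, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: SYN/ACK Scan] from source: 52.39.55.138, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: SYN/ACK Scan] from source: 54.70.55.114, port 443, Friday, May 24, 2019 00:05:44
[DoS Attack: WinNuke Attack] from source: 13.35.99.98, port 443, Sunday, May 26, 2019 18:18:22
[DoS Attack: TCP/UDP Chargen] from source: 52.73.169.169, port 40560, Sunday, May 26, 2019 17:16:49
[WLAN access rejected: incorrect security] Sunday, May 26, 2019 15:50:12
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:47
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:40
[DoS Attack: TCP/UDP Chargen] from source: 185.94.111.1, port 60328, Sunday, May 26, 2019 14:09:52
[DoS attack: ACK Scan] from source 35.227.197.177,port 443 Sunday, May 26,2019 12:53:46
"""

# Well-known server ports (assumption: extend for services your LAN uses).
# A packet whose *source* port is one of these and that carries ACK, RST or
# SYN/ACK is the far end of a connection a LAN client opened (a late
# retransmission, or a reset after the NAT entry expired), not a probe.
SERVICE_PORTS = {22, 25, 53, 80, 123, 443, 853, 993, 995}

# Two formats appear in this thread: "source:" with commas on the R9000,
# "source" with no comma before the date on the R8000P. One regex covers both.
DOS_RE = re.compile(
    r"\[DoS [Aa]ttack: (?P<kind>[^\]]+)\] from source:?\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*port (?P<port>\d+),?\s*(?P<when>\S.*?)\s*$"
)
WLAN_RE = re.compile(r"\[WLAN access rejected: (?P<reason>[^\]]+)\]\s*(?P<when>\S.*?)\s*$")


def parse_when(text):
    """'Sunday, May 26,2019 12:53:46' and 'Friday, May 24, 2019 00:29:24' both parse."""
    text = re.sub(r",\s*", ", ", text.strip())
    return datetime.strptime(text, "%A, %B %d, %Y %H:%M:%S")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = DOS_RE.match(line.strip())
        if m:
            events.append({"type": "dos", "kind": m["kind"], "ip": m["ip"],
                           "port": int(m["port"]), "when": parse_when(m["when"])})
            continue
        m = WLAN_RE.match(line.strip())
        if m:
            events.append({"type": "wlan", "kind": m["reason"], "ip": None,
                           "port": None, "when": parse_when(m["when"])})
    return events


def classify(event):
    if event["type"] == "wlan":
        return "wlan_auth_failure"      # a client tried to join with the wrong key
    if event["port"] in SERVICE_PORTS:
        return "late_reply"             # reply traffic from a server the LAN contacted
    if event["port"] >= 1024:
        return "unsolicited_probe"      # ephemeral source port: someone poked the WAN IP
    return "other_low_port"


def summarize(events):
    counts = Counter(classify(e) for e in events)
    times = sorted(e["when"] for e in events if e["type"] == "dos")
    # Peak number of logged packets in any sliding 60-second window.
    peak = 0
    for i, start in enumerate(times):
        end = start + timedelta(seconds=60)
        peak = max(peak, sum(1 for t in times[i:] if t < end))
    top = Counter(e["ip"] for e in events if e["type"] == "dos").most_common(3)
    return {"counts": dict(counts), "peak_per_minute": peak, "top_sources": top}


def assess(summary, flood_threshold=600):
    """A volumetric DoS is thousands of packets per second; the router logs one
    line per flagged packet, so a peak of a few per minute cannot be the cause
    of an outage. flood_threshold is an assumption; tune it to your logging
    rate. A real probe can also spoof source port 443, so the late_reply rule
    is a triage heuristic, not proof."""
    counts = summary["counts"]
    if summary["peak_per_minute"] >= flood_threshold:
        return "possible flood: check WAN throughput with the ISP"
    if counts.get("unsolicited_probe", 0) > counts.get("late_reply", 0):
        return "mostly unsolicited probes: confirm no DMZ, forwarded or UPnP ports are open"
    return "background noise: mostly late replies from servers your LAN contacted"


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(s["counts"], "peak/min:", s["peak_per_minute"], "top:", s["top_sources"])
    print(assess(s))
```

On the thread's own lines this yields 9 late replies, 2 probes and 3 Wi-Fi join failures with a peak of 3 logged packets in any minute, which is nowhere near what it takes to knock a connection over; an "internet goes down every other hour" symptom with a log like this points at the modem, the ISP line or a LAN device, as the replies say, not at the entries being logged.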
Master

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !


@shadowsports wrote:

These are a neighbor or someone who is within the broadcast range of your wireless.

 

[WLAN access rejected: incorrect security] Sunday, May 26, 2019 15:50:12
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:47
[WLAN access rejected: incorrect security]  Sunday, May 26, 2019 15:49:40

 

Some people don't read... they might be trying to connect to your wireless broadcast in error.

 

This will show up over and over because they have saved the wireless profile on their system or device.

 

Block the MAC in Access Control. 3rd section, very bottom of the page.

 


Yes, I've seen it too! My neighbor had company and they asked for the P/W to connect to his router with their phone. He gave it to them. They used the FIRST SSID they saw, mine... couldn't get in, and then asked him again which SSID. I get my log sent to me every day and I check it. I knew what it was, and the next day I asked my neighbor if his company had used his router. He said yes and asked how I knew... I smiled... and told him. He didn't know you could even see that.

 

Can't block something unless you know the MAC; there's none in the log above.

Message 11 of 13
Aspirant

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !

I didn't post the actual MAC, because I don't know if it's safe to post them online?

That MAC address and 2 other ones, I don't even see them on any of my devices!!!

 

How am I supposed to block it when I can't even find it?

If you connect to a VPN, does it change your MAC ADDRESS? Maybe that's why I don't recognize it?

 

Thanks,

Message 12 of 13
Master

Re: DDOS ATTACKS!!! COPS CAME!!! PLEASE HELP !


@sev_kouva wrote:

I didn't post the actual MAC, because I don't know if it's safe to post them online?

That MAC address and 2 other ones, I don't even see them on any of my devices!!!

 

How am I supposed to block it when I can't even find it?

If you connect to a VPN, does it change your MAC ADDRESS? Maybe that's why I don't recognize it?

 

Thanks,


The MAC address is unique to each device, and when you search that address in Google, the first few numbers will detail WHO made it. Sharing that is not a real problem. WAN IP addresses are, though.

 

VPNs change your WAN IP address. The site you go to sees you coming from a different IP address. Some use the SAME IP address for EVERYONE, or can use a random IP address depending on which VPN server you connect to. Fixed VPN IP addresses usually are more expensive.

 

You might want to READ this: https://appuals.com/fix-unknown-strange-devices-showing-network/. You can see more if you Google "Ghost devices connected to LAN".

Message 13 of 13
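Message 13 explains that the first three octets of a MAC identify the manufacturer, and Message 12 asks why a logged MAC matches none of the household's devices. The script below is an added example, not NETGEAR code or anything the posters ran: it normalizes a MAC, checks the two first-octet flag bits before doing any vendor lookup (a locally-administered address was generated by the device itself, as Wi-Fi MAC randomization and virtual machines do, so its prefix says nothing about the maker and it may well be one of your own phones), and compares the router's list against your own inventory so only the genuinely foreign addresses become Access Control candidates. OUI_TABLE is a constructed three-entry stand-in for the IEEE registry, and the demo MACs and inventory are constructed, not the OP's addresses; the real oui.csv from the IEEE is the authoritative source.

```python
"""Attribute MAC addresses from a router's WLAN log or attached-device list.

Added example for the MAC discussion in Messages 12 and 13; not NETGEAR
code. OUI_TABLE is a constructed three-entry stand-in for the IEEE OUI
registry (load the real oui.csv the same way, keyed by the first three
octets). The MACs and inventory in the demo are constructed.
"""
import re

# Constructed subset of the IEEE OUI registry; verify against the real list.
OUI_TABLE = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:1E:2A": "NETGEAR",
    "F0:99:BF": "Apple, Inc.",
}


def normalize(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def attribute(mac):
    """Vendor lookup, but only after checking the first octet's flag bits:
    bit 0 set = group/multicast address, never a client;
    bit 1 set = locally administered, i.e. made up by the device (randomized
    Wi-Fi addresses, VMs), so its OUI identifies no manufacturer."""
    mac = normalize(mac)
    first = int(mac[:2], 16)
    if first & 0x01:
        return {"mac": mac, "kind": "multicast", "vendor": None}
    if first & 0x02:
        return {"mac": mac, "kind": "locally_administered", "vendor": None}
    vendor = OUI_TABLE.get(mac[:8], "unknown (not in table)")
    return {"mac": mac, "kind": "universal", "vendor": vendor}


def triage(log_macs, my_devices):
    """Compare MACs the router saw with your own inventory (MAC -> name).

    Returns (mac, verdict) pairs; only the 'not yours' entries are sensible
    candidates for the router's Access Control block list."""
    mine = {normalize(m): name for m, name in my_devices.items()}
    verdicts = []
    for raw in log_macs:
        info = attribute(raw)
        if info["mac"] in mine:
            verdict = f"yours: {mine[info['mac']]}"
        elif info["kind"] == "multicast":
            verdict = "not a client address (multicast), ignore"
        elif info["kind"] == "locally_administered":
            verdict = ("randomized address, vendor unknown: check your own phones and "
                       "laptops for a private/random Wi-Fi address before blocking")
        else:
            verdict = f"not yours, vendor {info['vendor']}: candidate for Access Control block"
        verdicts.append((info["mac"], verdict))
    return verdicts


if __name__ == "__main__":
    # Constructed demo data, not the OP's addresses.
    inventory = {"b8-27-eb-12-34-56": "pi-hole", "f0:99:bf:00:00:01": "my phone"}
    seen = ["B8:27:EB:12:34:56", "DA:A1:19:00:11:22", "00:1E:2A:AA:BB:CC", "01:00:5E:00:00:FB"]
    for mac, verdict in triage(seen, inventory):
        print(mac, "->", verdict)
```

A VPN client, as Message 13 says, changes the address the far end sees (the WAN IP), not the MAC on your own LAN; if the unknown MAC has the locally-administered bit set, the first place to look is your own phones and laptops with a private or random Wi-Fi address turned on, and the block list only makes sense for an address that is both universally administered and absent from your inventory.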