Re: DoS Attack?

JTLarkin
Aspirant

DoS Attack?

Hey all,

This issue has been annoying me for almost a month now. It seems to show up in the logs differently depending on the settings. Right now, with almost factory settings, it is showing up in the log as:

(This is just a sampling, there are many more sources)

[DoS attack: ACK Scan] from source 184.25.146.65,port 443 Thursday, Jun 20,2019 19:45:44
[DoS attack: ACK Scan] from source 104.77.9.242,port 443 Thursday, Jun 20,2019 19:44:08
[DoS attack: RST Scan] from source 52.206.161.63,port 80 Thursday, Jun 20,2019 19:44:08
[DoS attack: ACK Scan] from source 104.77.9.242,port 443 Thursday, Jun 20,2019 19:44:07
[DoS attack: ACK Scan] from source 184.87.54.217,port 443 Thursday, Jun 20,2019 19:44:06

If I disable Port Scan and DoS Protection it shows up as:

[UPnP set eventPublic_UPNP_C3] from source xxx.xxx.x.x

These "attacks" happen about every 10 minutes on every device on my network, causing bad lag spikes especially when gaming.

I have tried many different potential solutions online but almost all forum posts I have browsed are pretty outdated.

My Playstation is running on ethernet connection and still has this issue. 

We thought it was our outdated ASUS router, so we upgraded to this Nighthawk (much better performance otherwise) and still have the issue.

I thought it could be some sort of malware on PC, but the spikes still happen with my PC completely off.

As the only person in my house who somewhat understands this stuff, it would be nice to find a solution and put an end to the complaining from my family. Thanks!

Model: R8000P|Nighthawk X6S AC4000 Tri Band WiFi Router
Message 1 of 5

Re: DoS Attack?

Netgear is great at creating false reports of DoS attacks. Many of them are no such thing.

Search - NETGEAR Communities – DoS attacks

Just use whois to see who is behind some of them. You may find that they are from places like Facebook, Google, even your ISP.

Here is a useful tool for that task:

IPNetInfo: Retrieve IP Address Information from WHOIS servers

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 2 of 5
IrvSp
Master

Re: DoS Attack?

I don't think Netgear Logging is very good. If you Google any attack type and look at what h/w it is on, it is usually Netgear. The logs can be FULL of FALSE POSITIVES...

I believe it is the router itself, when under load, losing track of a TCP/IP packet it sent out. Then one comes in due to that packet, it wasn't expecting it, and it logs it as an attack based on packet contents.

REAL attacks come multiple times a second. Not usually to Port 80 (website HTML page requests) or port 443 which is generally the Secure HTML port.

I'd verify this by disconnecting all devices and seeing what happens with only one device. Probably will not, then add back connecting others one at a time.

If QoS is on, turn it off as well... and Traffic Meter too, that can slow the router down.

Oh, when the router logs that 'attack', it does throw the packet away. TCP/IP however will know it never got a response back and ask for that packet again, probably a few milliseconds delay, and you may not notice it per se, but overall you notice slow internet.

Message 3 of 5
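
A small triage script for the log format quoted in the first post, applying the two checks suggested in the replies above: how many entries a source produces per second, and whether it only ever appears with port 80 or 443. This is an added example, not part of the original thread or any NETGEAR tool; the regex is inferred from the five sample lines, and the `flood_per_sec` threshold and `likely_false_positive` label are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Log lines quoted from the first post in this thread.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source 184.25.146.65,port 443 Thursday, Jun 20,2019 19:45:44
[DoS attack: ACK Scan] from source 104.77.9.242,port 443 Thursday, Jun 20,2019 19:44:08
[DoS attack: RST Scan] from source 52.206.161.63,port 80 Thursday, Jun 20,2019 19:44:08
[DoS attack: ACK Scan] from source 104.77.9.242,port 443 Thursday, Jun 20,2019 19:44:07
[DoS attack: ACK Scan] from source 184.87.54.217,port 443 Thursday, Jun 20,2019 19:44:06
"""

# Entry layout inferred from the sample above (assumption, not a documented format).
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<ip>[\d.]+),\s*port (?P<port>\d+)"
    r" \w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

def parse(log_text):
    """Return (timestamp, ip, port, kind) tuples; other entry types are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
            events.append((ts, m["ip"], int(m["port"]), m["kind"]))
    return events

def summarize(events, web_ports=(80, 443), flood_per_sec=2):
    """Group entries by source and apply the thread's two rule-of-thumb checks."""
    per_ip = defaultdict(list)
    for ts, ip, port, kind in events:
        per_ip[ip].append((ts, port, kind))
    report = {}
    for ip, rows in per_ip.items():
        # Highest number of entries logged for this source within one second.
        peak = max(Counter(ts for ts, _, _ in rows).values())
        ports = sorted({p for _, p, _ in rows})
        report[ip] = {
            "count": len(rows),
            "kinds": sorted({k for _, _, k in rows}),
            "ports": ports,
            "peak_per_sec": peak,
            # Assumed heuristic: web ports only and below the per-second threshold.
            "likely_false_positive": all(p in web_ports for p in ports) and peak < flood_per_sec,
        }
    return report

if __name__ == "__main__":
    for ip, info in sorted(summarize(parse(SAMPLE_LOG)).items()):
        print(ip, info)
```

Sources the script does not flag as likely false positives are the ones worth a whois lookup first.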
JTLarkin
Aspirant

Re: DoS Attack?

Thank you for the reply,

It was actually my modem, which was from 2012. Upgraded it yesterday and have no problems since. 

Message 4 of 5
schumaku
Guru

Re: DoS Attack?


@JTLarkin wrote:

It was actually my modem, which was from 2012. Upgraded it yesterday and have no problems since. 


All kinds of connectivity problems (to the Internet) or changes (clients not closing IP sessions because they sleep or roam away to another wireless or the LTE/4G/5G network) are causing these false DoS detections, too.

Message 5 of 5