DoS attack: ACK Scan

OlivierS
Aspirant

Hi,

 

Could someone explain the below from the logs:

 

[DoS attack: ACK Scan] from source: 31.13.90.2:443 Friday, November 04,2016 14:49:24

[DoS attack: ACK Scan] from source: 104.69.244.168:443 Friday, November 04,2016 14:41:46

[DoS attack: ACK Scan] from source: 61.213.187.243:80 Friday, November 04,2016 14:22:04

[DoS attack: ACK Scan] from source: 61.213.187.243:80 Friday, November 04,2016 14:21:40

[DoS attack: ACK Scan] from source: 216.52.1.12:443 Friday, November 04,2016 14:17:54

[DoS attack: ACK Scan] from source: 216.52.1.12:443 Friday, November 04,2016 14:17:27

[DoS attack: ACK Scan] from source: 104.127.39.70:80 Friday, November 04,2016 14:06:46

 

Thank you

Message 1 of 3
IrvSp
Master

Re: DoS attack: ACK Scan

More than likely 'not real'. I've had them many times in the log (and others). Some from my ISP (do a WHOIS from one of the many sites that tell you who owns the site) and many times from Google even.

 

For instance 31.13.90.2 is Facebook in Ireland. You are probably using that and somehow the router lost the fact that it was waiting for a response from FB. So when one came in it logged it as an attack. Meanwhile FB didn't get a response in time so it sent out another request for data and that did come in, so you'd never notice it.

 

You can use this site, http://whois.ipchecker.info, to check those IP addresses. After the colon is the PORT they are using. 443 is used for SSL at web sites, and port 80 is what a web server listens to.

 

61.213.187.243 is Japan, 216.52.1.12 is USA (no owner listed), and 104.127.39.70 is the Netherlands, as is 104.69.244.168. If you know what you were browsing at that time those might make sense to you.

 

True attacks happen seconds apart, not minutes usually too.

 

It also seems to be NETGEAR logs only that have this problem, just Google DoS attack: ACK Scan and see what comes up. Might amaze you...

Message 2 of 3
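The triage described in the reply above can be scripted. This is an added example, not part of any post in this thread: it parses the log lines from the question, groups them by source, and measures the gap between repeats. The port set, the burst thresholds and the verdict labels are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the question in this thread.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source: 31.13.90.2:443 Friday, November 04,2016 14:49:24
[DoS attack: ACK Scan] from source: 104.69.244.168:443 Friday, November 04,2016 14:41:46
[DoS attack: ACK Scan] from source: 61.213.187.243:80 Friday, November 04,2016 14:22:04
[DoS attack: ACK Scan] from source: 61.213.187.243:80 Friday, November 04,2016 14:21:40
[DoS attack: ACK Scan] from source: 216.52.1.12:443 Friday, November 04,2016 14:17:54
[DoS attack: ACK Scan] from source: 216.52.1.12:443 Friday, November 04,2016 14:17:27
[DoS attack: ACK Scan] from source: 104.127.39.70:80 Friday, November 04,2016 14:06:46
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"\w+, (?P<ts>\w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)
WEB_PORTS = {80, 443}   # assumption: source ports typical of web-server replies
BURST_SECONDS = 5       # assumption: what counts as "seconds apart"
BURST_MIN_HITS = 10     # assumption: hits needed before a burst is worth a look

def parse(log_text):
    """Return sorted (timestamp, ip, port, kind) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%B %d,%Y %H:%M:%S")
            events.append((ts, m["ip"], int(m["port"]), m["kind"]))
    return sorted(events)

def triage(events):
    """Map 'ip:port' to (hit count, smallest gap in seconds or None, verdict)."""
    by_src = defaultdict(list)
    for ts, ip, port, _kind in events:
        by_src[(ip, port)].append(ts)
    report = {}
    for (ip, port), stamps in by_src.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        rapid = sum(1 for g in gaps if g <= BURST_SECONDS)
        if rapid + 1 >= BURST_MIN_HITS:
            verdict = "investigate"   # many hits only seconds apart
        else:
            verdict = "likely late web reply" if port in WEB_PORTS else "unclassified"
        report[f"{ip}:{port}"] = (len(stamps), min(gaps, default=None), verdict)
    return report
```

On the lines from the question, every source is on port 80 or 443 and the closest repeats are 24 and 27 seconds apart, so nothing reaches the burst threshold.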
microchip8
Master

Re: DoS attack: ACK Scan

False positives most likely. NG's logging is crap

Routing: NETGEAR R7800 - Voxel Firmware 1.0.2.89SF & Kamoj addon
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
Message 3 of 3