[DoS attack: FIN Scan] attack packets in last 20 sec

I'm concerned about these entries in the log.  Lots of different countries appearing to attack/portscan.  I've disabled UPnP.  There's no option in the interface>Security menu to block IPs.  The router has a built in FW but I'd like to be able to manage this?  Anything else I should be disabling?  Not a network bod ;-)

 

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [52.215.69.151], Saturday, Feb 02,2019 14:12:44

[DHCP IP: (192.168.1.3)] to MAC address B0:93:5B:FE:BD:DA, Saturday, Feb 02,2019 14:08:57
[WLAN access rejected: incorrect security] from MAC

 

[LAN access from remote] from 159.203.169.16:40431 to 192.168.1.13:80, Saturday, Feb 02,2019 14:05:57

[DoS attack: ACK Scan] attack packets in last 20 sec from ip [104.127.28.49], Saturday, Feb 02,2019 13:51:17
[LAN access from remote] from 152.250.26.127:32817 to 192.168.1.13:80, Saturday, Feb 02,2019 13:51:03
[LAN access from remote] from 152.250.26.127:32816 to 192.168.1.13:80, Saturday, Feb 02,2019 13:51:03
[LAN access from remote] from 152.250.26.127:57591 to 192.168.1.13:80, Saturday, Feb 02,2019 13:51:03
[LAN access from remote] from 201.95.2.190:33670 to 192.168.1.13:80, Saturday, Feb 02,2019 13:50:30
[LAN access from remote] from 201.95.2.190:33671 to 192.168.1.13:80, Saturday, Feb 02,2019 13:50:30
[LAN access from remote] from 201.95.2.190:59980 to 192.168.1.13:80, Saturday, Feb 02,2019 13:50:30

 

 

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 1 of 16
duckware
Prodigy

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

What device is 192.168.1.13 and what is running on port 80 on that device?

Message 2 of 16
microchip8
Master

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

These are false positives and NG is very aggressive at logging such things, not to mention that NG's log is next to useless. You can disable in WAN Setup under Advanced -> Setup tab

 

btw, many people come here asking about the same. As said, false positives. If someone is attacking you, you'd feel it

 

Also disable Remote Access

Routing: NETGEAR R7800 - Voxel Firmware 1.0.2.89SF & Kamoj addon
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
Message 3 of 16

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

192.168.1.13 is my synology nas.

 

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 4 of 16

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

From WAN setup menu:

Disable port scan and DoS protection not checked;

Default DMZ server not checked. Remote management.

 

From Admin Remote management menu:

Turn on remote management not checked.

Message 5 of 16
duckware
Prodigy

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

So someone on the internet connected to your NAS?  Do *you* do anything that connects to your own NAS from the internet?

 

What do you see when you connect to http://192.168.1.13?  Hopefully a page that is protected so you can't access much?

 

You want to get to the bottom of why an outside initiated connection made it inside your network.  Any DMZ?  Any port forwarding?  And yes, UPnP off.

 

 

Message 6 of 16

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

Hi Duckware, cheers for the replies!

 

I'm not seeing anything on the NAS logs tbh.  I've got a strong account password set (thankfully).  Port 80 used for the photostation but will disable for the time being.

 

Yeah, want to get to the bottom of this.  The NG router seems a very good bit of kit, and I went for it after using an ISP router that was very insecure after each managed update from them. 

 

Thanks for your help/advice on this ;-)  

 

Message 7 of 16

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

Also, no DMZ or port forwarding set.

Message 8 of 16
duckware
Prodigy

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

OK maybe NAS is to blame for everything?? A quick Google search turned up this:

 

    https://forum.synology.com/enu/viewtopic.php?t=134127

 

This suggests that the NAS opened up ports in the router (to forward to NAS) via UPnP.

 

Yes, too many false positives and I also turned off the bogus FIN messages, etc.

 

But my experience is that "LAN access from remote" messages in the log are real events (not false positives).  That was a real remote access.

 

If you are satisfied that you have a log of things (maybe copy/paste log), verify UPnP off, and then power cycle router and confirm settings remain how you want them.  And hopefully that will be end of this...

 

 

Message 9 of 16
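The distinction drawn in the post above, between scan alerts and "LAN access from remote" entries, can be checked mechanically. The following is an added example, not part of the original thread and not NETGEAR code: it parses log lines in the format posted in the first message (the sample lines are copied from that post) and reports which LAN host and port were reached from the WAN. The function name `summarize` and the regular expressions are assumptions based only on the lines shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the first post in this thread.
SAMPLE_LOG = """\
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [52.215.69.151], Saturday, Feb 02,2019 14:12:44
[LAN access from remote] from 159.203.169.16:40431 to 192.168.1.13:80, Saturday, Feb 02,2019 14:05:57
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [104.127.28.49], Saturday, Feb 02,2019 13:51:17
[LAN access from remote] from 152.250.26.127:32817 to 192.168.1.13:80, Saturday, Feb 02,2019 13:51:03
[LAN access from remote] from 152.250.26.127:32816 to 192.168.1.13:80, Saturday, Feb 02,2019 13:51:03
[LAN access from remote] from 201.95.2.190:33670 to 192.168.1.13:80, Saturday, Feb 02,2019 13:50:30
[WLAN access rejected: incorrect security] from MAC
"""

# Patterns inferred from the posted lines (assumption, not a vendor spec).
REMOTE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<ts>.+)$")
SCAN = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] .* from ip \[(?P<src>[\d.]+)\], (?P<ts>.+)$")
TS_FORMAT = "%A, %b %d,%Y %H:%M:%S"

def summarize(log_text):
    """Return (exposed, scans): LAN services reached from the WAN, and scan-alert counts."""
    exposed = defaultdict(lambda: {"sources": set(), "hits": 0, "last": None})
    scans = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if m := REMOTE.match(line):
            entry = exposed[(m["dst"], int(m["dport"]))]
            entry["sources"].add(m["src"])
            entry["hits"] += 1
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            entry["last"] = max(entry["last"] or ts, ts)
        elif m := SCAN.match(line):
            scans[m["kind"]] += 1
        # DHCP, WLAN and truncated lines match neither pattern and are skipped.
    return dict(exposed), dict(scans)

if __name__ == "__main__":
    exposed, scans = summarize(SAMPLE_LOG)
    for (host, port), e in sorted(exposed.items()):
        print(f"{host}:{port} reached from WAN: {e['hits']} connections, "
              f"{len(e['sources'])} sources, last {e['last']}")
    print("scan alerts:", scans)
```

Any host and port that shows up in `exposed` is a service to trace back to a UPnP mapping, port forward or DMZ setting; after the changes described in the thread, the same check on a fresh log should return an empty `exposed`.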

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

The log looks better after turning off UPnP and port 80 on the NAS.  Going to go through all devices next and set reservations.  Want to lock everything down a bit more.

 

Top of the router log below.  Again, thanks for your advice. 

 

[Admin login] from source 192.168.1.5, Sunday, Feb 03,2019 09:45:13
[Admin login] from source 192.168.1.5, Sunday, Feb 03,2019 09:45:02
[DHCP IP: (192.168.1.5)] to MAC address 94:65:9C:BA:1B:7A, Sunday, Feb 03,2019 09:44:47
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:43:46
[DHCP IP: (192.168.1.24)] to MAC address F8:77:B8:55:BA:F8, Sunday, Feb 03,2019 09:42:01
[DHCP IP: (192.168.1.18)] to MAC address E4:B2:FB:39:8B:47, Sunday, Feb 03,2019 09:41:59
[DHCP IP: (192.168.1.30)] to MAC address F4:06:8D:80:BB:D2, Sunday, Feb 03,2019 09:41:43
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:41:21
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:38:48
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:37:36
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:35:59
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:34:35
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:30:26
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:27:12
[DHCP IP: (192.168.1.15)] to MAC address 0C:47:C9:A8:D8:4D, Sunday, Feb 03,2019 09:26:06
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:25:30
[DHCP IP: (192.168.1.7)] to MAC address B8:E9:37:19:FC:72, Sunday, Feb 03,2019 09:24:43

Message 10 of 16
schumaku
Guru

Re: [DoS attack: FIN Scan] attack packets in last 20 sec


@duckware wrote:

But my experience is that "LAN access from remote" messages in the log are real events (not false positives).  That was a real remote access.

Correct! Already the initial establishment of the TCP connection will be logged. And then the NAS will serve some Web login or more likely a Web page allowing at least some username and password authentication.

 

 

Message 11 of 16
IrvSp
Master

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

@dmitchell1975, your 192.168.1.7 device sure looks like what I see? Is that a Windows 10 Pro PC? Continual IP Address requests, seconds to minutes apart and it stops? PC coming out of SLEEP? USB wireless network Adapter?

 

Driving me up a wall. 2 PC's with W10 here... one Home, one Pro... 2 different Wireless USB Adapters. Both PC's running V1809, same Security Suite too. Been going on for what seems to be forever.

 

Only the Pro does this, I switched USB adapters between the two and both work OK (only ask for IP Address once) on the Home PC. On the Pro sometimes it is slow reconnecting, sometimes immediate, and then sometimes (rarely) it has to be done manually. Router used didn't matter either, been happening on 2 different NG routers.

 

This was the worst one yesterday that required a manual reconnect:

 

[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 20:27:48
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 20:26:41
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 20:26:29
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 20:14:34
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 20:06:33
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 20:05:37
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:52:11
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:51:45
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:48:18
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:47:17
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:39:35
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:38:04
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:35:51
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:26:50
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:26:40
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:26:13
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:25:01
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:24:51
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:23:00
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 19:22:50

Other times it looks more like this:

 

[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 08:13:17
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Friday, Feb 01,2019 08:13:07

Since it happens on 2 different USB devices I'm sure it is somehow machine specific. I've played with Power settings and device properties... nothing changes it?

 

I only responded as I see you've got about the same type of entries. Wondering if you had a clue about that, something I missed?

Message 12 of 16

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

Hi mate,

 

I have a w10 Pro laptop and a w10 home pc.  The first one is the w10 pro laptop , onboard wifi adapter.  It does drop into sleep mode pretty quickly so that will be what you're seeing there ;-)

 

 

Message 13 of 16

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

After making the changes, I'm not seeing the remote access connections in the NG logs.  Will check later when I get home from work.  I'm going to disable external access on my NAS now as I don't need it.

 

Strong authentication on the NAS......but always concerned when seeing IPs from Russia, China, Holland etc.......

Message 14 of 16
IrvSp
Master

Re: [DoS attack: FIN Scan] attack packets in last 20 sec


@dmitchell1975 wrote:

Hi mate,

 

I have a w10 Pro laptop and a w10 home pc.  The first one is the w10 pro laptop , onboard wifi adapter.  It does drop into sleep mode pretty quickly so that will be what you're seeing there ;-)

 

Are you seeing this on BOTH the HOME and PRO versions? Like I said, I have 2 PC's, one HOME, the other PRO and 2 different USB Wifi AC adapters. Doesn't matter which one (or drivers used on them) I put on PRO, I see the repeated IP requests. On the HOME, both USB Wifi AC adapters show only ONE IP Address request. Annoying... and on PRO both do not always reconnect coming out of sleep all the time.

Message 15 of 16

Re: [DoS attack: FIN Scan] attack packets in last 20 sec

Hey IrvSP,

 

No USB adapters on either for me.  I'm getting exactly the same as you.  Reckon it's the polling/log settings that we can't get into......maybe ssh and some funky commands that we don't yet know? 

On the whole I like this router, but the interface/console could be better.  A future update perhaps.... I also have some Devolo wifi adapters and I'd love to be able to manage them from NG Genie or web console.....

 

Message 16 of 16