Reply
rayarnold
Aspirant

DoS attack: smurf attack packets in Nighthawk R7000 logs

I see [DoS attack: Smurf] attack packets in the logs on my R7000 router. Hundreds of them, most all coming from my public IP address. I've disconnected extenders and all but one device and I still see the attack packets in the logs. Pls help! 

 
Model: R7000|AC1900 Smart WIFI Router
Message 1 of 5

Re: DoS attack: smurf attack packets in Nighthawk R7000 logs

Greetings,

The likelyhood of you as an individual being targeted for DOS attack is extremely low.  I'm sure they are safe to ignore. 

 

If they are legitimate and being blocked, the router is doing its job.  More times than not however, these are false positives. If you spend a little time here, you wil lsee this has been discussed many times. 

 

Here is an exerpt of my log:

 

[DoS attack: Fraggle Attack] from source 98.210.4.1,port 67 Wednesday, Mar 25,2020 07:26:33
[DoS attack: Fraggle Attack] from source 96.120.91.237,port 67 Wednesday, Mar 25,2020 07:26:29
[DoS attack: Fraggle Attack] from source 67.188.152.1,port 67 Wednesday, Mar 25,2020 07:24:44
[DoS attack: Fraggle Attack] from source 96.120.91.237,port 67 Wednesday, Mar 25,2020 06:57:55
[DoS attack: ACK Scan] from source 151.101.41.38,port 443 Wednesday, Mar 25,2020 06:49:03
[DoS attack: ACK Scan] from source 151.101.41.38,port 443 Wednesday, Mar 25,2020 06:48:34
[DoS attack: ACK Scan] from source 151.101.41.38,port 443 Wednesday, Mar 25,2020 06:48:19
[DoS attack: ACK Scan] from source 151.101.41.38,port 443 Wednesday, Mar 25,2020 06:48:05
[DoS attack: ACK Scan] from source 151.101.190.2,port 443 Wednesday, Mar 25,2020 06:48:00
[DoS attack: ACK Scan] from source 151.101.190.2,port 443 Wednesday, Mar 25,2020 06:47:43
[DoS attack: ACK Scan] from source 151.101.42.49,port 443 Wednesday, Mar 25,2020 06:47:42
[DoS attack: ACK Scan] from source 151.101.190.2,port 443 Wednesday, Mar 25,2020 06:47:42
[DoS attack: ACK Scan] from source 151.101.41.44,port 443 Wednesday, Mar 25,2020 06:47:42
[DoS attack: ACK Scan] from source 151.101.190.2,port 443 Wednesday, Mar 25,2020 06:47:41
[DoS attack: ACK Scan] from source 151.101.41.44,port 443 Wednesday, Mar 25,2020 06:47:41
[DoS attack: ACK Scan] from source 151.101.42.49,port 443 Wednesday, Mar 25,2020 06:47:41
[DoS attack: ACK Scan] from source 151.101.190.2,port 443 Wednesday, Mar 25,2020 06:47:32
[DoS attack: ACK Scan] from source 23.50.42.21,port 443 Wednesday, Mar 25,2020 06:46:15
[DoS attack: ACK Scan] from source 104.86.192.182,port 443 Wednesday, Mar 25,2020 06:46:08
[DoS attack: ACK Scan] from source 104.96.122.50,port 443 Wednesday, Mar 25,2020 06:45:52
[DoS attack: ACK Scan] from source 23.1.245.175,port 443

 

Does some of this traffic possibly exist.  Maybe.  Am I worried aboout it.  Absolutely not.

 

~Comcast 1 Gbps/50 Mbps SB8200 > R8000P
~R8000P FW:1.4.1.68 ~R7000 FW:1.0.9.42
~R6400 FW:1.0.1.52 ~Orbi-AC3000 FW:2.5.1.8
~EX3700 FW:1.0.0.84

Message 2 of 5
rayarnold
Aspirant

Re: DoS attack: smurf attack packets in Nighthawk R7000 logs

@shadowsports thanks, tho almost every entry is coming from my WLAN IP. Could it be an issue with my modem (arris tm822r)? 

 

Maybe unrelated: every few days my extender's 5GHz network goes down. Maybe the extender (netgear AC1900 EX7000) is just faulty...or maybe the router is doing its job incorrectly and bringing extender network down thinking it's the source of DoS attack? Worth noting, even when extender is unplugged, there are still hundres of DoS attack smurf entries in the router logs. 

 

 

Message 3 of 5

Re: DoS attack: smurf attack packets in Nighthawk R7000 logs

Greetings,

Could your modem be the cause of false DOS attacks..  absolutely.  Why or what, I couldn't say without knowing more about your environment.  Considerations:  What is performing DHCP?  Is the modem your DHCP server and the router being used as an access point?  Is the modem in bridge or pass-through mode?  Do you have any phones hooked up to the modem?

 

If you do have voice devices connected to the modem, then normal communication (them talking to the sever) might be incorrectly identified as an attack originating from your WAN.  There are too many possible causes to cover here.  I think its safe to say that truely malicious IP / port scans do not originate from your WAN IP.  Thats an older modem too, no telling what its doing. 

 

I think you're fine.

 

 

~Comcast 1 Gbps/50 Mbps SB8200 > R8000P
~R8000P FW:1.4.1.68 ~R7000 FW:1.0.9.42
~R6400 FW:1.0.1.52 ~Orbi-AC3000 FW:2.5.1.8
~EX3700 FW:1.0.0.84

Message 4 of 5
rayarnold
Aspirant

Re: DoS attack: smurf attack packets in Nighthawk R7000 logs

Thanks @shadowsports. Appreciate the response. 

 

R7000 is configured to get IP address dynamically from ISP, and to use router as DHCP server (in LAN setup). 

 

Have any recommendations for a new modem? 

 

Currently, no voice devices connected to modem. Not sure how to tell modem configuration.

Current specs: 

ARRIS DOCSIS 3.0 / PacketCable 2.0 Touchstone Telephony Modem/Retail
HW_REV: 2
VENDOR: Arris Interactive, L.L.C.
BOOTR: 1.2.1.62
SW_REV: 9.1.103M2AS.SIP.PC20.CT
MODEL: TM822R

Firmware Name: TS0901103M2AS_112019_MODEL_7_8_PC20_CT

Status

System Uptime:11 d: 18 h: 36 m
Computers Detected:staticCPE(1), dynamicCPE(1)
CM Status:Telephony-DHCP
Time and Date:Wed 2020-04-01 08:13:27
Message 5 of 5
Top Contributors
Discussion stats
  • 4 replies
  • 2328 views
  • 2 kudos
  • 2 in conversation
Announcements