IrvSp
Master

Does Netgear logs show too much info?

I'm starting to wonder. I've turned on the logging for the R7000 and it e-mails me results each day.

A few weeks ago I got this:

================
[DoS attack: Smurf] attack packets in last 20 sec from ip [68.202.181.xxx], Saturday, Mar 15,2014 04:58:37
================

The attack of course had my WAN IP address, which it normally does. The next wave never came in nor did the router shut off the Internet connection. Probably because it wasn't responded to, which is a good thing.

Yesterday it was Google's turn to 'attack' me:

=========================
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [74.125.21.113], Wednesday, Apr 02,2014 08:53:14
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [74.125.21.118], Wednesday, Apr 02,2014 10:31:02
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [74.125.21.149], Wednesday, Apr 02,2014 17:25:23
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [74.125.21.148], Wednesday, Apr 02,2014 21:24:51
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [74.125.21.155], Wednesday, Apr 02,2014 21:24:49
=========================

From what I've seen on a search this isn't usually a single instance, it is a flood. Too many different IPs to be bots, I'd think?

I'll assume if this is REAL and again, no response from the Router and the attack didn't continue.


A similar report was done 4 years ago on DSLREPORTS --> http://www.dslreports.com/forum/r24047561-Netgear-log-DOS-attack-FIN-Scan-and-DOS-attack-STORM-

I am pretty sure nothing got it or happened although I can't say I was using the computer at those times?

On other routers I have never seen anything like this? Are these 'bogus' reports or real and other routers don't bother reporting things blocked?
Message 1 of 8
IrvSp
Master

Re: Does Netgear logs show too much info?

I got this answer on my ISP forum:

===============
What you're seeing is caused by your firewall "forgetting" about the connections to Google prior to them finishing. This connection "memory" is referred to as state. Connection state is used to ensure proper routing and security policy in your router.

Essentially state is tracked in a small database your router uses to keep track of who it's talking to and at what stage the conversation is in. There are a bunch of factors that go into deciding how long state should be tracked ranging from TCP/IP RFC to higher stack protocols like HTTP and SPDY.

The alert you're seeing indicates FIN packets setting it off. This suggests that Google believed you still had an open session to their servers that had not yet been acknowledged for closure. Because of this they were sending you a packet to let you know there was no more data coming. Your router had already cleared the session from the state table though. Due to the entry being removed the FIN appeared to be unsolicited and therefore an "attack". Depending on your router and firmware it's likely you can tune your state table timings to not cause these false alerts.
===========

Could this be a F/W problem?

State in router cleared too soon?

I don't think the R7000 has a setting for time to clear the state table?
Message 2 of 8
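The ISP forum explanation above (state-table entry expires, a late FIN from the server then looks unsolicited) can be shown with a toy model. This is an added example, not code from the thread or from Netgear firmware: the idle timeout values are assumed, the state table is a simplification of a real firewall, and the log line fed to the parser is a constructed copy of the format posted in message 1.

```python
import re
from datetime import datetime, timedelta

# Log line format as it appears in the thread (constructed sample used in the test).
LOG_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last (?P<win>\d+) sec "
    r"from ip \[(?P<ip>[^\]]+)\], (?P<ts>.+)$"
)

def parse_netgear_line(line):
    """Return the fields of one Netgear DoS log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "kind": m["kind"],
        "window_sec": int(m["win"]),
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%A, %b %d,%Y %H:%M:%S"),
    }

class StateTable:
    """Toy stateful firewall: remembers outbound peers until an idle timeout (assumed value)."""
    def __init__(self, idle_timeout_sec):
        self.idle_timeout = timedelta(seconds=idle_timeout_sec)
        self.entries = {}  # peer ip -> time of the last packet seen on that connection

    def outbound(self, peer, now):
        self.entries[peer] = now  # new connection, or refresh of an existing one

    def inbound(self, peer, tcp_flag, now):
        """Classify an inbound packet: 'matched' if a live entry exists, else 'unsolicited'."""
        last = self.entries.get(peer)
        if last is None or now - last > self.idle_timeout:
            self.entries.pop(peer, None)   # entry already expired: the late FIN looks like a probe
            return "unsolicited"
        if tcp_flag == "FIN":
            del self.entries[peer]         # orderly close, forget the connection
        else:
            self.entries[peer] = now       # any other traffic keeps the entry alive
        return "matched"

def late_fin_outcome(idle_timeout_sec, idle_gap_sec, peer="74.125.21.113"):
    """Simulate one outbound connection, silence for idle_gap_sec, then the server's FIN."""
    t0 = datetime(2014, 4, 2, 8, 48, 0)  # constructed time shortly before the logged alert
    fw = StateTable(idle_timeout_sec)
    fw.outbound(peer, t0)
    return fw.inbound(peer, "FIN", t0 + timedelta(seconds=idle_gap_sec))
```

With a 120 s timeout and a 300 s quiet gap the FIN is classified as unsolicited (the "FIN Scan" case); a longer timeout than the gap makes the same packet match its connection.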
Retired_Member
Not applicable

Re: Does Netgear logs show too much info?

A problem?

I've seen this behavior from SOHO routers for years.
Message 3 of 8
networking
Aspirant

Re: Does Netgear logs show too much info?

I think it is unfortunate for so many "false positives" as it makes seeing actual threats more time consuming. I wouldn't consider any consumer level router good for firewall logs (though there may be one or some that are good). I see the built in firewall as a good protection feature, but not necessarily great for categorizing threats. Probably would be better to have a dedicated firewall in front of the router that has good logging capability.
Message 4 of 8
Retired_Member
Not applicable

Re: Does Netgear logs show too much info?

Agree with networking here.

I've never found the logs particularly useful on these types of devices.
Message 5 of 8
IrvSp
Master

Re: Does Netgear logs show too much info?

networking, I didn't really think anything got through. Was more wondering if the data was correct? Having not seen this before in other routers I've had, LinkSys or ASUS, I'm left to wonder if this is even real and not a F/W bug? Odd part, I've only seen it happen once, not again so far..?
Message 6 of 8
Mars Mug
Virtuoso

Re: Does Netgear logs show too much info?

I have a SOHO router that logs plenty of firewall events each day (incoming and outgoing), I rarely look at them and when I do it’s usually just to check that things are running OK. I don’t interpret the events as any kind of attack, but I’m fairly confident that if I ever was the target for an attack for some reason, I would get a clear indication of what is going on by looking at the firewall log (amongst other things).

So, what am I saying? Only spend time looking at your firewall log if you believe you are the subject of an attack (highly unlikely for most individuals) otherwise trying to interpret every event in the log will send you on wild goose chases.
Message 7 of 8
Retired_Member
Not applicable

Re: Does Netgear logs show too much info?

I see this happen every day when I log into my VPN for work. Norton Internet Security on my PC records a DoS attack because it isn't keeping track of state information with 100% accuracy so when I fire up the VPN without split tunneling, it forgets a couple of session source addresses and thinks they're DoS.
Message 8 of 8