Dos attack/back door?

ethantbk
Aspirant

[admin login] from source 192.168.1.2, Thursday, May 12, 2022 18:16:35
[admin login] from source 192.168.1.2, Thursday, May 12, 2022 18:15:54
[DoS attack:ACK_Scan] from source: 185.151.107.102,port 443, Thursday, May 12, 2022 17:57:53
[DoS attack:ACK_Scan] from source: 192.168.1.12,port 50587, Thursday, May 12, 2022 17:57:18
[DHCP IP: (192.168.1.11)] to MAC address 00:d2:b1:4e:b7:93, Thursday, May 12, 2022 17:50:51
[DHCP IP: (192.168.1.9)] to MAC address 74:ab:93:7b:91:2f, Thursday, May 12, 2022 17:31:56
[DoS attack:ACK_Scan] from source: 185.151.107.101,port 443, Thursday, May 12, 2022 17:25:09
[DHCP IP: (192.168.1.9)] to MAC address 74:ab:93:7b:91:2f, Thursday, May 12, 2022 17:21:45
[DHCP IP: (192.168.1.8)] to MAC address 74:ab:93:78:99:4e, Thursday, May 12, 2022 17:21:36
[DoS attack:ACK_Scan] from source: 192.168.1.12,port 54776, Thursday, May 12, 2022 17:20:42
[DoS attack:ACK_Scan] from source: 192.168.1.12,port 54775, Thursday, May 12, 2022 17:20:16
[DoS attack:ACK_Scan] from source: 17.248.230.30,port 443, Thursday, May 12, 2022 17:08:26
[admin login] from source 192.168.1.2, Thursday, May 12, 2022 17:06:21
[Log Cleared] Thursday, May 12, 2022 17:01:42

 

Could someone please give me some information on whether this is a false positive or a real DoS attack?

FURRYe38
Guru

Re: Dos attack/back door?

Probably false positives. 

What is the device at 192.168.1.12? That's on your LAN side of the router. 

 

Do a whois lookup on 185.151.107.102

 

Try not to post MAC addresses in public forums, for security reasons.

My Setup ISP SparkLight | Internet Cable 1000↓/50↑ CBR750 Modem | Wifi Router CBR750(v.7) | Switches NG GS105/8 and XS505M | 

Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: R7000, R7800, R7960P, R8000, R8500, RAXE500, RAX50, XR450, EX7500/EX7700, GS308v3


Re: Dos attack/back door?

@FURRYe38 wrote:

Probably false positives.

What is the device at 192.168.1.12? That's on your LAN side of the router.

Do a whois lookup on 185.151.107.102


% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '185.151.107.96 - 185.151.107.127'

% Abuse contact for '185.151.107.96 - 185.151.107.127' is 'abuse@ukrhub.net'

inetnum: 185.151.107.96 - 185.151.107.127
netname: UKRCOM-CUSTOMER-NET
country: UA
status: ASSIGNED PA
created: 2018-08-09T12:37:38Z
last-modified: 2018-08-09T12:37:38Z
source: RIPE
admin-c: YZ42-RIPE
tech-c: UHUB-RIPE
mnt-by: YZ42-RIPE-MNT
remarks: Customer connection

person: Koblyuk Andrei
address: vul. S. Khokhlovyh, 15
address: Kiev, Ukraine, 04050
phone: +380 44 2055570
e-mail: hostmaster@ukrhub.net
nic-hdl: UHUB-RIPE
notify: yuriz@ukr-com.net
mnt-by: YZ42-RIPE-MNT
created: 2007-05-10T07:08:53Z
last-modified: 2017-03-06T11:32:53Z
source: RIPE

person: Yuri Zlenko
address: 04119, Ukraine, Kiev
address: vul. Simyi Khokhlovyh, 15, 3-rd floor
phone: +380 44 205-5514
fax-no: +380 44 205-5525
e-mail: yuriz@ukr-com.net
nic-hdl: YZ42-RIPE
notify: yuriz@ukr-com.net
mnt-by: YZ42-RIPE-MNT
created: 2001-12-07T15:14:10Z
last-modified: 2017-03-06T11:28:28Z
source: RIPE

% Information related to '185.151.104.0/22AS12593'

route: 185.151.104.0/22
origin: AS12593
descr: Ukrcom, Ltd.
mnt-by: YZ42-RIPE-MNT
created: 2016-05-10T10:02:11Z
last-modified: 2016-05-10T10:02:46Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.103 (WAGYU)

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
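Reading the whois answer above by hand works for one address; the following is an added example, not code from the post, that pulls the decision-relevant fields out of a RIPE (RPSL) answer programmatically: the abuse mailbox, netname, country, the "Customer connection" remark and the originating AS, plus a check that the queried address really falls inside the returned inetnum range and route. WHOIS_EXCERPT repeats only the inetnum and route objects quoted in the thread; the person objects are left out on purpose.

```python
"""Extract the decision-relevant fields from a RIPE whois (RPSL) answer.

Added example, not code from the post. WHOIS_EXCERPT repeats the inetnum
and route objects the thread quotes for 185.151.107.102 (the person
objects are deliberately omitted). RPSL objects are "key: value" lines
separated by blank lines; lines starting with '%' are server comments.
"""
import ipaddress
import re

WHOIS_EXCERPT = """\
% This is the RIPE Database query service.
% Information related to '185.151.107.96 - 185.151.107.127'

% Abuse contact for '185.151.107.96 - 185.151.107.127' is 'abuse@ukrhub.net'

inetnum: 185.151.107.96 - 185.151.107.127
netname: UKRCOM-CUSTOMER-NET
country: UA
status: ASSIGNED PA
created: 2018-08-09T12:37:38Z
last-modified: 2018-08-09T12:37:38Z
source: RIPE
admin-c: YZ42-RIPE
tech-c: UHUB-RIPE
mnt-by: YZ42-RIPE-MNT
remarks: Customer connection

% Information related to '185.151.104.0/22AS12593'

route: 185.151.104.0/22
origin: AS12593
descr: Ukrcom, Ltd.
mnt-by: YZ42-RIPE-MNT
created: 2016-05-10T10:02:11Z
last-modified: 2016-05-10T10:02:46Z
source: RIPE
"""


def parse_rpsl(text):
    """Split an RPSL answer into objects, each a list of (key, value) pairs.

    Keys may repeat inside one object (two 'address' lines in a person
    object, for instance), so the pairs are kept as a list, not a dict.
    """
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("%"):
            continue                      # server comment, not object data
        if not line:
            if current:
                objects.append(current)
                current = []
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # not a key: value line, ignore it
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contact(text):
    """The abuse mailbox RIPE prints as a '%' comment line, or None."""
    m = re.search(r"Abuse contact for '[^']+' is '([^']+)'", text)
    return m.group(1) if m else None


def covers(ip, inetnum):
    """True if ip lies inside an RPSL inetnum range written 'first - last'."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return first <= ipaddress.ip_address(ip) <= last


def summarize(text, ip):
    """Collect the fields worth acting on, and confirm ip is inside the answer."""
    out = {"ip": ip, "abuse": abuse_contact(text)}
    for obj in parse_rpsl(text):
        d = dict(obj)                     # last value wins; fine for these keys
        if "inetnum" in d:
            out.update(inetnum=d["inetnum"], netname=d.get("netname"),
                       country=d.get("country"), remarks=d.get("remarks"),
                       in_range=covers(ip, d["inetnum"]))
        elif "route" in d:
            out.update(route=d["route"], origin=d.get("origin"),
                       descr=d.get("descr"),
                       in_route=ipaddress.ip_address(ip)
                       in ipaddress.ip_network(d["route"]))
    return out


if __name__ == "__main__":
    for k, v in summarize(WHOIS_EXCERPT, "185.151.107.102").items():
        print(f"{k:>9}: {v}")
```

The output says the address is a /27 customer assignment of a Ukrainian ISP (AS12593), with abuse@ukrhub.net as the place to report it if it ever did more than send stray ACKs. The range check matters when you paste an answer for the wrong address or when the server returns a less specific object than expected.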
ethantbk
Aspirant

Re: Dos attack/back door?

That IP is my phone. Also, when those attacks happen my whole internet service cuts out for 20-30 seconds.
microchip8
Master

Re: Dos attack/back door?

Disable DoS protection. 99% of the time these are false positives. I've been running for years without DoS protection and never had issues.

Routing: NETGEAR RAX43 - Firmware: V1.0.11.112 (1 Gbps down, 50 Mbps up)
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400, 16 TB
ethantbk
Aspirant

Re: Dos attack/back door?

Even if they're from Ukraine and messing up my internet?

microchip8
Master

Re: Dos attack/back door?

It's the "DoS protection" that is cutting your Internet, not Ukraine. They're just scanning. It happens to everyone, every time.


Re: Dos attack/back door?


@microchip8 wrote:

It's the "DoS protection" that is cutting your Internet, not Ukraine.

Beat me to it.

A bit more on that.

"DoS protection" and other features, such as QoS and toys like Armor, require the router's processor to do some heavy lifting beyond the usual management of the flow of traffic. Throw too much work at the processor and it throws in the towel and grinds to a halt.
