Re: Need help to understand why this is happening

MatthewC2
Tutor

Need help to understand why this is happening

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [70.186.10.96], Wednesday, May 03,2017 17:52:11
[DHCP IP: (192.168.1.9)] to MAC address 5xxxx, Wednesday, May 03,2017 17:51:39
[UPnP set event: Public_UPNP_C5] from source 192.168.1.6, Wednesday, May 03,2017 17:51:01
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [45.57.34.135], Wednesday, May 03,2017 17:50:48
[DHCP IP: (192.168.1.8)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:38
[DHCP IP: (192.168.1.7)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:32
[DHCP IP: (192.168.1.6)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:28
[DHCP IP: (192.168.1.5)] to MAC address xx:xx:xx:E3:72:51, Wednesday, May 03,2017 17:50:27
[Time synchronized with NTP server] Wednesday, May 03,2017 17:50:27
[Internet connected] IP address: 9x.xxx.xxx.xx, Wednesday, May 03,2017 17:50:27
[Internet disconnected] Wednesday, May 03,2017 17:50:26
[DHCP IP: (192.168.1.5)] to MAC address xxxxxx, Wednesday, May 03,2017 17:50:26
[Initialized, firmware version: V1.0.3.36_1.1.25] Wednesday, May 03,2017 17:50:25
[DHCP IP: (192.168.1.4)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:25
[DHCP IP: (192.168.1.3)] to MAC address xxxx, Wednesday, May 03,2017 17:50:23
[DHCP IP: (192.168.1.2)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:22
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [184.180.124.8], Wednesday, May 03,2017 17:49:24
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [70.186.11.27], Wednesday, May 03,2017 17:49:06
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [63.251.252.12], Wednesday, May 03,2017 17:48:44

 

I've been getting this for a month now and today was the worst day out of all those other days. I know I should have gotten help, but I thought it wasn't that serious, but it's been getting annoying lately and I have no idea why this is happening. I already had two factory resets and so far nothing, and I also changed the IP and still nothing, but my IP isn't getting leaked, but I wanted to make sure of it.

 

I looked up the IPs and they've been from my ISP, Google, Netflix, or games that I played, from their servers. This never happened when I first got the router and it was good, but then this happened and I haven't gotten to do a lot of stuff like my hw because of dc from websites.

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 1 of 23
William10a
Master

Re: Need help to understand why this is happening


@MatthewC2 wrote:

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [70.186.10.96], Wednesday, May 03,2017 17:52:11
[DHCP IP: (192.168.1.9)] to MAC address 5xxxx, Wednesday, May 03,2017 17:51:39
[UPnP set event: Public_UPNP_C5] from source 192.168.1.6, Wednesday, May 03,2017 17:51:01
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [45.57.34.135], Wednesday, May 03,2017 17:50:48
[DHCP IP: (192.168.1.8)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:38
[DHCP IP: (192.168.1.7)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:32
[DHCP IP: (192.168.1.6)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:28
[DHCP IP: (192.168.1.5)] to MAC address xx:xx:xx:E3:72:51, Wednesday, May 03,2017 17:50:27
[Time synchronized with NTP server] Wednesday, May 03,2017 17:50:27
[Internet connected] IP address: 9x.xxx.xxx.xx, Wednesday, May 03,2017 17:50:27
[Internet disconnected] Wednesday, May 03,2017 17:50:26
[DHCP IP: (192.168.1.5)] to MAC address xxxxxx, Wednesday, May 03,2017 17:50:26
[Initialized, firmware version: V1.0.3.36_1.1.25] Wednesday, May 03,2017 17:50:25
[DHCP IP: (192.168.1.4)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:25
[DHCP IP: (192.168.1.3)] to MAC address xxxx, Wednesday, May 03,2017 17:50:23
[DHCP IP: (192.168.1.2)] to MAC address xxxxx, Wednesday, May 03,2017 17:50:22
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [184.180.124.8], Wednesday, May 03,2017 17:49:24
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [70.186.11.27], Wednesday, May 03,2017 17:49:06
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [63.251.252.12], Wednesday, May 03,2017 17:48:44

 

I've been getting this for a month now and today was the worst day out of all those other days. I know I should have gotten help, but I thought it wasn't that serious, but it's been getting annoying lately and I have no idea why this is happening. I already had two factory resets and so far nothing, and I also changed the IP and still nothing, but my IP isn't getting leaked, but I wanted to make sure of it.

 

I looked up the IPs and they've been from my ISP, Google, Netflix, or games that I played, from their servers. This never happened when I first got the router and it was good, but then this happened and I haven't gotten to do a lot of stuff like my hw because of dc from websites.


An IP address like 192.168.1.2 should be the IP address of a device on your network, on the private side of the NAT server of the router, while 184.180.124.8 is an external source on the public side of the NAT server, so you have the normal IP address going to your modem, 192. range. I notice the IP address lease release and renewal from the log as well.

I also see the time update for the router.

I do not know what programs you have running or the total number of addresses you have accessing your network; hard to tell if programs are auto-updating or what.

Message 2 of 23
MatthewC2
Tutor

Re: Need help to understand why this is happening

So it's been a few weeks since this happened and everything was all well when I switched to an older update. But Netgear released a new firmware on the 19th and I decided to update the router.

But when I did I got

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [151.101.40.230], Monday, May 22,2017 18:52:36
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [104.67.107.137], Monday, May 22,2017 18:47:40

 

This happened when the router came back up, and when I went back to the older firmware, I got the same thing.

I also want to know: if I go to a custom firmware, will this happen less? Because whenever I game I get a huge lag spike and disconnect after.

 

If there is a solution please help me.

 

 

Message 3 of 23
FURRYe38
Guru

Re: Need help to understand why this is happening

I'd talk to your ISP and give them these IP addresses to see if they can help block or find out where they are coming from. Use the domaintools site as well to see where these IP addresses are from.

 

What is your ISP service? 

What is your ISP modem Mfr and model #? 

My Setup (Cable 1Gbps/50Mbps)>CAX80 v2.1.2.1(LAG Disabled)>RBK853 v4.6.3.16
Additional NG HW: C7800/CM1100/CM1200CM2000, Orbi CBK40, CBR750, RBK50(v22), SXR30(v110), R7000(v34), R7800(v84), R7960P(v82), EX7500/EX7700, XR450(v120) and WNHDE111
Message 4 of 23
IrvSp
Master

Re: Need help to understand why this is happening

Not sure about the first one, but the 2nd is Akamai, quite normal to be going there at a LOT of web sites as they do call that one for details for advertising.

 

I would think these are 'false positives'. That is it is normal traffic that the router was 'confused' on. Real attacks would be repeated within seconds and eventually the router would shutdown, at least for that connection.

 

I get them frequently. If you Google 'DOS Attacks' you'll find many reports of same, and for some reason a vast majority are reports from Netgear users. I personally think the router either missed the outgoing TCP/IP packet that the PC sent and then gets what it thinks is an unsolicited TCP/IP packet and reports it and throws it away. Meanwhile TCP/IP didn't get a response within the allotted time and does another request. Packet sent back and since the router knew to expect it it sends it onto the PC. This is done within seconds so you do not realize there was something going on.

 

Hard to verify unless you kept a time log of what you were doing when these 'attacks' occur.

Message 5 of 23
GearNetRouter
Virtuoso

Re: Need help to understand why this is happening

Turn upnp off.
Message 6 of 23
MatthewC2
Tutor

Re: Need help to understand why this is happening

Did it and so far I still get

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [146.20.132.161], Tuesday, May 23,2017 12:52:36

 

Message 7 of 23
MatthewC2
Tutor

Re: Need help to understand why this is happening

The ISP is Cox and the modem is a DPQ3212 that Cox gave my family.

Message 8 of 23
FURRYe38
Guru

Re: Need help to understand why this is happening

Contact Cox support and ask them about this.

Message 9 of 23
IrvSp
Master

Re: Need help to understand why this is happening

That is coming from RACKSPACE HOSTING...

 

Are you running Torrents?

 

You can contact them if you want at abuse@rackspace.com and see what they say.

Message 10 of 23
schumaku
Guru

Re: Need help to understand why this is happening

The ISP won't be able to do anything. Neither on Akamai (which is by far not for hosting advertisements only) nor for Fastly (another cloud service provider).

In brief, all the DoS alerts are triggered much too early on the Netgear routers, and worst case, they execute some actions against these connections, which can and will lead to connectivity issues, as you experienced already.

It's of course typical of rebooting the router: one or many clients on the (W)LAN can have active connections to the outside world, and these connections can be terminated ... by normal TCP/IP stack behavior, which can lead to these faux DoS alerts (and actions).

Message 11 of 23
MatthewC2
Tutor

Re: Need help to understand why this is happening

I just disabled port scan, DoS Protection, UPnP and everything seemed to work better than before without having to disconnect every 30 mins.

Thanks for the help.

If anything comes up I'll just call my ISP to see if they can help with finding a solution.

Message 12 of 23
GearNetRouter
Virtuoso

Re: Need help to understand why this is happening

Hmmm, You disabled DOS protection?

 

See if your ISP can change your public IP address.

 

https://www.podfeet.com/blog/tutorials-5/how-to-turn-off-upnp-on-netgear-nighthawk-routers/

Message 13 of 23
FURRYe38
Guru

Re: Need help to understand why this is happening

Probably not UPnP related as disabling would not prevent scans from happening.

 

Agree about having the ISP change this WAN IP address. 

Message 14 of 23
IrvSp
Master

Re: Need help to understand why this is happening

I got a really odd one last night. When I know the PC's were off and maybe the only thing working and being used was my iPad....

 

=============

[Self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is dropped! Tuesday, May 23,2017 21:36:14

=============

 

Plenty of hits for this on Google searches, but the first time I've seen it, and on an R7000 with the new 1.0.8.34 flash.

 

Oddly enough the first time just now when I tried to use the browser to look at the router via Genie using Firefox I get the p/w recovery screen? I use FF to fill in the UID and PW. Confused over that so I canceled and tried again, this time it worked fine? Log is clean, no activity other than e-mail sent, my PC getting an address (fixed), and me logging into the Admin?

 

Wonder what is going on with this flash?

Message 15 of 23
GearNetRouter
Virtuoso

Re: Need help to understand why this is happening

Personally I would call the ISP and have them change your IP. If they refuse just shut it all down for a few days and they might assign you a new one.

 

I would also return the hardware and get a new one, maybe a different brand. 

 

If you are enamoured with NG, then I would reset the hardware and start new.

 

Conflicting opinions:

 

https://community.netgear.com/t5/DSL-Modems-Routers/Self2WAN-ICMP-type-b-Detected/td-p/502914

 

 

https://www.reddit.com/r/Rainbow6/comments/4f0swh/this_denial_of_service_bs_is_getting_old/

 

 

Google the topic and let us know whats up?

Message 16 of 23
IrvSp
Master

Re: Need help to understand why this is happening


@GearNetRouter wrote:

Personally I would call the ISP and have them change your IP. If they refuse just shut it all down for a few days and they might assign you a new one.

 

I would also return the hardware and get a new one, maybe a different brand. 

 

If you are enamoured with NG, then I would reset the hardware and start new.

 

Conflicting opinions:

 

https://community.netgear.com/t5/DSL-Modems-Routers/Self2WAN-ICMP-type-b-Detected/td-p/502914

 

 

https://www.reddit.com/r/Rainbow6/comments/4f0swh/this_denial_of_service_bs_is_getting_old/

 

 

Google the topic and let us know whats up?


What is this with 'calling your ISP'? They are usually useless (IMHO) anyway, and certainly once you say you have a router.

 

This new flash is starting to give me a lot of attacks... to me a sign something is wrong in the firmware.

 

BTW, I did see those links suggested (and more).

 

As I think back on the time, it might have been close to the time I tried using a specific app on my iPad that failed to start. I closed it and erased it from RAM and tried again and it worked. That app (from my ISP to watch TV) was updated on 5/18 and I've been experiencing problems with it started for a few days... wonder if that was related now?

Message 17 of 23
schumaku
Guru

Re: Need help to understand why this is happening

Virtually all DoS log entries we have in the logs from the Netgear routers are remaining fractals of valid, previously correctly established connections - or false positives caused by activities on the attached networks, being WAN or (W)LAN.

 

Neither a new public IP, nor a router reset, nor whatever will change anything. the Netgear router DoS is over-sensitive, and not reflecting today's typical workload on a router. Where today translates to some x minus 15 or 20 years.

 

Instead of contacting the ISP (an absolute waste of time - they can't do nothing) complain with Netgear about all these false DoS positives.

Message 18 of 23
IrvSp
Master

Re: Need help to understand why this is happening


@schumaku wrote:

Virtually all DoS log entries we have in the logs from the Netgear routers are remaining fractals of valid, previously correctly established connections - or false positives caused by activities on the attached networks, being WAN or (W)LAN.

 

Neither a new public IP, nor a router reset, nor whatever will change anything. the Netgear router DoS is over-sensitive, and not reflecting today's typical workload on a router. Where today translates to some x minus 15 or 20 years.

 

Instead of contacting the ISP (an absolute waste of time - they can't do nothing) complain with Netgear about all these false DoS positives.


Absolutely agree. Especially about the recent rash of contacting your ISP.

 

I also do not think ANY log entry coincides with any lost data or performance issues. Googling almost ANY DOS attack and you'll find generally only ONE MFG.'s router associated with it, NETGEAR's!!!

 

I would either think this is a bug in the router flash where there could be a timing issue of not realizing that it should be getting a TCP/IP packet back due to it was busy and missed an outgoing packet, or a plain old bug somewhere where the logging function was called when it shouldn't have been. TCP/IP doesn't really care though because if it doesn't get a return packet when it is expecting one it just issues the request again, and that one generally comes through and the user never notices a lag.

Message 19 of 23
GearNetRouter
Virtuoso

Re: Need help to understand why this is happening

do what you need to do. u asked for help. if you already know what you want to do why bother to get hand holding? u go.

Message 20 of 23
MatthewC2
Tutor

Re: Need help to understand why this is happening

I just started to get the DoS attacks again. I did some investigating and found out the DoS attacks were coming from my mom's phone. I thought that UPnP or having DoS protection disabled was going to help by having it limited, but no, my mom was having her phone screen repaired on the day I disabled those things. I updated her phone and deleted some apps to see if those could be it, but no result. I was still getting DoS attacks. If anyone knows how to resolve this, reply. Or should I have two routers running, with her on the other router?

Message 21 of 23
FURRYe38
Guru

Re: Need help to understand why this is happening

What phone and OS is she using? If this is coming from her phone then don't allow it on your network. Having two routers won't help either since it's on the LAN side.

Does this happen if you disconnect her phone from the WiFi?

Might do a full factory reset on the phone after you back up her contacts or profile and then see if it continues to happen without installing any other apps on the phone after the factory reset.

 

You might contact the phone Mfr or phone service provider and get additional help. 

Message 22 of 23
IrvSp
Master

Re: Need help to understand why this is happening

Not really unusual that the attacks show an IP Address on the LAN.

 

Happens one of two ways.

 

  • Device reported as the IP Address is sending out some improper TCP/IP packets. Either from an application or the router isn't handling requests properly.
  • You can be under an attack, but it is more like probing. It is a spoofed IP Address though. Router does its job and rejects the packet. Probably a low 192.168.1.xxx number too, an xxx of 2 or 3....

First thing I'd try and do is figure out by TIMESTAMP if your mother's phone was being used, and if so, what for and what was it using? You'll also need to know what was going on in the Router as well. See from the timestamps what was being done by all devices... it could be as simple as an overload on the router and it was missing packets.

 

One thing I'd do is ENABLE in LOGGING the log itself and ALL options. That will help possibly with timestamps seeing what is going on by whom.

 

There are tools that might help track it down too, such as WireShark or ActivTrak, but that isn't as easy as it sounds.

 

Some links for network data analysis to read:

 

http://techwiser.com/what-others-are-browsing-on-your-wifi/

http://lifehacker.com/how-to-tap-your-network-and-see-everything-that-happens-1649292940

https://kb.netgear.com/24224/How-do-I-view-the-activity-logs-of-my-Nighthawk-router

https://www.acrylicwifi.com/en/blog/sniffer-traffic-wifi-windows-7-8/

https://www.acrylicwifi.com/en/blog/how-to-capture-wifi-traffic-using-wireshark-on-windows/

 

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 23 of 23
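
The timestamp correlation suggested in the last reply, combined with the earlier point that router restarts produce faux DoS alerts, as an added example that is not part of the original thread: a parser for the log format quoted above that marks each DoS alert by whether a restart or a DHCP lease falls within a few minutes of it. The 5-minute window, the function names, and the placeholder WAN IP and MAC address are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input built from log lines quoted in the thread; the WAN IP and the
# MAC address are placeholders because the posts redact them.
SAMPLE_LOG = """\
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [70.186.10.96], Wednesday, May 03,2017 17:52:11
[DHCP IP: (192.168.1.9)] to MAC address xx:xx:xx:xx:xx:09, Wednesday, May 03,2017 17:51:39
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [45.57.34.135], Wednesday, May 03,2017 17:50:48
[Internet connected] IP address: 203.0.113.7, Wednesday, May 03,2017 17:50:27
[Initialized, firmware version: V1.0.3.36_1.1.25] Wednesday, May 03,2017 17:50:25
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [63.251.252.12], Wednesday, May 03,2017 17:48:44
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [146.20.132.161], Tuesday, May 23,2017 12:52:36
"""

# "[event] optional detail, Weekday, Month DD,YYYY HH:MM:SS"
LINE_RE = re.compile(r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),?\s*"
                     r"(?P<ts>\w+, \w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def parse_log(text):
    """Return log entries as dicts, oldest first; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["ts"], "%A, %B %d,%Y %H:%M:%S")
            entries.append({"event": m["event"], "detail": m["detail"], "time": when})
    return sorted(entries, key=lambda e: e["time"])

def triage(entries, window=timedelta(minutes=5)):
    """For each DoS alert, record nearby router restarts and DHCP leases."""
    restarts = [e["time"] for e in entries
                if e["event"].startswith(("Initialized", "Internet connected"))]
    leases = []
    for e in entries:
        lan = IP_RE.search(e["event"]) if e["event"].startswith("DHCP IP") else None
        if lan:
            leases.append((e["time"], lan.group(1)))
    report = []
    for e in entries:
        if not e["event"].startswith("DoS attack"):
            continue
        src = IP_RE.search(e["detail"])
        report.append({
            "source": src.group(1) if src else None,
            "kind": e["event"].split(": ", 1)[1],
            "time": e["time"],
            # Alerts clustered around a restart fit the false-positive pattern.
            "near_restart": any(abs(e["time"] - r) <= window for r in restarts),
            "leases_nearby": sorted({ip for t, ip in leases
                                     if abs(e["time"] - t) <= window}),
        })
    return report

if __name__ == "__main__":
    for row in triage(parse_log(SAMPLE_LOG)):
        print(row["time"], row["kind"], row["source"],
              "near restart" if row["near_restart"] else "no restart nearby",
              row["leases_nearby"])
```

Alerts that are not near a restart are the ones worth lining up against what each device was doing at that time.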