bascaves
Apprentice

R7000 Router report DDOS SMURF attack from R7000 AP's, part 2

Hello Community,

After I reported this about a year ago, the issue never went away: my R7000 router (192.168.1.1) reports a daily DOS_SMURF attack.

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/R7000-Router-report-DDOS-SMURF-attack-from-R...

After firmware upgrades, resets etc. in the meantime, nothing changed in the symptom. Finally I found a moment to take a Wireshark capture, and guess what I found. That was easy, as the time of day is always about the same.

The log message:

Admin login] from source 192.168.1.99, Tuesday, Aug 21,2018 20:17:35
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.2], Tuesday, Aug 21,2018 20:15:52
[UPnP set event: Public_UPNP_C3] from source 192.168.1.90, Tuesday, Aug 21,2018 20:04:12
[DHCP IP: (192.168.1.115)] to MAC address C8:5B:76:3A:4F:CC, Tuesday, Aug 21,2018 20:00:25

 

Guess what: I see the AP trying to resolve www.netgear.com, doing a ping and then checking for a firmware update.

See the attached picture of the capture.

So it looks like Netgear sees its own s/w update request from the R7000 AP as a DOS_SMURF attack on the R7000 Router.

 

BTW: the same is reported every 24 hours at the same time for the other AP, 192.168.1.3.

I still need to collect a Wireshark capture at that time. However, at mid-day I am seldom home.

But I expect the same result as the attached picture of the capture showing this.
[Internet connected] IP address: 94.224.111.149, Tuesday, Aug 21,2018 15:49:46
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.3], Tuesday, Aug 21,2018 15:38:53
[LAN access from remote] from 5.8.54.27:56449 to 192.168.1.90:8088, Tuesday, Aug 21,2018 15:22:30

Hardware:

1 x R7000 as Router

2 x R7000 as AP

All running Firmware Version V1.0.9.28_10.2.32

 

BTW:
Don't ask me at this moment to upgrade to 1.0.9.34_10.2.36 and see if it resolves the issue.

I follow the threads about unstable wifi again. So I am reluctant to upgrade all devices without further positive feedback.

Also I wonder if this last s/w version addresses this problem. The release notes don't mention anything about it.

So I would rather stay with what I see as a false positive log message.

 

BTW2:

If Netgear support wants the real trace they can contact me in unicast.

 

Netgear remains a frustrating, funny networking company struggling with their firmware stability and other strange side effects.

Bas.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 5
microchip8
Master

Re: R7000 Router report DDOS SMURF attack from R7000 AP's, part 2

90% of these "attacks" are false positives. You shouldn't trust NG's logs that much.

Routing: NETGEAR R7800 - Voxel Firmware 1.0.2.82.1SF
Switching: 2x NETGEAR 8-ports (GS108v4) / 1x NETGEAR 16-ports (JGS516v2)
Desktop: AMD Ryzen 7 3700X - Server: Intel Core i7-7700K - NAS: Intel Pentium G4400 - Cruncher: Intel Core i5-7400
Message 2 of 5
about_blank
Aspirant

Re: R7000 Router report DDOS SMURF attack from R7000 AP's, part 2

I own Asus. :P

Message 3 of 5
IrvSp
Master

Re: R7000 Router report DDOS SMURF attack from R7000 AP's, part 2

True, we've all seen similar attacks, and if you Google those attacks you'll see almost all are on NG h/w.

I think it is poor f/w TCP/IP packet handling, and occasionally it 'loses track' of a few. Then when a TCP/IP packet comes in it doesn't know why or where to send it, hence the attack... could be another device on the LAN trying to communicate with another device, a WAN packet coming in, whatever. The reason you don't see any problems is because a packet gets resent if there is no ACK that it got to the place it was supposed to, so it gets sent again.

Check the IP addresses and you'll probably be able to figure out why, with a timestamp and what you were doing.

Suspect logging has never been solid and NG has not done much to correct it.

I gave up trying to figure those out.

True attacks wouldn't be minutes or more apart either; they would be seconds apart and continuous as well. I think after too many in a row the router will close the WAN connection for a period of time too, at least that is what I recall reading but can't point to it now.

Message 4 of 5
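As an added triage example (not code from this thread, from Netgear or from any poster), the script below parses log lines in the exact "[DoS attack: ...]" layout quoted in the first post and applies the two heuristics the thread offers: a source inside the LAN (assumed here to be 192.168.1.0/24, the router's subnet from the first post) whose entries are isolated or land about 24 hours apart looks like the scheduled firmware check bascaves captured, while entries seconds apart and continuous, as IrvSp describes a real flood, are the ones worth a capture. The sample log is constructed: it reuses the two Smurf entries from the first post, adds a constructed entry one day earlier for 192.168.1.2 to show the daily cadence, and adds a constructed burst from 203.0.113.7 (an RFC 5737 documentation address, not a real host).

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log in the R7000 format quoted in the thread.
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.99, Tuesday, Aug 21,2018 20:17:35
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.2], Tuesday, Aug 21,2018 20:15:52
[UPnP set event: Public_UPNP_C3] from source 192.168.1.90, Tuesday, Aug 21,2018 20:04:12
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.3], Tuesday, Aug 21,2018 15:38:53
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.2], Monday, Aug 20,2018 20:15:49
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.7], Tuesday, Aug 21,2018 03:00:10
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.7], Tuesday, Aug 21,2018 03:00:30
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.7], Tuesday, Aug 21,2018 03:00:50
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.7], Tuesday, Aug 21,2018 03:01:10
"""

# "[DoS attack: <kind>] attack packets in last N sec from ip [<ip>], <weekday>, <Mon D,YYYY HH:MM:SS>"
DOS_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last \d+ sec from ip "
    r"\[(?P<ip>[^\]]+)\], \w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)
TS_FORMAT = "%b %d,%Y %H:%M:%S"

# Assumption: the LAN is the router's /24 from the first post (192.168.1.1).
LAN_NET = ip_network("192.168.1.0/24")


def parse_dos_events(log_text):
    """Return the DoS entries of a log as dicts with kind, ip and a datetime."""
    events = []
    for line in log_text.splitlines():
        m = DOS_RE.match(line.strip())
        if m:
            events.append({"kind": m["kind"], "ip": m["ip"],
                           "ts": datetime.strptime(m["ts"], TS_FORMAT)})
    return events


def triage(events, lan_net=LAN_NET, burst_gap=timedelta(seconds=60),
           daily_tolerance=timedelta(minutes=5)):
    """Group DoS entries by source IP and label each source.

    burst: every gap between consecutive entries is <= burst_gap
           (the 'seconds apart and continuous' pattern of a real flood).
    daily: every gap is roughly 24 h (the once-a-day cadence reported for the APs).
    """
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e["ts"])

    verdicts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()                       # log is newest-first; order by time
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        lan = ip_address(ip) in lan_net
        burst = bool(gaps) and all(g <= burst_gap for g in gaps)
        daily = bool(gaps) and all(abs(g - timedelta(days=1)) <= daily_tolerance for g in gaps)
        if burst:
            verdict = "continuous-burst"       # worth a packet capture, whatever the source
        elif lan:
            verdict = "likely-false-positive"  # LAN host, isolated or scheduled entries
        else:
            verdict = "isolated"               # spaced entries from outside the LAN
        verdicts[ip] = {"count": len(stamps), "lan": lan, "burst": burst,
                        "daily": daily, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for ip, v in triage(parse_dos_events(SAMPLE_LOG)).items():
        flags = ", ".join(k for k in ("lan", "burst", "daily") if v[k])
        print(f"{ip:<14} {v['count']} entries [{flags}] -> {v['verdict']}")
```

On the constructed sample, both APs come out as likely false positives (192.168.1.2 with the daily flag set, 192.168.1.3 with a single entry) and only the 20-second series from 203.0.113.7 is labelled a continuous burst. Tune `burst_gap` and `daily_tolerance` to the cadence of your own log before trusting the labels.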
bascaves
Apprentice

Re: R7000 Router report DDOS SMURF attack from R7000 AP's, part 2

Hello,

Netgear's firmware always comes with surprises. It is just funny that an R7000 marks messages from another R7000 as an attack. Like Netgear never thought people would do that ;-). It leaves you thinking what Netgear firmware truly detects :-)

IrvSp, thank you for the reply.

Bas.

Message 5 of 5