
R7000 Under constant smurf DOS attack.

Ferrez
Aspirant

R7000 Under constant smurf DOS attack.

My router has been under nonstop smurf DOS attacks for a couple weeks now. The attacks have varied from every few seconds throughout the day to every minute. It never stops. I've tried many solutions, contacted my ISP, and nothing is working. The router is up to date. I've attached one picture of one of the logs from today. I've been unable to find any information or solutions about this kind of problem with this model of router. Any help is appreciated.

R7000 Nighthawk AC1900 Dual Band Wifi Router

Firmware Version V1.0.9.18_1.2.27

Windows 10 OS

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 1 of 28
JamesGL
Master

Re: R7000 Under constant smurf DOS attack.

Message 2 of 28
Ferrez
Aspirant

Re: R7000 Under constant smurf DOS attack.

Thanks for the response,

 

I tried the firmware you linked me to. The attack is still ongoing even after the hotfix was installed. 

Message 3 of 28
JamesGL
Master

Re: R7000 Under constant smurf DOS attack.

Hi Ferrez,

 

Please send me via PM the logs of the router.

Message 4 of 28
Ferrez
Aspirant

Re: R7000 Under constant smurf DOS attack.

Hello, was wondering if you received the logs in the PM I sent you a couple months back. If you didn't receive the PM I originally sent I can send another.

Message 5 of 28
JamesGL
Master

Re: R7000 Under constant smurf DOS attack.

Hi Ferrez,

 

I have not received one. Please send it again.

Message 6 of 28
Ferrez
Aspirant

Re: R7000 Under constant smurf DOS attack.

I sent the logs and a picture of them as well to you just now. Labeled Re: R7000 Under constant smurf DOS attack.

Message 7 of 28
JamesGL
Master

Re: R7000 Under constant smurf DOS attack.

Hi Ferrez,

 

Thank you for sending it. I will check that one.

Message 8 of 28
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

Hi,

 

I'm facing a similar issue with smurf DOS attacks. But attacks are coming from my R7000 configured as AP. Configuration:

 

1 R7000 as Router (192.168.1.1) - let's call it R7000R

1 R7000 as Access Point (192.1.2) - let's call it R7000AP

 

When R7000R is attacked by R7000AP, R7000R turns off internet to R7000AP. I also see WiFi being closed at R7000AP at the same time. Then after a few minutes it works again. And then 5-10 minutes later, it starts all over again. Only 1 PC is connected to R7000AP WiFi - nothing wired. I'm using latest firmware V1.0.9.26_10.2.31. And I also tried a factory reset of R7000AP. But it didn't help. I have also disabled DOS attack protection on R7000R, but I assume it only has an effect on the ISP WAN connection?

 

Here is an extract from log files (not from same event, as I by mistake cleared R7000R log) - more and synchronized logs can be provided if needed.

 

R7000AP:

[Admin login] from source 192.168.1.11, Monday, Jan 22,2018 23:01:23
[Time synchronized with NTP server] Saturday, May 19,2018 18:38:36
[Internet connected] IP address: 192.168.1.2, Saturday, May 19,2018 18:38:35
[Initialized, firmware version: V1.0.9.26] Saturday, May 19,2018 18:38:34
[Internet disconnected] Saturday, May 19,2018 18:38:33

 

R7000R:

...
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.2], Saturday, May 19,2018 18:30:10
...
[Log Cleared] Saturday, May 19,2018 18:06:42

 

Serial Number: 4457617FA167B

Serial Number: 4457617EA2870

  

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 9 of 28
JamesGL
Master

Re: R7000 Under constant smurf DOS attack.

Hi JSandgaard,

 

This is the latest firmware.

 

https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix

Message 10 of 28
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

I'll try that.

Message 11 of 28
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

Hi,

 

In my continued testing of the dos smurf issue, I might have found a way to reproduce the issue. If I use the internet speed test below (connected via WiFi to R7000AP, and nothing else is connected) R7000AP starts dos smurf "attacking" R7000R and shortly after R7000AP freezes and must be restarted. 

 

http://www.speedtest.net/

 

I hope the hot fix will help. Thanks.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 12 of 28
StephenSin
Aspirant

Re: R7000 Under constant smurf DOS attack.

Hi, my R7000P also has this issue, being DoS from unknown IPs

My R7000P Firmware Version is V1.3.1.26_10.1.3

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 13 of 28
JamesGL
Master

Re: R7000 Under constant smurf DOS attack.

Hi JSandgaard,

 

Just let us know if it works for you.

Message 14 of 28
JamesGL
Master

Re: R7000 Under constant smurf DOS attack.

Message 15 of 28
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

Hi,

I've updated both R7000 with the provided hotfix. Until now, it's been working fine (30 minutes uptime till now). I have tried testing with SpeedTest.NET on PC and iPhone against the R7000AP. That works too (before the AP would crash at once).

Thanks a lot for great support.

Kind regards,

Jackie

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 16 of 28
StephenSin
Aspirant

Re: R7000 Under constant smurf DOS attack.

Hi, James, I still got the problem in the hot-fix firmware

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 17 of 28
Blanca_O
NETGEAR Moderator

Re: R7000 Under constant smurf DOS attack.

@JSandgaard, keep us posted of the result. Thank you! 

 

 

@StephenSin, do you have the same network setup with JSandgaard (2 R7000 connected)? 

Message 18 of 28
StephenSin
Aspirant

Re: R7000 Under constant smurf DOS attack.

No, my R7000P is connected to the fiber model directly, no any other R7000P connected. I was attacked by some ips from the world wide.

Model: R7000P|Nighthawk AC2300 Smart WiFi Router with MU-MIMO
Message 19 of 28
jg121234
Tutor

Re: R7000 Under constant smurf DOS attack.


@StephenSin wrote:

No, my R7000P is connected to the fiber model directly, no any other R7000P connected. I was attacked by some ips from the world wide.


Your photo shows some "DOS attacks" that are hours apart.  You have nothing to worry about unless there are many thousands of these per second.  You can ignore these in the logs.  The other person was having an issue where his internal access point was attacking his own router and causing it to crash.

Message 20 of 28
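Added example (not part of any poster's message and not NETGEAR code): one way to triage the log format quoted in this thread, grouping `[DoS attack: ...]` entries by source address, separating RFC 1918 (LAN) sources such as an access point from WAN sources, and measuring how far apart the entries are. The sample lines are constructed, and the function and field names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the log format quoted in this thread (not real logs).
SAMPLE_LOG = """\
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.2], Saturday, May 19,2018 18:31:30
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.2], Saturday, May 19,2018 18:30:50
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.2], Saturday, May 19,2018 18:30:10
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.7], Saturday, May 19,2018 14:47:33
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.7], Saturday, May 19,2018 09:12:01
[Log Cleared] Saturday, May 19,2018 18:06:42
"""

# RFC 1918 ranges only; ip.is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENTRY = re.compile(
    r"\[DoS attack: [^\]]+\].*?from ip \[(?P<ip>[^\]]+)\], "
    r"\w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

def summarize(log_text):
    """Group DoS entries by source IP; report origin, count and typical gap."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # other event types, e.g. [Log Cleared]
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        seen[ip].append(datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"))
    report = {}
    for ip, stamps in seen.items():
        stamps.sort()  # router logs are newest-first
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        report[str(ip)] = {
            "origin": "LAN" if any(ip in net for net in RFC1918) else "WAN",
            "events": len(stamps),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,  # upper median
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A LAN source with gaps of seconds points at a device on the local network, as with the access point described in this thread, while WAN sources hours apart match the pattern the reply above says can be ignored.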
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

Hi,

 

Sorry for late answer - been traveling.

 

https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix did not fix it 100% after a 1-2 hours smurf attacks from the R7000AP (access point) on the R7000R (router towards my ISP). Then I see both radio signals turn off (they are configured to be on of course, that’s the whole idea of using it as a wired AP), and though Guest WiFi is turned off, Guest SIDs are suddenly visible…

I’ve now upgraded to latest firmware V1.0.9.32_10.2.34 and now I don’t see any smurf attacks and R7000AP doesn’t freeze. But WiFi radio turns off after a while (configured to be permanently on on both 2.4 and 5 GHz), and sometimes WiFi turns on again. A reboot also turns WiFi on again. I don’t see anything unusual in the log files. Guest WiFi doesn’t turn on as before.

 

 


If you like to see the logs/screen snapshots, I have uploaded a PDF file for you (rename from txt to zip). It appears the R7000R has rebooted, and logs prior to today are gone. But aren't the logs persistent until I reset the log?

 

Kind regards,

Jackie

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 21 of 28
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

After a couple of warm/cold reboots, I can still not get WiFi to start on R7000AP..... so next thing will be factory reset...... will keep you posted.

Message 22 of 28
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

I can now see that after R7000AP is rebooted, it does start Smurf attacks on R7000R (which in the past would make R7000AP close WiFi, turn on Guest WiFi and the freeze). Now it seems Smurf stops after a while, and WiFi is off, but R7000AP continues to run.....

 

See attached log. I have done the factory reset yet; but in the past that didn't cure the Smurf attacks. What about the WiFi radio issue on R7000AP?

Message 23 of 28
IrvSp
Master

Re: R7000 Under constant smurf DOS attack.

Have you contacted your ISP? You are doing a TIME SYNC every 30 minutes?

 

[Time synchronized with NTP server] Wednesday, Jun 27,2018 06:09:24
[Internet connected] IP address: 85.204.136.41, Wednesday, Jun 27,2018 06:09:23

 

[Time synchronized with NTP server] Wednesday, Jun 27,2018 05:39:24
[Internet connected] IP address: 85.204.136.41, Wednesday, Jun 27,2018 05:39:23

 

Highly unusual. Note the Internet Connected too. There was a FIX in the R7000 a while back for a bug that actually did a disconnect/reconnect with that operation. Wonder if that works if the router is in AP mode?

 

My ISP has a LEASE of 2 hours for my WAN IP Address, and every hour I have those 2 entries in my log. RENEW is done at 1/2 the time of the lease. You can see your lease time on the Advanced tab, Connection Status, in the Internet Port box.

 

I'd suggest calling the ISP to see if this is a problem on their end.

 

As for UPnP, I assume that 192.168.1.15 is an Xbox? Does it really require UPnP? If not, disable it and see what happens. If nothing else, do it for a short period as a test at least.

Message 24 of 28
JSandgaard
Aspirant

Re: R7000 Under constant smurf DOS attack.

My ISP is not configuring my R7000 router - my ISP only provide the plain fiber. And as I recall, I'm just running the default TIME SYNC, as I recall, on both R7000s. And I don't think this has any impact on the R7000AP not working. 

 

NETGEAR are working this issue, and I have received two hotfixes so far and upgraded to latest firmware after I got the hotfix that fixed parts of the problem. It's getting better, but not completely fixed yet as you can see in the posts above. I don't think this is an issue for my ISP at all, as we are talking about communication problems between the R7000 Router and R7000 Access Point (in thread above called R7000R and R7000AP).

 

Above I also write that 192.168.1.15 is my business computer (that's a Dell laptop). Not an Xbox.

 

So, great with ideas on how to fix - but pls. also read the full thread and posts from NETGEAR too.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 25 of 28