R7800 reports [DoS Attack: ARP Attack] from source inside network

beernutz
Tutor

My R7800 router log report includes:

[DoS Attack: ARP Attack] from source: 192.168.1.10, Sunday, March 19, 2017 15:18:05

but that IP address is my Windows 10 laptop on my home network. When this happens I lose internet access from that laptop for 5 to 10 minutes which is pretty annoying as it happens almost daily. I am usually just surfing the web when this type attack is recorded.

Is there a way to exclude a particular device from the router's DoS attack scans? Other than this issue my router has been pretty solid.

Model: R7800|Nighthawk X4S AC2600 Wifi Router
Message 1 of 7
ElaineM
NETGEAR Employee Retired

Re: R7800 reports [DoS Attack: ARP Attack] from source inside network

Those logs are providing you reports on what's happening on the network.

There's no way to exclude a particular device from the list. It's either you want to see it all or uncheck the box that says "Known DoS attacks and Port Scans" and it will stop providing that information to you. 

ElaineM
NETGEAR Community Team
Message 2 of 7
beernutz
Tutor

Re: R7800 reports [DoS Attack: ARP Attack] from source inside network

If I understand your reply the check for "Known DoS attacks and Port Scans" applies to all devices or to none of them?  

That is unfortunate because that Windows 10 laptop is my primary computing device connected to the laptop. I've run Malwarebytes and other malicious software removal tools and the laptop is clean. It is the only device on the network (including 2 TVs, iPhone 6, Android phone, Windows 7 laptop, a Linux desktop server, a music server, and an Apple TV running Kodi) experiencing this problem of being logged as performing ARP Attacks during which time I lose network access from the laptop.

Message 3 of 7
ElaineM
NETGEAR Employee Retired

Re: R7800 reports [DoS Attack: ARP Attack] from source inside network

@beernutz Sorry, that should be it's either you want to see the reporting for all devices or nothing at all by unchecking the box, "Known DoS attacks and Port Scans".

Do you have any filesharing enabled or using torrent? Turn off any unnecessary programs that may be running on that machine and see if you will get the same logs. 

Try to install a 3rd party software in order to determine what packets are being sent. 

Or you could also try to reinstall the OS. 

ElaineM
NETGEAR Community Team
Message 4 of 7
schumaku
Guru

Re: R7800 reports [DoS Attack: ARP Attack] from source inside network

Sorry @ElaineM ... most of these DoS Attack reports are mostly simply false positives. Using some intensive or complex Web pages, having clients on the (W)LAN syncing cloud storage (i.e. Dropbox) does cause plenty of entries, claiming either the cloud storage server on the Internet and/or the client on the LAN does DoS ... even if not doing any data update.

The DoS detection is either broken, or much too sensitive on all Netgear routers I've had in my hands the last years, including the current R9000. Simply a pain in the back ... reported on several router Betas I had the pleasure ... nobody ever cared!

-Kurt

Message 5 of 7
beernutz
Tutor

Re: R7800 reports [DoS Attack: ARP Attack] from source inside network

I don't run torrents or have filesharing enabled on the laptop.  I have experienced this problem when only running Chrome and browsing the web.  

I will try to do some packet analysis and report what is occurring before the ARP attack is logged however my guess is that the poster after yours, Kurt, is right and this is just a false positive, and an extremely annoying one at that.  It is too late to return this one but this is my last Netgear router for sure.

Message 6 of 7
schumaku
Guru

Re: R7800 reports [DoS Attack: ARP Attack] from source inside network

If we think a little bit further ... an ARP attack would have the target that another IP address is used i.e. instead of the default gateway, so the traffic can be captured/tracked/monitored MITM ... say for DNS, say for another gateway, allowing to bypass a "securing" network infrastructure by ARP poisoning [think about the (sigh, limited use Web browse control] would make much more sense.

ARP for DoS ... well, this does not make much sense when it comes to the alert. Just an alert is meaningless. A consumer device must be able to take automated smart actions. As is said before, the ARP rate limit triggering the ARP attack alert is much too low - especially when it comes to complex Web pages containing data from many sources.

Are these log entries and the trigger values documented at all? I doubt ...

 

When I have it right, on the dark blue heavy iron on the real IOS (previous generation, yes I'm an OM), with dynamic ARP inspection (DAI?), we could limit the number of ARP requests to 15 per second on untrusted (general access) switch ports. Beyond there is DHCP snoop maintaining an ARP<->IPv4 table, reporting/blocking if there is any ARP spoofing ... one of the very basic features I would expect today for a router in the price range of an R8000/8500/9000.

Both would not be difficult to implement btw.

Welcome to the year 2017, Netgear!

Message 7 of 7
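
The two checks described in the last post (a per-source ARP rate limit of 15 per second, and an IP-to-MAC binding table that flags spoofing) are sketched below as an added example; it is not part of the thread and not Netgear or Cisco code. The event tuples, MAC addresses, the gateway address 192.168.1.1 and the burst pattern are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: one ARP request = (time_s, sender_mac, sender_ip, target_ip).
LAPTOP = ("aa:bb:cc:00:00:10", "192.168.1.10")
GATEWAY_IP = "192.168.1.1"  # assumed gateway address
# Trusted IP -> MAC bindings, as a DHCP-snooping table would hold them (constructed).
BINDINGS = {LAPTOP[1]: LAPTOP[0], GATEWAY_IP: "aa:bb:cc:00:00:01"}


def make_sample():
    events = []
    # Benign burst: the laptop resolves 12 LAN addresses within about 0.5 s.
    for i in range(12):
        events.append((100.0 + i * 0.04, LAPTOP[0], LAPTOP[1], f"192.168.1.{20 + i}"))
    # Spoofing: a different MAC claims the gateway's IP, slowly (one packet every 2 s).
    for i in range(3):
        events.append((200.0 + i * 2.0, "de:ad:be:ef:00:01", GATEWAY_IP, LAPTOP[1]))
    return events


def analyze(events, bindings, rate_limit=15, window=1.0):
    """Return (rate_alerts, spoof_alerts).

    rate_alerts:  MACs that sent more than rate_limit ARP packets in `window` seconds.
    spoof_alerts: (mac, ip) pairs whose claimed IP contradicts the trusted bindings.
    """
    recent = defaultdict(deque)  # sender MAC -> timestamps inside the sliding window
    rate_alerts, spoof_alerts = set(), set()
    for ts, mac, ip, _target in sorted(events):
        q = recent[mac]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that left the window
            q.popleft()
        if len(q) > rate_limit:
            rate_alerts.add(mac)
        if ip in bindings and bindings[ip] != mac:
            spoof_alerts.add((mac, ip))
    return rate_alerts, spoof_alerts


if __name__ == "__main__":
    for limit in (15, 10):  # 10 is a hypothetical, stricter threshold
        print(limit, analyze(make_sample(), BINDINGS, rate_limit=limit))
```

With the limit at 15 the benign burst passes and only the binding violation is reported; at the hypothetical limit of 10 the laptop is flagged by rate alone, while the slow spoofer is never caught by the rate check at either setting.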