Re: New - RS700S Firmware Version 1.0.7.80 Released

Hi I just got this Netgear RS700 and had no issues with DoS attacks

untill 2 days ago when there was a firmware update Firmware Version V1.0.7.80_2.0.79

Small network like 15 total PCs and devices in private home where most times maybe half of these are on so router is mostly idle

As soon as this was updated these DoS attacks began and never stop

I tried blocking UDP services for ports like 4-19 but that did nothing at all to stop this

What is this sudden cause and how to correct ?

Thanks for the help.  JR

Small example:

[DoS attack: RST Scan] from source 54.197.98.98,port 443 Thursday, Nov 30, 2023 20:18:56
[DHCP IP: (192.168.1.9)] to MAC address AC:E0:10:4E:60:DE, Thursday, Nov 30, 2023 20:17:26
[DoS attack: snmpQueryDrop] from source 147.203.255.20,port 58342 Thursday, Nov 30, 2023 19:57:05
[DoS attack: Fraggle Attack] from source 10.9.144.1,port 67 Thursday, Nov 30, 2023 19:55:12
[DoS attack: Fraggle Attack] from source 10.9.144.1,port 67 Thursday, Nov 30, 2023 19:54:57
[DoS attack: Fraggle Attack] from source 10.9.144.1,port 67 Thursday, Nov 30, 2023 19:54:55
[DoS attack: RST Scan] from source 95.100.155.249,port 443 Thursday, Nov 30, 2023 19:46:19
[DoS attack: RST Scan] from source 95.100.155.249,port 443 Thursday, Nov 30, 2023 19:34:19
[DHCP IP: (192.168.1.9)] to MAC address AC:E0:10:4E:60:DE, Thursday, Nov 30, 2023 19:26:11

I have the same issue with DoS attacks appearing in the logs even few seconds. From what support told me, it seems they are false positives. For now, I have disabled "Known DoS attacks and Port Scans" under "Include in Log" so it won't overflow the log:

Luckily, it doesn't seem to interfere with my port forwarding or internet speed.

Thanks for the quick reply

What they are saying is hide the fact in logs that this new firmware is not blocking DoS at a high rate per second, so really masking the problem and not knowing if those attacks are affecting the PCs and devices on my network

As it is these are coming from many different TCP/IP addresses

Did they say they are working on a fix and when that will happen

As I mentioned none of these occured with last firmware version

Thanks again . . JR

also I checked the address and shows it comes way over in Oregon and I am in Texas so clearly the DoS are not false positives I would think ?

[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:44:26
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:44:25
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:43:25
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:42:24
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:41:23
[DHCP IP: (192.168.1.9)] to MAC address AC:E0:10:4E:60:DE, Thursday, Nov 30, 2023 21:41:02
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:40:23
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:40:22
[DoS attack: RST Scan] from source 213.246.109.33,port 443 Thursday, Nov 30, 2023 21:30:25
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:30:17
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:30:11
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:29:38
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:29:37
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:28:37
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:28:36
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:27:36
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:26:35
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:24:14
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:24:13
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:23:13
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:22:13
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:22:12
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:21:12
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:20:09
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:19:42
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:19:35
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:19:12
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:18:49
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:17:36
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:17:35
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:16:35
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:16:34
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:16:13
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:15:22
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:15:13
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:14:29
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:14:12
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:14:08
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:13:57
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:13:12
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:13:11
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:08:21
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:07:21
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:07:20
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:04:19
[DoS attack: RST Scan] from source 52.89.243.158,port 443 Thursday, Nov 30, 2023 21:04:18
[DoS attack: RST Scan] from source 192.145.239.223,port 2096 Thursday, Nov 30, 2023 21:04:03
[DoS attack: RST Scan] from source 192.145.239.223,port 2096 Thursday, Nov 30, 2023 21:03:56
[Log Cleared] Thursday, Nov 30, 2023 21:03:38

It's a false positive, coming from Amazon. Regardless if it's in Oregon or somewhere else. Location doesn't matter.

Without looking into details, we cannot tell if each individual case is a real attack or not.

What we can say is, after the NAT loopback issue from the previous releases (e.g. v1.0.7.66) is fixed, it introduced some false alarms in the DoS attack detection. We still work on the fix and will release the fixed firmware soon.

When I received this RS700 2 weeks ago I checked the Netgear website and said a firmware update was needed so I downloaded and installed it and show version was V1.0.7.66

For that 2 weeks not 1 DoS was shown in logs until

the auto firmware update 2 days ago and as I mentioned the IP addresses and DoS types are many different ones and several per second showing in logs

Great to see your looking to correct this ASAP as real or false still has to have a cost to the router as processer, memory, bandwidth, downstream to nodes, etc

It is now two full weeks since I reported this bug and Netgear if seems to think it is fine to hide the DoS attacks by turning the reporting of this OFF

That is not a fix and looks like Netgear cares little about all types of DoS attacks non stop and not doing a firmware fix 😞

Again, these are NOT DoS attacks but FALSE POSITIVES. You are not getting DoS'd or hacked! Why don't you listen? If you were getting DoS'd, you won't be able to get on the Internet as your device will completely choke up.

Keep the false postives for yourself, one thing of a $70 router, not a $700 one people are paying for

So false that Netgear said they would have to do a firmware fix

Last 2 firmware updates before this one did not have this problem so it is clear Netgear Q/A or engineering did not do the testing before releasing this firmware version

Workaround to just limit the size of the log files was to turm OFF DoS beng reported

The routers CPU, memory, whatever still has to be used to even your false positives taking that away from customers data throughput

Yeah, I had similar issues on this firmware. Last weekend, I noticed my internet drop while connected to the RS700. Wasn't able to confirm if it was due to the influx of false positive DoS attacks on the router (I did see I was no longer able to ping it), but I ended up reverting back to 1.0.7.66. Have had no issues since then, but hopefully an updated firmware that fixes this will arrive soon.

I also back rev'ed the firmware, when turning DoS back on for logs and seeing

DOS attacks with TCP/IP addresses coming from as far as the UK and China 😞

Clearly Netgear has no problems when a $700 router does this but a $70 one does not

Also with older firmware the data throughput from/to Internet is better

Your 70 USD router does not even care about these - and nothing will be in the router logs anyway.

Even if you don't want to believe it: The majority of the DoS events are locally caused, from established TCP sessions,  for example a simple mobile roaming away (or roaming from the mobile network to your local WiFi) to the mobile network or a wireless notebook going to sleep, leaving dozens or hundreds of sessions in space. Virtually no real DoS will ever hit your router - the ISPs do much more than you can imagine. If you are DoS-ed from a high bandwidth or a distributed DoS attack, you will probably loose all your Internet connection. If the rare real attack attempts really happen, the DoS protection will jump in and also leave some log traces.

Yes, we (active community members, operators of many Netgear devices - most not average home users) know that the Netgear-implemented DoS detection tends to be over-sensible, leading to far to much false alerts. This is what Netgear is certainly working on, and this is what they are talking about.  Yes, each event is causing some traffic from logging and auditing. This is absolute normal industry standard. This is not exclusive to Netgear: Every network and service operator does see lots of events, collected in seconds, over hours and days. Most of these events and log entries can be explained if reviewed accordingly - mostly fully automated. And nobody is making any noise: This makes the big difference.

With the help of active intrusion prevention systems, it's easy to analyze. With the average but well collected DoS logs on the Netgear routers, many things can be explained - but by far not everything. This is all causing your big scare of DoS from other states, other countries, and the ubiquitous bad players. Almost every event is caused locally. Your computers, mobiles, applications, apps, cloud services and much more are active globally. It's not the big evil enemy - it's reality.

For reasons, no ISP provided consumer or SMB (and most business) routers don't tell us anything - including the 10 GbE Internet connection class.

FYI, New FW available:

https://community.netgear.com/t5/Nighthawk-with-WiFi-7-BE/New-RS700S-Firmware-Version-1-0-7-82-Relea...