Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

texasTrio
Aspirant

Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

I read numerous posts about DoS attacks in the log files. It wasn't clear to me if these are ghost messages or they are in fact DoS attacks and logged correctly. I am chasing Wi-Fi dropping at a church. I looked up several source IP addresses, and they include Amazon AWS, HostPapa, DropBox, etc. After the DoS messages are logged, several clients have dropped and been given new IP addresses. See an example in bold below. I am not a networking expert but never had so much trouble debugging router issues such as with the Orbi. Should I be concerned and send email to the abuse emails of the source IP owners? Any chance the "attacks" are related to WiFi dropping (and ethernet working)?


[DHCP IP: 192.168.1.36] to MAC address 1c:45:86:fd:e6:98, Wednesday, July 06, 2022 19:45:22
[DoS Attack: TCP/UDP Chargen] from source: 146.88.240.4, port 34646, Wednesday, July 06, 2022 19:37:41
[DoS Attack: ACK Scan] from source: 162.125.8.17, port 443, Wednesday, July 06, 2022 19:37:05
[DHCP IP: 192.168.1.83] to MAC address 14:7d:da:a6:fd:8b, Wednesday, July 06, 2022 19:34:33
[DHCP IP: 192.168.1.17] to MAC address 8a:05:63:71:fb:e4, Wednesday, July 06, 2022 19:34:30
[DHCP IP: 192.168.1.32] to MAC address 82:43:18:0e:a7:72, Wednesday, July 06, 2022 19:33:57
[DHCP IP: 192.168.1.17] to MAC address 8a:05:63:71:fb:e4, Wednesday, July 06, 2022 19:31:14
[DHCP IP: 192.168.1.47] to MAC address ea:28:ab:f0:62:95, Wednesday, July 06, 2022 19:30:43
[DHCP IP: 192.168.1.45] to MAC address fe:1c:12:dd:aa:4b, Wednesday, July 06, 2022 19:30:05
[DHCP IP: 192.168.1.37] to MAC address 4e:3f:2e:20:28:c1, Wednesday, July 06, 2022 19:30:03
[DoS Attack: ACK Scan] from source: 162.125.19.131, port 443, Wednesday, July 06, 2022 19:25:55
[DoS Attack: ACK Scan] from source: 162.125.19.130, port 443, Wednesday, July 06, 2022 19:25:29
[DHCP IP: 192.168.1.7] to MAC address 8c:85:90:4f:d5:2c, Wednesday, July 06, 2022 19:13:24
[DoS Attack: ACK Scan] from source: 162.125.19.131, port 443, Wednesday, July 06, 2022 19:11:30
[DoS Attack: ACK Scan] from source: 162.125.19.130, port 443, Wednesday, July 06, 2022 19:10:32
[DHCP IP: 192.168.1.36] to MAC address 1c:45:86:fd:e6:98, Wednesday, July 06, 2022 19:09:41
[DoS Attack: ACK Scan] from source: 162.125.19.9, port 443, Wednesday, July 06, 2022 19:04:20
[DoS Attack: ACK Scan] from source: 17.248.200.30, port 443, Wednesday, July 06, 2022 19:02:26
[DHCP IP: 192.168.1.7] to MAC address 8c:85:90:4f:d5:2c, Wednesday, July 06, 2022 19:01:37

Message 1 of 10
DH_1
Apprentice

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

Hi, I am just a user as well. I also have posted this very same thing on this site.
From what I was told, the router is doing exactly what it was designed to do. The router is picking up this "traffic". Is it blocking it? Yes I believe so. Is it recording it in the log? Yes.
I have had no issues with Netgear (other than some buggy firmware updates in the past). I have now simply disabled the log. There is no need for me to see this. Again, I have no issues with Netgear...maybe someone that is more technical may chime in. But I think you are good. I am not sure if emailing these companies would do any good. Have a great day...
Message 2 of 10
texasTrio
Aspirant

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

So, if they are real DoS attacks, is the Orbi logging after one attempted access or after N attempted and successive accesses?  

Message 3 of 10
DH_1
Apprentice

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

That I do not know.
Message 4 of 10
schumaku
Guru

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

Most are not even true DoS attacks - causes are when mobile devices have connections open and disconnect, e.g. due to power saving, connection loss, wireless disconnect, roaming to different SSIDs or AP connections, uplink (Internet connections going down or bouncing).

Message 5 of 10
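One way to check both questions raised so far against the log format shown in the first post, as an added example that is not part of any poster's message: it parses the entries, counts how many DoS entries come from a web-service source port (80 or 443, an assumed heuristic for reply traffic to connections a client already closed), and counts DHCP leases issued within a chosen window after a DoS entry. The function names, the port set and the window are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Entry formats as they appear in the log excerpts in this thread.
DOS_RE = re.compile(r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: "
                    r"(?P<src>[\d.]+), port (?P<port>\d+), (?P<ts>.+)$")
DHCP_RE = re.compile(r"\[DHCP IP: (?P<ip>[\d.]+)\] to MAC address "
                     r"(?P<mac>[0-9A-Fa-f:]+), (?P<ts>.+)$")
TS_FORMAT = "%A, %B %d, %Y %H:%M:%S"
SERVICE_PORTS = {80, 443}  # assumption: source ports typical of web-server replies

# Six entries copied from the first post (newest first, as the router lists them).
SAMPLE = """\
[DHCP IP: 192.168.1.36] to MAC address 1c:45:86:fd:e6:98, Wednesday, July 06, 2022 19:45:22
[DoS Attack: TCP/UDP Chargen] from source: 146.88.240.4, port 34646, Wednesday, July 06, 2022 19:37:41
[DoS Attack: ACK Scan] from source: 162.125.8.17, port 443, Wednesday, July 06, 2022 19:37:05
[DHCP IP: 192.168.1.83] to MAC address 14:7d:da:a6:fd:8b, Wednesday, July 06, 2022 19:34:33
[DoS Attack: ACK Scan] from source: 162.125.19.131, port 443, Wednesday, July 06, 2022 19:25:55
[DHCP IP: 192.168.1.7] to MAC address 8c:85:90:4f:d5:2c, Wednesday, July 06, 2022 19:13:24
""".splitlines()

def parse(lines):
    """Split log lines into DoS entries and DHCP lease entries."""
    dos, dhcp = [], []
    for line in lines:
        if m := DOS_RE.match(line.strip()):
            dos.append({"kind": m["kind"], "src": m["src"], "port": int(m["port"]),
                        "ts": datetime.strptime(m["ts"], TS_FORMAT)})
        elif m := DHCP_RE.match(line.strip()):
            dhcp.append({"ip": m["ip"], "mac": m["mac"],
                         "ts": datetime.strptime(m["ts"], TS_FORMAT)})
    return dos, dhcp

def summarize(lines, window_minutes=5):
    """Count DoS entries by kind and DHCP leases issued shortly after one."""
    dos, dhcp = parse(lines)
    window = timedelta(minutes=window_minutes)
    reply_like = sum(1 for d in dos if d["port"] in SERVICE_PORTS)
    after = sum(1 for l in dhcp
                if any(timedelta(0) <= l["ts"] - d["ts"] <= window for d in dos))
    return {"by_kind": Counter(d["kind"] for d in dos),
            "reply_like": reply_like, "other": len(dos) - reply_like,
            "dhcp_total": len(dhcp), "dhcp_after_dos": after}

if __name__ == "__main__":
    print(summarize(SAMPLE, window_minutes=10))
```

A lease that follows a DoS entry in time is only a correlation; running the same count over a full day of entries, including quiet periods, shows whether leases cluster after DoS entries more than they do otherwise.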
texasTrio
Aspirant

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

Note: I reserved IP addresses for known devices and most of the DHCP renewing and messages have gone away.

I looked up the IP address, organization and abuse email from the log messages. These look like bad players and not smart phone related. The church I am helping has a lot of these messages Sunday mornings ...

[DoS Attack: SYN/ACK Scan] from source: 89.184.85.86, port 443, Saturday, July 09, 2022 09:15:56
Internet Invest Ltd., Kiev Ukraine, abuse noc@mirohost.net

[DoS Attack: SYN/ACK Scan] from source: 45.148.10.59, port 3875, Saturday, July 09, 2022 09:12:41
PPTECHNOLOGY LIMITED, London England, abuse@pptechnology.cc

[DoS Attack: RST Scan] from source: 156.146.45.187, port 65372, Saturday, July 09, 2022 08:49:01
RIPE Network Coordination Centre, Amsterdam, NL, abuse@ripe.net

[DoS Attack: SYN/ACK Scan] from source: 51.116.127.185, port 80, Saturday, July 09, 2022 08:47:30
Microsoft Limited, Great Britain abuse@microsoft.com

 

[DoS Attack: SYN/ACK Scan] from source: 94.130.137.174, port 443, Saturday, July 09, 2022 08:46:28
Hetzner Online GmbH, D-91710 Gunzenhausen Germany, abuse@hetzner.com


[DoS Attack: SYN/ACK Scan] from source: 60.30.162.22, port 47060, Saturday, July 09, 2022 08:42:06
China Unicom Beijing, abuse hqs-ipabuse@chinaunicom.cn

Message 6 of 10
schumaku
Guru

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files


@texasTrio wrote:

I looked up the IP address, organization and abuse email from the log messages.  These look like bad players and not smart phone related.


Of course you know where the many smart phone apps are connecting to, the router keeping the connection open even if mobile phones are going to sleep, are roaming off, change to the mobile network, ... Of course, Ukraine, Germany, and China must be "bad players", RIPE and Microsoft anyway as you state? Get real ... I'd wish Netgear would disable these log entries, and keep the activity silent.

Message 7 of 10
quagmire1
Luminary

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

Probes from bad actors are hitting everybody all the time - and have been for years. Here's how I fixed it in my log file options:

Screenshot 2022-07-09 144807.jpg

Message 8 of 10
DH_1
Apprentice

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

And I did this to fix all my problems.

Cheers

 

8>)

Message 9 of 10
schumaku
Guru

Re: Orbi Pro AC3000 Tri-Band SRR60 - DoS attacks in log files

Out of sight, out of mind 😉
Message 10 of 10