Router mvpn purge and suspicious insight xcloud communication with orbi pro sxr80; and ddos attacks

Orbipro1
Aspirant


I have not initiated or set up the Insight app or xCloud. The router log shows Insight and xCloud logins to the Orbi Pro router and a mention of mvpn in the router logs. Is this unauthorized access? There is an unusual amount of DDoS attacks: how do I protect against or stop DDoS attacks of the type mentioned in the logs?

[DoS Attack: SYN/ACK Scan] from source: 194.26.228.174, port 19135, Monday, October 24, 2022 13:49:48
[DoS Attack: ACK Scan] from source: 194.26.228.174, port 5359, Monday, October 24, 2022 13:25:04
[DoS Attack: SYN/ACK Scan] from source: 85.232.251.78, port 80, Monday, October 24, 2022 12:39:58
[DoS Attack: SYN/ACK Scan] from source: 198.7.29.5, port 53, Monday, October 24, 2022 12:36:25
[Insight] Purge mvpn service successfully., Monday, October 24, 2022 12:18:35
[Insight] Disable concentrator mvpn., Monday, October 24, 2022 12:18:35
[Insight] Disable content filtering successfully., Monday, October 24, 2022 12:18:35
[Insight] Set auto_upgrade to 1., Monday, October 24, 2022 12:18:35
[Insight] Set upgrade http url to ., Monday, October 24, 2022 12:18:35
[Insight] Device is not claimed on Insight cloud (1003)., Monday, October 24, 2022 12:18:35
[Insight] Boot API request: data = {"serialNo":"6KW10B5XA4EAF","macAddress":"9c:c9:eb:dd:1d:f3","model":"SXR80","xDeviceId":"GEDNAGV7-3220-336-184411967","deviceType":"ORBI","fwVersion":"4.2.3.102","sendPendingC, Monday, October 24, 2022 12:18:35
[Insight] Register the device and send request to get device token., Monday, October 24, 2022 12:18:35
[DoS Attack: ACK Scan] from source: 155.133.253.34, port 27032, Monday, October 24, 2022 12:18:33
[DoS Attack: ACK Scan] from source: 155.133.253.34, port 27032, Monday, October 24, 2022 12:18:32
[Insight] Connection to XCloud was established., Monday, October 24, 2022 12:18:27
[DoS Attack: SYN/ACK Scan] from source: 85.232.251.78, port 80, Monday, October 24, 2022 12:17:59
[DoS Attack: ACK Scan] from source: 162.254.195.71, port 27021, Monday, October 24, 2022 12:17:38
[DoS Attack: ACK Scan] from source: 162.254.195.71, port 27021, Monday, October 24, 2022 12:17:37
[Insight] Connection to XCloud was disconnected., Monday, October 24, 2022 12:17:26
[DoS Attack: ACK Scan] from source: 162.247.241.1

Message 1 of 10
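Before the replies: the log excerpt above can be read mechanically. The following is an added example (my code, not Netgear's and not part of this thread) that parses the two kinds of lines the router writes, restores chronological order (the router lists newest first), groups the "DoS Attack" lines by source address, and checks whether the Insight lines fit a device-initiated registration that came back "not claimed". The regular expressions and the classification rule are my assumptions: a SYN/ACK or ACK "scan" arriving from a well-known service port (80, 53) is treated as a late or stray reply from a real server to traffic the LAN side sent, while one from an ephemeral port is treated as an unsolicited probe. The sample log is constructed from the lines in the post (the truncated Boot API line is left out).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines copied from the post, newest first as the router shows them.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 194.26.228.174, port 19135, Monday, October 24, 2022 13:49:48
[DoS Attack: ACK Scan] from source: 194.26.228.174, port 5359, Monday, October 24, 2022 13:25:04
[DoS Attack: SYN/ACK Scan] from source: 85.232.251.78, port 80, Monday, October 24, 2022 12:39:58
[DoS Attack: SYN/ACK Scan] from source: 198.7.29.5, port 53, Monday, October 24, 2022 12:36:25
[Insight] Purge mvpn service successfully., Monday, October 24, 2022 12:18:35
[Insight] Disable concentrator mvpn., Monday, October 24, 2022 12:18:35
[Insight] Device is not claimed on Insight cloud (1003)., Monday, October 24, 2022 12:18:35
[Insight] Register the device and send request to get device token., Monday, October 24, 2022 12:18:35
[DoS Attack: ACK Scan] from source: 155.133.253.34, port 27032, Monday, October 24, 2022 12:18:33
[Insight] Connection to XCloud was established., Monday, October 24, 2022 12:18:27
[DoS Attack: SYN/ACK Scan] from source: 85.232.251.78, port 80, Monday, October 24, 2022 12:17:59
[DoS Attack: ACK Scan] from source: 162.254.195.71, port 27021, Monday, October 24, 2022 12:17:38
[Insight] Connection to XCloud was disconnected., Monday, October 24, 2022 12:17:26
"""

DATE_FMT = "%A, %B %d, %Y %H:%M:%S"
# Assumed line formats (derived from the excerpt, not from Netgear documentation).
DOS_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
    r"port (?P<port>\d+), (?P<when>.+)$"
)
INSIGHT_RE = re.compile(
    r"^\[Insight\] (?P<msg>.+?)\.?, "
    r"(?P<when>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$"
)


def parse_when(text):
    return datetime.strptime(text, DATE_FMT)


def parse_log(text):
    """Split the log into DoS events and Insight events, each oldest-first.
    The router prints newest first, so the lists are reversed before the
    stable sort; that keeps same-second entries in their real order."""
    dos, insight = [], []
    for line in text.splitlines():
        line = line.strip()
        m = DOS_RE.match(line)
        if m:
            dos.append({"kind": m["kind"], "ip": m["ip"], "port": int(m["port"]),
                        "when": parse_when(m["when"])})
            continue
        m = INSIGHT_RE.match(line)
        if m:
            insight.append({"msg": m["msg"], "when": parse_when(m["when"])})
    key = lambda e: e["when"]
    return sorted(reversed(dos), key=key), sorted(reversed(insight), key=key)


def classify_dos(event):
    """Assumption: SYN/ACK or ACK from a well-known service port is most
    plausibly a reply to something the LAN sent (late or after state expired),
    not a probe. Anything else is an unsolicited packet that was dropped."""
    if event["port"] < 1024 and event["kind"] in ("SYN/ACK Scan", "ACK Scan"):
        return "reply-from-service"
    return "unsolicited-probe"


def summarize_dos(dos):
    """Counts per (source IP, label); 'attack' here means one logged packet."""
    return dict(Counter((e["ip"], classify_dos(e)) for e in dos))


def insight_timeline(insight):
    return [e["msg"] for e in insight]


def insight_sequence_is_device_initiated(insight):
    """Consistency check, not proof: the sequence reads as the router connecting
    out, registering, being told it is not claimed by any account, and cleaning
    up. Requires a 'not claimed' line and 'established' before 'Register'."""
    msgs = insight_timeline(insight)
    unclaimed = any("not claimed" in m for m in msgs)
    est = [i for i, m in enumerate(msgs) if "XCloud was established" in m]
    reg = [i for i, m in enumerate(msgs) if m.startswith("Register the device")]
    return unclaimed and bool(est) and bool(reg) and est[0] < reg[0]


if __name__ == "__main__":
    dos_events, insight_events = parse_log(SAMPLE_LOG)
    for (ip, label), n in sorted(summarize_dos(dos_events).items()):
        print(f"{ip:16} {label:20} {n}")
    print("Insight timeline:", *insight_timeline(insight_events), sep="\n  ")
    print("device-initiated registration:", insight_sequence_is_device_initiated(insight_events))
```

Run against the full log, the summary shows how many distinct sources there are and how many entries are replies from ports 80 and 53; a handful of entries per source over a day is scanner and stray-reply noise, not a volumetric DDoS, which would not look like individual log lines at all.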

Accepted solution: Message 6 of 10 (schumaku), below.

All Replies
CrimpOn
Guru

No experience with Insight, sorry. The SXR80 Product Data Sheet says that a 5-year subscription to Insight is bundled with the purchase. Looks like you paid for it. Did you register the product? Maybe registration links Insight to the product? Might want to give them a call (since it appears you paid for it).

https://www.downloads.netgear.com/files/GDC/SXK80/SXK80_DS.pdf

With regard to the entries Netgear places in the log file labeled Denial of Service (DoS) Attacks, there is nothing anyone can do to prevent these except turn off the feature that reports them.

  • If you have a telephone number, what can you do to prevent robocalls? -- Nothing. Anyone, anywhere, can dial any number they damn well please. All you can do is choose not to answer, but you cannot stop them from calling.
  • If you have a mailbox, what can you do to prevent junk mail? -- Nothing. You can bring in the mail, stand over a trash can, and throw things away without opening them, but you cannot stop people from sending mail to your address.
  • Each internet subscriber has a public IP address. There is nothing that can be done to prevent people from attempting to connect. -- Nothing. The router firewall refuses to accept any connections, unless the user has deliberately forwarded ports to specific local devices or has placed a device in the DMZ.

Netgear has written software, which is not documented anywhere, that monitors connection attempts and looks for familiar patterns. When it detects a pattern, an entry is made in the log file. This has absolutely zero to do with accepting any of these connection requests. My phone keeps a log of every call that I (deliberately) failed to answer.

Sorry for the rant. It is just frustrating how much angst engineers create when they try to show off how cool they are.

Message 2 of 10
Orbipro1
Aspirant

Thank you for the feedback.

I have no IP phone; not needed yet. Will have to learn also.

I did contact tech support, who said it may have to do with automatic update, but my automatic update is off. The logs, aside from some DDoS attacks, showed an Insight login, a token request, issuance of a token, an established connection, a mention of mvpn, a purge, and an end of session. Maybe part of the Netgear device environment and its relation with corporate resources. Periodic contact and review of devices on its network. Not sure.

I do not use the app and have not signed up; it has no advantage of additional features, only multi-site administration of Orbi Pro. I have one site and prefer to access by LAN onsite.

Timely to evaluate the addresses of DDoS attackers and block the address, and probably not effective by this approach.

It seems the ISP would seek to identify and remove DDoS from their network; also difficult until encrypted BGP is implemented.

Message 3 of 10
CrimpOn
Guru

@Orbipro1 wrote:

I have no IP phone; not needed yet. Will have to learn also.

We get robocalls on our house phone and both cell phones. Nothing to do with the internet.

(Another rant) House phone is through Spectrum. They are able to describe many calls as "SPAM RISK" or "Unknown", yet they do not offer to simply block those calls. Grrrr.

The cool part about having five years of Insight is the ability to call Netgear support. We who purchased the residential products get 90 days of 'complimentary support', after which our choices are (a) pay Gearhead, or (b) hope that some volunteer on the community forum can help. That's how I came to the forum five years ago. (Too cheap to pay Gearhead and not convinced that Level 1 support would be much more capable than I was to begin with.)

Message 4 of 10
Orbipro1
Aspirant

I bought an additional 90 days just for this issue.

No landline or cable phone at my location. Discontinued phone service. This is from internet activity.

Support says maybe a rotating or automated communication from the central Insight server, maybe surveying the network of devices using its cloud.

I have not subscribed to the cloud. Wanted to manage onsite or by direct connection.

Minimal built-in firewall and DDoS protection performed on the router. Would like a robust firewall, cookie and application filtering with easy automated rule making. More than just port blocking.

Could be blocking DDoS with the DDoS protection built into Orbi Pro, according to support.

Remote login and mvpn not explained. Chose to use the web interface rather than the cloud application in order to have direct access with no remotes.

Message 5 of 10
schumaku
Guru

Interesting mix of wild combinations of individual log entries and speculations... Simple stack protection under the DoS label becomes DDoS in your wild ideas, and even more widely added "secured BGP" (considering consumer and end-user routers rarely use BGP). Combine a DoS log entry with remote access by Insight (which it clearly isn't), and much more. Yes, Insight does make use of a certain VPN to enable the management of multiple or many Insight-managed devices on the same network and location; for this purpose it also maintains a look-up service for device information on the same local subnet and beyond, allowing it to locate multiple Insight devices easily for adding more Insight-managed devices like switches, wireless access points, mesh satellites, ... (this is what the registration you see in the log is for), and much more.

Neither the mvpn nor the xcloud communication is suspicious; both are part of the proprietary Netgear Insight implementation. Nor does the update control for the Insight devices' update mechanism have much in common with what Netgear support has told you, which is based on consumer product firmware update mechanism information.

It's good behavior to set an environment on a managed device to known and defined defaults before it might be used any further, or just before it's set to a certain idle or stop state if not required in the current basic set-up. As a matter of fact, there are different management entities and functionalities involved on these Insight or Netgear cloud-manageable devices, depending on how the user configures and operates them. From standalone, locally managed, to single-location cloud-managed, to a multi-site location, there can be big differences. And I have not talked about the easy expansion or migration of a standalone locally managed device to a single-location cloud environment, to a multi-location environment.

No idea why users are so keen to manage one or even multiple Insight-manageable devices locally, massively crippling the oversight and limiting the service quality. The Insight App is yet another alternate UI to the Insight web portal, allowing the user to get the best of the Insight environment. But hey, if you prefer to do everything manually by device, feel free.

It's not the job of the Netgear support organization to provide design internals or an item-by-item explanation of each and every log entry you might ever see in the logs. It's OK to try to understand what is going on under the hood, but don't bring in unrelated features like your (non-existing) IP phones or no longer available telephony. (Undoubtedly, everything is IP based here in Insight.) And during normal operations of devices (like mobiles, computers, ...) things can change very quickly, like a mobile device roaming to another wireless network or to the WWAN (4G/5G carrier network), or a device going to sleep for power saving, so the IP stack on the router does have to deal with what appears as "DoS", even if the reasons triggering it can be very different during such state changes.

Beyond that, there is no word (anywhere!) that these DoS protections mentioned are blocking any IP addresses, just to add one more example of false or freely interpreted ideas. Correct is that if you should become the target of a DDoS attack, no CPE-side router can do anything against it, even if you invest a lot into your router, security appliance, ... At the end of the day, you have to depend on what the ISP can do.

Message 6 of 10
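Two points in the thread are easier to see with a model in hand: CrimpOn's note that the router firewall accepts no inbound connection unless a port is forwarded or a host is in the DMZ, and that the "DoS" entries are a record of what was refused; and schumaku's point that a LAN device roaming to 4G or going to sleep leaves the router receiving packets for a connection it no longer has state for. The following is an added example (my code, not Netgear firmware, and not anything posted in this thread): a toy stateful WAN filter with a five-tuple state table and an idle timeout. The state timeout, the flag names, the assumption that NAT keeps the source port, and the log wording (which only imitates the Orbi format) are all mine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


class StatefulFilter:
    """Toy model of a CPE router's WAN-side filter (assumptions: NAT preserves
    the LAN source port; state is keyed on the LAN side; idle state expires)."""

    def __init__(self, wan_ip, port_forwards=None, dmz_host=None, state_timeout=60):
        self.wan_ip = wan_ip
        self.port_forwards = dict(port_forwards or {})  # WAN dport -> LAN host
        self.dmz_host = dmz_host
        self.timeout = state_timeout
        self.state = {}  # (lan_host, lan_port, remote_ip, remote_port) -> last seen
        self.log = []

    def lan_to_wan(self, pkt, now):
        # Anything the LAN sends creates or refreshes state; replies will match it.
        self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return "ACCEPT"

    def expire(self, now):
        self.state = {k: t for k, t in self.state.items() if now - t <= self.timeout}

    def wan_to_lan(self, pkt, now, when="<time>"):
        self.expire(now)
        # 1. Reply to a flow the LAN started: reverse five-tuple matches state.
        for key in self.state:
            lhost, lport, remote, rport = key
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (remote, rport, self.wan_ip, lport):
                self.state[key] = now
                return "ACCEPT"
        # 2. New connection, but only to a forwarded port or the DMZ host.
        target = self.port_forwards.get(pkt.dport, self.dmz_host)
        if pkt.flags == frozenset({"SYN"}) and target is not None:
            self.state[(target, pkt.dport, pkt.src, pkt.sport)] = now
            return "ACCEPT"
        # 3. Everything else is dropped. A SYN/ACK or bare ACK with no state is
        # what the router reports as a "scan"; a plain SYN is refused silently.
        if pkt.flags == frozenset({"SYN", "ACK"}):
            self.log.append(f"[DoS Attack: SYN/ACK Scan] from source: {pkt.src}, port {pkt.sport}, {when}")
        elif pkt.flags == frozenset({"ACK"}):
            self.log.append(f"[DoS Attack: ACK Scan] from source: {pkt.src}, port {pkt.sport}, {when}")
        return "DROP"


def scenario():
    """A phone opens a web connection, roams away, and a late SYN/ACK from the
    web server arrives after state expired; then an unrelated ACK probe and a
    plain SYN to a closed port. Addresses and times are constructed."""
    fw = StatefulFilter("203.0.113.10", state_timeout=60)
    phone, web = "192.168.1.20", "85.232.251.78"
    out = fw.lan_to_wan(Packet(phone, 51000, web, 80, frozenset({"SYN"})), now=0)
    reply_in_time = fw.wan_to_lan(Packet(web, 80, fw.wan_ip, 51000, frozenset({"SYN", "ACK"})), now=1)
    # phone has gone to 4G / sleep; state aged out; server retransmits
    reply_late = fw.wan_to_lan(Packet(web, 80, fw.wan_ip, 51000, frozenset({"SYN", "ACK"})),
                               now=120, when="12:17:59")
    probe = fw.wan_to_lan(Packet("155.133.253.34", 27032, fw.wan_ip, 443, frozenset({"ACK"})),
                          now=121, when="12:18:33")
    closed_syn = fw.wan_to_lan(Packet("198.51.100.7", 40000, fw.wan_ip, 22, frozenset({"SYN"})), now=122)
    return {"out": out, "reply_in_time": reply_in_time, "reply_late": reply_late,
            "probe": probe, "closed_syn": closed_syn, "log": fw.log}


def scenario_with_forward():
    """Same SYN to port 22, but the user forwarded 22 to a LAN host: accepted."""
    fw = StatefulFilter("203.0.113.10", port_forwards={22: "192.168.1.50"})
    return fw.wan_to_lan(Packet("198.51.100.7", 40000, fw.wan_ip, 22, frozenset({"SYN"})), now=0)


if __name__ == "__main__":
    result = scenario()
    for k, v in result.items():
        print(k, v)
    print("forwarded port:", scenario_with_forward())
```

The late SYN/ACK from port 80 is logged exactly like the "85.232.251.78, port 80" lines in the original post, and nothing about it was accepted; the only way an unsolicited SYN gets through in this model is the port forward or DMZ the user configured, which is the setting to audit rather than the log volume.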
CrimpOn
Guru

As the SXR80 product is bundled with a 5-year subscription to Insight, would it be correct to assume that:

  • Connecting the router to the internet is sufficient for the router to contact Netgear and set up Insight (with no customer involvement at all)? or
  • The customer must take some action to set up Insight?
  • Perhaps the act of registering the product for warranty purposes is sufficient to link the router with the user account?

Message 7 of 10
schumaku
Guru

@CrimpOn wrote:

As the SXR80 product is bundled with a 5-year subscription to Insight, would it be correct to assume that:

  • Connecting the router to the internet is sufficient for the router to contact Netgear and set up Insight (with no customer involvement at all)?

Correct. Not sure how this helps people refusing the usage of Insight/cloud/App. These users can even choose if they want a normal single Insight location entity or an Insight Pro entity.

Message 8 of 10
quagmire1
Luminary

I bought my SXK80 directly from Netgear. It came with the warranty already registered with Netgear, and my Insight subscription activated.

Silly me, I thought this was a nice convenience!

Message 9 of 10
Orbipro1
Aspirant

Bought a business-class router for the quality, safety, service, and speed.

Lean operation, one site; not much for additional offices and equipment, expertise, digital conversion, app management, authentications, cloud, storage, or retrieval. Not relying on the device for remote access.

Owned a Netgear ProSafe firewall that had good features; it seemed to speed up my traffic. Had cookie and application filters that were useful.

Your answer makes sense. And I know this type of universal product knowledge base and skilled support are rare. Did not think I'd see a better answer on a forum.

Would be useful if the discovery feature could be turned off. Turned off the WPS on the satellite. I read that some automatic discovery and enrollment are vulnerable. Disturbing unexplained intrusions.

I see DoS protection as default on Orbi Pro. Active by default. Not sure if it distinguishes DDoS from DoS. Good to have. Support said the log may be of a DoS that was recognized and blocked by Orbi Pro, the reason I purchased it. From where, whom, and what is for me to determine the level of threat and time devoted.

It seems most ISPs, wireless, and switched networks are vulnerable within, around, and across networks. Some say encrypted BGP will be a security feature offered by ISPs in future internet implementations. So hardware will cost to adapt when available.

I use no VoIP and ended my cable phone. Cellular only.

I use iOS Private Relay for the browser on my mobile devices and the Cloudflare WARP app, which wraps all traffic in HTTPS and has a malware blocking feature. Maybe this is generating some DoS log entries.

May be useless. As you say, we are vulnerable.

I have not experienced or implemented wide area or local area networks and am thankful for the Netgear support. Unfortunately I paid $90 to get an answer. Like always, it depends on how, what, and whom I ask.

Thank you again.

Message 10 of 10
Discussion stats
  • 9 replies
  • 2924 views
  • 4 kudos
  • 4 in conversation