Disable Port Scan and DoS Protection Misleading
Having noticed a slowdown in my internet and frequent lag, I checked my logs only to discover I'm getting DDoS attacks nearly every 15 minutes! The IPs are from all over the world. My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging! Then come to find out, on Orbi, when you turn on VPN it re-enables ping responses. So I shut this off and the attacks continued and my port was still responding to ping. On a whim, I disabled the port scan and DoS protection and finally my IP stopped responding to pings.
This seems all very counter-intuitive but if you don't want your WAN port to respond to pings and thus be vulnerable to attacks, it seems you need to disable the DoS and port scan detection.
Anyone else come across this situation?
Re: Disable Port Scan and DoS Protection Misleading
Let's see if a factory reset and setup from scratch without loading a config file resolves this.
https://community.netgear.com/t5/Orbi/ORBI-RBR50-Rebooting-and-Unresponsive/m-p/1748893#M61425
Then we can do more investigation here...
Re: Disable Port Scan and DoS Protection Misleading
@fdanna wrote:
Having noticed a slowdown in my internet and frequent lag, I checked my logs only to discover I'm getting DDoS attacks nearly every 15 minutes! The IPs are from all over the world. My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging!
This seems all very counter-intuitive but if you don't want your WAN port to respond to pings and thus be vulnerable to attacks, it seems you need to disable the DoS and port scan detection.
My experience is different from yours. I disconnected my mobile phone from WiFi and performed a ping test on my Orbi's public (WAN) IP address using the LTE connection. As you report, even though my Orbi is set NOT to respond to ping on internet, I got ping responses. I then set it TO respond, and still got ping responses. I then clicked Disable Port Scan and DoS Protection. Still got ping responses. I did not mess with VPN or try every possible combination of settings.
So, either (1) Orbi firmware is "broken" in the sense that options selected do not work as described, or (2) the ping response did not come from my Orbi, but perhaps from the cable modem. My responses read: "cpe-172-249-115-xxx socal.res.rr.com 67.1ms". Testing that hypothesis involves more effort than just disconnecting from WiFi. (Like, stick a tap between Orbi and modem, or....)
On the other hand, detecting a DoS attempt every 15 minutes from "all over the world" seems (to me) pretty much "normal" and I would not assume it to be the sole cause of networking issues.
Re: Disable Port Scan and DoS Protection Misleading
You might contact NG on this if you think these features are broken. If they are, then NG needs to be aware and address them...
@CrimpOn wrote:
@fdanna wrote:
Having noticed a slowdown in my internet and frequent lag, I checked my logs only to discover I'm getting DDoS attacks nearly every 15 minutes! The IPs are from all over the world. My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging!
This seems all very counter-intuitive but if you don't want your WAN port to respond to pings and thus be vulnerable to attacks, it seems you need to disable the DoS and port scan detection.
My experience is different from yours. I disconnected my mobile phone from WiFi and performed a ping test on my Orbi's public (WAN) IP address using the LTE connection. As you report, even though my Orbi is set NOT to respond to ping on internet, I got ping responses. I then set it TO respond, and still got ping responses. I then clicked Disable Port Scan and DoS Protection. Still got ping responses. I did not mess with VPN or try every possible combination of settings.
So, either (1) Orbi firmware is "broken" in the sense that options selected do not work as described, or (2) the ping response did not come from my Orbi, but perhaps from the cable modem. My responses read: "cpe-172-249-115-xxx socal.res.rr.com 67.1ms". Testing that hypothesis involves more effort than just disconnecting from WiFi. (Like, stick a tap between Orbi and modem, or....)
On the other hand, detecting a DoS attempt every 15 minutes from "all over the world" seems (to me) pretty much "normal" and I would not assume it to be the sole cause of networking issues.
Re: Disable Port Scan and DoS Protection Misleading
@CrimpOn wrote:
@fdanna wrote:
Having noticed a slowdown in my internet and frequent lag, I checked my logs only to discover I'm getting DDoS attacks nearly every 15 minutes! The IPs are from all over the world. My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging!
This seems all very counter-intuitive but if you don't want your WAN port to respond to pings and thus be vulnerable to attacks, it seems you need to disable the DoS and port scan detection.
My experience is different from yours. I disconnected my mobile phone from WiFi and performed a ping test on my Orbi's public (WAN) IP address using the LTE connection. As you report, even though my Orbi is set NOT to respond to ping on internet, I got ping responses. I then set it TO respond, and still got ping responses. I then clicked Disable Port Scan and DoS Protection. Still got ping responses. I did not mess with VPN or try every possible combination of settings.
So, either (1) Orbi firmware is "broken" in the sense that options selected do not work as described, or (2) the ping response did not come from my Orbi, but perhaps from the cable modem. My responses read: "cpe-172-249-115-xxx socal.res.rr.com 67.1ms". Testing that hypothesis involves more effort than just disconnecting from WiFi. (Like, stick a tap between Orbi and modem, or....)
On the other hand, detecting a DoS attempt every 15 minutes from "all over the world" seems (to me) pretty much "normal" and I would not assume it to be the sole cause of networking issues.
It’s really not ideal to have your IP responding to pings. The DoS attempts were bringing down my network and the slowdowns coincided with the logging of the attacks so I think the data says this is more than coincidence.
Your cable modem shouldn’t respond to outside pings if the IP is being assigned to the WAN port of your router. Scanning is happening all the time on the internet, as you know, and any response from an IP is interpreted as, “oh look, something is here, let’s attack it!” Hence, better to NOT respond to pings.
Re: Disable Port Scan and DoS Protection Misleading
I did another test. Turned on the "debug log", did some pings from my mobile phone over LTE, then looked at the WAN capture using Wireshark. Even though my mobile phone app showed ping responses, I did NOT see any ping requests to my Orbi in the WAN log (or any ping responses). I did see my Orbi making some ping requests and getting responses but not involving my mobile phone.
So now I am more confused than ever. The Orbi log contains zillions of ARP requests and some ICMPv6 traffic, but not those ping requests. Does the Orbi not log any packets that have been discarded? Hmmm. Guess I could repeat the experiment and capture a WAN log when the Orbi is told to respond to ping requests. (Maybe later today.)
For now, however, I regard this as a mystery.
Re: Disable Port Scan and DoS Protection Misleading
@CrimpOn wrote:
I did another test. Turned on the "debug log", did some pings from my mobile phone over LTE, then looked at the WAN capture using Wireshark. Even though my mobile phone app showed ping responses, I did NOT see any ping requests to my Orbi in the WAN log (or any ping responses). I did see my Orbi making some ping requests and getting responses but not involving my mobile phone.
So now I am more confused than ever. The Orbi log contains zillions of ARP requests and some ICMPv6 traffic, but not those ping requests. Does the Orbi not log any packets that have been discarded? Hmmm. Guess I could repeat the experiment and capture a WAN log when the Orbi is told to respond to ping requests. (Maybe later today.)
For now, however, I regard this as a mystery.
It sounds like your cable modem is doing the routing. You might have a double NAT situation.
Re: Disable Port Scan and DoS Protection Misleading
Maybe a forum moderator can comment and let us know what we should be expecting to see and not see with these features enabled and disabled...
Re: Disable Port Scan and DoS Protection Misleading
Did another test. Set Orbi to Respond to Ping on Internet, turned on WAN capture, and did 11 pings from my mobile phone over LTE connection. Sure enough, opened the Orbi WAN log with Wireshark and there are 11 ping request/ping reply that are one second apart. When the "Respond" option is checked, the log shows pings. When the "Respond" option is unchecked, the log does not show pings.
So, my conclusion is that when Orbi is set NOT to respond to ping requests on internet, it indeed does not. I believe the ping requests are dropped by the Orbi and ignored. Spectrum is definitely sending a ping response, but I do not know how or why.
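The capture comparison described in the post above can be scripted rather than read by eye in Wireshark. The following is an added example, not code from any poster or from NETGEAR; it assumes the WAN capture is a classic Ethernet pcap file, and the addresses and frames in it are constructed sample data.

```python
import socket
import struct

def icmp_frame(src, dst, icmp_type, ident, seq):
    """Constructed Ethernet/IPv4/ICMP echo frame (checksums left as zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap, one packet per second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def echo_summary(pcap, wan_ip):
    """Return (echo requests sent to wan_ip, replies from wan_ip matching one)."""
    magic = struct.unpack_from("<I", pcap)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("expected Ethernet link type")
    off, pending, requests, answered = 24, set(), 0, 0
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # ARP, ICMPv6 and other non-ICMPv4 traffic
        icmp = frame[14 + (frame[14] & 0x0F) * 4:][:8]
        if len(icmp) < 8:
            continue
        itype, _, _, ident, seq = struct.unpack("!BBHHH", icmp)
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if itype == 8 and dst == wan_ip:  # echo request aimed at the WAN address
            requests += 1
            pending.add((src, ident, seq))
        elif itype == 0 and src == wan_ip and (dst, ident, seq) in pending:
            pending.remove((dst, ident, seq))  # echo reply pairs with a request
            answered += 1
    return requests, answered

WAN, PHONE = "203.0.113.10", "198.51.100.7"  # constructed documentation addresses
ARP = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28  # constructed ARP noise
respond_on = build_pcap([f for s in range(11) for f in
                         (icmp_frame(PHONE, WAN, 8, 7, s), icmp_frame(WAN, PHONE, 0, 7, s))])
respond_off = build_pcap([ARP] * 5)
print(echo_summary(respond_on, WAN), echo_summary(respond_off, WAN))
```

A result of (n, n) means the router answered every request, (n, 0) means requests reached the capture point but drew no reply, and (0, 0) means no echo request to the WAN address appears in the capture at all, which is the case the post reports with the option unchecked.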
Re: Disable Port Scan and DoS Protection Misleading
@fdanna wrote:
........... My first instinct was to make sure I had disabled ping response on the WAN port, which I had, but it was still pinging! ..........
If you ping from a computer attached to your wifi and ping the WAN port you will get a response. Please test from a computer not attached to Orbi to get correct results.
@fdanna wrote:
.........Then come to find out, on Orbi, when you turn on VPN it re-enables ping responses. .......
You can overcome this by doing the following telnet command (it will not impact VPN):
root@RBR50:/# config get wan_endis_rspToPing
You will get the default which is 1 (means Orbi should respond to WAN ping requests)
root@RBR50:/# config set wan_endis_rspToPing=0
root@RBR50:/# config commit
Re: Disable Port Scan and DoS Protection Misleading
Two months and no solution?? I am just confused by one issue here. Why is the 'Default' a checked box/enabled "disabled port scan and dos protection"? Even the help pop-up on the same router page states it should only be disabled on 'special circumstance'. Thus I have to uncheck the box in order to enable the protection. But, and it's a big but, I do get the same DoS attacks on an Apple iPad every few minutes. My PC gets them also but it is the Router's DNS (75.75.75.75) attacking the IP/Mask. (??) This does seem to stop when I leave the box checked, disabling scans and protection. Doesn't make sense.
Also, neither Comcast nor Net Gear say they can adjust my modem/router clock and thus one hour behind. I don't see any clock settings incl. DLSavings time.
A little help pls..
Re: Disable Port Scan and DoS Protection Misleading
@go4par wrote:
Also, neither Comcast nor Net Gear say they can adjust my modem/router clock and thus one hour behind. I don't see any clock settings incl. DLSavings time.
On the Orbi web interface, Advanced Tab->Administration->NTP Settings is where the user has a choice of which NTP server to use and whether to follow Daylight Saving Time.
Re: Disable Port Scan and DoS Protection Misleading
@go4par wrote:
My PC gets them also but it is the Router's DNS (75.75.75.75) attacking the IP/Mask.
When I do a "nslookup" on 75.75.75.75 it comes up as Comcast's DNS server. If Comcast is the ISP, then I would expect to get packets from 75.75.75.75. There is a way to check: on the Advanced Tab->Internet Setup, what does it show for DNS servers?
It has been a long time since I did a "factory reset" on my Orbi, but my memory is that the only box checked on the WAN Setup was the Disable IGMP Proxy.
Re: Disable Port Scan and DoS Protection Misleading
Thanks for taking the time to reply. I do not have an ORBI. (When I hit reply here it asks which device I have (C6250/AC1600 C/M/R). It seems that does not show up. (?)) I also looked on the MYNetGear page and Comcast page. I'll call Comcast again (NG always wants more $$ to get support). Regards
Re: Disable Port Scan and DoS Protection Misleading
One of the "Top Answers" on the C6250 page is about Daylight Saving Time:
This appears to indicate that the C6250 does not have an option for DST.
The user manual is over 150 pages. I did not see any mention of Daylight Saving Time (or even NTP servers!)
http://www.downloads.netgear.com/files/GDC/C6250/C6250_UM_EN.pdf
The Netgear forum on "Cable Modems and Routers" has topics that mention the 6250. Maybe someone on there can offer suggestions.
https://community.netgear.com/t5/Cable-Modems-Routers/bd-p/home-cable-modems-routers
Good Luck!