× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
× Introducing the new Orbi 770 Series Mesh System. To learn more click here.
Orbi WiFi 7 RBE973
Reply

Re: DoS Attacks - from varying sources and ports.

itsthelag
Aspirant

DoS Attacks - from varying sources and ports.

Hi There,

Since all the working from home started - I've noticed sporadic interruptions while using Video conferencing and while gaming. I will get ping spikes for about 3-5 mins and then it's pretty much back to normal. I researched a bit and found that some of this is just scans that happen normally, but some of the ports I'm seeing are not what people reference as "common ports", 443 and 80 being the most common. I attached the logs in a spreadsheet. Wondering if someone could let me know if I should be concerned or what I should do about it? I really don't want to deal with the interruptions in service and I don't know what else could be causing the interruptions. Any help would be greatly appreciated!

PS - I have so many lines I cannot post the log.

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 11
FURRYe38
Guru

Re: DoS Attacks - from varying sources and ports.

What Firmware version is currently loaded?
What is the Mfr and model# of the Internet Service Providers modem/ONT the NG router is connected too?

 

What IP addresses are shown in the logs with these attacks? Any of them 192.168.1.somehing or for external IP addresses? 

Message 2 of 11
itsthelag
Aspirant

Re: DoS Attacks - from varying sources and ports.

Firmware is 2.5.1.8, says it's up to date.

Modem is a NG CM 1000.

 

as for the IPs they are all varying and I'm not positive how to determine if they're from an external address - of the 256 lines I pulled from the log, 125 of them are DoS related. An actual attack doesn't make sense to me, but if not this, what would be causing my newly minted spikes and disconnects while gaming?

 

[DoS Attack: SYN/ACK Scan] from source: 45.220.82.227, port 80, Tuesday, April 21, 2020 10:36:00
[DoS Attack: ACK Scan] from source: 35.168.41.214, port 443, Tuesday, April 21, 2020 10:33:37
[DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 10:14:32
[DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 10:04:19
[DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 09:46:07
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 09:36:16
[DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 09:25:53
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 09:15:02
[DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Tuesday, April 21, 2020 09:10:50
[UPnP set event: del_nat_rule] from source 10.0.0.14, Tuesday, April 21, 2020 08:58:49
[DoS Attack: SYN/ACK Scan] from source: 213.238.167.92, port 22, Tuesday, April 21, 2020 08:56:44
[DHCP IP: 10.0.0.16] to MAC address d0:c6:37:63:3d:82, Tuesday, April 21, 2020 08:05:11
[DoS Attack: ACK Scan] from source: 52.96.32.2, port 443, Tuesday, April 21, 2020 07:46:39
[DoS Attack: ACK Scan] from source: 216.82.178.25, port 443, Tuesday, April 21, 2020 07:24:45
[DoS Attack: SYN/ACK Scan] from source: 149.202.87.54, port 25565, Tuesday, April 21, 2020 07:07:35
[DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 06:57:01
[DoS Attack: RST Scan] from source: 213.29.6.196, port 43589, Tuesday, April 21, 2020 06:10:26
[DHCP IP: 10.0.0.2] to MAC address 3c:37:86:45:88:73, Tuesday, April 21, 2020 05:53:55
[DHCP IP: 10.0.0.3] to MAC address 28:6d:97:a4:66:d8, Tuesday, April 21, 2020 05:53:00
[DoS Attack: SYN/ACK Scan] from source: 43.250.107.198, port 80, Tuesday, April 21, 2020 05:32:16
[DoS Attack: SYN/ACK Scan] from source: 88.198.146.70, port 80, Tuesday, April 21, 2020 05:30:20
[DoS Attack: TCP/UDP Chargen] from source: 71.6.232.5, port 53443, Tuesday, April 21, 2020 05:04:08
[DoS Attack: SYN/ACK Scan] from source: 149.202.139.215, port 25565, Tuesday, April 21, 2020 03:55:52
[DoS Attack: SYN/ACK Scan] from source: 88.198.146.70, port 80, Tuesday, April 21, 2020 03:10:38
[DoS Attack: RST Scan] from source: 185.195.16.201, port 80, Tuesday, April 21, 2020 02:02:49
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 01:48:01
[DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 01:40:51
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 01:36:39
[DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 01:33:58
[DoS Attack: ACK Scan] from source: 52.96.9.5, port 8779, Tuesday, April 21, 2020 01:30:40
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:26:47
[DHCP IP: 10.0.0.20] to MAC address 08:12:a5:6a:32:76, Tuesday, April 21, 2020 01:26:43
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:26:02
[DHCP IP: 10.0.0.13] to MAC address 38:53:9c:a3:32:82, Tuesday, April 21, 2020 01:25:52
[DHCP IP: 10.0.0.8] to MAC address dc:f5:05:92:cc:3a, Tuesday, April 21, 2020 01:25:50
[DoS Attack: ACK Scan] from source: 52.96.9.5, port 10937, Tuesday, April 21, 2020 01:25:40
[DHCP IP: 10.0.0.20] to MAC address 08:12:a5:6a:32:76, Tuesday, April 21, 2020 01:25:37
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:25:31
[DHCP IP: 10.0.0.7] to MAC address fc:a1:83:22:79:30, Tuesday, April 21, 2020 01:25:26
[DHCP IP: 10.0.0.15] to MAC address 64:16:66:af:07:3b, Tuesday, April 21, 2020 01:25:23
[DHCP IP: 10.0.0.9] to MAC address 64:16:66:af:2b:6f, Tuesday, April 21, 2020 01:25:22
[DHCP IP: 10.0.0.12] to MAC address 78:d2:94:2d:a0:b3, Tuesday, April 21, 2020 01:25:20
[DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:25:14
[DHCP IP: 10.0.0.14] to MAC address b4:ae:2b:1a:e0:ec, Tuesday, April 21, 2020 01:25:14
[DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 01:25:12
[DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:25:11
[DHCP IP: 10.0.0.4] to MAC address 28:6d:97:b4:de:d3, Tuesday, April 21, 2020 01:24:59
[DHCP IP: 10.0.0.11] to MAC address 00:71:47:47:d3:29, Tuesday, April 21, 2020 01:24:56
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 01:18:04
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:06:22
[Time synchronized with NTP server] Tuesday, April 21, 2020 01:06:09
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:05:01
[admin login failure] from source 10.0.0.19, Tuesday, April 21, 2020 01:04:25
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:04:08
[DHCP IP: 10.0.0.14] to MAC address b4:ae:2b:1a:e0:ec, Tuesday, April 21, 2020 01:04:00
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:03:58
[DHCP IP: 10.0.0.12] to MAC address 78:d2:94:2d:a0:b3, Tuesday, April 21, 2020 01:03:57
[WLAN access rejected: incorrect security] from MAC address 8a:d2:94:2d:a0:b3, Tuesday, April 21, 2020 01:03:30
[DHCP IP: 10.0.0.13] to MAC address 38:53:9c:a3:32:82, Tuesday, April 21, 2020 01:03:02
[DHCP IP: 10.0.0.15] to MAC address 64:16:66:af:07:3b, Tuesday, April 21, 2020 01:02:57
[DHCP IP: 10.0.0.9] to MAC address 64:16:66:af:2b:6f, Tuesday, April 21, 2020 01:02:53
[DHCP IP: 10.0.0.8] to MAC address dc:f5:05:92:cc:3a, Tuesday, April 21, 2020 01:02:47
[DHCP IP: 10.0.0.6] to MAC address f2:54:33:9f:8c:65, Tuesday, April 21, 2020 01:02:43
[DHCP IP: 10.0.0.20] to MAC address 08:12:a5:6a:32:76, Tuesday, April 21, 2020 01:02:41
[DHCP IP: 10.0.0.7] to MAC address fc:a1:83:22:79:30, Tuesday, April 21, 2020 01:02:40
[DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:02:39
[DHCP IP: 10.0.0.19] to MAC address f0:6e:0b:e2:ed:a8, Tuesday, April 21, 2020 01:02:39
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Tuesday, April 21, 2020 01:02:36
[DHCP IP: 10.0.0.11] to MAC address 00:71:47:47:d3:29, Tuesday, April 21, 2020 01:02:33
[DHCP IP: 10.0.0.4] to MAC address 28:6d:97:b4:de:d3, Tuesday, April 21, 2020 01:02:33
[DHCP IP: 10.0.0.10] to MAC address 38:f7:3d:01:4f:f0, Tuesday, April 21, 2020 01:01:56
[remote login failure] from source 10.0.0.19, Tuesday, April 21, 2020 01:01:56
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 00:58:46
[DoS Attack: RST Scan] from source: 115.79.5.206, port 62831, Tuesday, April 21, 2020 00:53:30
[admin login] from source 10.0.0.19, Tuesday, April 21, 2020 00:47:52
[admin login failure] from source 10.0.0.19, Tuesday, April 21, 2020 00:47:43
[admin login failure] from source 10.0.0.19, Tuesday, April 21, 2020 00:47:32
[DoS Attack: ACK Scan] from source: 52.216.164.115, port 443, Tuesday, April 21, 2020 00:46:53
[DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Tuesday, April 21, 2020 00:40:46
[DoS Attack: SYN/ACK Scan] from source: 54.39.209.226, port 22, Tuesday, April 21, 2020 00:23:18
[DoS Attack: SYN/ACK Scan] from source: 64.68.121.205, port 80, Tuesday, April 21, 2020 00:13:31
[DoS Attack: ACK Scan] from source: 52.34.36.246, port 443, Tuesday, April 21, 2020 00:10:46
[DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Monday, April 20, 2020 23:55:46
[DHCP IP: 10.0.0.5] to MAC address 4c:55:cc:19:29:8f, Monday, April 20, 2020 23:28:09
[DHCP IP: 10.0.0.13] to MAC address 38:53:9c:a3:32:82, Monday, April 20, 2020 23:15:41
[DHCP IP: 10.0.0.12] to MAC address 78:d2:94:2d:a0:b3, Monday, April 20, 2020 22:27:29
[DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Monday, April 20, 2020 22:25:50
[DoS Attack: ACK Scan] from source: 31.13.71.3, port 443, Monday, April 20, 2020 22:03:03
[DoS Attack: ACK Scan] from source: 3.126.192.149, port 443, Monday, April 20, 2020 21:39:48
Message 3 of 11
FURRYe38
Guru

Re: DoS Attacks - from varying sources and ports.

You can use a whois lookup service online to see what those IP addresses are coming from. 

You should have your ISP change the IP address that is coming in from the modem as well to see if anything changes. 

Some IPs maybe from services to devcies on your network. You may want to turn OFF all devices accept for 1 wired PC to see if the entries disapate any. 

 

Have the ISP check the signal and line quality UP to the modem. 
Be sure there are not coax cable line splitters in the between the modem and ISP service box. 
Be sure your using good quality RG6 coax cable up to the modem.

 

Message 4 of 11
CrimpOn
Guru

Re: DoS Attacks - from varying sources and ports.

I have been collecting the logs from two Orbi's (one for over a year, one for 8 months).  These logs record these "DoS Attacks" every day, and this is entirely normal.  Orbi contains a firewall for a purpose. It rejects attempts to connect and has an option to record "interesting things" in the Orbi log.  People have posted comments indicating that Orbi is to "liberal" at classifying random connection attempts as "attacks".

The user can "Disable Port Scan and DoS Protection" on the Orbi web interface, Setup, WAN Setup page.  I believe this will stop the system from spending processing time recording and classifying things and writing them to the log.  I am not confident that there will be a noticable improvement in performance.

 

Orbi's have a "public IP address", just as we have "public" street addresses and phone numbers. It is almost trivial to create a program which will "scan" IP addresses looking for systems that respond.  This has been happening since the internet was created.  It's like RoboCalls that just dial every possible phone number hoping that some of them will answer.  I can set my phone to ignore certain calls and not ring, but that doesn't make the calls go away.

 

Since the service problems are serious, I would certainly try checking that box first.

Message 5 of 11
itsthelag
Aspirant

Re: DoS Attacks - from varying sources and ports.

Thank you for the advice - checking that won't leave me open to other security issues?

 

I downloaded a tool called ping plotter, and I really just don't know what i'm looking at - are these ping/latency spikes unusual?

Message 6 of 11
FURRYe38
Guru

Re: DoS Attacks - from varying sources and ports.

No, those are not good 

Did you test pings with a wired PC connected directly connected to the modem? Not with the RBR connected. 

 

Have the ISP check the signal and line quality UP to the modem. 
Be sure there are not coax cable line splitters in the between the modem and ISP service box. 
Be sure your using good quality RG6 coax cable up to the modem. 

Message 7 of 11
itsthelag
Aspirant

Re: DoS Attacks - from varying sources and ports.

Unfortunately, I don't have a way to connect a PC to the modem directly, I use a Surface book pro, which doesn't have an ethernet port. Does it look like the ISP is causing the issue?

 

I had XFINITY refresh the gateway signal - I will try to get them to look at this more in depth. No coax splitters - direct from the wall into the modem. Everything was working fine until last week when this started happening. I've never had these issues before.

Message 8 of 11
FURRYe38
Guru

Re: DoS Attacks - from varying sources and ports.

Does your Surface have a USB port? If so, you might check into getting a USB to LAN adapter. Then you can connect it to the ISP Modem and test again. Need to rule out the RBR or modem. 

If this was not a problem up to that point, then possible something on the ISP side. 

 

Message 9 of 11
itsthelag
Aspirant

Re: DoS Attacks - from varying sources and ports.

I connected my dock to the Orbi satellite and pinged 8.8.8.8, got flawless results - removed that and right back to ping spikes - could that be an indicator of issues? still would not explain the ping spikes i'm seeing on console because it's connected to the satellite as well. I also pinged my WAN IP and got similar results.

 

ping -n 36 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=23ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=17ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=23ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=24ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=17ms TTL=53
Reply from 8.8.8.8: bytes=32 time=17ms TTL=53
Reply from 8.8.8.8: bytes=32 time=23ms TTL=53
Reply from 8.8.8.8: bytes=32 time=20ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=23ms TTL=53
Reply from 8.8.8.8: bytes=32 time=20ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53

Ping statistics for 8.8.8.8:
Packets: Sent = 36, Received = 36, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 24ms, Average = 19ms

 

Disconnected results:

ping -n 36 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data
Reply from 8.8.8.8: bytes=32 time=24ms TTL=53
Reply from 8.8.8.8: bytes=32 time=22ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=20ms TTL=53
Reply from 8.8.8.8: bytes=32 time=24ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=20ms TTL=53
Reply from 8.8.8.8: bytes=32 time=24ms TTL=53
Reply from 8.8.8.8: bytes=32 time=22ms TTL=53
Reply from 8.8.8.8: bytes=32 time=230ms TTL=53
Reply from 8.8.8.8: bytes=32 time=195ms TTL=53
Reply from 8.8.8.8: bytes=32 time=367ms TTL=53
Reply from 8.8.8.8: bytes=32 time=20ms TTL=53
Reply from 8.8.8.8: bytes=32 time=88ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=18ms TTL=53
Reply from 8.8.8.8: bytes=32 time=25ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=22ms TTL=53
Reply from 8.8.8.8: bytes=32 time=167ms TTL=53
Reply from 8.8.8.8: bytes=32 time=125ms TTL=53
Reply from 8.8.8.8: bytes=32 time=295ms TTL=53
Reply from 8.8.8.8: bytes=32 time=20ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=22ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=21ms TTL=53
Reply from 8.8.8.8: bytes=32 time=19ms TTL=53
Reply from 8.8.8.8: bytes=32 time=22ms TTL=53

Ping statistics for 8.8.8.8:
Packets: Sent = 36, Received = 36, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 367ms, Average = 57ms

Message 10 of 11
FURRYe38
Guru

Re: DoS Attacks - from varying sources and ports.

So you pinged the RBS or pinged thru the RBS? 

Still need to ping directly to the modem then directly thru the RBR with the modem. 

Message 11 of 11
Top Contributors
Discussion stats
  • 10 replies
  • 5299 views
  • 3 kudos
  • 3 in conversation
Announcements

Orbi 770 Series