
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

Joelovinlife
Aspirant

AC2200 Orbi Router(Dos Attacks - Loss of Service)

So I'm having the popular issue of DOS attacks. I've done some research and see most Netgear Routers report these in their logs. However, I lose internet connection randomly throughout the day and all troubleshooting and support calls have led me here. I understand most DOS attacks logged are common by Google and Facebook but my logs don't show hundreds or thousands of attacks per second which is usually what stops service. I typically lose connection on all my devices until the router stabilizes and comes back online. Wifi connection more specifically. I have read that these can cause Netgear routers to restart. I have a Verizon Fios hard-wired ethernet connection at home plugged into my Orbi Router and 2 Satellites. No Modem.

I've done some troubleshooting and I am testing certain devices 1 by 1 to see if my connection drops due to any particular device connecting. I've read posts and articles related to this issue and I am not sure if the attacks are enough to drop service intermittently like it's doing. I've gotten my ISP to change my IP a couple times already. Any help would be appreciated!

Here are the questionable DOS attacks from my log:

34.98.102.181 (Google), ports: 5222
31.13.66.51 (Facebook), ports: 5222, 433
203.205.239.248 (China), ports: 8080
217.182.137.219 (France), ports: 80
147.135.252.44 (France), ports: 80
103.109.57.62 (Bangladesh), ports: 80

Most logged are from Facebook and Google... like 95%! The others maybe 2 logged entries. But if there are not hundreds of these logged at a time, why would this cause my connection to fail?
Model: EX7500|AC2200 Nighthawk X4S Tri Band WiFi Mesh Extender
Message 1 of 13
tomschmidt
Virtuoso

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

If you suspect your router is rebooting due to DDOS attacks, then login to the http://orbilogin.net/debug.htm web interface and check the uptime reported.

Message 2 of 13
Joelovinlife
Aspirant

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

Yes, I did that and I believe it's definitely related time-wise, but will 1 to 3 DoS attacks make the connection drop??
Message 3 of 13
CrimpOn
Guru

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

I monitor two Orbi systems that regularly log over 100 "DoS Attacks" every day.  One of them just recently filled the log file every 3 minutes for 8 hours with DoS Attacks, and never went down.  This was a sustained rate of 2-3 attacks logged per second for 8 hours.

 

I do not doubt that something is causing the Orbi to malfunction frequently, but I have serious doubts that a small number of "DoS Attacks" is the cause.

 

 

Message 4 of 13
Joelovinlife
Aspirant

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

I am thinking the same...thx for the info.
Not sure if it's a Netgear thing or maybe a malfunction in the Router.
Message 5 of 13
FURRYe38
Guru

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

What Firmware version is currently loaded?
What is the Mfr and model# of the Internet Service Provider's modem/ONT the NG router is connected to?

Have your ISP change your WAN IP address on the modem. 

 

 

Message 6 of 13
OrbiPhilip
Luminary

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

Did you ever find a solution? I've been experiencing intermittent LOS for a week now. Assumed it was Xfinity, but tonight I noticed a correlation between Orbi reporting a DOS attack and Nagios reporting loss of connectivity to CNN, Google, etc.
Example:

Nagios Log excerpt:

August 08, 2020 12:00	

Host Up[2020-08-08 12:10:44] HOST ALERT: one_dns;UP;SOFT;1;PING OK - Packet loss = 0%, RTA = 11.43 ms
Host Up[2020-08-08 12:10:16] HOST ALERT: google_dns;UP;SOFT;1;PING OK - Packet loss = 0%, RTA = 11.92 ms
Host Up[2020-08-08 12:10:15] HOST ALERT: CNN_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.048 second response time
Host Up[2020-08-08 12:10:12] HOST ALERT: google_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 547 bytes in 0.052 second response time
Host Down[2020-08-08 12:10:09] HOST ALERT: CNN_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:10:06] HOST ALERT: google_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:57] HOST ALERT: google_dns;DOWN;SOFT;1;(Host check timed out after 30.01 seconds)
Host Down[2020-08-08 12:09:53] HOST ALERT: CNN_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:50] HOST ALERT: google_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:40] HOST ALERT: one_dns;DOWN;SOFT;1;(Host check timed out after 30.01 seconds)
Host Down[2020-08-08 12:09:37] HOST ALERT: CNN_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:34] HOST ALERT: google_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:20] HOST ALERT: CNN_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds

August 08, 2020 08:00	

Service Ok[2020-08-08 08:51:52] SERVICE ALERT: CNN_http;HTTP;OK;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.046 second response time
Host Up[2020-08-08 08:47:08] HOST ALERT: CNN_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.046 second response time
Host Up[2020-08-08 08:47:05] HOST ALERT: google_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 547 bytes in 0.038 second response time
Host Down[2020-08-08 08:47:02] HOST ALERT: CNN_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Up[2020-08-08 08:47:02] HOST ALERT: google_dns;UP;SOFT;1;PING OK - Packet loss = 16%, RTA = 13.37 ms
Service Critical[2020-08-08 08:47:01] SERVICE ALERT: CNN_http;HTTP;CRITICAL;HARD;1;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:59] HOST ALERT: google_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:46] HOST ALERT: CNN_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:43] HOST ALERT: google_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:42] HOST ALERT: google_dns;DOWN;SOFT;1;(Host check timed out after 31.01 seconds)
Host Down[2020-08-08 08:46:30] HOST ALERT: CNN_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:27] HOST ALERT: google_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:14] HOST ALERT: CNN_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:11] HOST ALERT: google_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds

Orbi Log excerpt:

[DoS Attack: SYN/ACK Scan] from source: 94.130.44.37, port 30120, Saturday, August 08, 2020 12:38:34
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:33:07
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 12:33:03
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:28:07
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 12:28:03
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:23:07
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 12:23:03
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:23:03
[DoS Attack: ACK Scan] from source: 162.250.6.136, port 5938, Saturday, August 08, 2020 12:10:13
[DoS Attack: TCP/UDP Chargen] from source: 83.97.20.35, port 35004, Saturday, August 08, 2020 11:31:07
[DoS Attack: SYN/ACK Scan] from source: 94.130.44.37, port 30120, Saturday, August 08, 2020 10:35:01
[DoS Attack: TCP/UDP Echo] from source: 141.212.123.205, port 36044, Saturday, August 08, 2020 10:12:53
[DoS Attack: ACK Scan] from source: 45.61.142.175, port 10668, Saturday, August 08, 2020 09:31:16
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 09:09:57
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 09:09:52
[DoS Attack: ARP Attack] from source: 192.168.1.55, Saturday, August 08, 2020 09:05:59
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 09:04:57
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 09:04:52
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 08:59:57
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 08:59:52
[DoS Attack: RST Scan] from source: 18.218.187.50, port 6500, Saturday, August 08, 2020 08:47:11
[DoS Attack: SYN/ACK Scan] from source: 87.236.16.53, port 80, Saturday, August 08, 2020 08:34:23
[DoS Attack: RST Scan] from source: 13.224.85.92, port 443, Saturday, August 08, 2020 08:16:22







Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 7 of 13
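One way to check the correlation described in the post above, as an added example that is not part of the original thread and not NETGEAR or Nagios tooling: it merges Nagios DOWN alerts into outage windows and lists the Orbi "DoS Attack" entries logged near each one. The function names, the 60-second merge gap and the 60-second slack are assumptions, as is the premise that both logs use the same clock and time zone.

```python
import re
from datetime import datetime, timedelta

ORBI_RE = re.compile(r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+),"
                     r"(?: port \d+,)? \w+, (?P<ts>\w+ \d{2}, \d{4} [\d:]{8})")
DOWN_RE = re.compile(r"\[(?P<ts>[\d-]{10} [\d:]{8})\] HOST ALERT: [^;]+;DOWN;")

def parse_orbi(text):
    """Return (timestamp, kind, source) for each Orbi 'DoS Attack' line."""
    return [(datetime.strptime(m["ts"], "%B %d, %Y %H:%M:%S"), m["kind"], m["src"])
            for m in ORBI_RE.finditer(text)]

def outage_windows(text, gap=timedelta(seconds=60)):
    """Merge Nagios DOWN alerts at most `gap` apart into (start, end) windows."""
    downs = sorted(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
                   for m in DOWN_RE.finditer(text))
    windows = []
    for ts in downs:
        if windows and ts - windows[-1][1] <= gap:
            windows[-1][1] = ts          # extend the current outage
        else:
            windows.append([ts, ts])     # start a new outage
    return [tuple(w) for w in windows]

def correlate(orbi_text, nagios_text, slack=timedelta(seconds=60)):
    """Map each outage window to the Orbi entries logged within `slack` of it."""
    entries = parse_orbi(orbi_text)
    return {w: [e for e in entries if w[0] - slack <= e[0] <= w[1] + slack]
            for w in outage_windows(nagios_text)}

# Subset of the lines from the two log excerpts in the post above.
NAGIOS = """\
Host Up[2020-08-08 12:10:15] HOST ALERT: CNN_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.048 second response time
Host Down[2020-08-08 12:10:09] HOST ALERT: CNN_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:20] HOST ALERT: CNN_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:47:02] HOST ALERT: CNN_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:11] HOST ALERT: google_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
"""
ORBI = """\
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:33:07
[DoS Attack: ACK Scan] from source: 162.250.6.136, port 5938, Saturday, August 08, 2020 12:10:13
[DoS Attack: ARP Attack] from source: 192.168.1.55, Saturday, August 08, 2020 09:05:59
[DoS Attack: RST Scan] from source: 18.218.187.50, port 6500, Saturday, August 08, 2020 08:47:11
[DoS Attack: SYN/ACK Scan] from source: 87.236.16.53, port 80, Saturday, August 08, 2020 08:34:23
"""

if __name__ == "__main__":
    for (start, end), hits in correlate(ORBI, NAGIOS).items():
        print(f"{start} .. {end}: {[(str(t), k, s) for t, k, s in hits]}")
```

On these excerpts each outage window has a single Orbi entry within a minute of it, while the 208.73.181.x ACK Scan entries logged at five-minute intervals fall outside both windows.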
Mstrbig
Master

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

The Orbi has a habit of finding an overwhelming amount of DDOS attacks. Even though you may want to see these reports, there may be many coming from Google, Amazon, Microsoft, Apple, etc., adding overheads to the processing of the Orbi. You can turn off DDOS attack logging, or put up with it. Turning off logging may help with stability issues. Since there are so many entries to the log, the processor gets taxed and slows down because of the extra work.

Message 8 of 13
schumaku
Guru

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)


@Mstrbig wrote:

The Orbi has a habit of finding an overwhelming amount of DDOS attacks.

Correct. The Orbi Netgear routers have a habit of finding an overwhelming amount of DDOS attacks.

 

Most occurrences are false positives, caused by _real_ connection loss on the WAN/Internet side, or caused from clients going to sleep or roaming away with open TCP sessions.

Message 9 of 13
OrbiPhilip
Luminary

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

How would an LOS create the illusion of a DDOS?
Message 10 of 13
Mstrbig
Master

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)


@OrbiPhilip wrote:
How would an LOS create the illusion of a DDOS?

It would be the other way around: overwhelming DDOS attacks causing LOS.

Message 11 of 13
Mstrbig
Master

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)

Have you tried checking "Disable Port Scan and Dos Protection", under advanced, setup, WAN setup? 

 

My page is set this way and I get no DDOS reports in log or LOS:

Disable Port Scan and DoS Protection

 Default DMZ Server. . . 

 Respond to Ping on Internet Port

X Disable IGMP Proxying Auto 

MTU Size(in bytes) 1500

NAT Filtering Secured  Open
 X Disable SIP ALG
Message 12 of 13
OrbiPhilip
Luminary

Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)


@Mstrbig wrote:

It would be the other way around: overwhelming DDOS attacks causing LOS.


That would be my expectation as well. I was referring to Schumaku's comment, "Most occurrences are false positives, caused by _real_ connection loss on the WAN/Internet side..."

@Mstrbig wrote:

Have you tried checking "Disable Port Scan and Dos Protection", under advanced, setup, WAN setup? 

 

My page is set this way and I get no DDOS reports in log or LOS:

So actual DDOS attacks don't take it down, but the router's attempts to prevent them do?   Interesting. 

Message 13 of 13