Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
AC2200 Orbi Router(Dos Attacks - Loss of Service)
I've done some troubleshooting and I am testing certain devices 1 by 1 to see if my connection drops due to any particular device connecting. I've read posts and articles related to this issue and I am not sure if the attacks are enough to drop service intermittently like it's doing. I've gotten my ISP to change my IP a couple times already. Any help would be appreciated!
Here are the questionable DOS attacks from my log:
34.98.102.181 (Google), ports: 5222
31.13.66.51 (Facebook), ports: 5222, 433
203.205.239.248 (China), ports: 8080
217.182.137.219 (France), ports: 80
147.135.252.44 (France), ports: 80
103.109.57.62 (Bangladesh), ports: 80
Most logged are from Facebook and Google... like 95%! The others maybe 2 logged entries. But if there are not hundreds of these logged at a time, why would this cause my connection to fail?
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
If you suspect your router is rebooting due to DDOS attacks, then log in to the http://orbilogin.net/debug.htm web interface and check the uptime reported.
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
I monitor two Orbi systems that regularly log over 100 "DoS Attacks" every day. One of them just recently filled the log file every 3 minutes for 8 hours with DoS Attacks, and never went down. This was a sustained rate of 2-3 attacks logged per second for 8 hours.
I do not doubt that something is causing the Orbi to malfunction frequently, but I have serious doubts that a small number of "DoS Attacks" is the cause.
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
Not sure if it's a Netgear thing or maybe a malfunction in the router.
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
What Firmware version is currently loaded?
What is the Mfr and model# of the Internet Service Provider's modem/ONT the NG router is connected to?
Have your ISP change your WAN IP address on the modem.
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
Did you ever find a solution? I've been experiencing intermittent LOS for a week now. Assumed it was Xfinity, but tonight I noticed a correlation between Orbi reporting a DOS attack and Nagios reporting loss of connectivity to CNN, Google, etc.
Example:
Nagios Log excerpt:
August 08, 2020 12:00
Host Up[2020-08-08 12:10:44] HOST ALERT: one_dns;UP;SOFT;1;PING OK - Packet loss = 0%, RTA = 11.43 ms
Host Up[2020-08-08 12:10:16] HOST ALERT: google_dns;UP;SOFT;1;PING OK - Packet loss = 0%, RTA = 11.92 ms
Host Up[2020-08-08 12:10:15] HOST ALERT: CNN_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.048 second response time
Host Up[2020-08-08 12:10:12] HOST ALERT: google_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 547 bytes in 0.052 second response time
Host Down[2020-08-08 12:10:09] HOST ALERT: CNN_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:10:06] HOST ALERT: google_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:57] HOST ALERT: google_dns;DOWN;SOFT;1;(Host check timed out after 30.01 seconds)
Host Down[2020-08-08 12:09:53] HOST ALERT: CNN_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:50] HOST ALERT: google_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:40] HOST ALERT: one_dns;DOWN;SOFT;1;(Host check timed out after 30.01 seconds)
Host Down[2020-08-08 12:09:37] HOST ALERT: CNN_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:34] HOST ALERT: google_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 12:09:20] HOST ALERT: CNN_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
August 08, 2020 08:00
Service Ok[2020-08-08 08:51:52] SERVICE ALERT: CNN_http;HTTP;OK;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.046 second response time
Host Up[2020-08-08 08:47:08] HOST ALERT: CNN_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.046 second response time
Host Up[2020-08-08 08:47:05] HOST ALERT: google_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 547 bytes in 0.038 second response time
Host Down[2020-08-08 08:47:02] HOST ALERT: CNN_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Up[2020-08-08 08:47:02] HOST ALERT: google_dns;UP;SOFT;1;PING OK - Packet loss = 16%, RTA = 13.37 ms
Service Critical[2020-08-08 08:47:01] SERVICE ALERT: CNN_http;HTTP;CRITICAL;HARD;1;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:59] HOST ALERT: google_http;DOWN;SOFT;4;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:46] HOST ALERT: CNN_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:43] HOST ALERT: google_http;DOWN;SOFT;3;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:42] HOST ALERT: google_dns;DOWN;SOFT;1;(Host check timed out after 31.01 seconds)
Host Down[2020-08-08 08:46:30] HOST ALERT: CNN_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:27] HOST ALERT: google_http;DOWN;SOFT;2;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:14] HOST ALERT: CNN_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
Host Down[2020-08-08 08:46:11] HOST ALERT: google_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
Orbi Log excerpt:
[DoS Attack: SYN/ACK Scan] from source: 94.130.44.37, port 30120, Saturday, August 08, 2020 12:38:34
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:33:07
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 12:33:03
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:28:07
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 12:28:03
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:23:07
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 12:23:03
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:23:03
[DoS Attack: ACK Scan] from source: 162.250.6.136, port 5938, Saturday, August 08, 2020 12:10:13
[DoS Attack: TCP/UDP Chargen] from source: 83.97.20.35, port 35004, Saturday, August 08, 2020 11:31:07
[DoS Attack: SYN/ACK Scan] from source: 94.130.44.37, port 30120, Saturday, August 08, 2020 10:35:01
[DoS Attack: TCP/UDP Echo] from source: 141.212.123.205, port 36044, Saturday, August 08, 2020 10:12:53
[DoS Attack: ACK Scan] from source: 45.61.142.175, port 10668, Saturday, August 08, 2020 09:31:16
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 09:09:57
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 09:09:52
[DoS Attack: ARP Attack] from source: 192.168.1.55, Saturday, August 08, 2020 09:05:59
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 09:04:57
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 09:04:52
[DoS Attack: ACK Scan] from source: 208.73.181.200, port 443, Saturday, August 08, 2020 08:59:57
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 08:59:52
[DoS Attack: RST Scan] from source: 18.218.187.50, port 6500, Saturday, August 08, 2020 08:47:11
[DoS Attack: SYN/ACK Scan] from source: 87.236.16.53, port 80, Saturday, August 08, 2020 08:34:23
[DoS Attack: RST Scan] from source: 13.224.85.92, port 443, Saturday, August 08, 2020 08:16:22
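
One way to check the correlation described in the post above, as an added example (not code from any poster or from Netgear): it builds outage windows from the Nagios HOST ALERT lines and labels each Orbi "DoS Attack" entry as during an outage, shortly after recovery, or unrelated. The function names and the 60-second grace period are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Sample input: a few entries copied from the two excerpts in the post above.
NAGIOS = """\
Host Up[2020-08-08 12:10:15] HOST ALERT: CNN_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.048 second response time
Host Down[2020-08-08 12:09:20] HOST ALERT: CNN_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
Host Up[2020-08-08 08:47:08] HOST ALERT: CNN_http;UP;SOFT;1;HTTP OK: HTTP/1.1 301 Moved Permanently - 499 bytes in 0.046 second response time
Host Down[2020-08-08 08:46:14] HOST ALERT: CNN_http;DOWN;SOFT;1;CRITICAL - Socket timeout after 10 seconds
"""
ORBI = """\
[DoS Attack: ACK Scan] from source: 208.73.181.96, port 443, Saturday, August 08, 2020 12:23:07
[DoS Attack: ACK Scan] from source: 162.250.6.136, port 5938, Saturday, August 08, 2020 12:10:13
[DoS Attack: ARP Attack] from source: 192.168.1.55, Saturday, August 08, 2020 09:05:59
[DoS Attack: RST Scan] from source: 18.218.187.50, port 6500, Saturday, August 08, 2020 08:47:11
"""
NAGIOS_RE = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] HOST ALERT: ([^;]+);(UP|DOWN);")
ORBI_RE = re.compile(r"\[DoS Attack: ([^\]]+)\] from source: ([\d.]+),(?: port (\d+),)?"
                     r" \w+, (\w+ \d+, \d{4} [\d:]+)")

def outage_windows(text):
    """Per host, pair the first DOWN alert with the next UP alert."""
    alerts = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, state)
                    for ts, host, state in NAGIOS_RE.findall(text))
    open_since, windows = {}, []
    for when, host, state in alerts:
        if state == "DOWN":
            open_since.setdefault(host, when)   # keep the earliest DOWN
        elif host in open_since:
            windows.append((host, open_since.pop(host), when))
    return windows                              # outages still open are ignored

def dos_events(text):
    """Parse Orbi 'DoS Attack' lines; the port is absent on ARP entries."""
    return [(datetime.strptime(ts, "%B %d, %Y %H:%M:%S"), kind, src, port or None)
            for kind, src, port, ts in ORBI_RE.findall(text)]

def classify(events, windows, grace=timedelta(seconds=60)):
    """Label each event by where it falls relative to the outage windows."""
    rows = []
    for when, kind, src, _port in sorted(events, key=lambda e: e[0]):
        during = any(s <= when <= e for _, s, e in windows)
        after = any(e < when <= e + grace for _, s, e in windows)
        label = "during outage" if during else "just after recovery" if after else "unrelated"
        rows.append((when.strftime("%H:%M:%S"), kind, src, label))
    return rows

if __name__ == "__main__":
    for row in classify(dos_events(ORBI), outage_windows(NAGIOS)):
        print(*row, sep="  ")
```

Both regular expressions also match the logs when the entries are pasted as one long line, so the full excerpts can be fed in as they are.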
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
The Orbi has a habit of finding an overwhelming amount of DDOS attacks. Even though you may want to see these reports, there may be many coming from Google, Amazon, Microsoft, Apple, etc., adding overheads to the processing of the Orbi. You can turn off DDOS attack logging, or put up with it. Turning off logging may help with stability issues. Since there are so many entries to the log, the processor gets taxed and slows down because of the extra work.
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
@Mstrbig wrote:
The Orbi has a habit of finding an overwhelming amount of DDOS attacks.
Correct. The Orbi Netgear routers have a habit of finding an overwhelming amount of DDOS attacks.
Most occurrences are false positives, caused by _real_ connection loss on the WAN/Internet side, or caused by clients going to sleep or roaming away with open TCP sessions.
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
@OrbiPhilip wrote:
How would an LOS create the illusion of a DDOS?
It would be the other way around: overwhelming DDOS attacks causing LOS.
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
Have you tried checking "Disable Port Scan and DoS Protection", under Advanced, Setup, WAN Setup?
My page is set this way and I get no DDOS reports in log or LOS:
X Disable Port Scan and DoS Protection | |
Default DMZ Server | . . . |
Respond to Ping on Internet Port | |
X Disable IGMP Proxying | Auto |
MTU Size(in bytes) 1500 | |
NAT Filtering | Secured Open |
X Disable SIP ALG |
Re: AC2200 Orbi Router(Dos Attacks - Loss of Service)
@Mstrbig wrote:
It would be the other way around: overwhelming DDOS attacks causing LOS.
That would be my expectation as well. I was referring to Schumaku's comment, "Most occurrences are false positives, caused by _real_ connection loss on the WAN/Internet side..."
@Mstrbig wrote:
Have you tried checking "Disable Port Scan and DoS Protection", under Advanced, Setup, WAN Setup?
My page is set this way and I get no DDOS reports in log or LOS:
So actual DDOS attacks don't take it down, but the router's attempts to prevent them do? Interesting.