RedBatman89
Nov 25, 2019 Guide
DOS attack from Germany now?
This has been showing in my logs recently. [DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, November 25, 2019 09:42:27 https://www.ipinfolookup.com/148.251.48.231 ...
Killhippie
Dec 02, 2019 Prodigy
I have asked in the RAX120 latest firmware to see if anyone has seen this and passed the info on to Netgear.
ErnestTheGreat
Dec 04, 2019 NETGEAR Employee Retired
The Netgear router DoS Protection function provides DoS (Denial of Service) protection from the Internet for the hosts on the connected LAN. The protection is needed when the Port Forwarding or DMZ function is turned on or there is a LAN host accessing the Internet (and hence there is a NAT mapping for an Internet host to reach the LAN host), so a host on the LAN is exposed to the Internet and may get attacked.
If you are seeing DoS entries in your router log, it's a good thing; it means that the router was able to ID a possible DoS attack and prevent it. So I am not sure where all the concern is coming from. The DoS entries showing up in the router log simply mean that DoS protection is doing its job and protecting, and the router log is simply advising you of that.
Also, I see some entries for ports 50002, 50003, 50535. While these ports can be used as private ports, they are also utilized by Apple for Xsan (Xsan Filesystem Access services). It would be interesting to see if anyone getting these entries has any Apple devices, and if they are disconnected, whether the DoS entries still show up in the router logs for these ports.
- FURRYe38 Dec 04, 2019 Guru - Experienced User
Thank you for this information. Kind of confirms what I was seeing with my cell phone microcell placed in the DMZ a while back. I was seeing some logged DDOS attempted attacks against the microcell. After disabling the DMZ, the attacks stopped. I'll be sure to keep this in mind.
Thank you.
- Killhippie Dec 06, 2019 Prodigy
The attacks are coming from Germany, a company called Hetzner. I have been in contact through their abuse portal. Here are the replies in order, the last being a bit odd tbh.
We have received your information regarding spam and/or abuse and we shall follow up on this matter.
The person responsible has been sent the following instructions:
- Solve the issue
- Send us a response
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.
Kind regards
Dominik Prüßner
Hetzner Online GmbH
Dear Sir or Madam,
thanks for your reply.
Our customer has time to solve the abuse-complaint within 24 - 48 hours.
If the issue isn't solved after this time or we didn't receive any statement it may to lock the ip.
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.
Kind regards
Marianne Heumann
Hetzner Online GmbH
Dear Sir or Madam,
This is the reply of our customer:
"There is a DDoS ongoing on my Server. The Server will get a possibly
spoofed TCP SYN packet and will answer with a TCP SYN+ACK.
That is what you are seeing
I can block your network if you wish so."
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****]
unchanged in the subject line.
Kind regards
Dominik Prüßner
Hetzner Online GmbH
I'm not sure how they can block a network if they are under a DDoS or why it would send out Port SYN and ACK scans.
From the looks of this link the attacks are still happening.
https://www.abuseipdb.com/check/148.251.48.231
- FURRYe38 Dec 06, 2019 Guru - Experienced User
Are they attacking your WAN IP address or something in the routers DMZ?
- Killhippie Dec 06, 2019 Prodigy
My ISP said to contact them via the abuse contact, as individual ISPs can't block attacking IPs; you would need to block the offending IP at your firewall. It seems the person using this server is struggling or possibly causing (not Hetzner) a pretty large attack on many countries; there is info on Hetzner at the end of this. I declined the offer of stopping an attack on my network for reasons of not being sure if Hetzner have a bad actor on one of their servers or the person talking to me was in fact the cause, and tbh this is beyond my scope anyway. It's not the routers, it's just a bad actor, and the company seem to have a record of this occurring on that IP. https://en.wikipedia.org/wiki/Hetzner
- FURRYe38 Dec 06, 2019 Guru - Experienced User
Seems like we're seeing others.
Well, at least the firewalls in the routers are for the most part blocking them. They just seem to be logging lots of attempts. Hopefully they will stop.
- Killhippie Dec 06, 2019 Prodigy
Netgear routers seem to go through binges of attacks; this port 50002 can be used for PCoIP, whatever that is. Yes, let's hope they stop. I'm guessing someone knows of a vulnerability that's been patched and they are on the hunt. Sorry about the typos and double post (no idea how that happened). I'm disabled and on high doses of morphine (110mg daily) so I make errors, more so on this site than any other for some reason. FURRYe38
- FURRYe38 Dec 06, 2019 Guru - Experienced User
That's ok. Understandable.
Ya, seems like there's always something out there trying to do something nefarious. I saw similar logs when I had my ATT Microcell in the DMZ. After I disabled this, no more attacks.
Keep us posted on how it goes with that company. In the meantime, don't use DMZ. Hopefully this will stop soon.
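
Added example (not part of the original thread and not NETGEAR code): a small parser for the log line format quoted in the opening post, grouping DoS entries by source so that repeated SYN/ACK entries from one fixed port, the pattern the hosting customer's reply describes, stand out. Reading the logged port as the packet's source port and the `min_hits` threshold are assumptions; every sample line after the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout taken from the log entry quoted in the opening post.
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<port>\d+), (?P<when>\w+, \w+ \d{1,2}, \d{4} \d\d:\d\d:\d\d)")

# First line is the entry from the post; the rest are constructed samples
# using documentation address ranges.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, November 25, 2019 09:42:27
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443, Monday, November 25, 2019 09:43:02
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443, Monday, November 25, 2019 09:43:40
[DoS Attack: ACK Scan] from source: 198.51.100.9, port 40112, Monday, November 25, 2019 10:01:00
[admin login] from source 192.168.1.2, Monday, November 25, 2019 10:02:00
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443, Monday, November 25, 2019 10:05:11
[DoS Attack: ACK Scan] from source: 198.51.100.9, port 40113, Monday, November 25, 2019 10:06:30
"""

def summarize(text):
    """Group DoS entries by source IP; lines in other formats are skipped."""
    stats = defaultdict(lambda: {"count": 0, "kinds": set(), "ports": set(),
                                 "first": None, "last": None})
    for m in LINE_RE.finditer(text):
        when = datetime.strptime(m["when"], "%A, %B %d, %Y %H:%M:%S")
        s = stats[m["src"]]
        s["count"] += 1
        s["kinds"].add(m["kind"])
        s["ports"].add(int(m["port"]))
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    return dict(stats)

def looks_like_backscatter(entry, min_hits=3):
    """Triage heuristic (assumption, not proof): only SYN/ACK entries, always
    from the same port, repeated. That fits one server answering SYNs that
    carried a spoofed source address, as the hosting customer's reply says."""
    return (entry["kinds"] == {"SYN/ACK Scan"}
            and len(entry["ports"]) == 1 and entry["count"] >= min_hits)

if __name__ == "__main__":
    for src, e in summarize(SAMPLE_LOG).items():
        span = e["last"] - e["first"]
        print(f"{src}: {e['count']} entries, ports {sorted(e['ports'])}, "
              f"over {span}, backscatter-like: {looks_like_backscatter(e)}")
```

A source that the heuristic does not flag is not thereby shown to be hostile; a single entry, as in the opening post, is simply too little to classify.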