
Re: DOS attack from Germany now?

RedBatman89
Guide

DOS attack from Germany now?

This has been showing in my logs recently.

 

[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, November 25, 2019 09:42:27

 

https://www.ipinfolookup.com/148.251.48.231

 

Website confirms it's from Berlin; another Orbi user posted on there too.

Message 1 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

The router is doing its job by blocking that and reporting it to you. If you think these are becoming more and more prominent, contact your ISP and have them change your WAN IP address.

Message 2 of 22
RedBatman89
Guide

Re: DOS attack from Germany now?


@FURRYe38 wrote:

The router is doing its job by blocking that and reporting it to you. If you think these are becoming more and more prominent, contact your ISP and have them change your WAN IP address.


Wow, so I come back home after work today and a bunch of these DoS attack logs showed up around noon today, even going to almost 2pm. Same IP address from Germany too. Heck, my modem apparently went down a few times today as well. I checked my modem logs: loads of uncorrectables, and the event log had a bunch of errors as well for my SB6190. Apparently, according to Down Detector, a bunch of the US today had issues with Comcast internet.

 

So yeah, maybe it is time to change WAN, unless I could block offending IPs manually. Any way I could do that?

Message 3 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

The firewall in the RBR is already blocking. It's just reporting what it's seeing. I would make contact with your ISP and let them know what's happening and have them change your WAN IP address they're giving you. Usually a power OFF of the ISP modem for 1 minute will be needed. Also something to do: power OFF the ISP modem overnight then back on, or leave it off if nobody is home for an extended period of time. This can trigger a new IP address from the ISP sometimes.

Message 4 of 22
RedBatman89
Guide

Re: DOS attack from Germany now?

So wait, does it change every time I power cycle? I had to power cycle the other day due to Comcast issues. I usually leave the modem off for a minute before plugging it back in. Does that do it too?

Message 5 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

Only if you power cycle the modem, which may trigger a new IP address assignment from the ISP. Leaving it OFF for long periods of time may do this as well.

Message 6 of 22
Killhippie
Prodigy

Re: DOS attack from Germany now?

I'm having the same; my logs get filled with attacks from this IP to the same port or port 50003. All this has happened since the firmware update for me the other day, and the router has been factory reset. I have a static IP, but the DoS logs start as soon as the router boots up with literally everything else turned off. Really odd.

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 7 of 22
Ken2122
Tutor

Re: DOS attack from Germany now?

Interesting. I rarely check my logs (guess I should)... Since October 31, 2019, I am getting hammered every day by DoS attacks. Looks like Orbi is doing its thing and blocking. My ISP is Comcast. I have an Orbi RBR50 (FW v2.3.5.30).

 

[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002

[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80

DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535

[DoS Attack: SYN/ACK Scan] from source: 195.201.167.44, port 443

 

I may check out Reddit-Comcast or DSLReports-Comcast to see if others are reporting an uptick.

 

 

 

Message 8 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

I'd contact your ISP and have them help you with this as well. See if they can get you a different WAN IP.

 

whois.domaintools.com


@Ken2122 wrote:

Interesting. I rarely check my logs (guess I should)... Since October 31, 2019, I am getting hammered every day by DoS attacks. Looks like Orbi is doing its thing and blocking. My ISP is Comcast. I have an Orbi RBR50 (FW v2.3.5.30).

 

[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002

[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80

DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535

[DoS Attack: SYN/ACK Scan] from source: 195.201.167.44, port 443

 

I may check out Reddit-Comcast or DSLReports-Comcast to see if others are reporting an uptick.

 

 

 


 

Message 9 of 22
Killhippie
Prodigy

Re: DOS attack from Germany now?

My ISP is saying it's the router calling for something or a vulnerability, but nothing to do with them. Also, changing IP (mine's static) will not help if it's a router issue. <sigh> My log looks like this but with hours and hours more of them.

 

[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:16
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:37
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:28
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:23
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:50:05
[

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 10 of 22
Killhippie
Prodigy

Re: DOS attack from Germany now?

Mine's not an Orbi and I'm in the UK. Most strange. Did you update firmware recently?

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 11 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

Please post about this over in the NH AX router forum if you haven't already:

https://community.netgear.com/t5/Nighthawk-Routers-with-WiFi-6-AX/bd-p/en-home-routers-nighthawk-wif...

 

I would make contact with NG support and let them know what you're experiencing and what the ISP said about this. NG needs to look into this. Both Orbi and R series products.

 

@DarrenM 

@Christian_R 

@Blanca_O 


@Killhippie wrote:

My ISP is saying it's the router calling for something or a vulnerability, but nothing to do with them. Also, changing IP (mine's static) will not help if it's a router issue. <sigh> My log looks like this but with hours and hours more of them.

 

[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:16
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:37
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:28
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:23
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:50:05
[


 

Message 12 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

Just curious, have you tried updating FW to v34 or v40? Factory reset and set up from scratch and see if these still continue.


@Ken2122 wrote:

Interesting. I rarely check my logs (guess I should)... Since October 31, 2019, I am getting hammered every day by DoS attacks. Looks like Orbi is doing its thing and blocking. My ISP is Comcast. I have an Orbi RBR50 (FW v2.3.5.30).

 

[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002

[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80

DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535

[DoS Attack: SYN/ACK Scan] from source: 195.201.167.44, port 443

 

I may check out Reddit-Comcast or DSLReports-Comcast to see if others are reporting an uptick.

 

 

 


 

Message 13 of 22
Killhippie
Prodigy

Re: DOS attack from Germany now?

I have asked in the RAX120 latest firmware to see if anyone has seen this and passed the info on to Netgear.

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 14 of 22
ErnestTheGreat
NETGEAR Employee Retired

Re: DOS attack from Germany now?

The Netgear router DoS Protection function provides DoS (Denial of Service) protection from the Internet for the hosts on the connected LAN. The protection is needed when the Port Forwarding or DMZ function is turned on or there is a LAN host accessing the Internet (and hence there is a NAT mapping for an Internet host to reach the LAN host), so a host on the LAN is exposed to the Internet and may get attacked.

 

If you are seeing DoS entries in your router log, it's a good thing: it means that the router was able to ID a possible DoS attack and prevent it. So I am not sure where all the concern is coming from. The DoS entries showing up in the router log simply mean that DoS protection is doing its job and protecting, and the router log is simply advising you of that.

 

Also, I see some entries for ports 50002, 50003, 50535. While these ports can be used as private ports, they are also utilized by Apple for Xsan: Xsan Filesystem Access services. It would be interesting to see if anyone getting these entries has any Apple devices and, if they are disconnected, if the DoS entries still show up in the router logs for these ports.

Message 15 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

Thank you for this information. Kind of confirms what I was seeing with my cell phone microcell placed in the DMZ a while back. I was seeing some logged DDOS attempted attacks against the microcell. After disabling the DMZ, the attacks stopped. I'll be sure to keep this in mind. 

 

Thank you. 


@ErnestTheGreat wrote:

The Netgear router DoS Protection function provides DoS (Denial of Service) protection from the Internet for the hosts on the connected LAN. The protection is needed when the Port Forwarding or DMZ function is turned on or there is a LAN host accessing the Internet (and hence there is a NAT mapping for an Internet host to reach the LAN host), so a host on the LAN is exposed to the Internet and may get attacked.

 

If you are seeing DoS entries in your router log, it's a good thing: it means that the router was able to ID a possible DoS attack and prevent it. So I am not sure where all the concern is coming from. The DoS entries showing up in the router log simply mean that DoS protection is doing its job and protecting, and the router log is simply advising you of that.

 

Also, I see some entries for ports 50002, 50003, 50535. While these ports can be used as private ports, they are also utilized by Apple for Xsan: Xsan Filesystem Access services. It would be interesting to see if anyone getting these entries has any Apple devices and, if they are disconnected, if the DoS entries still show up in the router logs for these ports.


 

Message 16 of 22
Killhippie
Prodigy

Re: DOS attack from Germany now?

The attacks are coming from Germany, a company called Hetzner. I have been in contact through their abuse portal. Here are the replies in order, the last being a bit odd tbh.

We have received your information regarding spam and/or abuse and we shall follow up on this matter.

The person responsible has been sent the following instructions:
- Solve the issue
- Send us a response

Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.

Kind regards

Dominik Prüßner

Hetzner Online GmbH

 

Dear Sir or Madam,

thanks for your reply.

Our customer have time to solve the abuse-complaint within 24 - 48 hours.

If the issue isn't solved after this time or we didn't received any statement it may to lock the ip.

Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.

Kind regards

Marianne Heumann

Hetzner Online GmbH

 

Dear Sir or Madam,

This is the reply of our customer:

"There is a DDoS ongoing on my Server. The Server will get a possibly
spoofed TCP SYN packet and will answer with a TCP SYN+ACK.
That is what you are seeing

I can block your network if you wish so."

Important note:
When replying to us, please leave the abuse ID [AbuseID:*****]
unchanged in the subject line.

Kind regards

Dominik Prüßner

Hetzner Online GmbH

 

I'm not sure how they can block a network if they are under a DDoS or why it would send out Port Syn and ACK scans.

From the looks of this link the attacks are still happening.

 

https://www.abuseipdb.com/check/148.251.48.231

 

 

 

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 17 of 22
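The server owner's explanation quoted above (a server answering spoofed SYNs with SYN+ACK) can be checked against a router log. This is an added example, not part of any poster's message and not NETGEAR code: it parses the log format shown in this thread and flags sources whose SYN/ACK entries all come from one fixed port, assuming the logged port is the sender's source port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format as posted in this thread; the leading "[" and the timestamp are optional
# because some posters trimmed them.
LINE_RE = re.compile(
    r"\[?DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>\d{1,3}(?:\.\d{1,3}){3}), "
    r"port (?P<port>\d+)(?:, (?P<ts>\w+, \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2}))?")

def parse(line):
    """Return (kind, source IP, port, datetime or None), or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = m.group("ts")
    when = datetime.strptime(ts, "%A, %B %d, %Y %H:%M:%S") if ts else None
    return m.group("kind"), m.group("src"), int(m.group("port")), when

def summarize(lines):
    """Group entries by (source IP, kind): count, ports seen, time span in seconds."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "times": []})
    for rec in filter(None, map(parse, lines)):  # skips truncated lines such as "["
        kind, src, port, when = rec
        g = groups[(src, kind)]
        g["count"] += 1
        g["ports"].add(port)
        if when:
            g["times"].append(when)
    report = {}
    for (src, kind), g in groups.items():
        span = (max(g["times"]) - min(g["times"])).total_seconds() if g["times"] else None
        # Assumption: the logged port is the sender's source port. Repeated SYN/ACKs from
        # one fixed port then look like a server answering spoofed SYNs (backscatter).
        fixed_port = kind == "SYN/ACK Scan" and g["count"] > 1 and len(g["ports"]) == 1
        report[(src, kind)] = {"count": g["count"], "ports": sorted(g["ports"]),
                               "span_seconds": span, "likely_backscatter": fixed_port}
    return report

# Sample lines copied from the posts in this thread.
SAMPLE = [
    "[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34",
    "[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25",
    "[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:50:05",
    "[",
    "[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80",
    "DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535",
]

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

The flag is a heuristic for triage only; a single entry or a non-SYN/ACK entry is never flagged.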
FURRYe38
Guru

Re: DOS attack from Germany now?

Are they attacking your WAN IP address or something in the router's DMZ?


@Killhippie wrote:

The attacks are coming from Germany, a company called Hetzner. I have been in contact through their abuse portal. Here are the replies in order, the last being a bit odd tbh.

We have received your information regarding spam and/or abuse and we shall follow up on this matter.

The person responsible has been sent the following instructions:
- Solve the issue
- Send us a response

Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.

Kind regards

Dominik Prüßner

Hetzner Online GmbH

 

Dear Sir or Madam,

thanks for your reply.

Our customer have time to solve the abuse-complaint within 24 - 48 hours.

If the issue isn't solved after this time or we didn't received any statement it may to lock the ip.

Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.

Kind regards

Marianne Heumann

Hetzner Online GmbH

 

Dear Sir or Madam,

This is the reply of our customer:

"There is a DDoS ongoing on my Server. The Server will get a possibly
spoofed TCP SYN packet and will answer with a TCP SYN+ACK.
That is what you are seeing

I can block your network if you wish so."

Important note:
When replying to us, please leave the abuse ID [AbuseID:*****]
unchanged in the subject line.

Kind regards

Dominik Prüßner

Hetzner Online GmbH

 

I'm not sure how they can block a network if they are under a DDoS or why it would send out Port Syn and ACK scans.

From the looks of this link the attacks are still happening.

 

https://www.abuseipdb.com/check/148.251.48.231

 

 

 


 

Message 18 of 22
Killhippie
Prodigy

Re: DOS attack from Germany now?

My ISP said to contact them via the abuse contact, as individual ISPs can't block attacking IPs; you would need to block the offending IP at your firewall. It seems the person using this server is struggling with or possibly causing (not Hetzner) a pretty large attack on many countries; there is info on Hetzner at the end of this. I declined the offer of stopping an attack on my network for reasons of not being sure if Hetzner have a bad actor on one of their servers or the person talking to me was in fact the cause, and tbh this is beyond my scope anyway. It's not the routers, it's just a bad actor, and the company seem to have a record of this occurring on that IP. https://en.wikipedia.org/wiki/Hetzner

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 19 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

Seems like we're seeing others.

 

Well, at least the firewalls in the routers are for the most part blocking them. Just seem to be logging lots of attempts. Hopefully they will stop.

Message 20 of 22
Killhippie
Prodigy

Re: DOS attack from Germany now?

Netgear routers seem to go through binges of attacks; this port 50002 can be used for PCoIP, whatever that is. Yes, let's hope they stop. I'm guessing someone knows of a vulnerability that's been patched and are on the hunt. Sorry about the typos and double post (no idea how that happened). I'm disabled and on high doses of morphine (110mg daily) so I make errors, more so on this site than any other for some reason. @FURRYe38

Model: RAX120|Nighthawk AX12 12-Stream WiFi Router
Message 21 of 22
FURRYe38
Guru

Re: DOS attack from Germany now?

That's ok. Understandable.

 

Ya, seems like there's always something out there trying to do something nefarious. I saw similar logs when I had my ATT Microcell in the DMZ. After I disabled this, no more attacks.

 

Keep us posted on how it goes with that company. In the meantime, don't use DMZ. Hopefully this will stop soon.

Message 22 of 22