Re: DOS attack from Germany now?
DOS attack from Germany now?
This has been showing in my logs recently.
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, November 25, 2019 09:42:27
https://www.ipinfolookup.com/148.251.48.231
Website confirms it's from Berlin; another Orbi user posted on there too.
Re: DOS attack from Germany now?
The router is doing its job by blocking that and reporting it to you. If you think these are becoming more and more prominent, contact your ISP and have them change your WAN IP address.
Re: DOS attack from Germany now?
@FURRYe38 wrote: The router is doing its job by blocking that and reporting it to you. If you think these are becoming more and more prominent, contact your ISP and have them change your WAN IP address.
Wow, so I come back home after work today and a bunch of these DoS attack logs showed up around noon today, even going to almost 2pm. Same IP address from Germany too. Heck, my modem apparently went down a few times today as well. I checked my modem logs and loads of uncorrectables and event log had a bunch of errors as well for my SB6190. Apparently, according to Down Detector, a bunch of the US today had issues with Comcast internet.
So yeah, maybe it is time to change WAN, unless I could block offending IPs manually. Any way I could do that?
Re: DOS attack from Germany now?
The firewall in the RBR is already blocking. It's just reporting what it's seeing. I would make contact with your ISP and let them know what's happening and have them change the WAN IP address they're giving you. Usually a power OFF of the ISP modem for 1 minute will be needed. Also something to do: power OFF the ISP modem overnight then back on, or leave it off if nobody is home for an extended period of time. This can trigger a new IP address from the ISP sometimes.
Re: DOS attack from Germany now?
So wait, does it change every time I power cycle? I had to power cycle the other day due to Comcast issues. I usually leave the modem off for a minute before plugging it back in. Does that do it too?
Re: DOS attack from Germany now?
Only if you power cycle the modem, which may trigger a new IP address assignment from the ISP. Leaving it OFF for long periods of time may do this as well.
Re: DOS attack from Germany now?
I'm having the same; my logs get filled with attacks from this IP to the same port or port 50003. All this has happened since the firmware update for me the other day, and the router has been factory reset. I have a static IP, but the DoS logs start as soon as the router boots up with literally everything else turned off. Really odd.
Re: DOS attack from Germany now?
Interesting. I rarely check my logs (guess I should)... since October 31, 2019, I am getting hammered every day by DoS attacks. Looks like Orbi is doing its thing and blocking. My ISP is Comcast. I have an Orbi RBR50 (FW v2.3.5.30).
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002
[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80
[DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535
[DoS Attack: SYN/ACK Scan] from source: 195.201.167.44, port 443
I may check-out Reddit-Comcast or DSLReports-Comcast to see if others are reporting an uptick.
Re: DOS attack from Germany now?
I'd contact your ISP and have them help you with this as well. See if they can get you a different WAN IP.
whois.domaintools.com
@Ken2122 wrote: Interesting. I rarely check my logs (guess I should)... since October 31, 2019, I am getting hammered every day by DoS attacks. Looks like Orbi is doing its thing and blocking. My ISP is Comcast. I have an Orbi RBR50 (FW v2.3.5.30).
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002
[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80
[DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535
[DoS Attack: SYN/ACK Scan] from source: 195.201.167.44, port 443
I may check-out Reddit-Comcast or DSLReports-Comcast to see if others are reporting an uptick.
Re: DOS attack from Germany now?
My ISP is saying it's the router calling for something or a vulnerability, but nothing to do with them. Also changing IP (mine's static) will not help if it's a router issue. <sigh> My log looks like this but with hours and hours more of them.
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:16
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:37
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:28
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:23
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:50:05
[
Re: DOS attack from Germany now?
Mine's not an Orbi and I'm in the UK. Most strange. Did you update firmware recently?
Re: DOS attack from Germany now?
Please post about this over in the NH AX router forum if you haven't already:
I would make contact with NG support and let them know what you're experiencing and what the ISP said about this. NG needs to look into this. Both Orbi and R series products.
@Killhippie wrote: My ISP is saying it's the router calling for something or a vulnerability, but nothing to do with them. Also changing IP (mine's static) will not help if it's a router issue. <sigh> My log looks like this but with hours and hours more of them.
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:16
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:37
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:28
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:23
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:50:05
[
Re: DOS attack from Germany now?
Just curious, have you tried updating FW to v34 or v40? Factory reset and set up from scratch and see if these still continue.
@Ken2122 wrote: Interesting. I rarely check my logs (guess I should)... since October 31, 2019, I am getting hammered every day by DoS attacks. Looks like Orbi is doing its thing and blocking. My ISP is Comcast. I have an Orbi RBR50 (FW v2.3.5.30).
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002
[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80
[DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535
[DoS Attack: SYN/ACK Scan] from source: 195.201.167.44, port 443
I may check-out Reddit-Comcast or DSLReports-Comcast to see if others are reporting an uptick.
Re: DOS attack from Germany now?
I have asked in the RAX120 latest firmware to see if anyone has seen this and passed the info on to Netgear.
Re: DOS attack from Germany now?
The Netgear router DoS Protection function provides DoS (Denial of Service) protection from the Internet for the hosts on the connected LAN. The protection is needed when the Port Forwarding or DMZ function is turned on or there is a LAN host accessing the Internet (and hence there is a NAT mapping for an Internet host to reach the LAN host), so a host on the LAN is exposed to the Internet and may get attacked.
If you are seeing DoS entries in your router log, it's a good thing; it means that router was able to ID a possible DoS attack and prevent it. So I am not sure where all the concern is coming from. The DoS entries showing up in router log simply mean that DoS protection is doing its job and protecting, and the router log is simply advising you of that.
Also, I see some entries for ports 50002, 50003, 50535; while these ports can be used as private ports, they are also utilized by Apple for Xsan. Xsan Filesystem Access services. It would be interesting to see if anyone getting these entries has any Apple devices and, if they are disconnected, if the DoS entries still show up in the router logs for these ports.
Re: DOS attack from Germany now?
Thank you for this information. Kind of confirms what I was seeing with my cell phone microcell placed in the DMZ a while back. I was seeing some logged DDOS attempted attacks against the microcell. After disabling the DMZ, the attacks stopped. I'll be sure to keep this in mind.
Thank you.
@ErnestTheGreat wrote: The Netgear router DoS Protection function provides DoS (Denial of Service) protection from the Internet for the hosts on the connected LAN. The protection is needed when the Port Forwarding or DMZ function is turned on or there is a LAN host accessing the Internet (and hence there is a NAT mapping for an Internet host to reach the LAN host), so a host on the LAN is exposed to the Internet and may get attacked.
If you are seeing DoS entries in your router log, it's a good thing; it means that router was able to ID a possible DoS attack and prevent it. So I am not sure where all the concern is coming from. The DoS entries showing up in router log simply mean that DoS protection is doing its job and protecting, and the router log is simply advising you of that.
Also, I see some entries for ports 50002, 50003, 50535; while these ports can be used as private ports, they are also utilized by Apple for Xsan. Xsan Filesystem Access services. It would be interesting to see if anyone getting these entries has any Apple devices and, if they are disconnected, if the DoS entries still show up in the router logs for these ports.
Re: DOS attack from Germany now?
The attacks are coming from Germany, a company called Hetzner. I have been in contact through their abuse portal. Here are the replies in order, the last being a bit odd tbh.
We have received your information regarding spam and/or abuse and we shall follow up on this matter.
The person responsible has been sent the following instructions:
- Solve the issue
- Send us a response
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.
Kind regards
Dominik Prüßner
Hetzner Online GmbH
Dear Sir or Madam,
thanks for your reply.
Our customer have time to solve the abuse-complaint within 24 - 48 hours.
If the issue isn't solved after this time or we didn't received any statement it may to lock the ip.
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.
Kind regards
Marianne Heumann
Hetzner Online GmbH
Dear Sir or Madam,
This is the reply of our customer:
"There is a DDoS ongoing on my Server. The Server will get a possibly
spoofed TCP SYN packet and will answer with a TCP SYN+ACK.
That is what you are seeing
I can block your network if you wish so."
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****]
unchanged in the subject line.
Kind regards
Dominik Prüßner
Hetzner Online GmbH
I'm not sure how they can block a network if they are under a DDoS or why it would send out Port Syn and ACK scans.
From the looks of this link the attacks are still happening.
https://www.abuseipdb.com/check/148.251.48.231
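The customer reply quoted above describes backscatter: a server answering spoofed SYNs sends SYN+ACKs to addresses that never contacted it. As an added example (not part of the original posts), this Python script parses router log lines in the format quoted in this thread and groups them by source IP and port; the function names and the repeated-fixed-port heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample built from log lines quoted in this thread, including a damaged
# line (missing "[") and a truncated one, to show both are handled.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:34
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:25
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:52:16
[DoS Attack: SYN/ACK Scan] from source: 148.251.48.231, port 50002, Monday, December 02, 2019 12:51:37
[DoS Attack: SYN/ACK Scan] from source: 194.88.104.9, port 80
DoS Attack: TCP/UDP Chargen] from source: 80.82.77.245, port 50535
[
"""

LINE_RE = re.compile(
    r"\[?DoS Attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), port (?P<port>\d+)"
    r"(?:, (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}))?"
)
TS_FORMAT = "%A, %B %d, %Y %H:%M:%S"  # e.g. Monday, December 02, 2019 12:52:34

def parse_log(text):
    """Return one dict per recognisable entry; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT) if m["ts"] else None
        entries.append({"kind": m["kind"], "ip": m["ip"],
                        "port": int(m["port"]), "ts": ts})
    return entries

def summarize(entries):
    """Group by (kind, source IP, source port): hit count and time span."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in entries:
        g = groups[(e["kind"], e["ip"], e["port"])]
        g["count"] += 1
        if e["ts"]:
            g["first"] = min(g["first"] or e["ts"], e["ts"])
            g["last"] = max(g["last"] or e["ts"], e["ts"])
    return dict(groups)

def likely_backscatter(summary, min_hits=3):
    """Heuristic (an assumption, not proof): repeated SYN/ACKs from one IP and
    one fixed source port look like a listening service answering spoofed SYNs."""
    return sorted((ip, port) for (kind, ip, port), g in summary.items()
                  if kind == "SYN/ACK Scan" and g["count"] >= min_hits)

if __name__ == "__main__":
    print(likely_backscatter(summarize(parse_log(SAMPLE_LOG))))
```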
Re: DOS attack from Germany now?
Are they attacking your WAN IP address or something in the routers DMZ?
@Killhippie wrote: The attacks are coming from Germany, a company called Hetzner. I have been in contact through their abuse portal. Here are the replies in order, the last being a bit odd tbh.
We have received your information regarding spam and/or abuse and we shall follow up on this matter.
The person responsible has been sent the following instructions:
- Solve the issue
- Send us a response
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.
Kind regards
Dominik Prüßner
Hetzner Online GmbH
Dear Sir or Madam,
thanks for your reply.
Our customer have time to solve the abuse-complaint within 24 - 48 hours.
If the issue isn't solved after this time or we didn't received any statement it may to lock the ip.
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****] unchanged in the subject line.
Kind regards
Marianne Heumann
Hetzner Online GmbH
Dear Sir or Madam,
This is the reply of our customer:
"There is a DDoS ongoing on my Server. The Server will get a possibly
spoofed TCP SYN packet and will answer with a TCP SYN+ACK.
That is what you are seeing
I can block your network if you wish so."
Important note:
When replying to us, please leave the abuse ID [AbuseID:*****]
unchanged in the subject line.
Kind regards
Dominik Prüßner
Hetzner Online GmbH
I'm not sure how they can block a network if they are under a DDoS or why it would send out Port Syn and ACK scans.
From the looks of this link the attacks are still happening.
https://www.abuseipdb.com/check/148.251.48.231
Re: DOS attack from Germany now?
My ISP said to contact them via the abuse contact, as individual ISPs can't block attacking IPs; you would need to block the offending IP at your firewall. It seems the person using this server is struggling or possibly causing (not Hetzner) a pretty large attack on many countries; there is info on Hetzner at the end of this. I declined the offer of stopping an attack on my network for reasons of not being sure if Hetzner have a bad actor on one of their servers or the person talking to me was in fact the cause, and this is tbh beyond my scope anyway. It's not the routers, it's just a bad actor, and the company seem to have a record of this occurring on that IP. https://en.wikipedia.org/wiki/Hetzner
Re: DOS attack from Germany now?
Seems like we're seeing others.
Well, at least the firewalls in the routers are for the most part blocking them. Just seem to be logging lots of attempts. Hopefully they will stop.
Re: DOS attack from Germany now?
Netgear routers seem to go through binges of attacks; this port 50002 can be used for PCoIP, whatever that is. Yes, let's hope they stop. I'm guessing someone knows of a vulnerability that's been patched and are on the hunt. Sorry about the typos and double post (no idea how that happened). I'm disabled and on high doses of morphine (110mg daily) so I make errors, more so on this site than any other for some reason. @FURRYe38
Re: DOS attack from Germany now?
That's ok. Understandable.
Ya, seems like there's always something out there trying to do something nefarious. I saw similar logs when I had my ATT Microcell in the DMZ. After I disabled this, no more attacks.
Keep us posted on how it goes with that company. In the meantime, don't use DMZ. Hopefully this will stop soon.