Re: Is it just me?

CrimpOn
Guru

Is it just me?

Starting July 1, my Orbi logs have been filling up with [DoS Attack: SYN/ACK Scan] on port 80 entries from all the IPs in the 212.133.164.x subnet.  If the IPs are not being spoofed, then this is from Ankara, Turkey.  This sort of thing happens from time to time, and usually whoever is doing it either tires of the exercise or accomplishes whatever they intended and the scans stop. Continuing for six days is a bit unusual.  No effect on the performance of my Orbi, but I wonder whether others are seeing the same phenomenon?

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 10
UK_Wildcats
Apprentice

Re: Is it just me?

I have an XR700 router, and I have been seeing a LOT of the same subnet DOS attacks in my system logs.  In addition, I have been having a lot more internet disruptions that correlate to the same times as these DOS attacks in the logs.

Model: XR700|Nighthawk Pro Gaming Router
Message 2 of 10
CrimpOn
Guru

Re: Is it just me?


@UK_Wildcats wrote:

I have an XR700 router, and I have been seeing a LOT of the same subnet DOS attacks in my system logs.  In addition, I have been having a lot more internet disruptions that correlate to the same times as these DOS attacks in the logs.


Thanks for responding.  Day 10 and "still going..." (like the Energizer Bunny). I would think that after hammering at port 80 and never getting a connection, this goofball would move on to something else.

My Orbi does not seem bothered by the connection attempts.  I have PingInfoView from Nirsoft pinging three DNS servers every 30 seconds (CloudFlare, Google, and Cloud Nine).  Out of the last 10,000 or so pings, only a handful have failed to respond, and they do not seem to be "clustered", i.e. one of the three will miss a ping, but not the other two.  ICMP is a UDP packet, which is not guaranteed to be delivered, so there is no way to know whether the missing ping is

  • a packet that never reached the DNS server
  • a packet that got dropped somewhere along the way back
  • a packet that arrived at my Orbi but the Orbi was "too busy" to process it

There could be different types of DoS attacks that have greater impact on the Orbi, or my experiment is flawed, but so far I do not see a strong correlation between Orbi log entries and service disruptions.

 

I really wish Netgear had published something describing how the DoS attack mechanism works.  Surely a single connection attempt is not enough to be called an "attack".  Would it be 10? 20?  100?  No idea.

Message 3 of 10
FURRYe38
Guru

Re: Is it just me?

I'm currently seeing some entries from this address:

23.62.78.137

Some other entries but mostly from this domain: 23.62.

Message 4 of 10
CrimpOn
Guru

Re: Is it just me?


@FURRYe38 wrote:

I'm currently seeing some entries from this address:

23.62.78.137

Some other entries but mostly from this domain: 23.62.


Looks as if this phenomenon is geographically different.  I collect log files from two Orbi systems in the US (East Coast, West Coast) and have combined the DoS log reports from July 1 through mid July 10 (11,634 log entries).  Put them in an Excel file that can be sorted on various columns. On Dropbox at https://www.dropbox.com/s/i2qmfep2v6e0y2d/July-1-10-Attacks.xlsx?dl=0   (My parsing algorithm messed up a couple of entries.)

 

It is bizarre. Some hit both systems, others only one.  I can see trying ports 80, 443, 8080, etc., but some of the port numbers are just strange.

Message 5 of 10
SGINAZ
Aspirant

Re: Is it just me?

Same, same.  Flooded with hits on port 80 from that subnet.  Seems to be slacking off a little now but still going.  Like you, no apparent impact from the noise.

Message 6 of 10
skearcrow
Aspirant

Re: Is it just me?

I'm experiencing the same, and I recently reached out to my ISP (Spectrum) to get a new modem to provide a new IP address. I don't have any ports open, and the only thing that I could think of accessing from outside was my Arlo camera, which I have temporarily taken offline. The IP Address (most likely spoofed) is looking at port 11095 and port 25565 and port 443. Embedding log copy below, but Spectrum claims they have no responsibility and Netgear has no answer. I'm inclined to buy a new router, but I have no idea why these attacks are happening (not hosting game server) and why they are sometimes shutting off the whole router.

 

[DoS Attack: SYN/ACK Scan] from source: 51.161.99.79, port 25565, Tuesday, July 13, 2021 12:11:22
[DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Tuesday, July 13, 2021 12:10:39
[DoS Attack: ACK Scan] from source: 142.250.72.106, port 443, Tuesday, July 13, 2021 12:10:01
[DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 11:45:08
[DHCP IP: 10.10.34.110] to MAC address 44:65:0d:69:e1:30, Tuesday, July 13, 2021 11:40:34
[DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 11:33:17
[DoS Attack: ACK Scan] from source: 17.248.135.201, port 443, Tuesday, July 13, 2021 11:28:50
[DHCP IP: 10.10.34.113] to MAC address 00:26:bb:01:07:a4, Tuesday, July 13, 2021 11:27:03
[DoS Attack: Ascend Kill] from source: 209.18.47.62, port 53, Tuesday, July 13, 2021 11:25:23
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:17:35
[DoS Attack: SYN/ACK Scan] from source: 89.44.192.37, port 3389, Tuesday, July 13, 2021 11:16:24
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:11:55
[DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Tuesday, July 13, 2021 11:10:36
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:08:53
[DoS Attack: ACK Scan] from source: 17.248.135.211, port 443, Tuesday, July 13, 2021 11:08:00
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:07:32
[DHCP IP: 10.10.34.106] to MAC address d4:3b:04:8c:f3:43, Tuesday, July 13, 2021 11:06:44
[DHCP IP: 10.10.34.106] to MAC address d4:3b:04:8c:f3:43, Tuesday, July 13, 2021 11:06:43
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 11:03:27
[DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:58:26
[DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:58:26
[DoS Attack: ACK Scan] from source: 31.13.71.52, port 443, Tuesday, July 13, 2021 10:58:14
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:57:28
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:56:30
[DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 10:55:48
[DHCP IP: 10.10.34.109] to MAC address 14:10:9f:d2:f7:15, Tuesday, July 13, 2021 10:55:04
[DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 10:55:03
[Access Control] Device SCIMITAR with MAC address 14:10:9F:D2:F7:15 is allowed to access the network, Tuesday, July 13, 2021 10:
[DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:53:57
[WLAN access rejected: incorrect security] from MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:53:38
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:52:42
[DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:47:23
[DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:36:49
[WLAN access rejected: incorrect security] from MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:36:43
[DHCP IP: 10.10.34.112] to MAC address c8:f7:50:4d:15:9e, Tuesday, July 13, 2021 10:36:35
[DHCP IP: 10.10.34.104] to MAC address 9e:35:1d:4d:0d:df, Tuesday, July 13, 2021 10:36:14
[DHCP IP: 10.10.34.101] to MAC address 38:68:a4:23:00:4c, Tuesday, July 13, 2021 10:28:06
[DHCP IP: 10.10.34.101] to MAC address 38:68:a4:23:00:4c, Tuesday, July 13, 2021 10:28:05
[DHCP IP: 10.10.34.113] to MAC address 00:26:bb:01:07:a4, Tuesday, July 13, 2021 10:21:57
[DHCP IP: 10.10.34.108] to MAC address 46:94:1d:a3:78:0b, Tuesday, July 13, 2021 10:20:43
[DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Tuesday, July 13, 2021 10:11:41
[DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Tuesday, July 13, 2021 10:10:32
[DoS Attack: ACK Scan] from source: 142.250.176.202, port 443, Tuesday, July 13, 2021 09:58:08
[DoS Attack: ACK Scan] from source: 142.250.80.106, port 443, Tuesday, July 13, 2021 09:56:20
[DoS Attack: SYN/ACK Scan] from source: 142.44.178.137, port 388, Tuesday, July 13, 2021 09:48:35
[DoS Attack: SYN/ACK Scan] from source: 162.241.216.182, port 443, Tuesday, July 13, 2021 09:44:13
[DoS Attack: ACK Scan] from source: 68.67.179.90, port 443, Tuesday, July 13, 2021 09:31:30
[DoS Attack: ACK Scan] from source: 68.67.160.186, port 443, Tuesday, July 13, 2021 09:30:02
[DoS Attack: ACK Scan] from source: 199.187.193.182, port 443, Tuesday, July 13, 2021 09:30:02
[DoS Attack: ACK Scan] from source: 199.232.37.194, port 443, Tuesday, July 13, 2021 09:29:29
[DHCP IP: 10.10.34.113] to MAC address 00:26:bb:01:07:a4, Tuesday, July 13, 2021 09:22:05

Model: R7800|Nighthawk X4S AC2600 Wifi Router
Message 7 of 10
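A parser for the router log format quoted above, written for this thread as an added example (it is not NETGEAR's code or the Excel workflow mentioned earlier). It tallies DoS entries by /24 source subnet, target port and scan kind, and counts any DoS line it cannot parse, such as the one cut off mid-timestamp in the log above, instead of producing a garbled row. The sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Matches "[DoS Attack: <kind>] from source: <ip>, port <n>, <weekday>, <date> <time>"
# as the entries appear in the NETGEAR log above; DHCP and other entry kinds do not match.
DOS_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"port (?P<port>\d+), (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$"
)

# Constructed sample log: four well-formed DoS lines, one DHCP line, and one DoS line
# truncated mid-timestamp like one of the entries quoted in the thread.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 212.133.164.10, port 80, Thursday, July 1, 2021 08:01:02
[DoS Attack: SYN/ACK Scan] from source: 212.133.164.11, port 80, Thursday, July 1, 2021 08:01:05
[DHCP IP: 10.10.34.102] to MAC address 86:95:fb:87:95:fb, Thursday, July 1, 2021 08:02:00
[DoS Attack: ACK Scan] from source: 72.5.202.12, port 443, Thursday, July 1, 2021 08:03:17
[DoS Attack: SYN/ACK Scan] from source: 212.133.164.10, port 80, Thursday, July 1, 2021 08:04:22
[DoS Attack: ACK Scan] from source: 31.13.71.52, port 443, Thursday, July 1, 2021 08:
""".splitlines()


def parse_dos_entries(lines):
    """Return (kind, ip, port, datetime) for each well-formed DoS line; non-DoS
    lines are ignored and unparsable DoS lines are skipped, never half-parsed."""
    entries = []
    for line in lines:
        m = DOS_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
            entries.append((m["kind"], m["ip"], int(m["port"]), ts))
    return entries


def summarize(lines):
    """Count DoS entries by /24 source subnet, target port and scan kind, plus
    the number of DoS lines that failed to parse, so nothing is silently lost."""
    subnets, ports, kinds = Counter(), Counter(), Counter()
    skipped = sum(1 for l in lines
                  if l.lstrip().startswith("[DoS Attack") and not DOS_RE.match(l.strip()))
    for kind, ip, port, _ in parse_dos_entries(lines):
        subnets[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        ports[port] += 1
        kinds[kind] += 1
    return {"subnets": subnets, "ports": ports, "kinds": kinds, "skipped": skipped}
```

Feed it the lines of a saved router log and sort the resulting counters to see which subnet and port dominate, and check "skipped" to know how many entries the sort is missing.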
CrimpOn
Guru

Re: Is it just me?


@skearcrow wrote:

I'm inclined to buy a new router but I have no idea why these attacks are happening (not hosting game server) and why they are sometimes shutting off the whole router.


Well, the good news (for me) is that after 10 days, things are back to normal, i.e. 20-30 reports per day rather than 100's.

 

Spectrum is correct. There is nothing they can do to stop connection attempts and changing modems will make no difference. People are constantly sending packets to every public IP address in attempts to find open ports, just as people are constantly dialing every possible telephone number to let people know about "Renewing your automobile warranty."

 

In my case, this nonsense appears to have had no effect on my Orbi besides filling the log file. The PingInfoView program has been running almost the entire time. I'm now pinging five DNS servers every 30 seconds.  Out of the last 7,000 ping attempts, only 12 have not completed. Three of the five DNS servers failed only one time in 7,000 attempts.  ICMP is a UDP packet (not guaranteed delivery), so there is no way to determine what went wrong.  My expectation is that if my Orbi got too busy dealing with "attacks", it would drop packets and all five DNS servers would fail to respond at the same time. Did not happen even one time.  My Orbi has not rebooted for 83 days. (Since the power went out and my UPS drained its battery.)

 

In my tech support days, we had a saying: "When users report a problem, there is always a problem. But the problem may not be what the user thinks it is."  If your Orbi is shutting off, there is something wrong.  I just think the log entries of "attacks" are not likely to be the cause.

Message 8 of 10
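The ping experiment in the two posts above turned into an explicit check, as an added example that is neither from the thread nor from PingInfoView: a round in which every target misses is the pattern the author expects if the router were too busy, while isolated misses are consistent with loss on one path. The target labels and poll results are constructed.

```python
from collections import Counter, defaultdict

# Constructed results: five targets polled in rounds 30 s apart, each record
# being (round, target, replied). "dns-a".."dns-e" are placeholder labels.
TARGETS = ["dns-a", "dns-b", "dns-c", "dns-d", "dns-e"]
SAMPLE_POLLS = [
    (n, t, not (n == 11 or (n, t) in {(3, "dns-b"), (7, "dns-c")}))
    for n in range(1, 15)
    for t in TARGETS
]


def correlate(polls):
    """Split rounds that had misses into two classes.

    A round in which every target missed is consistent with the router itself
    dropping packets; a round in which only some targets missed points to loss
    on one path or at one destination instead. Per-target miss totals are also
    returned so a single flaky target stands out.
    """
    by_round = defaultdict(dict)
    for n, target, ok in polls:
        by_round[n][target] = ok
    all_missed, partial, per_target = [], [], Counter()
    for n in sorted(by_round):
        missed = [t for t, ok in by_round[n].items() if not ok]
        per_target.update(missed)
        if not missed:
            continue
        if len(missed) == len(by_round[n]):
            all_missed.append(n)
        else:
            partial.append(n)
    return {"all_missed": all_missed, "partial": partial, "per_target": per_target}
```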
skearcrow
Aspirant

Re: Is it just me?

Thanks @CrimpOn. I wonder if I shouldn't upgrade my router. This one is just about 2 years old, and it was inactive in storage for most of last year, but I never had these issues before moving to a new home/IP address. I have seen these cold call DoS attacks before, but this is so pervasive, and again SOMETHING is making this router disconnect and reboot when it happens. Firmware is the latest. No physical issues with the router, but it doesn't make sense to spend $90 on tech support when I could spend $180 on a new router if that is all it takes.

Model: R7800|Nighthawk X4S AC2600 Wifi Router
Message 9 of 10
CrimpOn
Guru

Re: Is it just me?

Might try posting a description of the problem in the Nighthawk community forum:

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/bd-p/home-wifi-routers-nighthawk 

My R7000 Nighthawk did not cover the entire house (from the corner where the ISP modem is), so I upgraded to a mesh system.

This might be a known issue with the R7800 (or not).

Message 10 of 10