
schumaku
Guru

Re: Router mvpn purge and suspicious insight xcloud communication with orbi pro sxr80; and ddos atta

Interesting mix of wild combinations of individual log entries and speculations... Simple stack protection under the DoS label does become DDoS in your wild ideas, even more widely added secured BGP (considering consumer and end-user routers rarely use BGP). Combine a DoS log entry with a remote access by Insight (what it clearly isn't) and much more. Yes, Insight does make use of a certain VPN to enable the management of multiple or many Insight managed devices on the same network and location. For this purpose it also maintains a look-up service for device information on the same local subnet and beyond, allowing to locate multiple Insight devices easily for adding more Insight managed devices like switches, wireless access points, mesh satellites, ... (this is what the registration you see in the log is for), and much more.

 

Neither the mvpn nor the xcloud communication is suspicious - both are part of the proprietary Netgear Insight implementation - nor has the update control for the Insight devices update mechanism much in common with what Netgear support has told you based on consumer product firmware update mechanism information.

 

It's a good behavior to set an environment on a managed to known and defined defaults before it might be used any further, or just before it's set to a certain idle or stop state if not required in the current basic set-up. Matter of fact, there are different management entities and functionalities involved on these Insight or Netgear cloud manageable devices, depending on how the user does configure and operate these. From standalone, local managed, to a single location cloud managed, to a multi-site location there can be big differences. And I have not talked about the easy expansion or migration of a standalone local managed device to a single location cloud environment, to a multi-location environment.

 

No idea why users are so keen to manage one or even more multiple Insight manageable devices locally, massively crippling the oversight and limiting the service quality. The Insight App is yet another alternate UI to using the Insight web portal, so allowing the user to get the best of the Insight environment. But hey, if you prefer to do everything manually by device, feel free.

 

It's not the job of the Netgear support organization to provide design internals or an item-by-item explanation of each and every log entry you might ever see in the logs. It's OK trying to understand what is going on under the hood, but don't bring in unrelated features like your (non-existing) IP phones or no longer available telephony. Undoubtedly, everything is IP based here in Insight. And during normal operations of devices (like mobiles, computers, ...) things can change very quickly. Like a mobile device roaming to another wireless, to the WWAN (4G/5G carrier network), by a device going to sleep for power saving, so the IP stack on the router does have to deal with what is appearing as "DoS" - even if the reasons triggering can be very different during such state changes.

 

Beyond, there is no word (anywhere!) that these DoS protections mentioned are blocking any IP addresses, just to add one more example of false or freely interpreted ideas. Correct is that if you should become a target of a DDoS attack, no CPE-side router can do anything against it. Even if you invest a lot into your router, security appliance, ... At the end of the day, you have to depend on what the ISP can do.
