Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

https://db-ip.com/all/1.1.153

Qestion, did you change the default router password, default wifi passphrase on the router?

Yes, and I changed the passwords again after seeing the strange access in the logs. What's strange is that the 1.1.153.x address is showing up as connected to my Wireless. Last night, a different iPhone on my wireless had that IP address. I've just about given up on the router features of this device. Tonight, I'm going to disable DHCP on the device, and hookup a trusty old Linksys router to it to see if it resolves the problems. Thanks for your input, but it's just insane that Netgear doesn't provide even email supoort after 90 days. They used to be my go-to brand for networking equipment, but I guess all companies are feeling the squeeze of the poor economy.

I'm seeing this also. I've started watching this the last couple of days and I see a lot of DOS attacks. The source is listed as 2.x.x.x and the target is multiple other websites.  One day the rogue ip of 2.x.x.x was from my son's iPhone. Then the next day it took over my husband's iPad. Now it is listed as the ip for my phone.

My next step is to set my router back to the default settings. And then, if I can ever find out the current version #, I will update the firmware. 

Anyone have any any other ideas?

i have a C3000. I have remote management turned off. I have a different password that the default (can't find out how to change the admin username so that has stayed the same)

thanks for your help. 

Becky

I'm getting the same exact thing.  I was checking into things because we keep getting kicked off multiple times a day for no apparent reason and saw the logs of attacks and the rogue IP address that moves around to different devices.

Has anyone found the solution yet?  I'm having the same issues.  One of my Android phones will show up as a 176.10.32.0 address in the "attached devices" but that phone shows the correct 192.168.0.10 DHCP address on the device itself.  I verified this phone via MAC to be sure I was looking at the same device. I reset the phone and removed it in the device list.  Same issue.  Oddly, that IP address will switch between phones (I have 2 Android phones) seemingly at random.  I can ping the phone by it's correct address 192.168.0.10 (or .11 if it's the other phone affected) , but since the 176.10.32.0 address isn't a valid host address, I can't ping that one.  The only pleace I see the 176 address is in the attached device list and in the log with periodic, but often, 'teardrop or derivative' attack targeting a host in New Jersey. I'm wondering if this is a bug in NetGear Genie... I don't have a means of capturing data to run thru Wireshark from the outside NetGear interface.  

NetGear N450

Firmware Version

I just had the exact same thing happening with -what I figured out- was my fiance's iPhone 6!  Her iPhone's IP address was spoofed and shown as a similar-looking IP to the one you mentioned under my router's 'attached devices' --> 33.1.152.0.  The strangest part about this happening is that I have manually assisgned all of the IP addresses to devices on my network AND I had enabled 'access control' so that no new devices/IP addresses can join the network.  

I reset her iPhone's network settings and then rejoined the network.  My router's 'attached devices' suddenly showed the correct IP 192.168.1.xx for her iPhone.  After 10-20 seconds, I clicked 'refresh' in the 'attached devices' section and the IP switched back to 33.1.152.0

So I tried blocking her iPhone from joining the network via 'Access Control' and that worked just fine.  I had her iPhone forget the network.  Then, I re-enabled network access for her iPhone and manually rejoined the WiFi network successfully.  After doing this, her iPhone maintained it's proper IP address. The DoS attacks stopped happening completely!  

About 45 minutes later I noticed my iPhone had stopped appearing in the 'attached devices' section even though my it still had an active conection to the Internet over WiFi.  I had my iPhone forget and re-join the network.  After doing this, my iPhone reappeared under 'attached devices' and it still maintained it's proper iPv4 address.   As soon as my iPhone reappeared under 'attached devices' my fiance's iPhone immediately reverted back to being shown as 33.1.152.0 -_-

Two Things:

*I know this can be spoofed, but I used a website to look up the location for 33.1.152.0 and it's listed as belonging to a US-based defense contractor

*the night this started happening, I walked by my Mac running OS X 10.6.11 and saw that someone was controlling my cursor/keyboard via remote access SSH.  I saw them open my bookmark for PayPal and they opened the 'send money to someone' page where my saved login info was just sitting there.  I disconnected my router from power, went to bed and I've spent all day today trying to figure out how that could have happened with no luck.

I would love any suggestions/input/feedback or a fix!  I just want the peace of mind that I’m not vulnerable to an attack.

Holy *****.  I have never known anyone to actually watch their computer being controlled like that and money stolen.  I am completely speechless because otherwise it's a string of obscenities.

Here's what I would do.  One, disconnect everything from the Internet--period.  No phones, no computers, no nothing on any network, anywhere.

Two, get all your personal data off of those machines by backing them up to an external hard drive (or two or three if the data is important).

Three, go to the apple store and tell them to wipe all of those devices clean and start them over, explaining that all your accounts were compromised.

Four, contact banks or anyone else you had any electronic communications with using those devices and confirm if anything was stolen.

Five, contact the police and your insurance company.

This is the real deal and no drill--your identity and life were being stolen before your eyes.  And no router could have ever prevented that.

Be sure to factory reset your router too.  And don't plug it in or go online ANYWHERE until all of this is under control and you know what's going on.

On my router the factory def settings in the wan setup have

disable port scan and dos protection

Toggled ON !!!

meaning there is no protection. I can not imagine netgear having this toggled on as default but I did a hard reset and it was ON!

i got dos attacks and similar symptoms as discussed with ip changes on devices to outside my local network. I am now going through all the set up again.

wtf is netgear doing ?

Disabling a port scan is a protection that prevents an external source from port scanning.  (having it checked enabled the protection.)

Enabling DOS protection (checking it) protects you as well.

I think you simply misinterpreted what those meant.  Most consumer routers (netgear included) ship with all protections turned on.

"By default, the router uses port scan and DoS protection (it is enabled) to help guard a network against those attacks that inhibit or stop network availability. If someone selects the Disable Port Scan and DoS Protection check box on the WAN screen, that disables the protection."

That is from the netgear site. The default factory settings on the router I received had it checked. I did not change it. On my other netgear routers it is unchecked as delivered which is correct. I'm getting the dos attacks and port scans on the new router as described by others in this post.  Having these disabled by checking that box, may have contributed  I now can not stop these attaacks as others in this post have said.  IOS devices have their ips on the router changed which seems like a virus on the router. I will update the firmware and NOT check the box

In light of recent DDOS attacks on major websites like Amazon, Twitter, Reddit, etc... I read an article talking about botnets and how you could be part of one without you knowing. So i decided to check my logs on my c3700 and saw a couple of DOS Teardrop or derivitive logs. The Ip was one i havent seen before in my network, 100.131.130.0. The target was 73.241.60.32, which i believe is located in Rodeo California. I read Amazon has servers in Northern California but didn't say any city in specific. Question is, should I be concerned? Is my personal information conpromised? Am I overreacting? 

I have run into this issue as well. I just purchase the c7000 today and withing minutes of setting it up (yes I changed the default settings and passwords) and browsing around the admin settings I noticed that my log was showing DoS attacks: Ping of Death, Teardrop...etc. All were coming from ip address 78.197.43.0 port 0 (shows France when googled). When I checked connected devices I had one device with that particular IP assignment. I determined it was my Iphone 6S. I switched it over to the 5G network and that solved it for that device. I checked back a few minutes later and I now have the same ip address showing in the connected devices but it is no longer my iphone, it's just an undefined device (listed as ---). Does not appear to be affecting speed or connectivity at the moment

For reference, Time Warner customer in Raleigh, NC

I am running into the same problem.  I have owned the Nighthawk AC1900 for a month.  When I first set it up the first thing I did was change all the default passwords.  Even so, I almost immediately started seeing two symptoms:

1) Everyone in the family would sporadically get kicked off the network, and

2) When I looked at the logs there were entries about DOS attacks. They said that there was a device on the network that was causing much of the problem.  This device had an IP that was not in the range of my DHCP server.  When I dug into it, I found that it was an iPhone.  The thing was, it was jumping between all the iPhones in the family.  At first it was just the kid's phones, but soon my phone was also hit with that IP address.  

I have played with everything (e.g. segregating the iPhones to the "guest" network, blocking their acces, etc) and all that happens is that rogue ip address gets transferred to some other iphone address.  

This is unsettling.  I am not impressed with the support options from Netgear.  Any help would be great.

I think it's a bug in the Netgear equipment.  I sold mine and went with another brand.

Duplicate problem! https://community.netgear.com/t5/Cable-Modems-Routers/NETGEAR-C3700-allowing-a-Denial-of-Service-att...

I also have this problem. My iPad always have this ip address associated with its MAC address. I'm using C3000 with Comcast.

By looking into this problem I realized that it's not hacking.

The fact is that NETGEAR is not supporting IPV6 well. It's mistaking part of the ipv6 address in ipv6 packets as the src and dst of ipv4 packets.

The ipv6 packat is something like this

|   --- 32 bit ---                                   |  Info

|   --- 32 bit ---                                   |  Info

|   --- 32 bit ---                                   |  source ip   e.g.    1111:2222

|   --- 32 bit ---                                   |  source ip   e.g.    3333:4444

|   --- 32 bit ---                                   |  source ip   e.g.    5555:6666

|   --- 32 bit ---                                   |  source ip   e.g.    7777:8888

|   --- 32 bit ---                                   |  destination ip    e.g.    9999:aaaa

|   --- 32 bit ---                                   |  destination ip    e.g.    bbbb:cccc

|   --- 32 bit ---                                   |  destination ip    e.g.    dddd:eeee

|   --- 32 bit ---                                   |  destination ip    e.g.    ffff:0000

While ipv4 is like this

|   --- 32 bit ---                                   |  Info

|   --- 32 bit ---                                   |  Info

|   --- 32 bit ---                                   |  Info

|   --- 32 bit ---                                   |  source ip   e.g.    111.222.111.222

|   --- 32 bit ---                                   |  destination ip    e.g.    000.111.000.111

|   --- 32 bit ---                                   |  options

Netgear is mistaking the line 4 and 5 of an ipv6 packet, which are part of the ipv6 address, as the src and dst of an ipv4 packet.

The source and destination ip addresses in my log is exactly part of my ipv6 address, which is in heximal, of my iPad.

You can verify that by yourself.

ipv6 address:

xxxx:xxxx:aabb:ccdd:eeff:gghh:xxxx:xxxx

Change aa bb cc dd ee ff gg hh from heximal to decimal AAA BBB CCC DDD EEE FFF GGG HHH

Then you can find that AAA.BBB.CCC.DDD is your source and EEE.FFF.GGG.HHH is your destination of 'DoS' packets.

Interesting. Thanks for looking into this. I ended up buying a Motorola router and haven't had any issues since. 

Wow!  Congrats on finding the exact source of this bug!  Now, hopefully Netgear sees this and will fix the code.

Any body have any detailed instruction on how to change the IPv6 addresses in above 

Might you be able to point me towards a more detailed set of steps to follow to fix the ipv6 issue?

thank you

Paul

Might you be able to point me towards a more detailed set of steps to follow to fix the ipv6 issue?

thank you

Paul

Why do I keep buying netgear? I guess cause cheap, and it shows.