Orbipro1
Oct 25, 2022 (Aspirant)
Router mvpn purge and suspicious Insight XCloud communication with Orbi Pro SXR80; and DDoS attacks
I have not initiated or set up the Insight app or XCloud. The router log shows Insight and XCloud logins to the Orbi Pro router and mentions mvpn. Is this unauthorized access? There is an unusual amount of DDoS attacks - how do I protect against or stop DDoS attacks of the type mentioned in the logs?
[DoS Attack: SYN/ACK Scan] from source: 194.26.228.174, port 19135, Monday, October 24, 2022 13:49:48
[DoS Attack: ACK Scan] from source: 194.26.228.174, port 5359, Monday, October 24, 2022 13:25:04
[DoS Attack: SYN/ACK Scan] from source: 85.232.251.78, port 80, Monday, October 24, 2022 12:39:58
[DoS Attack: SYN/ACK Scan] from source: 198.7.29.5, port 53, Monday, October 24, 2022 12:36:25
[Insight] Purge mvpn service successfully., Monday, October 24, 2022 12:18:35
[Insight] Disable concentrator mvpn., Monday, October 24, 2022 12:18:35
[Insight] Disable content filtering successfully., Monday, October 24, 2022 12:18:35
[Insight] Set auto_upgrade to 1., Monday, October 24, 2022 12:18:35
[Insight] Set upgrade http url to ., Monday, October 24, 2022 12:18:35
[Insight] Device is not claimed on Insight cloud (1003)., Monday, October 24, 2022 12:18:35
[Insight] Boot API request: data = {"serialNo":"6KW10B5XA4EAF","macAddress":"9c:c9:eb:dd:1d:f3","model":"SXR80","xDeviceId":"GEDNAGV7-3220-336-184411967","deviceType":"ORBI","fwVersion":"4.2.3.102","sendPendingC, Monday, October 24, 2022 12:18:35
[Insight] Register the device and send request to get device token., Monday, October 24, 2022 12:18:35
[DoS Attack: ACK Scan] from source: 155.133.253.34, port 27032, Monday, October 24, 2022 12:18:33
[DoS Attack: ACK Scan] from source: 155.133.253.34, port 27032, Monday, October 24, 2022 12:18:32
[Insight] Connection to XCloud was established., Monday, October 24, 2022 12:18:27
[DoS Attack: SYN/ACK Scan] from source: 85.232.251.78, port 80, Monday, October 24, 2022 12:17:59
[DoS Attack: ACK Scan] from source: 162.254.195.71, port 27021, Monday, October 24, 2022 12:17:38
[DoS Attack: ACK Scan] from source: 162.254.195.71, port 27021, Monday, October 24, 2022 12:17:37
[Insight] Connection to XCloud was disconnected., Monday, October 24, 2022 12:17:26
[DoS Attack: ACK Scan] from source: 162.247.241.1
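The log quoted above interleaves two unrelated kinds of entries. As an added example, not part of the original post or of NETGEAR's firmware, the following Python script parses lines in that format and separates the DoS-labelled scan notices (counted per source address and per scan type) from the Insight/XCloud events; the sample lines are constructed in the same format, with addresses taken from the RFC 5737 documentation ranges rather than from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same format as the Orbi Pro log quoted in the post;
# the addresses are RFC 5737 documentation ranges, not the ones from the post.
SAMPLE_LOG = """\
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.10, port 19135, Monday, October 24, 2022 13:49:48
[DoS Attack: ACK Scan] from source: 203.0.113.10, port 5359, Monday, October 24, 2022 13:25:04
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 80, Monday, October 24, 2022 12:39:58
[Insight] Purge mvpn service successfully., Monday, October 24, 2022 12:18:35
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 27032, Monday, October 24, 2022 12:18:33
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 27032, Monday, October 24, 2022 12:18:32
[Insight] Connection to XCloud was established., Monday, October 24, 2022 12:18:27
"""

# "[DoS Attack: <kind>] from source: <ip>, port <port>, <weekday>, <month> <day>, <year> <time>"
DOS_RE = re.compile(r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
                    r"port (?P<port>\d+), (?P<when>.+)$")
# "[Insight] <message>., <timestamp>" (the message itself may contain commas, e.g. JSON,
# so the timestamp is anchored on the weekday name)
INSIGHT_RE = re.compile(r"^\[Insight\] (?P<msg>.+?)\.?, (?P<when>[A-Z][a-z]+day, .+)$")
TIME_FMT = "%A, %B %d, %Y %H:%M:%S"

def parse_line(line):
    """Return a dict for a DoS scan notice or an Insight event, or None for any other line."""
    m = DOS_RE.match(line)
    if m:
        return {"type": "dos", "kind": m["kind"], "ip": m["ip"], "port": int(m["port"]),
                "when": datetime.strptime(m["when"], TIME_FMT)}
    m = INSIGHT_RE.match(line)
    if m:
        return {"type": "insight", "msg": m["msg"], "when": datetime.strptime(m["when"], TIME_FMT)}
    return None

def summarize(log_text):
    """Separate scan notices (counted per source and per kind) from Insight events (oldest first)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    scans = [e for e in events if e["type"] == "dos"]
    insight = sorted((e["when"], e["msg"]) for e in events if e["type"] == "insight")
    return {"scan_count": len(scans),
            "by_source": Counter(e["ip"] for e in scans),
            "kinds": Counter(e["kind"] for e in scans),
            "insight": insight}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['scan_count']} scan notices from {len(s['by_source'])} sources: {dict(s['by_source'])}")
    for when, msg in s["insight"]:
        print(when.isoformat(sep=" "), "Insight:", msg)
```

Feeding a saved router log into summarize() shows at a glance how many distinct sources the DoS-labelled notices actually came from, and lists the Insight cloud events on their own timeline.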
An interesting mix of wild combinations of individual log entries and speculation... Simple stack protection under the DoS label becomes DDoS in your wild ideas, with secured BGP thrown in on top (even though consumer and end-user routers rarely use BGP). Combine a DoS log entry with remote access by Insight (which it clearly isn't), and much more. Yes, Insight does make use of a certain VPN to enable the management of multiple or many Insight-managed devices on the same network and location; for this purpose it also maintains a look-up service for device information on the same local subnet and beyond, allowing multiple Insight devices to be located easily when adding more Insight-managed devices like switches, wireless access points, mesh satellites, ... (this is what the registration you see in the log is for), and much more.
Neither the mvpn nor the XCloud communication is suspicious - both are part of the proprietary Netgear Insight implementation - nor does the update control for the Insight devices' update mechanism have much in common with what Netgear support has told you based on consumer product firmware update mechanism information.
It's good behavior to set the environment on a managed device to known and defined defaults before it might be used any further, or just before it's set to a certain idle or stopped state if not required in the current basic set-up. As a matter of fact, there are different management entities and functionalities involved on these Insight or Netgear cloud-manageable devices, depending on how the user configures and operates them. From standalone, locally managed, to single-location cloud managed, to multi-site locations, there can be big differences. And I have not talked about the easy expansion or migration of a standalone locally managed device to a single-location cloud environment, or to a multi-location environment.
No idea why users are so keen to manage one or even multiple Insight-manageable devices locally, massively crippling the oversight and limiting the service quality. The Insight app is yet another alternative UI to the Insight web portal, allowing the user to get the best of the Insight environment. But hey, if you prefer to do everything manually, device by device, feel free.
It's not the job of the Netgear support organization to provide design internals or an item-by-item explanation of each and every log entry you might ever see in the logs. It's OK to try to understand what is going on under the hood, but don't bring in unrelated features like your (non-existent) IP phones or no longer available telephony. Undoubtedly, everything is IP based here in Insight. And during normal operation of devices (like mobiles, computers, ...) things can change very quickly: a mobile device roaming to another wireless network or to the WWAN (4G/5G carrier network), or a device going to sleep for power saving, so the IP stack on the router has to deal with what appears as "DoS" - even if the reasons triggering it can be very different during such state changes.
Beyond that, there is no word (anywhere!) that these DoS protections mentioned are blocking any IP addresses, just to add one more example of false or freely interpreted ideas. Correct is that if you should become the target of a DDoS attack, no CPE-side router can do anything against it, even if you invest a lot into your router, security appliance, ... At the end of the day, you have to depend on what the ISP can do.
9 Replies
No experience with Insight, sorry. The SXR80 Product Data Sheet says that a 5-Year subscription to Insight is bundled with the purchase. Looks like you paid for it. Did you register the product? Maybe registration links Insight to the product? Might want to give them a call (since it appears you paid for it).
https://www.downloads.netgear.com/files/GDC/SXK80/SXK80_DS.pdf
With regard to the entries Netgear places in the log file labeled Denial of Service (DoS) Attacks, there is nothing anyone can do to prevent these except turn off the feature that reports them.
- If you have a telephone number, what can you do to prevent Robocalls? -- Nothing. Anyone, anywhere, can dial any number they damn well please. All you can do is choose not to answer, but you cannot stop them from calling.
- If you have a mailbox, what can you do to prevent Junk Mail? -- Nothing. You can bring in the mail, stand over a trash can, and throw things away without opening, but you cannot stop people from sending mail to your address.
- Each internet subscriber has a public IP address. There is nothing that can be done to prevent people from attempting to connect. -- Nothing. The router firewall refuses to accept any connections, unless the user has deliberately forwarded ports to specific local devices or has placed a device in the DMZ.
Netgear has written software, which is not documented anywhere, that monitors connection attempts and looks for familiar patterns. When it detects a pattern, an entry is made in the log file. This has absolutely zero to do with accepting any of these connection requests. My phone keeps a log of every call that I (deliberately) failed to answer.
Sorry for the rant. It is just frustrating how much angst engineers create when they try to show off how cool they are.
Orbipro1 (Aspirant)
Thank you for the feedback.
I have no IP phone - not needed yet. Will have to learn also.
I did contact tech support, who said it may have to do with automatic update, but my automatic update is off. The logs, aside from some DDoS attacks, showed an Insight login, token request, issuance of token, established connection, a mention of mvpn, a purge, and an end of session. Maybe part of the Netgear device environment and its relation with corporate resources. Periodic contact and review of devices on its network. Not sure.
I do not use the app and have not signed up - it has no advantage of additional features, only multi-site administration of Orbi Pro. I have one site and prefer to access it by LAN on site.
Timely to evaluate the addresses of DDoS attackers and block the addresses, and probably not effective by this approach.
It seems the ISP would seek to identify and remove DDoS from their network - also difficult until encrypted BGP is implemented.
Orbipro1 wrote:
I have no IP phone - not needed yet. Will have to learn also.
We get robocalls on our house phone and both cell phones. Nothing to do with internet.
(Another rant) House phone is through Spectrum. They are able to describe many calls as "SPAM RISK" or "Unknown", yet they do not offer to simply block those calls. Grrrr.
The cool part about having five years of Insight is the ability to call Netgear support. We who purchased the residential products get 90 days of 'complimentary support', after which our choices are (a) pay Gearhead, or (b) hope that some volunteer on the community forum can help. That's how I came to the forum five years ago. (Too cheap to pay Gearhead and not convinced that Level 1 support would be much more capable than I was to begin with.)