I think I'm under attack - any action required?

Earlier my router (Netgear MR60) kept throwing a fit. I reset it a few times but it would continue to lock up. I went into the logs and saw some entries referring to a DOS attack. From what I can tell these are fairly common false positives with Netgear, but nevertheless it isn't a common log for me to see and it was coincident with the problems.

I checked all of my security settings and continued to watch what happened. UPnP is disabled and the only ports forwarded were those in the 6xxx range for the Xbox. I disabled this after seeing access to the ports in the logs. Being a bit paranoid, I unplugged the NAS anyway.

Have a look at the logs. 192.168.1.137 is the Xbox IP which had ports forwarded but it has been powered off the whole time. Is it likely my network has been compromised? I'm on a static IP with my ISP and the DOS attack logs keep coming. Worth changing this?

Code:
[DoS attack: RST Scan] from source 17.250.81.69,port 443 Friday, Jan 05,2024 18:07:22
[DoS attack: RST Scan] from source 17.250.81.65,port 443 Friday, Jan 05,2024 18:02:25
[LAN access from remote] from 167.94.146.19 port 34897 to 192.168.1.137 port 6005 Friday, Jan 05,2024 17:55:42
[LAN access from remote] from 80.66.76.17 port 43120 to 192.168.1.137 port 6024 Friday, Jan 05,2024 17:51:39
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:48:04
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:46:59
[LAN access from remote] from 78.128.113.250 port 50291 to 192.168.1.137 port 6002 Friday, Jan 05,2024 17:37:50
[DoS attack: RST Scan] from source 17.250.81.69,port 443 Friday, Jan 05,2024 17:33:19
[Admin login] from source 192.168.1.217, Friday, Jan 05,2024 17:25:41
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:21:25
[DoS attack: RST Scan] from source 17.250.81.65,port 443 Friday, Jan 05,2024 17:19:48
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:16:53
[DoS attack: RST Scan] from source 17.250.81.65,port 443 Friday, Jan 05,2024 17:15:26
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:13:39
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:13:24
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:13:09
[DoS attack: RST Scan] from source 17.250.81.65,port 443 Friday, Jan 05,2024 17:12:17
[DoS attack: RST Scan] from source 17.250.81.69,port 443 Friday, Jan 05,2024 17:11:54
[DHCP IP: (192.168.1.123)] to MAC address [REDACTED], Friday, Jan 05,2024 17:07:44
[Admin login] from source 192.168.1.131, Friday, Jan 05,2024 17:07:36
[DoS attack: RST Scan] from source 17.250.81.69,port 443 Friday, Jan 05,2024 17:04:13
[DHCP IP: (192.168.1.140)] to MAC address [REDACTED], Friday, Jan 05,2024 17:02:30
[DoS attack: RST Scan] from source 17.250.81.64,port 443 Friday, Jan 05,2024 17:01:51
[DoS attack: RST Scan] from source 17.250.81.65,port 443 Friday, Jan 05,2024 16:57:37
[DHCP IP: (192.168.1.204)] to MAC address [REDACTED], Friday, Jan 05,2024 16:56:24
[DHCP IP: (192.168.1.204)] to MAC address [REDACTED], Friday, Jan 05,2024 16:55:08
[DoS attack: ACK Scan] from source 2.16.170.49,port 443 Friday, Jan 05,2024 16:52:59
[Time synchronized with NTP server] Friday, Jan 05,2024 16:52:31
[Internet connected] IP address: [REDACTED], Friday, Jan 05,2024 16:52:31
[Internet disconnected] Friday, Jan 05,2024 16:52:12
[DoS attack: ACK Scan] from source 17.253.77.201,port 443 Friday, Jan 05,2024 16:51:13
[DHCP IP: (192.168.1.140)] to MAC address [REDACTED], Friday, Jan 05,2024 16:51:09
[Time synchronized with NTP server] Friday, Jan 05,2024 16:51:08
[Internet connected] IP address: [REDACTED], Friday, Jan 05,2024 16:51:08
[Internet disconnected] Friday, Jan 05,2024 16:50:50
[DHCP IP: (192.168.1.100)] to MAC address [REDACTED], Friday, Jan 05,2024 16:49:11
[DHCP IP: (192.168.1.100)] to MAC address [REDACTED], Friday, Jan 05,2024 16:48:43
[Admin login] from source 192.168.1.131, Friday, Jan 05,2024 16:47:18
[DHCP IP: (192.168.1.119)] to MAC address [REDACTED], Friday, Jan 05,2024 16:47:03
[DHCP IP: (192.168.1.136)] to MAC address [REDACTED], Friday, Jan 05,2024 16:45:32
[DHCP IP: (192.168.1.136)] to MAC address [REDACTED], Friday, Jan 05,2024 16:44:55

Thanks!
 
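A small triage parser for the Netgear log format quoted above, added here as an example and not part of the original post. It assumes 6000-6999 stands in for the poster's forwarded "6xxx" range and runs over a constructed subset of the thread's own lines; it groups the "DoS attack" entries by source address and source port, and counts which "LAN access from remote" entries actually reached a forwarded port on the Xbox address.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the Netgear log format quoted in the thread (a subset of its lines).
SAMPLE_LOG = """\
[DoS attack: RST Scan] from source 17.250.81.69,port 443 Friday, Jan 05,2024 18:07:22
[DoS attack: RST Scan] from source 17.250.81.65,port 443 Friday, Jan 05,2024 18:02:25
[LAN access from remote] from 167.94.146.19 port 34897 to 192.168.1.137 port 6005 Friday, Jan 05,2024 17:55:42
[LAN access from remote] from 80.66.76.17 port 43120 to 192.168.1.137 port 6024 Friday, Jan 05,2024 17:51:39
[LAN access from remote] from 78.128.113.250 port 50291 to 192.168.1.137 port 6002 Friday, Jan 05,2024 17:37:50
[Admin login] from source 192.168.1.217, Friday, Jan 05,2024 17:25:41
[DoS attack: ACK Scan] from source 2.16.170.49,port 443 Friday, Jan 05,2024 16:52:59
"""
PATTERNS = {
    "dos": re.compile(r"^\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<src>[\d.]+),port (?P<sport>\d+) (?P<ts>.+)$"),
    "lan": re.compile(r"^\[LAN access from remote\] from (?P<src>[\d.]+) port (?P<sport>\d+) "
                      r"to (?P<dst>[\d.]+) port (?P<dport>\d+) (?P<ts>.+)$"),
}
TS_FMT = "%A, %b %d,%Y %H:%M:%S"  # matches "Friday, Jan 05,2024 17:55:42"

def parse_entries(text):
    """Yield (entry_type, fields) for DoS and remote-access lines; other lines are skipped."""
    for line in text.splitlines():
        for entry_type, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                f = m.groupdict()
                f["ts"] = datetime.strptime(f["ts"], TS_FMT)
                f.update({k: int(v) for k, v in f.items() if k in ("sport", "dport")})
                yield entry_type, f
                break

def triage(text, forwarded_ports=range(6000, 7000)):
    """forwarded_ports is an assumption standing in for the poster's "6xxx range"."""
    dos_by_source, dos_by_sport, remote_hits = Counter(), Counter(), []
    for entry_type, f in parse_entries(text):
        if entry_type == "dos":
            dos_by_source[f["src"]] += 1
            # A source port of 443 on every entry points at web servers' HTTPS replies,
            # which fits the CDN false-positive pattern the replies describe.
            dos_by_sport[f["sport"]] += 1
        else:
            remote_hits.append(f)
    return {
        "dos_by_source": dos_by_source,
        "dos_by_sport": dos_by_sport,
        "remote_hits": remote_hits,  # each carries src, sport, dst, dport, ts
        "forwarded_port_hits": sum(f["dport"] in forwarded_ports for f in remote_hits),
    }
```

Paste the router's full log export into `SAMPLE_LOG` (or read it from a file) and compare `dos_by_source` against a whois lookup of each address, as the replies suggest.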
Yeah, that’s what I thought, but it seemed too much of a coincidence and earlier log entries don’t mention it.
 
Given the origin IP addresses are Apple and Akamai, I’d be pretty confident to say that they aren’t legitimate DoS attacks and are indeed false positives as per the numerous threads on the Netgear forums observing the same.
 
Given the origin IP addresses are Apple and Akamai, I’d be pretty confident to say that they aren’t legitimate DoS attacks and are indeed false positives as per the numerous threads on the Netgear forums observing the same.
Yeah, I was going to say this. In these instances I always check the source IP; you can use Whois on those IP addresses. As paradigm says, if they are legitimate and the logs are notoriously bad, then I wouldn’t worry unless you notice anything else.
 
Do the connections through the forwarded port to the Xbox (which was powered off) IP also seem normal?

The router is now continuously freezing and dropping connections, so I’m guessing there’s something else going on. I’ll attempt a firmware flash to see if that makes any difference. If not, then maybe it’s on its way out?
 
Yes, the latest firmware is on there.
It's unlikely the few incoming connections are affecting the router; a DDoS attack would be hundreds of thousands of requests coming in constantly.

When you say constantly freezing and dropping connections, what do you mean exactly? Browsing the router's web UI is slow, wireless clients are losing connectivity, Xbox games don't work etc?
 
A bit of all of that. I thought the firmware flash might at least change the behaviour, but no. The devices I’m using are dropping the wifi connection for ~20 seconds. Some devices just won’t connect at all, e.g. I’m posting this from my iPad which is connected, but my iPhone right next to me won’t connect. Browsing the router UI via a wired connection leads to random pages failing to load. Only one of the Amazon Echo devices can connect whilst the others just can’t see the network.

I have tried it with the mesh satellites connected and without. I had seen similar random behaviour before when there has been an IP conflict but I’ve checked for this and can’t find one.
 
Unplug everything from the Netgear apart from a single wired device (laptop or PC etc), turn off wireless on it, then see how it behaves. If it fixes it, then start adding devices back slowly.

It sounds like possibly wireless interference or as you say an IP conflict, or potential loop.
 
Thanks for your help so far. I’ve tried that and it seems okay on a single wired connection straight into the router, or wired into a satellite and connected via the backhaul. On trying to connect Wi-Fi devices, nothing will now connect. Did another hard reset, no joy. I think it is ****ed!

I’m currently eyeing up some ubiquiti gear…
 
Thanks for your help so far. I’ve tried that and it seems okay on a single wired connection straight into the router, or wired into a satellite and connected via the backhaul. On trying to connect Wi-Fi devices, nothing will now connect. Did another hard reset, no joy. I think it is ****ed!

I’m currently eyeing up some ubiquiti gear…

At least you’ve been through all the logical troubleshooting steps, so you can be confident that you have kit issues rather than an attack.

I doubt you’ll be disappointed with Ubiquiti/Unifi kit; when I finally made the investment, I wondered why I hadn’t done so earlier.
 
ACK and RST scans mixed in together are typically an automated attack, especially in that pattern.

It’s probably a bot using spoofed source addresses, trying to find a way through stateful filters; it’s very common.

The fact you’re seeing impact suggests to me that it isn’t a false positive.

Although typically this is the sort of thing you might see for an hour, where it wrecks your internet - then it’ll never happen again, once the bot moves to something else.

I wouldn’t worry too much, anything connected to the internet will experience this sort of thing every once in a while.
 
After some digging I found a report from a user who had the same problem but resolved it by disabling DDoS protection. I’ve disabled it and everything seems to be working great now.
The Xbox works fine without forwarded ports now so I’ll just leave that disabled.

I’m still going to replace the setup.
 
It’s a bad idea to port forward if you don’t explicitly need to. Stating that it’s OK for a VPN but not for reason y is daft.

Port forwarding isn’t bad, bad port forwards are bad.

Fair comment. To expand, I meant that when possible it’s better to VPN in and then access services, rather than open everything up via port forwards.

I don't have an Xbox, but can't think of a good reason to open up ports to one.
 