
DDOS Attacks on Xbox Console- HELP

Dos DDOS XR500 UPNP Call of Duty Xbox Xbox One X

21 replies to this topic

#1
Matty XB1


Hi All,

 

For the last two days I've been getting DDOS'd offline on my Xbox One X. (I play Call of Duty WW2 and my ranking encourages dislike from other players.) The first time it happened was at halftime during a game of domination. Since then, my console has been randomly losing internet connection.

 

Below are logs from my XR500- does anyone have experience with this? Do I need to do a factory reset on my Xbox console? I've turned UPNP off for the time being, but I'm not sure if there are other settings I need to enable/disable on the XR500.

 

[DoS Attack: SYN/ACK Scan] from source: 54.36.24.186, port 9987, Wednesday, May 30, 2018 13:30:49
[DoS Attack: SYN/ACK Scan] from source: 54.36.24.186, port 9987, Wednesday, May 30, 2018 13:43:09
[DHCP IP: 192.168.1.8] to MAC address 98:e0:d9:a2:ee:95, Wednesday, May 30, 2018 13:51:32
[DumaOS] DHCP new event., Wednesday, May 30, 2018 13:51:32
[DumaOS] DHCP new lease allocated., Wednesday, May 30, 2018 13:51:32
[Internet connected] IP address: , Wednesday, May 30, 2018 14:36:13
[DHCP IP: 192.168.1.8] to MAC address 98:e0:d9:a2:ee:95, Wednesday, May 30, 2018 14:37:40
[DumaOS] DHCP new event., Wednesday, May 30, 2018 14:37:40
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 14:37:40
[DoS Attack: SYN/ACK Scan] from source: 54.39.41.224, port 4444, Wednesday, May 30, 2018 15:20:31
[UPnP set event: del_nat_rule] from source 192.168.1.3, Wednesday, May 30, 2018 15:30:19
[UPnP set event: add_nat_rule] from source 192.168.1.3, Wednesday, May 30, 2018 15:34:56
[UPnP set event: del_nat_rule] from source 192.168.1.3, Wednesday, May 30, 2018 15:36:23
[UPnP set event: add_nat_rule] from source 192.168.1.3, Wednesday, May 30, 2018 15:36:26
[DoS Attack: SYN/ACK Scan] from source: 185.53.160.216, port 80, Wednesday, May 30, 2018 15:50:40
[DoS Attack: SYN/ACK Scan] from source: 54.39.41.224, port 4444, Wednesday, May 30, 2018 15:55:14
[DumaOS] Resync R-App store cloud, Wednesday, May 30, 2018 16:08:25
[DumaOS] HTTP download failed with code '404', Wednesday, May 30, 2018 16:08:25
[DumaOS] R-App store cloud sync failed, Wednesday, May 30, 2018 16:08:25
[DumaOS] Cloudsync DPI result 'false','All mirrors are down', Wednesday, May 30, 2018 16:09:09
[admin login] from source 192.168.1.2, Wednesday, May 30, 2018 16:25:43
[DHCP IP: 192.168.1.2] to MAC address cc:40:d0:43:0c:4d, Wednesday, May 30, 2018 16:43:39
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:43:39
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 16:43:39
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:43:46
[DHCP IP: 192.168.1.6] to MAC address 1c:5c:f2:e1:28:89, Wednesday, May 30, 2018 16:43:46
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:43:46
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 16:43:46
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:43:49
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:44:26
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:44:29
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:44:38
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:44:41
[DHCP IP: 192.168.1.3] to MAC address 2c:54:91:50:fb:d1, Wednesday, May 30, 2018 16:44:48
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:44:48
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 16:44:48
[DHCP IP: 192.168.1.51] to MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:44:56
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:44:56
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 16:44:56
[DHCP IP: 192.168.1.51] to MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:44:57
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:44:57
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 16:44:57
[DHCP IP: 192.168.1.34] to MAC address cc:40:d0:43:0c:4d, Wednesday, May 30, 2018 16:51:06
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:51:06
[DumaOS] DHCP new lease allocated., Wednesday, May 30, 2018 16:51:06
[admin login] from source 192.168.1.34, Wednesday, May 30, 2018 16:51:09
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:51:12
[DHCP IP: 192.168.1.4] to MAC address 94:9a:a9:c3:2a:44, Wednesday, May 30, 2018 16:51:13
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:51:13
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 16:51:13
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:51:15
[DHCP IP: 192.168.1.6] to MAC address 1c:5c:f2:e1:28:89, Wednesday, May 30, 2018 16:51:17
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:51:17
[DumaOS] DHCP lease change., Wednesday, May 30, 2018 16:51:17
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:51:35
[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:51:38
[DHCP IP: 192.168.1.2] to MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:51:54
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:51:54
[DumaOS] DHCP new lease allocated., Wednesday, May 30, 2018 16:51:54
[DumaOS] Marking device that is marked 192.168.1.2 7 1., Wednesday, May 30, 2018 16:51:54
[DHCP IP: 192.168.1.254] to MAC address 2c:54:91:50:fb:d1, Wednesday, May 30, 2018 16:52:17
[DumaOS] DHCP new event., Wednesday, May 30, 2018 16:52:17
[DumaOS] DHCP new lease allocated., Wednesday, May 30, 2018 16:52:17
[DoS Attack: ARP Attack] from source: 192.168.1.3, Wednesday, May 30, 2018 17:03:27
 
Any help is greatly appreciated. Thank you!


#2
e38BimmerFN


The router is reporting an attack coming in from the reported IP address from the WAN side. Doesn't mean it's pointed at your xbox. You may be seeing some attack against the router.

I would contact your ISP and ask them to help you get a new public IP address and also block any of those IP addresses seen listed for attacks as well. The router is probably blocking it and doing just that, reporting what it's seeing. Go to domaintools.com and look up whois for that IP address as well.

I would reboot your ISP modem and router. After rebooting the modem, you should get a new IP address from your ISP.

Set up a reserved IP address for the xbox. Give a new IP address and reserve it ON the router.

What is the Mfr and model# of your ISP modem?



#3
Matty XB1


Thank you e38BimmerFN for your quick response. The cable modem I use is the ASUS CM-16 DOCSIS 3.0 CableLabs-certified 16x4 



#4
e38BimmerFN


Let us know how it goes with the ISP. Hopefully they can help you on this...



#5
Netduma Jack


Hi, welcome to the forum!

 

Those logs are for developers to look over in specific situations. Every XR500 router will display these types of logs (which look like DoS attacks). In reality, this is your router doing its job - it has a built in firewall and is displaying the prevention of such attacks. Every router in the world would show these kinds of events if they too had log files like the XR500. Most routers don't show you this information for this reason - it can be misinterpreted.

 

It's more likely that your consoles are losing connection for other reasons. The way to stop DDoS attacks entirely is through a VPN though this is an extreme step. For now, try to narrow down the issue.

 

Do you lose connection on any other devices? Have you tried switching the Ethernet cables between the XR500 and your consoles? Does this happen over WiFi, Wired or both?


Technical support:

 

Fine tuning guide - How to set up your Netduma R1 quickly with optimum settings. Includes: How to get your full speeds, opening your NAT & Geo-filter settings etc.
FAQ - Includes: How to play with friends using the Geo-filter, I can't access the router control panel, Wifi keeps dropping out etc.
Wiki - Main link to the Wiki, for everything else please search here or on the forum.
Current firmware version (1.03.6) - If you are on anything below this, follow the instructions carefully to upgrade.

 

Any other issues please make a new thread on the forum, thank you  :)

 

Twitter - Facebook - YouTube - Twitch - Instagram - Steam Group - Discord


#6
Matty XB1


Hi Jack! Thank you for your response. My girlfriend loses connection on her PS4 (also playing CoD WW2) at the same time but, those are the only devices to lose connection that I know of. After it happens, my profile will repeatedly attempt to sign in to Xbox Live without me doing anything. On the home screen, it will sign in and show that it's connected to the internet but then sign out a few moments later. This will continue until I reset the console which has been the only solution I've found for getting back online.

 

I have not tried swapping Ethernet cables nor tried WiFi yet, but I'll test both tonight!

 

Does any of what I described above sound familiar?

 

Thanks again,

Matt



#7
Netduma Fraser


Okay well good news is you're not being DDoSed otherwise every device would go offline. It could be related to a bug we are tracking at the moment but doesn't have all the symptoms, could just be a PSN issue. I was signed out of PSN earlier as well. Let us know how you get on with the tests done tonight and we can go from there!


Twitter/Facebook/YouTube/Twitch/Instagram/Steam Group/Discord

 

Official R1 Support Times: 10am - 6pm BST

World Clock

Official DumaOS/XR500 Support Times: 12pm - 2am BST



If you're having Settings or Hardware issues with the XR500 please go here and login to get the number for Netgear's 24/7 support line: http://support.netgear.com/


#8
e38BimmerFN


I have two xbox consoles connected to my router. Here's what I do:

1. Connect both of them and power them ON.

2. Go into the router and set up IP address reservations for both consoles. I use 192.168.#.198 and .199. My router's default IP address pool is 192.168.#.100 to .200. This leaves me room on each side of the pool for statics if needed.

3. Power OFF the consoles. I like to hold the power button on the xbox ones until they shut off. This does a warm reset on the console.

4. Enable uPnp. No Port Forwarding configurations are needed. I don't use them.

5. Set Nat Filter from Secure to Open. This is recommended for two or more game consoles online at the same time. Helps in getting OPEN NAT on the console and in game. Especially when playing the same game across two consoles.

6. Make sure all settings on router are applied then do a full reboot of the router.

7. Power on 1st game console. Should have reserved IP address and check NAT status on the system dashboard. Then check nat status in game. Should be OPEN for both consoles.



#9
AsNCo


Mind if I use this thread too?

My log is the opposite of the TS's (thread starter) post. The log is too vague for me to know if it is an inside attack or an external one.
The attack seems to be happening every 20 minutes. Below is just a slice of how it happens every 20 minutes in the log.

 

 

[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04

[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DHCP IP: 192.168.1.102] to MAC address *************, Friday, June 01, 2018 13:15:06
[DumaOS] DHCP new event., Friday, June 01, 2018 13:15:06
[DumaOS] DHCP lease change., Friday, June 01, 2018 13:15:06
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04

So is this an internal or external attack?
Also, if I were to place my PC in DMZ mode, I will at times get notifications from my extremely reliable Eset Smart Security Anti-Virus of ARP Cache Poisoning Attacks (from IP addresses belonging to other users on my ISP network) and Port Scan attacks from China and France but mostly China.

 

 

Time 5/1/2018 2:55:18 PM

Event Detected ARP cache poisoning attack
Source 000.00.000.000
Target 000.00.000.000
Protocol ARP
 
 
Time 5/1/2018 3:04:28 PM
Event Detected ARP cache poisoning attack
Source 000.00.000.00
Target 000.00.000.000
Protocol ARP
 
Time 5/1/2018 9:03:59 PM
Event Detected Port Scanning attack
Source 113.96.223.207:59838
Target 192.168.1.2:20010
Protocol TCP
 
Time 5/3/2018 11:48:46 AM
Event Detected Port Scanning attack
Source 203.90.178.35:6000
Target 192.168.1.2:22433
Protocol TCP
 
Time 5/3/2018 1:11:54 PM
Event Detected Port Scanning attack
Source 124.42.124.131:7944
Target 192.168.1.2:91
Protocol TCP

(I replaced my local ISP WAN addresses with 0 zeroes for privacy reasons.)


All these attacks are no longer popping up when I disable DMZ for my PC which means the router is doing its job. However, those logs above do not show any of these attacks as well as specific details of the attack and which specific local network it is attacking. This is after all for the safety of the Home Automation devices I have at home including one that has a camera and mic/speaker on the pet feeder.

It would be very helpful in getting my ISP to deal with the issue especially the ARP Cache Poisoning from fellow ISP users who are either intentionally or unintentionally trying to get data off the internet stream. I want to do this while not exposing my PC to it again under DMZ mode since the router could tell it for me.



#10
Netduma Fraser


Just from looking online the responses are ranging from it's nothing to worry about to you may have a virus/trojan/malware on one of your devices. So I'd do a scan on all devices just in case.

 

Also in WAN Setup ensure both Disable Port Scan and DoS Protection & Respond to Ping on Internet Port are unticked.

 

This particular entry is created by the Netgear part of the router so my knowledge on it is limited.




#11
AsNCo


Thanks for the useful tips. As I said before, the ARP Cache Poisoning is from a different WAN address but related to my ISP and definitely does not originate from one of my local IP addresses.
Interestingly enough, when I connect my PC directly to the modem, my Anti-virus can map out a lot of WAN addresses on the network in my ISP's WAN pool.

So far, I have yet to get any attacks or snooping from my own local devices. So that's a good sign that the router has done a good job blocking the other devices in the network from being used by any attackers. Similarly I have not received any sort of network attacks ever since I turned off DMZ for my PC. Goes to show the router is doing well to block such things.

Was just hoping I can use it to inform my ISP of irresponsible customers in the network trying to extract data from other users.
But I do not want to risk my PC to the attacks directly like before even if my Anti-virus is reliable.

Not to mention, the router can easily show even more details such as the attacks are for all devices in the network or to a specific device in the network so I can pin-point and isolate that device from being used for an intrusion.

Nevertheless, thanks for answering. Too bad Netgear is not as open as Asus router's logs.



#12
Netduma Fraser


For the most part networks do get scanned a lot so it could just be that and nothing sinister at all. I don't really have anything else to advise, the router is definitely protecting you. I've got an idea for you, I'll PM.




#13
Matty XB1


Hi Fraser-

 

I changed my IP address and this put a stop to all of the disconnects. However, it has begun happening again as of about 6 minutes ago. My Xbox was disconnected from Xbox Live, it connected once again, and I got booted two minutes later. I imagine this will continue happening if I don't shut off my Xbox...below are the logs showing DOS attacks at the exact times I'm kicked offline-

 

[DoS Attack: ACK Scan] from source: 31.13.69.195, port 443, Friday, June 01, 2018 20:40:11
[UPnP set event: del_nat_rule] from source 192.168.1.59, Friday, June 01, 2018 20:40:14
[DumaOS] applying qos for zone wan, Friday, June 01, 2018 20:40:51
[DumaOS] applying qos for zone lan, Friday, June 01, 2018 20:40:52
[UPnP set event: add_nat_rule] from source 192.168.1.59, Friday, June 01, 2018 20:41:00
[DumaOS] applying qos for zone wan, Friday, June 01, 2018 20:41:42
[DumaOS] applying qos for zone lan, Friday, June 01, 2018 20:41:43
[DumaOS] applying qos for zone wan, Friday, June 01, 2018 20:41:53
[DumaOS] applying qos for zone lan, Friday, June 01, 2018 20:41:54
[DoS Attack: ACK Scan] from source: 31.13.69.195, port 443, Friday, June 01, 2018 20:42:11
[DumaOS] applying qos for zone wan, Friday, June 01, 2018 20:42:45
[DumaOS] applying qos for zone lan, Friday, June 01, 2018 20:42:45


#14
Killhippie


 

The DoS attacks are constant but it's just background noise mainly, there are many services and constant port scans happening all the time. If you see them in your logs it means the firewall is doing its job. I would not worry, Netgear routers tend to sometimes show false flag attacks, but I get many over the day and have always on all routers I have had. You can't stop them and bots port scan all the time. They can come in batches or just the odd one here and there. It's really nothing to worry about.

 The only thing I saw in your logs was a device on WAN trying to connect '[WLAN access rejected: incorrect security] from MAC address 70:14:a6:46:d7:16, Wednesday, May 30, 2018 16:43:49'. I had that when a friend across the road had an old blu-ray player of mine and had not wiped the thing properly (I forgot to) so it kept trying to connect to my network. I just changed my SSIDs and I use a 63 character ASCII password for wifi (over the top but better safe than sorry) then those attempts to connect stopped. If you know the IP of that device then maybe it's just got the wrong password to your wifi network. If not maybe some cheeky git is trying to get onto your network.

 Make sure you change the original SSID and password of your router for your networks, use a password of about 12-16 characters. Use something random and make sure you keep a copy safely, same with the SSID make it unique so somebody won't try to connect to it by accident. Never leave it as Netgear** that's asking for trouble. As to the attacks don't worry, they will happen every day for as long as you are online, it's the internet at work and your firewall is doing its job just fine.
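
Added example (not part of any post in this thread, and not Netgear or Netduma code): a Python triage script for log lines in the layout quoted above. It counts the router's "DoS Attack" entries per type and source, labels each source as LAN (RFC 1918) or WAN, measures the gap between repeated bursts from one source, and lists the entries logged shortly before a chosen event such as "[Internet disconnected]". The sample log is constructed, and the function names and the 60-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of the XR500 log lines quoted in this thread.
# WAN addresses and the MAC address are documentation values, not observations.
SAMPLE_LOG = """\
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:03:04
[DHCP IP: 192.168.1.102] to MAC address 00:00:5e:00:53:01, Friday, June 01, 2018 13:15:06
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:23:04
[DoS Attack: SYN/ACK Scan] from source: 203.0.113.10, port 80, Friday, June 01, 2018 13:30:49
[DoS Attack: IP Spoofing] from source: 192.168.1.1, port 1900, Friday, June 01, 2018 13:43:04
[DoS Attack: ARP Attack] from source: 192.168.1.3, Friday, June 01, 2018 13:50:27
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 443, Friday, June 01, 2018 14:02:11
[Internet disconnected] Friday, June 01, 2018 14:02:40
"""

# Private address space: a source in these ranges is on (or claims to be on) the LAN.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TS_RE = re.compile(r"(\w+, \w+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})\s*$")
DOS_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>\d+(?:\.\d+){3})"
    r"(?:, port (?P<port>\d+))?"  # ARP entries carry no port
)


def parse(text):
    """Return one dict per log line that ends in a parseable timestamp."""
    events = []
    for line in text.splitlines():
        ts = TS_RE.search(line)
        if not ts:
            continue  # blank lines, wrapped stack traces, truncated entries
        event = {
            "time": datetime.strptime(ts.group(1), "%A, %B %d, %Y %H:%M:%S"),
            "tag": line[1:].partition("]")[0] if line.startswith("[") else "",
            "dos": None,
        }
        m = DOS_RE.match(line)
        if m:
            try:
                src = ip_address(m.group("src"))
            except ValueError:
                src = None  # malformed address: keep the event, skip classification
            if src is not None:
                side = "LAN" if any(src in net for net in RFC1918) else "WAN"
                event["dos"] = (m.group("kind"), str(src), m.group("port"), side)
        events.append(event)
    return events


def summarize(events):
    """Count DoS entries per (kind, source, port, side)."""
    return Counter(e["dos"] for e in events if e["dos"])


def burst_gaps(events, source):
    """Minutes between the distinct timestamps at which `source` was logged.
    A constant gap points at a periodic process rather than ad-hoc traffic."""
    times = sorted({e["time"] for e in events if e["dos"] and e["dos"][1] == source})
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]


def dos_before(events, tag, window=timedelta(seconds=60)):
    """For each event carrying `tag`, list DoS entries logged within `window` before it."""
    hits = []
    for e in events:
        if e["tag"] == tag:
            near = [d["dos"] for d in events
                    if d["dos"] and timedelta(0) <= e["time"] - d["time"] <= window]
            hits.append((e["time"], near))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, count in summarize(evs).most_common():
        print(count, key)
    print("gaps (min) for 192.168.1.1:", burst_gaps(evs, "192.168.1.1"))
    print(dos_before(evs, "Internet disconnected"))
```

An entry returned by `dos_before` shows proximity in the log only; it does not establish that the logged packet caused the disconnect.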



#15
Netduma Fraser


Would reiterate the above.

 

Also that IP address is from Facebook using HTTPS, so nothing malicious going on causing you to be disconnected in the slightest, no one is DDoSing you. I'd replace your ethernet cable to see if that resolves it. If using WiFi could be interference and would highly suggest switching to wired.




#16
Matty XB1


Hi Guys,

 

I enabled DMZ to my Xbox One as UPNP is not currently working with the new software update. Five minutes after enabling, the log read something like, [Remote Lan Access] IP Address X to 192.168.1.254(my local Xbox IP). Then, there were about 9 lines all saying this. I instantly changed my IP address and rebooted. Does this mean I can't forward any ports to my Xbox, or is this something I don't have to worry about?

 

Best,

Matt



#17
Netduma Admin

Hi Matty - Netgear have pulled the latest version until they solve the UPNP issue, so for now could you downgrade back to the previous version and enable UPNP again.

https://kb.netgear.c...ersion-2-2-1-10

#18
Matty XB1


After reverting back to the previous firmware, the first line in the logs reads, [OpenVPN] VPN Client disconnected. This is strange since I've never signed into VPN. Any thoughts?



#19
Matty XB1


Also, I just got disconnected again after another [DoS Attack: SYN/ACK Scan]. Can someone please take a look at my logs, and let me know if there's something I can be doing to prevent these disconnects?

 
[DoS Attack: SYN/ACK Scan] from source: 61.147.67.163, port 80, Wednesday, June 06, 2018 07:44:18
[DumaOS] kill 2 sent to 'com.netdumasoftware.networkmonitor', Wednesday, June 06, 2018 07:44:28
[DumaOS] kill 2 sent to 'com.netdumasoftware.nghal', Wednesday, June 06, 2018 07:44:28
[DumaOS] kill 2 sent to 'com.netdumasoftware.neighwatch', Wednesday, June 06, 2018 07:44:28
[DumaOS] kill 2 sent to 'com.netdumasoftware.systeminfo', Wednesday, June 06, 2018 07:44:28
[DumaOS] skipping 'com.netdumasoftware.autoadmin', Wednesday, June 06, 2018 07:44:28
[DumaOS] kill 2 sent to 'com.netdumasoftware.qos', Wednesday, June 06, 2018 07:44:28
[DumaOS] kill 2 sent to 'com.netdumasoftware.desktop', Wednesday, June 06, 2018 07:44:28
[DumaOS] kill 2 sent to 'com.netdumasoftware.rappstore', Wednesday, June 06, 2018 07:44:28
[DumaOS] kill 2 sent to 'com.netdumasoftware.geofilter', Wednesday, June 06, 2018 07:44:28
[DumaOS] skipping 'com.netdumasoftware.devicemanager', Wednesday, June 06, 2018 07:44:28
[DumaOS] App 'com.netdumasoftware.networkmonitor' cleanup finished, Wednesday, June 06, 2018 07:44:28
[DumaOS] App 'com.netdumasoftware.neighwatch' cleanup finished, Wednesday, June 06, 2018 07:44:28
[DumaOS] App 'com.netdumasoftware.systeminfo' cleanup finished, Wednesday, June 06, 2018 07:44:28
[DumaOS] App 'com.netdumasoftware.desktop' cleanup finished, Wednesday, June 06, 2018 07:44:28
[DumaOS] App 'com.netdumasoftware.rappstore' cleanup finished, Wednesday, June 06, 2018 07:44:28
[DumaOS] recovering state com.netdumasoftware.neighwatch, Wednesday, June 06, 2018 07:44:28
[DumaOS] App 'com.netdumasoftware.nghal' cleanup finished, Wednesday, June 06, 2018 07:44:28
[DumaOS] App 'com.netdumasoftware.qos' cleanup finished, Wednesday, June 06, 2018 07:44:28
[DumaOS] Unable to uninstall GeoFilter, Wednesday, June 06, 2018 07:44:31
[DumaOS] killing 5966, Wednesday, June 06, 2018 07:44:31
[DumaOS] App 'com.netdumasoftware.geofilter' cleanup finished, Wednesday, June 06, 2018 07:44:31
[DumaOS] skipping 'com.netdumasoftware.autoadmin', Wednesday, June 06, 2018 07:44:31
[DumaOS] kill 2 sent to 'com.netdumasoftware.devicemanager', Wednesday, June 06, 2018 07:44:31
[DumaOS] Exception caught in cleanup 'com.netdumasoftware.devicemanager': bad argument #3 to 'call' (table expected, got string, -> stack traceback: ^I?: in function <?:73> ^I[C]: in function 'call' ^I?: in function 'long_call' ^I?: in function '?' ^I?: in function 'cleanup' ^I?: in function '?' ^I?: in function <?:388> ^I[C]: in function 'xpcall' ^I?: in function 'try' ^I?: in function <?:385> ^I?: in function 'try' ^I?: in function <?:283> ^I(tail call): ? ^I/dumaos/api/cli.lua:48: in function </dumaos/api/cli.lua:30> ^I[C]: in function 'xpcall' ^I/dumaos/api/cli.lua:59: in main chunk ^I[C]: ? Wednesday, June 06, 2018 07:44:31
[DumaOS] kill 2 sent to 'com.netdumasoftware.autoadmin', Wednesday, June 06, 2018 07:44:31
[DumaOS] App 'com.netdumasoftware.autoadmin' cleanup finished, Wednesday, June 06, 2018 07:44:32
[DumaOS] App 'com.netdumasoftware.procmanager' cleanup finished, Wednesday, June 06, 2018 07:44:32
[DumaOS] Starting process manager, Wednesday, June 06, 2018 07:44:33
[Internet disconnected] Wednesday, June 06, 2018 07:44:33


#20
Netduma Fraser


Quote (Matty XB1): "After reverting back to the previous firmware, the first line in the logs reads, [OpenVPN] VPN Client disconnected. This is strange since I've never signed into VPN. Any thoughts?"

 

The logs are verbose and primarily for Developers so I wouldn't worry about anything you see there. It's likely just that once it's regained internet it's checked to see if it needs to go through a VPN which it doesn't. It's just backend processes that are happening.







