Jump to content

getting DDosed


Recommended Posts

A36D3C0B-F3A8-47C2-96C2-D86BA0D8A5BB.thumb.png.2fe42672d549d5edb1e53d3b9dbd61ed.pngA36D3C0B-F3A8-47C2-96C2-D86BA0D8A5BB.thumb.png.2fe42672d549d5edb1e53d3b9dbd61ed.pngI guess this is a question for whoever could answer... I keep getting random DOS sent to my router from ports 80,53, 2556.. I’ve heard about “blocking ports” would that help me with my problem? If it would how could I do it? Also, is there any other way to prevent being ddosed? Besides a vpn which would obviously do me no good.. Thanks 

 

Link to comment
Share on other sites

Your welcome! As far as you getting DOS sent to your router as you call it I don't think there is anything to worry about.. Im sure the Netduma staff will chime in to verify..  That usually is considered background noise or whatever they call it.. If your getting DOS from 71.10.216.1 and 71.10.216.2 I would consider that normal because those are your dns primary and secondary dns servers that Charter Spectrum use and you have.. If you go into your router settings you will see them in the setup.. As far as blocking those ports you actually need them.. Many devices like xbox still use them.. Just keep your firmware up to date and keep things secure and you should be fine..

Zippy.

Link to comment
Share on other sites

  • Administrators
On 1/19/2019 at 6:24 AM, Zippy said:

Your welcome! As far as you getting DOS sent to your router as you call it I don't think there is anything to worry about.. Im sure the Netduma staff will chime in to verify..  That usually is considered background noise or whatever they call it.. If your getting DOS from 71.10.216.1 and 71.10.216.2 I would consider that normal because those are your dns primary and secondary dns servers that Charter Spectrum use and you have.. If you go into your router settings you will see them in the setup.. As far as blocking those ports you actually need them.. Many devices like xbox still use them.. Just keep your firmware up to date and keep things secure and you should be fine..

Zippy.

As Zippy said - this is nothing to worry about. If you google the log you will see plenty of threads online on Netgear forums confirming the same 😊

Link to comment
Share on other sites

  • Netduma Staff

Yeh in case you need affirmation, the logs often display entries which look really bad. Sometimes it looks like you're getting DoS attacked, sometimes it looks like processes have stopped working or things have failed on the router... In reality, it's a language only our developers can understand, and nothing negative is happening at all :D

(We're thinking of hiding the logs for that reason!)

Link to comment
Share on other sites

Guest Killhippie
1 hour ago, Netduma Jack said:

Yeh in case you need affirmation, the logs often display entries which look really bad. Sometimes it looks like you're getting DoS attacked, sometimes it looks like processes have stopped working or things have failed on the router... In reality, it's a language only our developers can understand, and nothing negative is happening at all :D

(We're thinking of hiding the logs for that reason!)

Hiding logs would be a bad move I think, Netgear let the logs be seen in all their routers. If there is a issue with say wireless dropouts due to a bad radio those logs would be really useful in diagnosing that as would WAN issues with internet dropouts or your ISP/Modem causing either complete loss of connection or PPP. I recently had a issue where my TV was seen as attacking my LAN with a [DoS Attack: ARP Attack] Re-uploading the current firmware sorted that out (it was causing my TV not to update apps things like YouTube) So those logs are very useful for diagnosing events. Also it shows that things like cloud updates for Geo Filter are working.

 Maybe having a sticky in the forum saying what to ignore on DumaOS's side in the logs would be better. Dumbing down the interface is not something I think should be done or would want myself. Also it means people learn about the logs, and if they googled this stuff they would see Netgear routers are a tad paranoid with logging anyway, also this is the noise of the internet and port scans happen all the time, they should not be hidden...

Link to comment
Share on other sites

Guest Killhippie

Talking of logs (not wanting to start a new thread hope thats okay) the DumaOS stuff that always says HTTP failed to connect (because they are maybe not being used at present) should those not be HTTPS these days for security? I ask because I wondered if the cloud updates to the routers are HTTP or HTTPS ?

Link to comment
Share on other sites

On 1/19/2019 at 1:24 AM, Zippy said:

Your welcome! As far as you getting DOS sent to your router as you call it I don't think there is anything to worry about.. Im sure the Netduma staff will chime in to verify..  That usually is considered background noise or whatever they call it.. If your getting DOS from 71.10.216.1 and 71.10.216.2 I would consider that normal because those are your dns primary and secondary dns servers that Charter Spectrum use and you have.. If you go into your router settings you will see them in the setup.. As far as blocking those ports you actually need them.. Many devices like xbox still use them.. Just keep your firmware up to date and keep things secure and you should be fine..

Zippy.

 

Link to comment
Share on other sites

  • Netduma Staff
3 hours ago, Killhippie said:

Hiding logs would be a bad move I think, Netgear let the logs be seen in all their routers. If there is a issue with say wireless dropouts due to a bad radio those logs would be really useful in diagnosing that as would WAN issues with internet dropouts or your ISP/Modem causing either complete loss of connection or PPP. I recently had a issue where my TV was seen as attacking my LAN with a [DoS Attack: ARP Attack] Re-uploading the current firmware sorted that out (it was causing my TV not to update apps things like YouTube) So those logs are very useful for diagnosing events. Also it shows that things like cloud updates for Geo Filter are working.

 Maybe having a sticky in the forum saying what to ignore on DumaOS's side in the logs would be better. Dumbing down the interface is not something I think should be done or would want myself. Also it means people learn about the logs, and if they googled this stuff they would see Netgear routers are a tad paranoid with logging anyway, also this is the noise of the internet and port scans happen all the time, they should not be hidden...

By hide, I mean make it more difficult to find! You should be able to get the logs if they're required, but it's having them out in the open that's causing a some people to panic. We need to find a place to tuck them away :)

Link to comment
Share on other sites

Guest Killhippie
18 hours ago, Netduma Jack said:

By hide, I mean make it more difficult to find! You should be able to get the logs if they're required, but it's having them out in the open that's causing a some people to panic. We need to find a place to tuck them away :)

Maybe just leave them in Netgear settings on Netgear router.  If you dumb down the interface so people don't panic what kind of user are you catering for? Search engines are not hard to use, maybe encourage the useful skill of "looking it up yourself"  Seriously though the removal idea seems like dumbing down the interface to make life easy, Netgear has had the same log feature in every router from them I've had and people now and then get confused, they ask questions and move on but equally they have  learnt something, which is the point about owning this kind of tech, as you have to take some responsibility for knowing what you are doing with it. Dont turn Netduma and DumaOS into the Fisher-Price of routers, that's not a good look.

 I have to say I think this is idea is wrong on many levels, removing a feature or making it hard to find is a form of censorship. I would seriously look at moving on from DumaOS over that move. If you have a sticky on both Netegar's site and your own pages here, you could just refer people to the part that explains what they are seeing in the logs, surely that would suffice? Don't dumb down a great interface, that's one of the reasons people came to DumaOS, more information on what the router is doing not less.  If I wanted a dumb easy to use router that I would move from IDNet and go to a  ISP with a dumbed down router they post to you that does not even let you change the DNS settings or have a guest network. People need to learn what the logs mean if needed or learn to ignore them from a simple sticky on the site. This whole hide the logs idea feels like a solution looking for a problem.

Link to comment
Share on other sites

  • Netduma Staff
2 hours ago, Killhippie said:

Maybe just leave them in Netgear settings on Netgear router.  If you dumb down the interface so people don't panic what kind of user are you catering for? Search engines are not hard to use, maybe encourage the useful skill of "looking it up yourself"  Seriously though the removal idea seems like dumbing down the interface to make life easy, Netgear has had the same log feature in every router from them I've had and people now and then get confused, they ask questions and move on but equally they have  learnt something, which is the point about owning this kind of tech, as you have to take some responsibility for knowing what you are doing with it. Dont turn Netduma and DumaOS into the Fisher-Price of routers, that's not a good look.

 I have to say I think this is idea is wrong on many levels, removing a feature or making it hard to find is a form of censorship. I would seriously look at moving on from DumaOS over that move. If you have a sticky on both Netegar's site and your own pages here, you could just refer people to the part that explains what they are seeing in the logs, surely that would suffice? Don't dumb down a great interface, that's one of the reasons people came to DumaOS, more information on what the router is doing not less.  If I wanted a dumb easy to use router that I would move from IDNet and go to a  ISP with a dumbed down router they post to you that does not even let you change the DNS settings or have a guest network. People need to learn what the logs mean if needed or learn to ignore them from a simple sticky on the site. This whole hide the logs idea feels like a solution looking for a problem.

Wow, you are passionate about those logs! I get it, there's a principal behind what you're saying that holds true. Don't worry - I'm one of the UI designers here, and we're not looking to make the fisher price of routers, lmao. Quite the opposite. We've designed the worlds first router operating system, and it's not going to stop improving. With the R-apps we have planned for the future, you'll just keep getting more and more information to work with, and more tools to control your network.

Logs will be accessible to folks like you who want them, and they'll be easy to access. They just won't be in your face like they are now. It'll be a better solution, since the people who like logs can just pin them and see them all the time, and the majority of people who misinterpret / are troubled by the logs will understand more clearly that it's back-end information and not for everyone. It's the same solution every operating system or UI eventually adopts.

Link to comment
Share on other sites

On 1/21/2019 at 6:16 AM, Killhippie said:

Hiding logs would be a bad move I think, Netgear let the logs be seen in all their routers. If there is a issue with say wireless dropouts due to a bad radio those logs would be really useful in diagnosing that as would WAN issues with internet dropouts or your ISP/Modem causing either complete loss of connection or PPP. I recently had a issue where my TV was seen as attacking my LAN with a [DoS Attack: ARP Attack] Re-uploading the current firmware sorted that out (it was causing my TV not to update apps things like YouTube) So those logs are very useful for diagnosing events. Also it shows that things like cloud updates for Geo Filter are working.

 Maybe having a sticky in the forum saying what to ignore on DumaOS's side in the logs would be better. Dumbing down the interface is not something I think should be done or would want myself. Also it means people learn about the logs, and if they googled this stuff they would see Netgear routers are a tad paranoid with logging anyway, also this is the noise of the internet and port scans happen all the time, they should not be hidden...

 

On 1/21/2019 at 5:19 AM, Netduma Jack said:

Yeh in case you need affirmation, the logs often display entries which look really bad. Sometimes it looks like you're getting DoS attacked, sometimes it looks like processes have stopped working or things have failed on the router... In reality, it's a language only our developers can understand, and nothing negative is happening at all :D

(We're thinking of hiding the logs for that reason!)

Alrighty well I’ve learned a bit more just by listening but I can definitely tell you both that there is something more than typical “communication” I used to be a fairly active competitive player so I know all about getting “doxxed” or “dos”. Anyways.. it’s not like I’m continually getting “hit offline”. A few times everyday just about around the same times I get disconnected for a short period of time.. (probably however long his “stresser” is capable of holding me offline by pinging my router. Now with all of this being said... IS THERE ANYTHING TO DO TO PREVENT THIS BASTARD FROM ATTACKING MY IP ADDESS?! Outside of the typical contact your service provider or to use a vpn.. Contacting my service provider don’t do anything because they don’t care unless you are a “commercial customer” and the vpn won’t do shit because.... They have my  IP address 

Link to comment
Share on other sites

  • Netduma Staff
17 hours ago, Bruined37 said:

Alrighty well I’ve learned a bit more just by listening but I can definitely tell you both that there is something more than typical “communication” I used to be a fairly active competitive player so I know all about getting “doxxed” or “dos”. Anyways.. it’s not like I’m continually getting “hit offline”. A few times everyday just about around the same times I get disconnected for a short period of time.. (probably however long his “stresser” is capable of holding me offline by pinging my router. Now with all of this being said... IS THERE ANYTHING TO DO TO PREVENT THIS BASTARD FROM ATTACKING MY IP ADDESS?! Outside of the typical contact your service provider or to use a vpn.. Contacting my service provider don’t do anything because they don’t care unless you are a “commercial customer” and the vpn won’t do shit because.... They have my  IP address 

A VPN wouldn't help you since they already know your IP, absolutely correct. I'm afraid there's only two options (well, really one option) left. The option is to contact your ISP and get your IP address changed - then once it's changed, get a VPN ASAP. The other option is move house, which I can't imagine you'll want to do.

Link to comment
Share on other sites

On ‎1‎/‎22‎/‎2019 at 10:34 AM, Bruined37 said:

 

Alrighty well I’ve learned a bit more just by listening but I can definitely tell you both that there is something more than typical “communication” I used to be a fairly active competitive player so I know all about getting “doxxed” or “dos”. Anyways.. it’s not like I’m continually getting “hit offline”. A few times everyday just about around the same times I get disconnected for a short period of time.. (probably however long his “stresser” is capable of holding me offline by pinging my router. Now with all of this being said... IS THERE ANYTHING TO DO TO PREVENT THIS BASTARD FROM ATTACKING MY IP ADDESS?! Outside of the typical contact your service provider or to use a vpn.. Contacting my service provider don’t do anything because they don’t care unless you are a “commercial customer” and the vpn won’t do shit because.... They have my  IP address 

Bruined37 what Ip addresses do you think are attacking you?  Also are you using googles dns servers or another of similar?

Link to comment
Share on other sites

38 minutes ago, Zippy said:

Bruined37 what Ip addresses do you think are attacking you?  Also are you using googles dns servers or another of similar?

Well unfortunately there isn’t really a way to tell.. when you look in the logs it will tell me the ip of where the pings are  sent from which is useless (that’s my understanding). I’ve looked through them extensively and checked where each address is from and tried to cross reference with people I play with to just figure it out and I can’t.. the fucked up thing is I think it’s a buddy of mine. Idk.. I mean I’ve been through the process of  explaining this to a Charter representative and they just don’t understand or won’t help lol.  

Link to comment
Share on other sites

31 minutes ago, Bruined37 said:

Well unfortunately there isn’t really a way to tell.. when you look in the logs it will tell me the ip of where the pings are  sent from which is useless (that’s my understanding). I’ve looked through them extensively and checked where each address is from and tried to cross reference with people I play with to just figure it out and I can’t.. the fucked up thing is I think it’s a buddy of mine. Idk.. I mean I’ve been through the process of  explaining this to a Charter representative and they just don’t understand or won’t help lol.  

I can only imagine what that phone call was like when you called Charter about this!! Talking to a Charter representative is like having the circus come to town! Its clown time! LOL.. If this is a buddy of yours id kick his butt!!! What time does this seem to happen at?

Link to comment
Share on other sites

22 minutes ago, Zippy said:

I can only imagine what that phone call was like when you called Charter about this!! Talking to a Charter representative is like having the circus come to town! Its clown time! LOL.. If this is a buddy of yours id kick his butt!!! What time does this seem to happen at?

 Around 5:30pm eastern time and it’s usually only for a short period.. one time it was for like 3 hours lol.. I thought my router had shit the bed (didn’t check my logs) and I went out and bought a nighthawk rx500 and I use to have a netduma  r1

Link to comment
Share on other sites

  • Netduma Staff
9 hours ago, Bruined37 said:

 Around 5:30pm eastern time and it’s usually only for a short period.. one time it was for like 3 hours lol.. I thought my router had shit the bed (didn’t check my logs) and I went out and bought a nighthawk rx500 and I use to have a netduma  r1

It's a pretty messed up situation, I'm not sure why anyone would want to DoS someone else. Any idea how they discovered your IP address?

I'm sure it's a service any ISP offers so you should be able to get your IP address changed. I'm not sure if explaining the whole VPN / DoS attack thing will help you get that or not - if they're complete noobs it might be worth just ringing and saying 'hey, can I get a new IP address?'

Link to comment
Share on other sites

Guest Killhippie
On 1/22/2019 at 11:17 AM, Netduma Jack said:

Wow, you are passionate about those logs! I get it, there's a principal behind what you're saying that holds true. Don't worry - I'm one of the UI designers here, and we're not looking to make the fisher price of routers, lmao. Quite the opposite. We've designed the worlds first router operating system, and it's not going to stop improving. With the R-apps we have planned for the future, you'll just keep getting more and more information to work with, and more tools to control your network.

Logs will be accessible to folks like you who want them, and they'll be easy to access. They just won't be in your face like they are now. It'll be a better solution, since the people who like logs can just pin them and see them all the time, and the majority of people who misinterpret / are troubled by the logs will understand more clearly that it's back-end information and not for everyone. It's the same solution every operating system or UI eventually adopts.

Not passionate about logs, just passionate about learning,  educating and getting people to take a look themselves and work out issues if they can. If they try and fail so be it but at least they tried. The knowledge we have, that was not planted there, we learnt it from a multitude of sources and Netgear kept their logs you can hide the Dos attacks etc but why, learning about the internet, its constant port scans the fact that Netgear hardware is super paranoid so a lot of those scans are just normal communication is useful, Also as I mentioned I had an issue with my Sony Android TV not updating apps like YouTube. It was the routers firewall blocking what it thought was ARP poisoning, the router needed some tender loving care, a reset and a reinstall of the firmware and that went. Without those logs I and many others would be really lost. Above all yes its a principal. Thanks for listening, Jack. I can see both sides, but I always think learning rather than dumbing things down is a better path.

Link to comment
Share on other sites

Guest Killhippie
On 1/24/2019 at 12:47 AM, Bruined37 said:

Well unfortunately there isn’t really a way to tell.. when you look in the logs it will tell me the ip of where the pings are  sent from which is useless (that’s my understanding). I’ve looked through them extensively and checked where each address is from and tried to cross reference with people I play with to just figure it out and I can’t.. the fucked up thing is I think it’s a buddy of mine. Idk.. I mean I’ve been through the process of  explaining this to a Charter representative and they just don’t understand or won’t help lol.  

Your ISP would see increased traffic if you were being attacked. I do think its highly unlikely you are. There is a difference between DoS attacks and DDoS attacks. If you were basing it on the logs and it says DoS its blocked for a start and I would think its just internet noise like normal port scans, because by your firewall not responding they see a black hole and know you are their, stealth really isn't what people think it is Also a DoS attack is from one machine and is really about stealing info so very unlikely.

 A true DDoS attack is from many computers at once. Unless your ISP is under attack via someone using a batch of IPs I think the reason may be pretty harmless tbh.  Also if it were a true attack it would not follow that pattern, it would be pretty much non stop constant and knock you offline completely. Its more likely something far less threatening. Sadly most ISP's follow a script and its hard to talk to them. If you have a Fixed IP ask for a new one, if its dynamic reboot your modem and you will pick up a new IP. That should really sort the issue out. If not get your line checked. I'm from the UK so have no idea what your ISP is like, but I would rest easy on the attack thing. :)

Link to comment
Share on other sites

for peace of mind (even though you may not be getting DoS attacked, its probably something else) you may need to request a new public IP from your isp. The front line will not have a clue so you will have to escalate it to level 2 or 3 ..  it really depends on if they lock your public IP to your cable modem or ONT's mac addr. if they do they are the only ones who can release it, or just return the cable modem and get a new one that has a different mac addr, tell them its broken and you want a new modem.

if you are sure they don't lock this, you need to check the public WAN ip lease time on Duma -- in Settings, Monitoring, Connection Status  -- take note of Lease Expires time.. when it gets close (within minutes) turn off your XR and turn off your Cable modem..  now wait..  how long you wait after that really depends on if some new customer joins the network and gets your old public IP and even waiting a few minutes is not enough -  it may re-request the one it was using and if available, get it back.  some recommended turning both off for a whole day. try to make sure your off time is during business hours when new customers are being added to the network or new modems are being activated.  You may or may not luck out , its chance gamble .. technically nobody could be added that day and you just get your old public IP back, lol.

Link to comment
Share on other sites

5 hours ago, xr500user said:

for peace of mind (even though you may not be getting DoS attacked, its probably something else) you may need to request a new public IP from your isp. The front line will not have a clue so you will have to escalate it to level 2 or 3 ..  it really depends on if they lock your public IP to your cable modem or ONT's mac addr. if they do they are the only ones who can release it, or just return the cable modem and get a new one that has a different mac addr, tell them its broken and you want a new modem.

if you are sure they don't lock this, you need to check the public WAN ip lease time on Duma -- in Settings, Monitoring, Connection Status  -- take note of Lease Expires time.. when it gets close (within minutes) turn off your XR and turn off your Cable modem..  now wait..  how long you wait after that really depends on if some new customer joins the network and gets your old public IP and even waiting a few minutes is not enough -  it may re-request the one it was using and if available, get it back.  some recommended turning both off for a whole day. try to make sure your off time is during business hours when new customers are being added to the network or new modems are being activated.  You may or may not luck out , its chance gamble .. technically nobody could be added that day and you just get your old public IP back, lol.

Whoever you are.. ty! That was the closest thing to helpful information! Sorry for my misrepresenting what’s actually occurring. I am being ddosed.. and it’s such s pathetically easy thing to do you’d think it would be easier to protect against... ya know? I’ll give what you said a shot next time I leave for work. It’s really annoying because I’m almost positive it’s a buddy of mine who is “salty” over some bs and just hits me randomly ass he pleases. Nobody else has the means to get my IP other than  friends. 

Link to comment
Share on other sites

Guest Killhippie

I still do not see your friend launcing a Dos attack against you using port 53. I believe what you are seeing is netgears very paranoid logs for the firewall for charters DNS. Netgear routers are well known to log normal traffic as DoS attacks please google that so you see you are not alone in seeing odd things in logs. Here is a quote from GRC https://www.grc.com/port_53.htm

""DNS" is the glue that translates human-readable domain and machine names like "grc.com" or "amazon.com" into their machine-readable Internet Protocol (IP) address equivalents. DNS servers listen on port 53 for queries from DNS clients. Incoming UDP packets carry queries which expect a short reply, and TCP connections carrying queries requiring longer and more complete replies"

 I have seen my own IDNet servers listed once or twice as a DoS attack myself on port 53, it wasn't an attack it was Netgears paranoid logging. Have you contacted Charter to see if there is a increase in traffic? Do what xr500user has said but honestly I really doubt you are under attack even from a "salty" friend, and charter would be able to them to see increased traffic hitting your IP. I hope all gets sorted, but I really would not worry, its very unlikely to be any malign

Link to comment
Share on other sites

Hi,

Nothing showing in the logs fropm what I can see, as you can see below, Google DNS servers as I use them.
Also 192.168.100.1 is my Virgin Media Modem

[admin login] from source 192.168.1.2, Saturday, January 26, 2019 12:44:53
[DoS Attack: SYN/ACK Scan] from source: 192.168.100.1, port 80, Saturday, January 26, 2019 10:31:21
[DoS Attack: SYN/ACK Scan] from source: 192.168.100.1, port 80, Saturday, January 26, 2019 10:31:20
[DoS Attack: SYN/ACK Scan] from source: 192.168.100.1, port 80, Saturday, January 26, 2019 10:31:20
[DoS Attack: SYN/ACK Scan] from source: 192.168.100.1, port 80, Saturday, January 26, 2019 10:31:20
[DoS Attack: TCP/UDP Chargen] from source: 8.8.4.4, port 53, Saturday, January 26, 2019 09:51:54
[DoS Attack: TCP/UDP Chargen] from source: 8.8.8.8, port 53, Saturday, January 26, 2019 09:51:54
[DoS Attack: TCP/UDP Chargen] from source: 8.8.8.8, port 53, Saturday, January 26, 2019 09:51:50
[DoS Attack: TCP/UDP Chargen] from source: 8.8.4.4, port 53, Saturday, January 26, 2019 09:51:50
[DoS Attack: TCP/UDP Chargen] from source: 8.8.4.4, port 53, Saturday, January 26, 2019 09:51:48
[DoS Attack: TCP/UDP Chargen] from source: 8.8.8.8, port 53, Saturday, January 26, 2019 09:51:48
[DoS Attack: TCP/UDP Chargen] from source: 8.8.4.4, port 53, Saturday, January 26, 2019 09:51:47
[DoS Attack: TCP/UDP Chargen] from source: 8.8.8.8, port 53, Saturday, January 26, 2019 09:51:47
[DoS Attack: TCP/UDP Chargen] from source: 8.8.8.8, port 53, Saturday, January 26, 2019 09:51:47

 

As for changing your IP, can you not just change your MAC address in the router settings to get a new IP?


Regards,
Gaz

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...