
[DoS Attack: Ascend Kill]



Guest Killhippie

This router is driving me bonkers at times. It's dropping packets as [DoS Attack: Ascend Kill] from source: 212.69.40.23, which is one of the DNS servers of IDnet. Also, yesterday it again got caught in the loop of not switching back from high priority traffic, so the red indicator was stuck on. No device was listed as a PlayStation apart from the PlayStation, and even with my entire LAN shut down (thanks to carer) it would not go back to how it's set up (when high priority traffic is detected). You can shut down the entire QoS/antibufferbloat and the indicator stays on <sigh>. I had to hard shut the router down to deal with this. Has any progress been made with why high priority traffic gets stuck on? Also, why is Netgear's firewall seeing one of my ISP's DNS servers as a DoS attack and dropping the packets? Really hoping the next firmware update sorts this out and the other problems associated with 2.3.2.40. :)

Link to comment
Share on other sites

  • Administrators
2 hours ago, Killhippie said:

Also, why is Netgear's firewall seeing one of my ISP's DNS servers as a DoS attack and dropping the packets?

Not a scooby do on this one, obviously that shouldn't happen unless. Are you using a manual DNS instead of the ISP? If so, I wonder if setting IDNet's as a secondary DNS would prevent this from happening (I'm guessing here)

2 hours ago, Killhippie said:

Has any progress been made with why high priority traffic gets stuck on?

We know it happens if an absolute shed load of data gets sent through it as it's obviously just for low-latency traffic. Did you add all ports for your PS4 to Traffic Prio as that would explain it. (I realise you probably haven't, but this is the first step we would ask anyone!).

Hope you're doing well.

Link to comment
Share on other sites

Guest Killhippie
22 hours ago, Netduma Admin said:

Not a scooby do on this one, obviously that shouldn't happen unless. Are you using a manual DNS instead of the ISP? If so, I wonder if setting IDNet's as a secondary DNS would prevent this from happening (I'm guessing here)

We know it happens if an absolute shed load of data gets sent through it as it's obviously just for low-latency traffic. Did you add all ports for your PS4 to Traffic Prio as that would explain it. (I realise you probably haven't, but this is the first step we would ask anyone!).

Hope you're doing well.

The router is set to automatically pick up IDNet's DNS servers. This behaviour has only been noticed in 2.3.2.40, and is the way IDNet suggest you set the router. I think the firewall is currently dropping packets when it should not. It even thinks my TV is attacking it at times [DoS Attack: ARP Attack]; it's like it's in some kind of paranoid mode <sigh>. As to your other question, nope, I didn't do that. PS4 is added normally, no special prioritisations, just PS4 added as console and DumaOS Classified games ticked. I think the DPI is picking up other traffic as a false positive, so it thinks it's gaming traffic when it's not. It seemed to occur when using speed tests, Ookla's app for iOS and BT Wholesale's new HTML test, but that could be coincidence; I thought I would mention it as those have been the times it occurred for me. I removed the iOS Ookla speedtest app from my iPad, all was okay for a long time, and then I used the BT Wholesale speedtest the other day (HTML one, as I don't use Flash Player or even have it installed) and I noticed it had got locked on to high priority traffic later on that day, so that test may have caused that and I had not noticed at the time. Maybe those two speedtests use a port that the router's DPI engine thinks is a game? Once again, I've only noticed this on 2.3.2.40. There seems to be no new firmware on the horizon, which feels like the XR500 and its brethren are being slowly forgotten almost (hope I'm wrong).

I have to say it feels like the XR routers have been kind of kicked to the curb with much needed updates from Netgear's side, which means much needed updates to DumaOS are not getting through from Netduma, or maybe that's just me seeing it in a slightly bad light right now.

Not doing great on the health front but that's the nature of my illness, it's debilitating and very painful. Life is going to change a lot this year with new help coming though I hope. Thanks for asking. :)

Link to comment
Share on other sites

  • Administrators
10 hours ago, Killhippie said:

Maybe those two speedtests use a port that the router's DPI engine thinks is a game?

That's the most likely reason, yes. But I would only expect this to happen if you set a device to a console, e.g. your PC is set to the PS4 device type. Have you manually changed any of the device types?

 

10 hours ago, Killhippie said:

I have to say it feels like the XR routers have been kind of kicked to the curb with much needed updates from Netgear's side, which means much needed updates to DumaOS are not getting through from Netduma, or maybe that's just me seeing it in a slightly bad light right now.

Things should be faster this year. We're working on Milestone 1.4 at the moment and we're hopeful that the gap from it rolling out on the R1 to the XRs won't be as long this time.

10 hours ago, Killhippie said:

Not doing great on the health front but that's the nature of my illness, it's debilitating and very painful. Life is going to change a lot this year with new help coming though I hope. Thanks for asking.

Sorry to hear you've not been well, but fingers crossed the new help makes things better for you.

Link to comment
Share on other sites

Guest Killhippie
13 hours ago, Netduma Admin said:

That's the most likely reason, yes. But I would only expect this to happen if you set a device to a console, e.g. your PC is set to the PS4 device type. Have you manually changed any of the device types?

All device types are as they should be, no changes have been made. I went through all my devices to check, although things like the iPad turning to "phone" because it uses iMessage are a bit annoying, but still these are not the cause of the issue. I have reset the device, rebooted it, re-uploaded firmware. I have done more fiddling with it than any other router and I'm hoping the next scheduled update has a bit more "stability" and the device table issue gets sorted out too, as I'm wondering if that may be at the heart of a lot of these issues.

Link to comment
Share on other sites

Guest Killhippie
11 hours ago, Netduma Fraser said:

Based on what you've said, as you have the PS4 manually added anyway disable DumaOS Classified Games. If anything is getting incorrectly identified that should solve it.

Thanks Fraser it would be good though if we didn’t have to keep disabling things though to solve issues but I appreciate the help. 

Link to comment
Share on other sites

Guest Killhippie
25 minutes ago, Netduma Fraser said:

Totally understand but it's helpful for both of us to get you up and running and for us to determine where the issue may be coming from. Did that resolve the issue?

Bit early to tell yet, Fraser. I'll let you know if it did when I can. It needs some testing as it's such an intermittent issue.

Link to comment
Share on other sites

What do you do in situations like this? I started getting these attacks yesterday and they're only getting worse. I don't know how it's gonna eventually affect me. Since I'm exposed, will my router become useless to me? Do I stop using the internet? Do I turn off everything and sit in a dark room? It's freaking me out. Do I move lol. I changed my ISP, changed my IP and I'm still getting hit with all of these attacks. I have no clue what to do.

Link to comment
Share on other sites

  • Netduma Staff
56 minutes ago, Zaroo said:

What do you do in situations like this? I started getting these attacks yesterday and they're only getting worse. I don't know how it's gonna eventually affect me. Since I'm exposed, will my router become useless to me? Do I stop using the internet? Do I turn off everything and sit in a dark room? It's freaking me out. Do I move lol. I changed my ISP, changed my IP and I'm still getting hit with all of these attacks. I have no clue what to do.

They are not attacks Zaroo. Your router is not exposed in any way, and is in fact protected by its own firewall on top of the firewalls your connected devices have.

Do not pay any attention to the logs - they are intended for developers or testers only. DoS attack messages are standard behaviour; they are false readings caused by certain internet traffic, and every router on the planet shows them.

Link to comment
Share on other sites

Okay. Thanks for the early assessment, but I understand that developers, or what have you, do network testing and they show up as DOS attacks. These are non-threatening. I'm aware of these and I may be protected.

However, I downloaded a port forwarding program through a bad source, which required me to log in to my router. As it was connected, it displayed all of my network information such as IPs, MAC addresses, etc. Same info found in the DumaOS GUI. I quit after running into some problems.

Afterwards, an onslaught of DOS attacks began to pour in, different in nature, every couple of hours. I eventually disconnected everything. Received a new IP from my ISP and they are still coming in strong. Looked some of them up on the internet. Didn't like what I saw.

Could you prove to me otherwise, please? I’m frightened. 

 

Link to comment
Share on other sites

  • Administrators

The network information that you gave the program access to is essentially useless. It's local information that they can't do much with. Also, basically every website you ever visit logs your IP address and the device you're using.

Have you actually experienced any issues due to these log entries? I doubt that you will have. They won't be able to access files on your PC or anything like that or passwords etc. There is an option in the WAN Settings that has DoS protection enabled by default so nothing to worry about. The entries will mostly be traffic from websites or applications on your devices communicating with the internet. If you're worried I'd suggest properly uninstalling that port forwarding program. 

Link to comment
Share on other sites

Guest Killhippie
On 2/24/2019 at 12:39 PM, Killhippie said:

Bit early to tell yet, Fraser. I'll let you know if it did when I can. It needs some testing as it's such an intermittent issue.

Still doing it, and my ISP's primary DNS server is still getting hit with random and fake DoS attacks, resulting in being kicked off Destiny. Since nobody is mentioning this on IDnet's forums I am guessing more Netgear shenanigans, and maybe some DPI issues. 2.3.2.32 worked fine; it never listed my TV as doing a single [DoS Attack: ARP Attack] on my router (it's not, and a DoS ARP attack once makes no sense). This happens after the TV reboots its OS during the night (Android TV quirk, but the TV frees up RAM this way). Whatever changed between 2.3.2.32 and 2.3.2.40 networking-wise, like the Device Manager mapping issues, may not be helping, as the router gets more confused the longer it's on. This time, as I posted, it was not [DoS Attack: Ascend Kill] but [DoS Attack: TCP/UDP Echo].

 

Link to comment
Share on other sites

  • Administrators

NETGEAR dev has sent this through to ask you:

Quote

Could user collect WAN(/LAN) capture using http://routerlogin.net/debug.htm while the issue is happening? It will help to clarify the problem.

Their thinking is the "TCP/UDP Echo from source: 212.69.40.23, port 53" might be classified as DoS 

Would you be able to try this the next time it happens? Thanks.

Link to comment
Share on other sites
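A way to sort the router's log entries before lining them up with the capture requested above; this is an added example, not part of any post in this thread and not NETGEAR or Netduma code. The line format is assumed from the strings quoted in the thread, the sample lines are constructed, and the resolver list is whatever the router actually received from the ISP.

```python
import ipaddress
import re
from collections import Counter

# Assumed line shape, pieced together from the strings quoted in this thread:
#   [DoS Attack: <kind>] from source: <ip>[, port <n>][, <timestamp>]
LINE_RE = re.compile(
    r"\[\s*DoS Attack:\s*(?P<kind>[^\]]+?)\s*\]\s*from source:?\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:,\s*port\s*(?P<port>\d+))?",
    re.IGNORECASE,
)

def classify(src, port, resolvers):
    """Label an entry by where it came from, not by the router's name for it."""
    addr = ipaddress.ip_address(src)
    if addr in resolvers:
        # Source port 53 from a configured resolver is what a DNS answer looks like.
        return "resolver-reply" if port == 53 else "resolver-other"
    if addr.is_private:
        return "lan-device"
    return "unknown-wan"

def triage(lines, resolvers):
    """Count entries per (kind, source, port, label); skip lines that do not parse."""
    resolvers = {ipaddress.ip_address(r) for r in resolvers}
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            port = int(m["port"]) if m["port"] else None
            label = classify(m["src"], port, resolvers)
        except ValueError:  # matched the pattern but is not a valid IPv4 address
            continue
        counts[(m["kind"], m["src"], port, label)] += 1
    return counts

# Constructed sample lines: timestamps and the LAN address are made up.
SAMPLE = [
    "[DoS Attack: TCP/UDP Echo] from source: 212.69.40.23, port 53, Monday, February 25, 2019 03:10:11",
    "[DoS Attack: TCP/UDP Echo] from source: 212.69.40.23, port 53, Monday, February 25, 2019 03:10:12",
    "[DoS Attack: Ascend Kill] from source: 212.69.40.23, Monday, February 25, 2019 03:12:40",
    "[ DoS Attack: ARP Attack] from source: 192.168.1.20, Monday, February 25, 2019 04:00:02",
    "[DoS Attack: TCP/UDP Echo] from source: 118.26.141.212, port 3363, Monday, February 25, 2019 04:30:00",
    "[admin login] from source 192.168.1.5, Monday, February 25, 2019 05:00:00",
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE, ["212.69.40.23"]).most_common():
        print(n, *key)
```

The labels only say where an entry came from; the `unknown-wan` and `resolver-other` entries are the ones worth matching against the capture by timestamp.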

Guest Killhippie

[DoS Attack: Ascend Kill]

29 minutes ago, Netduma Admin said:

NETGEAR dev has sent this through to ask you:

Their thinking is the "TCP/UDP Echo from source: 212.69.40.23, port 53" might be classified as DoS 

Would you be able to try this the next time it happens? Thanks.

Not easily, as it's quite random tbh. Also, since other users have seen this same issue, it's not just my DNS causing this. Also, it was a few days ago labelled as something completely different; the router then thought it was a [DoS Attack: Ascend Kill].

 

Link to comment
Share on other sites

  • Administrators
6 hours ago, Killhippie said:

[DoS Attack: Ascend Kill]

Not easily, as it's quite random tbh. Also, since other users have seen this same issue, it's not just my DNS causing this. Also, it was a few days ago labelled as something completely different; the router then thought it was a [DoS Attack: Ascend Kill].

 

The capture can last awhile so could you start it and then note down the time that it occurs so we can skip to it in the capture? 

Link to comment
Share on other sites

Guest Killhippie
12 hours ago, oRaGaMi said:

Kicked in Destiny 2. I bet you're using strict mode in the geofilter! And likely what they have been saying is true. Stay out of your log file!

I don't use strict mode in Destiny and never have. As to the rest of your post, if you have nothing constructive to say then don't say anything.

Link to comment
Share on other sites

Guest Killhippie
16 hours ago, xr500user said:

seen this from time to time from google dns also, mostly happens on router first boot.  mis-identified dos attack

My router's been up for seven days though, since the priority traffic got locked on and it had to be shut down and booted up again (with every device not attached or its Wi-Fi switched off). It does happen at boot though, as you say, you see it almost immediately, but mine's continued. It will be interesting to see if it stops after being up past seven days.

Link to comment
Share on other sites

Guest Killhippie
14 hours ago, Netduma Fraser said:

The capture can last awhile so could you start it and then note down the time that it occurs so we can skip to it in the capture? 

I'll give it a go when it next happens, but I can't promise as to when that will be, it all depends on the router. Also, this can't be hard for Netgear to sanity check themselves tbh.

Link to comment
Share on other sites

  • Administrators
10 hours ago, Killhippie said:

I'll give it a go when it next happens, but I can't promise as to when that will be, it all depends on the router. Also, this can't be hard for Netgear to sanity check themselves tbh.

No problem, I find it is always more valuable to get information from real world testing rather than in a lab environment because sometimes issues that occur for customers don't happen in the lab.

Link to comment
Share on other sites

Guest Killhippie
8 minutes ago, Netduma Fraser said:

No problem, I find it is always more valuable to get information from real world testing rather than in a lab environment because sometimes issues that occur for customers don't happen in the lab.

I totally agree Fraser. This one seems quite common though  and I’ve seen quite a few users mention it even though some of them think it’s an actual attack when it’s not. xr500user noticed this amongst others so maybe getting more than one set of logs could be useful. 

Link to comment
Share on other sites

Their thinking is the "TCP/UDP Echo from source: 212.69.40.23, port 53" might be classified as DoS 

 

I’m getting similar, Dos attack: TCP/UDP Echo from source 118.26.141.212, port 3363. I should just rule those out?

Link to comment
Share on other sites
