XR450 disconnects after false Dos Ack Scans from Valve and Twitter IPs.


I'm utilizing an XR450 on firmware V2.3.2.56 via passthrough from an AT&T fiber connection using one of their newer Arris modems. This problem just started today and just recently I've been able to maintain a constant connection for more than 10 minutes. The loss of connection is coming from the router, I can tell due to the modem's status page that tells me I haven't lost internet connection. I can also connect to the modem's wifi and maintain internet albeit at a slower speed when the router is going through the restarting process.

My logs look like this;

Quote

[DoS Attack: ACK Scan] from source: 104.244.42.194, port 443, Tuesday, August 11, 2020 18:40:00
[DoS Attack: ACK Scan] from source: 104.244.42.194, port 443, Tuesday, August 11, 2020 18:39:28
[DoS Attack: ACK Scan] from source: 104.244.42.66, port 443, Tuesday, August 11, 2020 18:32:02
[DoS Attack: ACK Scan] from source: 104.244.42.66, port 443, Tuesday, August 11, 2020 18:31:29

shortly followed by;

Quote

[DumaOS] DHCP new lease allocated., Tuesday, August 11, 2020 18:26:42
[DumaOS] DHCP new event., Tuesday, August 11, 2020 18:26:42

The IPs recently changed from a Valve registered IP to the above Twitter IP. I understand "Dos ack scan"s aren't a rarity in the logs but the frequency of these are booting me offline repeatedly, sometimes every 5-6 minutes. What are the chances these are in fact false dos attacks and the router is misjudging incoming traffic? Would the upcoming V3 of Duma resolve such an issue? Are birds real and not some government surveillance hivemind?

Guest Killhippie
10 hours ago, Banana said:

I'm utilizing an XR450 on firmware V2.3.2.56 via passthrough from an AT&T fiber connection using one of their newer Arris modems. This problem just started today and just recently I've been able to maintain a constant connection for more than 10 minutes. The loss of connection is coming from the router, I can tell due to the modem's status page that tells me I haven't lost internet connection. I can also connect to the modem's wifi and maintain internet albeit at a slower speed when the router is going through the restarting process.

My logs look like this;

shortly followed by;

The IPs recently changed from a Valve registered IP to the above Twitter IP. I understand "Dos ack scan"s aren't a rarity in the logs but the frequency of these are booting me offline repeatedly, sometimes every 5-6 minutes. What are the chances these are in fact false dos attacks and the router is misjudging incoming traffic? Would the upcoming V3 of Duma resolve such an issue? Are birds real and not some government surveillance hivemind?

I can't see 'internet disconnected', also they are blocked by the firewall. If it was a true DoS attack you would see thousands and have no internet connection, and the router would say internet disconnected. The lease renewals are probably coincidental and there is a lease renewal bug I believe where they renew too often. I think also the Arris modems have the Puma 6 chipset which is known to cause issues. @Netduma Fraser or @Zippy may be of more help as this is a US set up. :)

  • Administrators

Hey, welcome to the forum!

It's very unlikely they will actually be causing this but as a test try not accessing Twitter or Steam, do you have a connection for a longer period of time?

A few things to try, in Internet Setup change from dynamic to static. In LAN Settings give IP reservations to some devices.

On 8/12/2020 at 6:03 AM, Killhippie said:

I can't see 'internet disconnected', also they are blocked by the firewall. If it was a true DoS attack you would see thousands and have no internet connection, and the router would say internet disconnected. The lease renewals are probably coincidental and there is a lease renewal bug I believe where they renew too often. I think also the Arris modems have the Puma 6 chipset which is known to cause issues. @Netduma Fraser or @Zippy may be of more help as this is a US set up. :)

I've recently (2-3 weeks ago) made a change to AT&T Fiber from Xfinity, who couldn't keep us connected for more than an hour at a time. All due to hourly DHCP lease renewals causing disconnections and even after buying all brand new equipment. Within those 2-3 weeks of switching I haven't had any issues with lease renewal disconnections but have had plenty of renewals per day.

Is there a timeframe for when V3 of DumaOS will be out, or even the public beta? My hope is the new firmware addresses the DHCP renewals. Even setting a timeframe for DHCP leases in the modem of 7 days does nothing to the router and just continues to refresh multiple times a day. Also, as far as I can tell the Arris BGW210 isn't one equipped with the Intel Puma 6 chips.

On 8/12/2020 at 10:57 AM, Netduma Fraser said:

Hey, welcome to the forum!

It's very unlikely they will actually be causing this but as a test try not accessing Twitter or Steam, do you have a connection for a longer period of time?

A few things to try, in Internet Setup change from dynamic to static. In LAN Settings give IP reservations to some devices.

 

Thank you Fraser,

I made sure to quit all Steam related processes but was still getting Dos Ack scan readings originating from Valve. At the time Twitter came knocking none of our devices were on Twitter (phones were using cellular data), so I do not know how that came about. I've assigned static IPs to our devices which seemed to have helped but now we've got way more Dos Ack/Syn scan results in the logs but zero disconnections, which is nice, I guess.

 

 

 

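Added example (not part of any post in this thread, and not NETGEAR or Netduma code): a Python script that parses the router log format quoted above, tallies the DoS entries per source and per minute, and counts how many DHCP events fall close to a DoS entry, so the "a true DoS would show thousands" and "the lease renewals are coincidental" points can be checked against a saved log. The sample log is constructed with documentation-range addresses, and the flood threshold and two-minute window are assumptions to tune.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the router's log format; addresses come from the
# RFC 5737 documentation ranges, not from the thread.
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 192.0.2.10, port 443, Tuesday, August 11, 2020 18:40:00
[DoS Attack: ACK Scan] from source: 192.0.2.10, port 443, Tuesday, August 11, 2020 18:39:28
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 50002, Tuesday, August 11, 2020 18:34:33
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 50002, Tuesday, August 11, 2020 18:34:33
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 50002, Tuesday, August 11, 2020 18:34:33
[DumaOS] DHCP new lease allocated., Tuesday, August 11, 2020 18:26:42
[DumaOS] DHCP new event., Tuesday, August 11, 2020 18:26:42
[DoS Attack: ACK Scan] from source: 203.0.113.5, port 443, Tuesday, August 11, 2020 18:25:50
[DumaOS] Error parsing line in ARP table: 'fe80::1 dev br0 lladdr 02:00:00:00:00:01 STALE', Tues
"""

DOS_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[0-9.]+), port (?P<port>\d+), ")
TS_RE = re.compile(r"(\w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$")

def parse(log_text):
    """Yield (timestamp, category, source, port) for DoS and DHCP entries.
    Lines whose timestamp was cut off by the log viewer are skipped."""
    for line in log_text.splitlines():
        ts = TS_RE.search(line.strip())
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%B %d, %Y %H:%M:%S")
        dos = DOS_RE.match(line)
        if dos:
            yield when, "dos:" + dos["kind"], dos["src"], int(dos["port"])
        elif "DHCP" in line:
            yield when, "dhcp", None, None

def triage(log_text, flood_per_minute=1000, window=timedelta(minutes=2)):
    """flood_per_minute and window are assumed values, not router settings."""
    events = list(parse(log_text))
    dos = [e for e in events if e[1].startswith("dos:")]
    dhcp_times = sorted({e[0] for e in events if e[1] == "dhcp"})
    per_minute = Counter(e[0].replace(second=0) for e in dos)
    peak = max(per_minute.values(), default=0)
    # DHCP events that have at least one DoS entry within the window
    near = [t for t in dhcp_times if any(abs(t - d[0]) <= window for d in dos)]
    return {
        "dos_entries": len(dos),
        "by_source": Counter(e[2] for e in dos),
        "peak_per_minute": peak,
        "flood_suspected": peak >= flood_per_minute,
        "dhcp_events_near_dos": len(near),
        "dhcp_events_total": len(dhcp_times),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A handful of entries per minute spread over several sources, with DHCP events that only occasionally land near them, points at stale reply packets being logged rather than a flood.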
