
please help me to sort my struggles



OK, first of all, hi there! I'm Morris from Berlin, I'm new in this forum. As you might have guessed, English is not my first language, so I'm apologizing for the many spelling mistakes and grammar errors which are about to follow.

And so far I'm a big fan of the concept (gaming router, ping stabilisation, advanced QoS).

Sadly I've got a lot of problems in my network, and this is not about blaming the router or something like this; I am really looking for advice or maybe workarounds.

I think I need to give some details about the past so you can better understand my thought processes.

I am an IT specialist, but not that much focused on networking, more the hardware side and lots of application support etc... Generally we can assume that I know what I am doing. But I got hacked last month... They used the exploit around the Xbox companion stuff which is proudly presented and installed (without asking) by our best enemies... Micros... This was like an all-you-can-eat nightmare for me and took me 3 weeks to clean up the mess... I had to flash every BIOS and factory reset even my iPhone, yes they got my iPhone too! And iPad... Really, it was serious stuff... They even got my ASUS mainboard rooted, so it was deploying the virus even on a clean setup, and once deployed the update servers were changed... I think you got the point....

Logically, now I'm a great fan of all kinds of security features like Secure Boot, core isolation and so on. I also started active tracking prevention with Pi-hole and my systems are clean af.

Now we get to the XR500... I know that a lot of the DoS attack reports are false positives! But I cannot resist following every single one of them, due to the recent all-you-can-eat nightmare... It is not that I distrust the firewall on the XR500, but I distrust my connected devices. One IP is haunting me especially, something from Singapore (51.79.142.79, port 50002). I can tell you that thing is chasing me! And no matter what I do, it finds my IP again and again! And I cannot find out how... Really, my PC is completely skinned, almost everything is blocked or uninstalled, no additional drivers except Intel's and my Sound Blaster Z... No cookies, no Edge, really I went a bit crazy on all that Windows stuff I don't need. So when my PC is idle I have just one open TCP connection and that is the search function. I even used Wireshark but could not find anything suspicious... So how in Netgear's name can they track me down all the time... In the end this is kind of my problem, I know... It has nothing to do with the router... I hope... The thing is, I have a Fritz!Box as well, or let's say 10 of them, and they have a filter option: block everything except surfing (80, 443) and mailing (995, 465). This is a feature which gives me an instant feeling of security... On the XR500 I was not really able to achieve this behaviour, partly because of UPnP and port triggering, which I could deactivate, but it would be bad for gaming. And when I use it, it is for all devices, which is bad again, and on top I cannot see who has opened or triggered a port in the past.

I think what I'm really looking for is a better way of observing, or a tool to troubleshoot/observe what is going on... Something to find the bad PC/laptop/tablet/phone/IP cam/managed switch/air conditioner/or whatever else is connected to my network...

 

One side note... During my frequent restarts of the XR500 I noticed that when the router boots there is a small frame in which the traffic from the modem blasts through and floods the network with an enormous amount of ARP requests (who is ......... tell .........), basically direct out of the internet or maybe the DHCP server of my ISP... Some of the names I see there are fitting to the wireless network names of my neighbours...

So sorry for all that input... I hope someone is interested in helping me investigate the situation. A different view is sometimes all it takes... Maybe DumaOS 3 would be an option, maybe there is a way to get different R-Apps or something like this... Whatever you need, just say what it is... logs, network map, voice chat, or see for yourself with AnyDesk or something like this...

 

Cheers

 

Morris

 

log-1597179067725.txt


Guest Killhippie

Hi Morris. 51.79.142.79 is a common port scan; any block of IP addresses online gets scanned. Stealth is not security in reality on firewalls and routers. Kaspersky stopped using stealth on their software firewalls years ago (not sure about now). As if a port scanner scans a block of IP addresses and gets no reply, it's either not used or it's stealthed; port scanners know you are there basically, and this background noise of the internet is shown in the logs all the time. UPnP is a security risk, mainly for businesses, as we don't have much to offer as individuals, but once again no harm in turning it off, as long as you know every port that all your programmes will use as well as games. Imagine how hard that could get, hence UPnP is used on home routers; the average user cannot keep up.

A good combo is always hardware firewall and software firewall; many of the ARP requests you see may be from your own gear. The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address.

You cannot block the internet and all its scans; if you want enterprise protection it will cost. Ruckus and Cisco would be the route to go down, but prohibitively expensive, and even they have monthly patches for bugs and CVEs, so nothing is truly secure.

So keep up with all firmware and software updates; if it's in the router logs it's blocked. Also be aware Netgear logs show normal traffic as DoS attacks if the packets seem like they are flooding the firewall; it's well known for this. I would say if you want better Wi-Fi security get PMF, maybe an idea for the XR500 and R2, maybe that will get added. Above all don't concentrate on those logs too much, you will get too hyper-focused and that's not healthy. Individual users are not big targets; avoid cheap IoT and you should stay safe. Enjoy your game play and be aware many kids like to try and scare people. Use a VPN if you are out and about; at home a strong password helps a lot, 8-16 digits would suffice.

Take care.

 

Gary.


First of all thanks a lot for your reply! I'm happy to see that you more or less suggest to do what I already do... VPN and don't worry about ARP requests... I think I will make a nice picture of my network, it might help in the future...


So to sum it up, I keep my network strictly divided in real and VPN. Almost everything is connected to the VPN part except the gaming PCs. The XR500 does no Wi-Fi at all. All passwords are brand new with at least 18 digits, with upper case, numbers and !"&§ (symbols) included.

About my side note, the ARP requests which burst through when I reboot the XR500... You see the sniffing laptop... It sees only the traffic mirrored from the gaming PC1. And usually there is only my internal net traffic, ARPs, like 50 packets in one minute, and everything makes sense. Destination, source, interval all good. When I restart the XR500 I have 2-3 seconds with 5000 packets and they all came from the WAN, so direct out of the modem, with external IPs, ARP requests of even different networks and IP ranges... I think this definitely should be on the to-do list for the development department. The XR500 should enable the switching functionality after the firewall has started.

 

Now about my most hated IP address ever... (51.79.142.79). From now on I will call it Scabies, this is better to handle than 51.79.142.79 and it represents what it is...

I know there are constant port scans out there, they hit everyone from time to time... But Scabies really really likes to hang around at my place... I had over 100 different WAN IPs over the last month and Scabies is always there waiting for me... Gives me a gentle 4-5 scans and comes back an hour later. This is not your average port scanner... Scabies sticks to me like scabies. Usually shortly before Scabies does its thing I have 2-3 UDP chargen attacks listed, sometimes an Ascend Kill attack. I'm not sure if they are connected or just background noise. What really gives me nightmares is that I am not able to figure out how in Netgear's name Scabies finds me all the time... Any dirty little keyboard, mouse or whatever in my network is still exploited, I think, and it somehow manages to announce my current IP all the time.
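The reboot-time ARP burst described in this post (roughly 50 requests per minute normally, then ~5000 in 2-3 seconds with senders outside the LAN) can be separated from ordinary LAN ARP traffic with a small classifier. This is an added example, not code from the thread or from Netgear; the LAN prefix 192.168.178.0/24, the record tuples and the threshold are constructed assumptions standing in for what a mirror-port capture would contain.

```python
# Added example (not from the thread): classify captured ARP "who-has" requests
# from a mirror port and flag seconds where off-LAN senders burst, as seen on
# the XR500 reboot described above. All data below is constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.178.0/24")   # assumed LAN prefix (constructed)

# Constructed records: (timestamp_seconds, sender_ip, target_ip).
# Normal LAN ARP traffic at ~30 requests per minute, then a 2-second burst
# of 5000 requests whose senders and targets lie outside the LAN prefix.
SAMPLE = (
    [(t, "192.168.178.1", f"192.168.178.{20 + t % 5}") for t in range(0, 60, 2)]
    + [(100 + i // 2500, f"100.64.{i % 200}.{i % 250}", f"203.0.113.{i % 250}")
       for i in range(5000)]
)

def classify(records, lan=LAN):
    """Split ARP requests into LAN-origin and foreign-origin (sender not in LAN)."""
    local, foreign = [], []
    for ts, sender, target in records:
        bucket = local if ip_address(sender) in lan else foreign
        bucket.append((ts, sender, target))
    return local, foreign

def bursts(records, threshold):
    """Return {second: count} for every second whose request count exceeds threshold."""
    per_sec = Counter(ts for ts, _, _ in records)
    return {sec: n for sec, n in per_sec.items() if n > threshold}

def report(records, lan=LAN, threshold=100):
    """Summarise LAN vs foreign ARP volume and the seconds where foreign ARP bursts."""
    local, foreign = classify(records, lan)
    return {
        "local": len(local),
        "foreign": len(foreign),
        "burst_seconds": sorted(bursts(records, threshold)),
        "foreign_burst_seconds": sorted(bursts(foreign, threshold)),
    }

if __name__ == "__main__":
    print(report(SAMPLE))
```

Foreign-origin ARP before the firewall is up is what the post describes; in a real capture the records would come from the mirror-port pcap rather than the constructed list.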


Guest Killhippie
15 minutes ago, Morris said:

So to sum it up, I keep my network strictly divided in real and VPN. Almost everything is connected to the VPN part except the gaming PCs. The XR500 does no Wi-Fi at all. All passwords are brand new with at least 18 digits, with upper case, numbers and !"&§ (symbols) included.

About my side note, the ARP requests which burst through when I reboot the XR500... You see the sniffing laptop... It sees only the traffic mirrored from the gaming PC1. And usually there is only my internal net traffic, ARPs, like 50 packets in one minute, and everything makes sense. Destination, source, interval all good. When I restart the XR500 I have 2-3 seconds with 5000 packets and they all came from the WAN, so direct out of the modem, with external IPs, ARP requests of even different networks and IP ranges... I think this definitely should be on the to-do list for the development department. The XR500 should enable the switching functionality after the firewall has started.

 

Now about my most hated IP address ever... (51.79.142.79). From now on I will call it Scabies, this is better to handle than 51.79.142.79 and it represents what it is...

I know there are constant port scans out there, they hit everyone from time to time... But Scabies really really likes to hang around at my place... I had over 100 different WAN IPs over the last month and Scabies is always there waiting for me... Gives me a gentle 4-5 scans and comes back an hour later. This is not your average port scanner... Scabies sticks to me like scabies. Usually shortly before Scabies does its thing I have 2-3 UDP chargen attacks listed, sometimes an Ascend Kill attack. I'm not sure if they are connected or just background noise. What really gives me nightmares is that I am not able to figure out how in Netgear's name Scabies finds me all the time... Any dirty little keyboard, mouse or whatever in my network is still exploited, I think, and it somehow manages to announce my current IP all the time.

I use a 63 digit ASCII password. That IP you loathe has appeared on the XR500, RAX120, RAX200, and RAX80. Honestly it's not after you, it's just a port scan and some are legitimate; try googling Netgear firewall false positives. My above friend has posted it in his logs too, with today's date. It's nothing to worry about. Using a VPN will not prevent you from getting hacked. No single thing will protect you from getting hacked. The best way to minimise getting hacked is called "Defence in Depth", meaning you need to build layers and different things to protect yourself, but nobody is really after the little guy; they want big corporations, or you are a multimillionaire. As to Ascend Kill, seen on Netgear since 2017: https://community.netgear.com/t5/General-WiFi-Routers-Non/DoS-Attack-Ascend-Kill/td-p/1461692. Take care. :)


Another thing, and this is maybe a lack of knowledge on my side... Why do I see so many IPv6 queries in my Pi-hole? I definitely deactivated IPv6 in the XR500. I do have dual stack, I think... But I do not want to use the native IPv6 connection! All I need is IPv4!



OK, OK, I'm not completely happy with Scabies but I will accept it for now... I feel a bit better now... About the layers... Yeah, I feel like an onion right now. In the past I used AnyDesk to support my clients and gaming community from my main rig; now I use a VMware VM and inside it another VPN... and then I snap back the VM after a support session...


A hardware firewall is definitely in the top spots of my to-do list, but I'm a bit unsure if it would interfere with the XR500's abilities (QoS, geo-filter)... Any suggestions for that maybe? In the range of 500€ +-. I have a lot of spare laptops and computers so I could build something as well... Question is what software? The main reason for the XR500 was the anti-bufferbloat; I have 500 down and 50 up but the ping spikes like hell when I utilize it more than 250 down and 25 up. Would I put a firewall (proxy) in front of the XR500, then the firewall would use the full potential of the internet connection and the lags are back...


Guest Killhippie

Hi Morris, this conversation is more suited for the Netgear forums. The XR500 has a stateful packet inspection firewall built in. That's why you see logs; they are things blocked by the XR500's firewall. I think this topic has reached its limit for this forum now. Maybe @Netduma Fraser can lock it.

Take care Morris.

Be well.

 

This topic is now closed to further replies.