
Reoccurring Unknown Device



I am playing Destiny 2. One thing I notice frequently is that whenever I load up the DumaOS Dashboard to check it out, it is displaying all of the Tour dialogs. It doesn't do this all the time. Could the DDoS attacks be non-game-related, such as someone remotely connecting to my network from the internet?


7 hours ago, Zaroo said:

I am playing Destiny 2. One thing I notice frequently is that whenever I load up the DumaOS Dashboard to check it out, it is displaying all of the Tour dialogs. It doesn't do this all the time. Could the DDoS attacks be non-game-related, such as someone remotely connecting to my network from the internet?

That may just be a caching issue in your browser. If you clear your cache in your browser, do you still see tour pop-ups? If you're actually being DDoS'd it wouldn't be a case of someone remotely connecting to your network. It will just be a huge amount of traffic directed at you that's causing you to lose internet access.


Okay. I understand that. It just made me think that if I was getting knocked offline, maybe something was resetting in the router. No biggie. So, I am trying to figure out what to do here. I called my ISP. They said since my XR500 is bridged then I am using that firewall and suggested doing a factory reset and contact Netgear and get some settings tweaked on my firewall. I take what he said with a grain of salt. Nonetheless, I need to come up with a solution. I am lost on this matter. I am not an expert on using Wireshark either, but there seems to be some suspicious activity going on through that. Regardless, let's say my network is compromised to some unknown degree and you were in my shoes, what would you do going forward? Please help.


  • Administrators

Your network won't be compromised; anyone with your IP address could launch an attack. The reason I asked about the game was that it was a game server IP address that seemed to be flooding you. Could you provide a screenshot of your WAN Settings please?


It's odd. I looked up 3 of the IP addresses in the log. One was located in Oregon under the Organization of Amazon. The other was located in Texas under the Organization of Nuclear Fallout enterprises INC. The 3rd was located in Germany. lol How did you determine it seems to be related to game servers, jw? Really interesting. I might have to also become familiar with identifying what I have been witnessing on Wireshark because it looks extremely suspect.


  • Administrators

Yes that's the correct screenshot thanks, nothing out of the ordinary there. NAT is secured so no security issues on your side, just this ping flood I think. Given your experience of gaming and feeling like you were going to disconnect that would make the most sense, Amazon and Hetzner definitely do game servers, the Nuclear one do sell dedicated servers I believe. Let's put it to the test, if you're able to, go one day without gaming but monitor your connection, see if you get any lag, disconnects or buffering and keep an eye on the log, does the ping flood still appear?


Okay. I won't turn on my PS5 today and will send you an additional log this afternoon. Apparently my time zone settings in DumaOS are not accurate in comparison to the times in the log. I am going to send you a log of today in the meantime. I got to go to work. Thanks for the feedback.


I love it. It's getting very interesting here. Hopefully, I will get the time to become more of an expert on what I am seeing take place behind the scenes on Wireshark. It's hard to describe it with a degree of clarity because I am not familiar with all the verbiage. A grand majority of these attacks seen in this list are taking place behind the scenes. It's like watching a TV show. At any rate, a part of the reason why I sent you the last log was because Monday I didn't really game. Basically on Monday, I turned on my PS5, logged into Destiny 2, and didn't play. Did fly to the tower once. With that being said, I have been home for around 3 hours working on my laptop. Just pulled up the log just to see if anything peculiar populated. I looked up the IP of the most recent entry and this is what I have found in the second image and third image. I'll send an updated log.


7 hours ago, Zaroo said:

I love it. It's getting very interesting here. Hopefully, I will get the time to become more of an expert on what I am seeing take place behind the scenes on Wireshark. It's hard to describe it with a degree of clarity because I am not familiar with all the verbiage. A grand majority of these attacks seen in this list are taking place behind the scenes. It's like watching a TV show. At any rate, a part of the reason why I sent you the last log was because Monday I didn't really game. Basically on Monday, I turned on my PS5, logged into Destiny 2, and didn't play. Did fly to the tower once. With that being said, I have been home for around 3 hours working on my laptop. Just pulled up the log just to see if anything peculiar populated. I looked up the IP of the most recent entry and this is what I have found in the second image and third image. I'll send an updated log.


That's interesting, clearly a lot of people are similarly curious too. Did you notice any issues with service/performance around the time this entry was logged? Or were you just curious?


To be fair, I was more or less curious at the time of checking. It's hard for me to gauge any services and performance issues. If I had to be a little bit more critical, I would say yes. There were times where I felt like I was experiencing minor hiccups to some degree. Typically, when I do work like this.. I am periodically performing tasks to boost my pc/internet performance in an attempt to alleviate any service/performance issues I feel like I am experiencing like system cleaner, registry cleaner etc. At any rate, I didn't turn on my PS5 at all and my pc was basically online all night. I am going to send the logs to Fraser.


Been sorta busy. I'd like to begin figuring out what to ultimately do to resolve this issue. I dunno I find everything odd at this point and this is prolly normal, but in the log it says del_nat rule and add_nat rule in 1 second intervals. I believe last week, I removed all of the static IP addresses to my devices because of lag etc and I noticed the abundance of addresses populated for each device as before.. At any rate, what will I need to do or have to do to resolve this?


OK, I wouldn't worry too much about what you see in the logs, they're mostly just for developers to use when debugging. Sometimes the things you see in there can be misleading or worry you unnecessarily. 

We'll take a look at the logs and see if there's anything concerning in there.


Most definitely. I'll get that setup as soon as I can. I'm not very familiar with my ISP router interface. I imagine there will be a similar feature to look at the logs. Once I switch over, is there anything you want me to do or change as far as any of the settings or features etc? Thanks again. Appreciate the support.  


  • Administrators
5 minutes ago, Zaroo said:

Most definitely. I'll get that setup as soon as I can. I'm not very familiar with my ISP router interface. I imagine there will be a similar feature to look at the logs. Once I switch over, is there anything you want me to do or change as far as any of the settings or features etc? Thanks again. Appreciate the support.  

Great thanks! If it has logs that's great, if not no worries, just use it in its standard configuration, no need to change anything. Use it with all your normal devices in the same way you normally would and monitor your experience for the issues you've been seeing.


Okay. Hopefully, it has logs. My only minor concern is that when these ping floods/ddos attacks are coming through, the impact is hard to gauge. Like. Yes, I have been experiencing disconnects, contacting servers etc, and sometimes everything just seems unreasonably laggy. Whereas, sometimes the "attacks" come through, I don't notice because I guess playing or working with what can be perceived as the "norm"..lmfao. I'll do my best and see what happens and go from there. Thanks again


  • Administrators
50 minutes ago, Zaroo said:

Okay. Hopefully, it has logs. My only minor concern is that when these ping floods/ddos attacks are coming through, the impact is hard to gauge. Like. Yes, I have been experiencing disconnects, contacting servers etc, and sometimes everything just seems unreasonably laggy. Whereas, sometimes the "attacks" come through, I don't notice because I guess playing or working with what can be perceived as the "norm"..lmfao. I'll do my best and see what happens and go from there. Thanks again

Give it a good amount of time on the ISP router in that case, if you only notice it every other day then use it for 3 or 4 days, hopefully it will have logs and you can check that way but if not, use it enough where you would normally have noticed it connected to the XR.


As of today, I can say it's been sorta hard to tell. I have my game on and I am not really playing it. Just have it on and the game loaded up. It disconnected twice. These were a little unusual because it said LAN cable disconnected. I don't recall that happening before. After the first disconnect, I switched LAN cable and port on back of modem. After the second, I switched to a 3rd LAN cable and a different port on the modem. Web browsing was not loading and I restarted my laptop. Not sure if those DOCSIS logs provide any info worth looking at?


8 hours ago, Zaroo said:

As of today, I can say it's been sorta hard to tell. I have my game on and I am not really playing it. Just have it on and the game loaded up. It disconnected twice. These were a little unusual because it said LAN cable disconnected. I don't recall that happening before. After the first disconnect, I switched LAN cable and port on back of modem. After the second, I switched to a 3rd LAN cable and a different port on the modem. Web browsing was not loading and I restarted my laptop. Not sure if those DOCSIS logs provide any info worth looking at?

OK so the issue is still present with the console connected to the modem? If so, I'd suggest reaching out to the ISP and having them assess your logs, check the line and make sure nothing suspicious is going on.


Yeah. I guess. I could do that. It's hard to tell with Destiny because their servers are not that great. What are the DOCSIS logs? The only thing I have really been seeing is No Ranging Response received - T3 time-out; SYNC Timing Synchronization failure - Loss of Sync etc .. I don't know. I'll call them and see what they can dig up, but I have no faith in their ability to do anything. Suppose they don't find anything or maybe they do, I am under the assumption that whatever was going on is still going on behind the scenes. I just can't view it on logs on my router, I have disconnected. I'm not sure if it's feasible to assume whomever or whatever was causing the attacks was only limited to the information just related to the router.


  • Administrators

It indicates there was an unsuccessful internet connection attempt so you were disconnected and it failed to reconnect, it could just be the case that the modem needs a reboot if it hasn't had one in a while. The attacks may not necessarily be attacks but rather the modem/ISP misinterprets it as one, which causes it to disconnect. The best thing is to check with the ISP - don't mention the router as it's irrelevant and they may blame that, you have the disconnects while connected to the modem so that's on them to figure out why really.


  • 3 weeks later...

Let me digest that.. Hey, Fraser.. let me send this to you. So, my router hasn't been connected for several weeks now. I tried communicating with the ISP. Don't feel like a whole lot was accomplished, but I'll get to that at a later point. They basically adjusted some firewall levels, something I could have done myself... like you know how you can choose minimum, moderate or whatever .. I think they put it on moderate or whatever... and set my DHCP to renew I guess more periodically. They said it was not enabled. I thought it was .. I don't know what to say or how to communicate with them. They basically said try that.. and if you get disconnects run a trace route and speed test for science. No clue.. Anyway


I just hooked up my router. Only thing connected is my laptop, wireless.. and I just wanted to send you this little portion of the logs that popped up. Sorta confusing.
