Getting weird DoS attacks on my home router

ekectri Member Posts: 5
Hope it's okay to ask this here, but I'm not too knowledgeable about this stuff. I couldn't really find a proper place to ask so hoping you guys wouldn't mind me doing so at this site.

But basically, I've been noticing that I'm losing internet connection very often, so I did some digging and saw these entries in my router logs:

"[DoS attack: TCP- or UDP-based Port Scan] from 68.105.29.11, port 53"

Googling that IP address says it's from Cox DNS? How do I stop this - should I call Cox and tell them about this?

Another thing to note, one of my iPhones shows up in the attached device list, but the IP address is wrong. For example, on the phone itself, the IP address shows 185.23.0.0 (made up), but on the attached device list, it shows 153.0.9.0. None of my other devices do this. Can someone please tell me what could be causing this? The router/modem I have is a Netgear C3700.

Thanks!

Comments

  • FillAwful Member Posts: 119
    Welcome to the Forums. I have Cox internet and their DNS is notoriously bad and it seems that is where your problem stems. Cox's DNS server connecting to port 53 is normal behavior and wouldn't normally be a problem unless their DNS server is sending bad traffic or just too much traffic in general, causing the router to log a DoS attempt.

    I would suggest changing the DNS settings on your router to use public DNS servers (Google and Verizon have reputable ones) such as 8.8.8.8 or 4.4.4.4. I think you will find that this will help solve your issue.
  • ekectri Member Posts: 5
    What about the weird IP address showing up in my attached device list?
  • Mike-Mike Member Posts: 1,860
    ekectri wrote: »
    What about the weird IP address showing up in my attached device list?

    Are you sure that is your iPhone and not another iPhone? Does it show the MAC address? You can set up MAC address filtering and cut out some people you do not recognize. You can always change your wifi password and see if anything purges. I have Google OnHub, and with the update to Google WiFi, it adds a "pause" feature. I created an "unknown device" list and I just pause all of them, until I find something not working or until someone complains.
  • ekectri Member Posts: 5
    Yes, the MAC address is the same. I've tried forgetting the network and removing it when it's in the not being used list. Then I log back into the network; at this point it has the correct IP address as what is shown on the phone, but a few minutes later it switches back to that 153.0.9.0 address.
  • ekectri Member Posts: 5
    After switching to Google's DNS as FillAwful suggested, I'm seeing the same DoS attack message in the logs...

    [DoS attack: TCP- or UDP-based Port Scan] from 8.8.8.8, port 53
  • FillAwful Member Posts: 119
    ekectri wrote: »
    After switching to Google's DNS as FillAwful suggested, I'm seeing the same DoS attack message in the logs...

    [DoS attack: TCP- or UDP-based Port Scan] from 8.8.8.8, port 53

    I wouldn't worry about it too much. DNS traffic is UDP (in most cases) and normal DNS traffic shouldn't cause a DoS. To me, it's more likely that the condition that is causing the router to log the traffic is too sensitive or poorly written.

    As for your phone's IP address, that is strange. Typically DHCP on home routers is set up to lease on a /24 in the 192.168.x.x range. You can check your DHCP settings and see what your router is leasing. 153.0.9.0 is not APIPA or Private and that to me is suspicious. Is there a VPN on your iPhone?
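
Added example, not part of any post in this thread: a small triage script for router log entries in the layout quoted above. It marks entries whose source is one of the resolvers the router is configured to use and whose source port is 53 as probable DNS replies, and classifies the source address as APIPA, private or public. The resolver set, the verdict labels and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Line layout as quoted in the posts: "[DoS attack: <type>] from <ip>, port <n>"
LOG_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), port (?P<port>\d+)"
)

def address_class(ip):
    """Classify an IPv4 address as 'apipa', 'private' or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_link_local:   # 169.254.0.0/16; checked first because it also counts as private
        return "apipa"
    if addr.is_private:      # covers 10/8, 172.16/12 and 192.168/16
        return "private"
    return "public"

def triage(line, resolvers):
    """Parse one log line; return None when it is not a well-formed DoS entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ip, port = m["ip"], int(m["port"])
    try:
        cls = address_class(ip)
    except ValueError:       # e.g. an octet above 255
        return None
    # Heuristic (assumption): a packet from a configured resolver with source
    # port 53 is most likely an answer to one of our own DNS queries.
    verdict = "likely-dns-reply" if ip in resolvers and port == 53 else "review"
    return {"kind": m["kind"], "ip": ip, "port": port,
            "address_class": cls, "verdict": verdict}

def summarize(lines, resolvers):
    """Triage every line and drop the ones that are not DoS entries."""
    return [r for r in (triage(l, resolvers) for l in lines) if r is not None]

# Constructed sample: the three entries quoted in the thread plus one filler line.
SAMPLE_LOG = [
    "[DoS attack: TCP- or UDP-based Port Scan] from 68.105.29.11, port 53",
    "[DoS attack: TCP- or UDP-based Port Scan] from 8.8.8.8, port 53",
    "[DoS attack: Teardrop or derivative] from 153.0.9.0, port 0",
    "constructed filler line that is not a DoS entry",
]
CONFIGURED_RESOLVERS = {"68.105.29.11", "8.8.8.8"}  # assumption: resolvers set on the router

if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG, CONFIGURED_RESOLVERS):
        print(entry)
```
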
  • MAC_Addy Member Posts: 1,740
    Have you looked on the manufacturer's website for the router to see if there's a firmware update? This could be a minor glitch.
  • WafflesAndRootbeer Member Posts: 555
    Netgear routers are notoriously sensitive to attacks or anything they perceive as an attack. Always make sure you are running the latest firmware and if there are no firmware updates for your router for two years or more, switch to a new router, because the manufacturer isn't likely going to offer any more bugfixes. Keep in mind that Netgear equipment is supported based on its hardware revision, so you have to use whatever firmware is available for the version of your hardware, which is shown on a sticker on the bottom of the hardware. It will say something like "Netgear C3700 V.3".
  • Moldygr33nb3an Member Posts: 241
    MAC_Addy wrote: »
    Have you looked on the manufacturer's website for the router to see if there's a firmware update? This could be a minor glitch.

    This.

    Sounds like a firmware issue.
  • Moldygr33nb3an Member Posts: 241
    ekectri wrote: »
    Another thing to note, one of my iPhones shows up in the attached device list, but the IP address is wrong. For example, on the phone itself, the IP address shows 185.23.0.0 (made up), but on the attached device list, it shows 153.0.9.0. None of my other devices do this. Can someone please tell me what could be causing this? The router/modem I have is a Netgear C3700.

    Thanks!

    Download ZENMAP (FREE) and run a quick scan of your network (192.168.0.0/24 or 192.168.1.0/24) and see what MAC addresses and IPs are associated with each device.
  • ekectri Member Posts: 5
    I have the latest firmware version. The only available downloads on Netgear's site are the management app for Windows/Mac, and a hot fix for VPN pass-through. I don't have any VPN installed.

    I also noticed that my Android phone had its IP address labeled as that 153.0.9.0 for a short moment today as well. This is what is in the logs for that address.

    [DoS attack: Teardrop or derivative] from 153.0.9.0, port 0