What the heck is going on with Internet/Router?

Bateluer

For the past two months, I've been experiencing brief disconnects with my cable modem. Usually only for a few minutes, and the lights do cycle on the cable modem itself. Seems to happen whenever I pull a large amount of data, streaming Netflix, downloading a slew of Windows Updates, downloading large files, etc.

The router, a Netgear WNDR3700v3, has events like this in the logs.

[Service blocked: ICMP_echo_req] from source 92.42.38.238, Tuesday, Dec 03,2013 08:48:52
[Service blocked: ICMP_echo_req] from source 69.59.82.30, Tuesday, Dec 03,2013 08:11:06
[Service blocked: ICMP_echo_req] from source 68.105.28.12, Tuesday, Dec 03,2013 07:49:05
[UPnP set event: Public_UPNP_C3] from source 192.168.1.20, Tuesday, Dec 03,2013 07:39:50
[LAN access from remote] from 82.239.83.212:61560 to 192.168.1.20:13855 Tuesday, Dec 03,2013 07:39:47
[LAN access from remote] from 93.79.173.37:53794 to 192.168.1.20:13855 Tuesday, Dec 03,2013 07:39:47
[Service blocked: ICMP_echo_req] from source 96.42.108.175, Tuesday, Dec 03,2013 07:39:45

There are times when it'll have security events in the logs, claiming my Internet was overwhelmed with a DOS attack . . . from the IP of my tablet.

As a precaution, I changed my WiFi SSID and changed the internal IP range I've been using, but it didn't have any effect. I was thinking it was a configuration issue with the router, but I'd made no changes prior to this starting. Netgear did release two firmware updates in between September and October, but their changelogs were nothing more than 'Updated revision to xx.xxxx'.

Thoughts?
 

SecurityTheatre

The sort of traffic in this log coming from the Internet (random ICMP, etc) is totally completely normal. It's everywhere and can be safely considered "noise".

I doubt it's related to the outages you have seen.
 

Bateluer

> The sort of traffic in this log coming from the Internet (random ICMP, etc) is totally completely normal. It's everywhere and can be safely considered "noise".
>
> I doubt it's related to the outages you have seen.


And the DOS events? And the LAN access events?


And this? This is occurring while I download a 3.6GB Windows 8.1 update over wifi. That 192.168.100.11 IP is not an IP assigned to any of my machines and not from the IP range I've set the router to hand out.

[Time synchronized with NTP server] Tuesday, Dec 03,2013 12:21:10
[Internet connected] IP address: 70.190.66.88, Tuesday, Dec 03,2013 12:21:00
[Internet disconnected] Tuesday, Dec 03,2013 12:20:55
[Internet connected] IP address: 192.168.100.11, Tuesday, Dec 03,2013 12:20:46
[Internet disconnected] Tuesday, Dec 03,2013 12:20:45
[Time synchronized with NTP server] Tuesday, Dec 03,2013 12:15:06
[Internet connected] IP address: 70.190.66.88, Tuesday, Dec 03,2013 12:14:56
[Internet disconnected] Tuesday, Dec 03,2013 12:14:51
[Internet connected] IP address: 192.168.100.11, Tuesday, Dec 03,2013 12:14:42
[Internet disconnected] Tuesday, Dec 03,2013 12:14:41

I'll try to get some of the DOS events next time they show up in the logs.
 

SecurityTheatre

I'm not that familiar with the Netgear log format specifically, but I'm guessing that the address 70.190.66.88 is your public IP.

If you go to Google and type "what is my IP", is that the address you see?

I should also point out that lots of consumer-grade routers throw DOS attack alerts all the time. I read about Netgears throwing a DOS attack alert just from a PC connecting to Battlefield 2... something about the nature of the traffic to that kind of server.

Here are some such links:
http://forum1.netgear.com/showthread.php?t=6212
https://discussions.apple.com/message/12023030#12023030
http://www.geekstogo.com/forum/topic/272972-netgear-router-log-dos-attacks/
http://www.tomshardware.com/forum/41954-42-router-logs-showing-attacks

I honestly don't think it's a big issue. Netgear routers have gained a bit of a reputation of having over-sensitive logs.

The 192.168.100.11 is a bit weird though, especially if that 70.190 address is your public interface. That might indicate some sort of IP conflict or routing problem...

What IP range are you using internally?
 

JackMDS

The log is meaningless to solve a problem like yours.

First step you have to ascertain whether it is a Modem Problem or a Router problem.

A way to try is to disconnect the Router and use a single computer connected directly to the Modem.

If problem persists call your ISP.


:cool:
 

Bateluer

> I'm not that familiar with the Netgear log format specifically, but I'm guessing that the address 70.190.66.88 is your public IP.
>
> If you go to Google and type "what is my IP", is that the address you see?
>
> I should also point out that lots of consumer-grade routers throw DOS attack alerts all the time. I read about Netgears throwing a DOS attack alert just from a PC connecting to Battlefield 2... something about the nature of the traffic to that kind of server.
>
> Here are some such links:
> http://forum1.netgear.com/showthread.php?t=6212
> https://discussions.apple.com/message/12023030#12023030
> http://www.geekstogo.com/forum/topic/272972-netgear-router-log-dos-attacks/
> http://www.tomshardware.com/forum/41954-42-router-logs-showing-attacks
>
> I honestly don't think it's a big issue. Netgear routers have gained a bit of a reputation of having over-sensitive logs.
>
> The 192.168.100.11 is a bit weird though, especially if that 70.190 address is your public interface. That might indicate some sort of IP conflict or routing problem...
>
> What IP range are you using internally?

I have it set to DHCP from 192.168.1.15 through .25. The NetGear logs have thrown out errors saying my Note 8 tablet is DOSing network . . . I doubt that thing can put out enough traffic to overwhelm my cable modem. :p



> The log is meaningless to solve a problem like yours.
>
> First step you have to ascertain whether it is a Modem Problem or a Router problem.
>
> A way to try is to disconnect the Router and use a single computer connected directly to the Modem.
>
> If problem persists call your ISP.
>
> :cool:

Since it's been so intermittent and returns so quickly, I haven't called to speak with a CSR yet. Just gone through Cox Comm's automated tool. Not sure exactly what they do on their end, but on my end it's just a router/modem reboot.
 

SecurityTheatre

> I have it set to DHCP from 192.168.1.15 through .25. The NetGear logs have thrown out errors saying my Note 8 tablet is DOSing network . . . I doubt that thing can put out enough traffic to overwhelm my cable modem. :p

Especially noting that it's a tablet, it's probably just initiating a few dozen connections at one time, or probing for an open port (Skype can do this) or something else that's not unusual, but the router seems to think it should tell you about it in breathless, worrying language. ZOMG DOS!

:)

Your 192.168.100.11 address in the logs is very unusual and is either due to a second DHCP server on the LAN, or a weird configuration. It may not be causing outages, but it may cause the router to take longer than necessary to come back from a brief outage, which is maybe why you're noticing them now, when you didn't before.

Do you have any other routing devices on the LAN? Are there any server devices that may be trying to serve up an IP? Do you see 192.168.100.x in any configs of any of these devices?
 

Bateluer

> Your Modem is a Modem, or a Modem/Router?
>
> :cool:

It's just a modem. Router is a separate piece of hardware.


[DoS attack: FIN Scan] attack packets in last 20 sec from ip [184.180.124.105], Thursday, Dec 05,2013 10:31:07
 

seepy83

I agree, none of this looks all that strange other than the logs reporting on a device that doesn't match your LAN subnet. Even that may not really be anything to worry about...could just be a bad static IP on your LAN (if your router's interface is a /48 instead of a /24, your devices wouldn't need to be on 192.168.1.x to get internet access...just 192.168.x.x).

But all the DoS attacks (blocking FIN Scans, ICMP, SYN scans, etc)...that's all normal and it's the reason why we use firewalls. (edit: I should say it's some of the reason why we use firewalls)
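
An added example, not part of any post in this thread: a small Python triage of the router log lines quoted above, separating unsolicited inbound events from WAN reconnects that came up with a private address. The function names are this example's own, and the log format is assumed only from the lines posted in the thread.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address
# Log lines copied from the posts in this thread (the router lists newest first).
SAMPLE = """\
[Service blocked: ICMP_echo_req] from source 92.42.38.238, Tuesday, Dec 03,2013 08:48:52
[LAN access from remote] from 82.239.83.212:61560 to 192.168.1.20:13855 Tuesday, Dec 03,2013 07:39:47
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [184.180.124.105], Thursday, Dec 05,2013 10:31:07
[Internet connected] IP address: 70.190.66.88, Tuesday, Dec 03,2013 12:21:00
[Internet disconnected] Tuesday, Dec 03,2013 12:20:55
[Internet connected] IP address: 192.168.100.11, Tuesday, Dec 03,2013 12:20:46
[Internet connected] IP address: 70.190.66.88, Tuesday, Dec 03,2013 12:14:56
[Internet connected] IP address: 192.168.100.11, Tuesday, Dec 03,2013 12:14:42
"""

EVENT = re.compile(r"^\[([^\]]+)\]")
STAMP = re.compile(r"(\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})\s*$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse(text):
    """Return events oldest-first as dicts (kind, ips, ts); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        ev, ts = EVENT.search(line), STAMP.search(line)
        if not (ev and ts):
            continue
        events.append({
            "kind": ev.group(1).split(":")[0],  # "DoS attack: FIN Scan" -> "DoS attack"
            "ips": [ip_address(m) for m in IPV4.findall(line[ev.end():ts.start()])],
            "ts": datetime.strptime(ts.group(1), "%b %d,%Y %H:%M:%S"),
        })
    return sorted(events, key=lambda e: e["ts"])

def private_wan_leases(events):
    """WAN connects that got a private address, with seconds until a public one returned."""
    connects = [e for e in events if e["kind"] == "Internet connected" and e["ips"]]
    out = []
    for cur, nxt in zip(connects, connects[1:] + [None]):
        if cur["ips"][0].is_private:
            recovered = nxt and not nxt["ips"][0].is_private
            gap = (nxt["ts"] - cur["ts"]).total_seconds() if recovered else None
            out.append((cur["ts"], str(cur["ips"][0]), gap))
    return out

def inbound_noise(events):
    """Count events per kind whose first address is a public (Internet) source."""
    return Counter(e["kind"] for e in events
                   if e["kind"] != "Internet connected" and e["ips"] and e["ips"][0].is_global)
```

On the quoted lines this reports two WAN connects on 192.168.100.11, each replaced by the public address 14 seconds later, and one each of the blocked ICMP, forwarded LAN access and FIN scan events.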