Solved How Common are DoS attack SYN/ACK Scan found on router logs

August 12, 2017 at 21:15:38
Specs: Netgear Router
Got flooded today by DoS attacks, here's just a sample.
[DoS Attack: SYN/ACK Scan] from source: 46.105.88.239, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 91.134.231.76, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 87.98.158.113, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 91.134.231.75, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 198.27.126.53, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 167.114.41.148, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 167.114.41.149, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 149.56.154.194, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 149.56.180.255, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 188.165.86.68, port 13600, Saturday, August 12, 2017 08:38:09

#1
August 13, 2017 at 02:49:23
They are very common.

As long as your router's firewall is blocking them just ignore.



#2
August 13, 2017 at 11:39:12
Thanks for reply. I was just curious if they are common at this rate in one day? This is only about a 1/4th or even less of how many I received that day, and I check my logs often. I usually don't even see a third of what's above in denial of service attacks in one day, let alone some were strings of attacks that occurred simultaneously or within seconds. From all over the world.

#3
August 13, 2017 at 11:54:47
Nine port scans over a second isn't anything, much less a DoS. Ask yourself, if you didn't see the log, would you have noticed? If not, then your services weren't denied.


#4
August 13, 2017 at 14:15:48
Ok thank you for advice. I first started doing more frequent scans because one of my Sony smart TVs has a slower connection for apps than all other devices, and is the same age (1yr old or newer) as other devices. I wasn't able to copy and paste all the Denial of service that occurred from 11am until 9pm; some had a string of 15-20 in the same time stamp from two ports, 80 and 1653? I did the scan because I've been having a wired connection come up then disappear this same day. I deny its access then two more pop up. Then no more yesterday. Then today another wired connection pops up and I block it again, but it does not show in the blocked list. I then manually entered the info: MAC is 70:56:81:EA:1C:7B, IP unknown and rest unknown. It drops off the list of connected devices but still does not show up on the blocked list. Then it connects again and shows blocked in the connection list but still not on my blocked list. I'm a bit perplexed. I'm usually not concerned with DoS's, being it's a Netgear router, and never as frequent. But the recent uptick in DoS and random wired connections (which I have none, except from modem to router, which I unplugged Ethernet and rescanned connections, still there), so worried I may have either a real in-house threat that is being masked or a jumped connection from outside. I'm familiar but not well versed. Any reason for concern or can this all be explained rationally? I have a friend who does high level security that is going to come do diagnostics soon, but is out of the country and will be a few weeks. For now I've blocked any new connections and keep checking for unusual traffic or packets, but just looking for peace of mind. Also rebooted the router and then the wired connection shows back up, then after a rescan (about 5 min later) it disappeared. Every one of the wired connections, they only have a MAC address and unknown in all other fields. Thank anyone for their patience in reading this. I hope I'm explaining well enough.
The MAC addresses keep changing on the wired connection but no other info. Sorry for the long reply, just want to explain in detail to hopefully get an understanding of my issue, and concern.

#5
August 13, 2017 at 22:06:57
Ok I finally had time to look up all the MAC addresses of the wired connections. They are all Apple product based equipment. I do not have any Apple equipment that is Ethernet connected to my system. I run a Cisco modem and Netgear router, and I do own Apple products and have a total of about 10 various devices active or passively connected, both Android and Apple or PC, at any given time. So my real question now (I figured the TV situation out through adjusting my QoS setup prefs) is can these "wired" connections be phantom or masked as wired from devices not connected now but previously? Thank you to any response in advance, just can't rest until I know my system is secure. Just moved and using new providers etc. and recently had CC fraud so on high alert.

#6
August 14, 2017 at 07:48:37
Razor,

I know almost nothing about this, so my understanding may be
completely wrong. . . But . . . .

I presume that if a connection attempt was marked in a router log
as a denial of service attack, there is something about that attempted
connection that made it look to the router like a denial of service
attack, and that the attack was not against the poster's system, but
some other system, and the poster's system was only going to be
recruited as a vector to help spam the intended target. So it is not
the poster's system that would be hit by a large number (thousands
or millions) of attempted connections. His system only needs to be
infected by one successful connection.

Isn't that more how it works?

I am surprised, though, that the router can identify the attempted
connections as denial of service, unless they contained specifically
identifiable virus code which is commonly used in DoS attacks.

-- Jeff, in Minneapolis



#7
August 14, 2017 at 08:47:51
✔ Best Answer
You're reading too much into the log. The firewall's blocking connections as normal, and if it happens to block too much over a period of time, it'll claim there's a DoS attack. The problem is that threshold is set too low.

It's also unrelated to the OP's new problem, which is phantom devices with Apple MACs showing up as wired connections, and that sounds like more of a physical security issue or some strange quirk of the router to me.


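An added example, not part of any post in this thread: a Python sketch that parses router log lines in the format posted above and reports how many entries fall in each second, on each source port and from how many distinct sources, which is the rate the replies are reasoning about. The sample lines are the ones quoted in the original post; the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the sample in the original post.
SAMPLE = """\
[DoS Attack: SYN/ACK Scan] from source: 46.105.88.239, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 91.134.231.76, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 87.98.158.113, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 91.134.231.75, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 198.27.126.53, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 167.114.41.148, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 167.114.41.149, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 149.56.154.194, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 149.56.180.255, port 80, Saturday, August 12, 2017 08:42:30
[DoS Attack: SYN/ACK Scan] from source: 188.165.86.68, port 13600, Saturday, August 12, 2017 08:38:09
"""

# Matches anywhere in the text, so entries glued to surrounding prose still parse.
LINE_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), "
    r"port (?P<port>\d+), \w+, (?P<ts>\w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

def parse(text):
    """Return a list of (kind, source_ip, source_port, timestamp) tuples."""
    events = []
    for m in LINE_RE.finditer(text):
        ts = datetime.strptime(m["ts"], "%B %d, %Y %H:%M:%S")
        events.append((m["kind"], m["ip"], int(m["port"]), ts))
    return events

def summarize(events):
    """Count entries, distinct sources, source ports and the busiest second."""
    if not events:
        return None
    per_second = Counter(ts for _, _, _, ts in events)
    peak_at, peak = per_second.most_common(1)[0]
    return {
        "events": len(events),
        "distinct_sources": len({ip for _, ip, _, _ in events}),
        "by_source_port": dict(Counter(port for _, _, port, _ in events)),
        "peak_per_second": peak,
        "peak_at": peak_at,
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```
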
#8
August 14, 2017 at 11:16:22
Thank you Jeff and Razor,
I'm a little less concerned with the DoS reports, I know they can be frequent and notoriously redundant on Netgear routers. I've also looked into several of the IPs and they seem to be common DoS's with similar origins, just multiple IPs. The wired connections still have me stumped, I've checked all my devices and the MACs do not match any that I currently have, and router, SP, even the house is new to me having moved here only 4mo ago. I'm hoping it's a router flaw as stated by Razor. Contacted SP and they are going to come inspect my connection and setup. Thank you all for the advice!