Constant DOS attacks in netgear log

daivdm_fox

Hi. My internet has repeatedly been going slow or "shutting off" for small periods every now and then. I then looked into my router log and found that I'm getting constant DOS attacks.





These periods of slow internet have been going on for about 3 days and it shows in the log. What are the proper steps I should take to fix this? I'm currently doing a Malwarebytes scan and nothing is showing up.
 
You can do nothing; your router is already protecting you and informing you of the problem. The bandwidth is gone as soon as the scan packet is sent down the connection to your house, so there is nothing you can do on your end to get the used-up bandwidth back.

Somehow your IP got on some list to be attacked. You can only try to get a different IP, which may be as simple as turning the modem/router off overnight, or you may have to contact your ISP.
 

daivdm_fox



But there seems to be a correlation between the times that I have a slight loss of connection and the times of the "DOS attacks".

 

Kewlx25

Most of those IPs are from services that you are actively using. You might just be noticing poor performance during the times of using those services, but the usage of those services spams your logs with this stuff, so you find it correlated.

What you'd need to do is not use any video services and then notice if these logs keep showing up when your network seems slow.

There could be something else going on, but this would be my first reaction, I have seen this stuff in the past.
 
Solution
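The triage suggested in the answer above, sketched as an added example (not code from the thread): it parses entries in the Netgear `[DoS Attack: ...] from source: ...` format and separates ACK entries whose source port is a common service port from everything else, optionally restricted to the time window of a slowdown. The sample lines are constructed with documentation-range IPs, and both `SERVICE_PORTS` and the rule that such ACK entries are replies to the user's own outbound connections are assumptions to verify against actual usage.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the router's log format (documentation-range IPs, not real hosts).
# The last entry has its timestamp wrapped onto the next line, as copied logs often do.
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 192.0.2.10, port 443, Monday, December 22, 2014 21:54:08
[DoS Attack: ACK Scan] from source: 192.0.2.10, port 443, Monday, December 22, 2014 21:52:38
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 80, Monday, December 22, 2014 21:53:27
[DoS Attack: RST Scan] from source: 203.0.113.5, port 55108, Monday, December 22, 2014 20:14:36
[DoS Attack: TCP/UDP Chargen] from source: 203.0.113.9, port 55074, Monday, December 22, 2014 18:00:00
[DoS Attack: ACK Scan] from source: 198.51.100.7, port 80, Saturday, December 20, 2014
11:25:04
"""

ENTRY = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<ip>[\d.]+), port (?P<port>\d+), "
    r"\w+, (?P<ts>\w+ \d{1,2}, \d{4}\s+\d{2}:\d{2}:\d{2})"
)
# Assumption: source ports of services a home client connects out to
# (80/443 web, 5223 push notifications).
SERVICE_PORTS = {80, 443, 5223}

def parse(log_text):
    """Yield (kind, ip, port, datetime); tolerates a timestamp wrapped onto the next line."""
    for m in ENTRY.finditer(log_text):
        ts = datetime.strptime(" ".join(m["ts"].split()), "%B %d, %Y %H:%M:%S")
        yield m["kind"], m["ip"], int(m["port"]), ts

def triage(log_text, start=None, end=None):
    """Count entries per source, split into likely reply traffic and unsolicited packets.

    start/end optionally limit the count to a window, e.g. a period of slow internet.
    """
    buckets = defaultdict(Counter)
    for kind, ip, port, ts in parse(log_text):
        if (start and ts < start) or (end and ts > end):
            continue
        if kind == "ACK Scan" and port in SERVICE_PORTS:
            # Heuristic (assumption): ACKs from a service port are replies to our own sessions.
            buckets["likely_reply"][(ip, port)] += 1
        else:
            buckets["unsolicited"][(ip, port, kind)] += 1
    return buckets
```

Running `triage` once over a slow period while video services are in use and once while they are not shows whether the `likely_reply` counts follow usage, which is the comparison the answer proposes.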

sfinapex

I have a similar issue which has been bugging me for a few months now. I've been trying to isolate the issue and finally made some progress.

I just replaced my 2-year-old Netgear router with a newer model Netgear router and the issue came right back after 24 hours. However, I still believe it's an issue with the wireless router. To troubleshoot, I blocked TCP port 443 traffic using the "Block Services" menu on the router and all of a sudden the DoS log entries were replaced by service blocked entries:

[service blocked: TCP] from source 192.168.1.17, Friday, January 02, 2015 14:16:49
[service blocked: TCP] from source 192.168.1.4, Friday, January 02, 2015 14:16:48

...and instantly speedtest.net with TCP port 443 blocked went back to normal (15+ Mbps) from 0.5 Mbps!

I was proud of my success, till a secondary issue cropped up. I am not sure which sites/services are using TCP 443, but some web pages do not work without TCP 443. www.google.com stopped working, but many other sites work.

I guess the root appears to be DoS settings on the router, which appears to be all or nothing. My old and new router only have a single checkbox to enable/disable DoS protection. It would be nice to have some detailed DoS configuration to exclude certain traffic (by IP or port) from DoS, while still leaving DoS active.
 

bobytox



TCP port 443 is used by HTTPS for SSL and TLS (i.e. secure web communications). By blocking that you are decreasing your security, as you are preventing websites from encrypting your communications.

This makes you highly vulnerable to man-in-the-middle style attacks, whereby you can have your logins and passwords stolen at the minimum.

You should never block port 443 on a computer used to browse the internet.