Devices show external ip instead of the dhcp ip address

florsca

May 13, 2016
We are having issues with slow pages (sometimes not coming in at all).
Looking at the logs, I am showing a lot of DOS attacks from source of 2.1.120.48 to target: misc. other websites. Usually one website is shown for 5-6 times then it goes on to another website address. Some are ping of death, some are teardrop.

When I look at the list of attached devices, I see 192.168.0.10 for one device, 192.168.0.12 for another, etc., and then when we are getting the DoS attacks, one of the devices will have the internal IP of 2.1.120.48. When the DoS attacks are not occurring, that device will go back to the regular DHCP address and show 192.168.0.15. The address change does not happen to one device only. But it might take over the address for one phone at lunchtime and then in the evening it might be someone else's phone or an iPad, etc.

I have reset the modem/router to factory default, the admin password has been changed, remote management is disabled, Comcast provisioned the modem, etc.
I have tried to block that ip address, but the router says that it's not an internal ip address so it won't allow the block.

Any suggestions?
Thanks
 
Checked on one of the devices - the router showed the ip as 2.1.120.48 but the device showed the ip as 192.168.0.15.

I don't think it is just a report error unless it is just the router falling apart. When this "rogue" ip address takes over the ip address for a device, then I start to show logs with DOS teardrop or DOS ping of death (appears to be against another website, though) and internet pages slow down and then the log shows a SYN Flood.
 
Before you worry too much, these should not cause much impact to you. The router is blocking them, which is why you see a log, and they are generally single-packet attacks. You are getting them minutes apart, so it is extremely low bandwidth. The only one that sends a little more data is the port scan.

It really depends how big your internet connection is, but it appears that you have a cable modem, so likely this is not enough traffic to matter.

I can't see how this would slow your connection. It is unlikely it causes the router itself to overload. It does take some overhead to create the log entry but again it is only a couple every few minutes. It is not like you are seeing 1000 in a second.

You may have been getting these all the time, and now that you are experiencing issues you just happened to see this log and blame these attacks.
 
Ok. My guess is that you're right that these logs might have always happened and I just never looked at them til we started having issues.

Does anyone know, though, why one of our devices would get assigned to that weird IP address and then the logs fill up with issues from that weird IP address? Is there any way for some rogue computer to take over an IP address on the router and make a dos attack onto someone else? It's not just one device, it is the same ip which takes over a phone one time and an iPad another time and maybe a different phone the next time.

Currently my iPad is showing the 2.1.120.48 address on the router (but my iPad shows it has 192.168.0.15 as its ip address). The logs show that my iPad is then trying to contact a hospital in another state (showing as a dos ping attack). It is my weird ip showing as the source, not the target.

I did reset to factory defaults in case there was something strange going on in my router, and I think I've done most of the security settings (remote management off, UPnP off, etc.).

Am I just being paranoid or does this seem plausible?
Thanks
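An added example, not part of any post in this thread: one way to put numbers on the two observations discussed above, the rate of DoS log entries per source (the reply's "minutes apart" point) and which attached-device entries show an address outside the DHCP range. The log line format, the device table, the destination addresses and the 192.168.0.0/24 subnet are assumptions constructed for illustration; only 2.1.120.48 and the 192.168.0.x addresses come from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the format is an assumption, not the poster's router log.
SAMPLE_LOG = """\
2016-05-13 12:01:10 DoS ping-of-death src=2.1.120.48 dst=203.0.113.7
2016-05-13 12:04:42 DoS teardrop src=2.1.120.48 dst=203.0.113.7
2016-05-13 12:09:05 DoS teardrop src=2.1.120.48 dst=198.51.100.20
2016-05-13 12:15:30 DoS syn-flood src=2.1.120.48 dst=198.51.100.20
"""
# Constructed attached-device table: name -> IP as the router displays it.
SAMPLE_DEVICES = {"phone-a": "192.168.0.10", "laptop": "192.168.0.12", "ipad": "2.1.120.48"}

LINE_RE = re.compile(r"^(\S+ \S+) DoS (\S+) src=(\S+) dst=(\S+)$")

def events_per_minute(log_text):
    """Return {source_ip: (event_count, events_per_minute)} over the logged span."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not DoS entries
        times[m.group(3)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    result = {}
    for src, stamps in times.items():
        # Floor the span at one minute so a single entry does not divide by zero.
        span_min = max((max(stamps) - min(stamps)).total_seconds() / 60.0, 1.0)
        result[src] = (len(stamps), len(stamps) / span_min)
    return result

def off_subnet_devices(devices, lan_cidr="192.168.0.0/24"):
    """Return device names whose displayed IP is outside the assumed LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    return sorted(n for n, ip in devices.items() if ipaddress.ip_address(ip) not in lan)

if __name__ == "__main__":
    for src, (count, rate) in events_per_minute(SAMPLE_LOG).items():
        print(f"{src}: {count} events, {rate:.2f}/min")
    print("off-subnet entries:", off_subnet_devices(SAMPLE_DEVICES))
```

A rate well below one entry per minute matches the reply's description of isolated packets; the off-subnet list shows which device-table rows to compare against the address the device itself reports.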