[SOLVED] Should I Block These IPs?

chrison600

Honorable
Sep 30, 2013
8
0
10,510
Hello,

With two people now working from home, I have noticed some unusual behaviors/slowdowns in browser response. I'm just learning the basics as far as diagnosing what might be improved and looked into the log on board my Netgear AX12. It shows a lot of "DoS Attack: ARP Attack" and "DoS Attack: TCP/UDP Echo" and "DoS Attack: SYN/ACK Scan". I can see the IP addresses associated with these attacks. I'm trying to figure out if these attacks might be the reasons for the change in performance/behavior on my network and what to do to protect against/reduce/prevent them.

Is the first/basic step to block the source IPs?

If so, how do I do that?

Thank you.
 
USAFRet

Titan
Moderator
Those are almost certainly typical scans. Everyone gets those, all the time.
Nefarious entities stroll through the entirety of IP space, looking for something open.

Unless you see a LOT...like thousands and thousands an hour, there is no issue. Your router is doing its job, and simply tossing them out.
 
Those are almost certainly typical scans. Everyone gets those, all the time.
Nefarious entities stroll through the entirety of IP space, looking for something open.
Yep, and it's sad that the whole country doesn't just block whole IP spaces (like Russia and China) who have no business knocking on everyone's door trying to scam. There are actually websites that help you get lists of whole country/continent IP spaces to program them into enterprise routers that can do that sort of thing. But there's even limits on what the hardware can handle as I found out recently when I wanted to block the whole world except the US and Canada.
 

USAFRet

Titan
Moderator
Yep, and it's sad that the whole country doesn't just block whole IP spaces (like Russia and China) who have no business knocking on everyone's door trying to scam. There are actually websites that help you get lists of whole country/continent IP spaces to program them into enterprise routers that can do that sort of thing. But there's even limits on what the hardware can handle as I found out recently when I wanted to block the whole world except the US and Canada.
When I had my NAS box open for outside access, continual scans.

The majority of the IP's were from Russia/China, but many, many from elsewhere.
Portugal, Switzerland, Ohio, Spain, etc, etc.

Can't block out the whole internet.
 

chrison600

Honorable
Sep 30, 2013
8
0
10,510
Thank you for the responses. If you don't mind I'd like to share a description of the behavior I'm seeing and ask for advice on that basis...

Most of our home network/computer products are Apple (iMac, MacBook Pro, iPad, iPhone). The router is the Netgear AX12, which has seemed to be fine (much better than the previous Gryphon then eero implementations). The new system that seems to be creating a challenge is my wife's work computer, a Lenovo laptop running Windows. Her company has an internal IT department that requires a VPN and they have remote access to her system for needs of support. Her laptop connects to a dock that is hard wired to the same switch as my iMac (5 port TP-Link Gigabit), which then connects via in-wall wiring to a 24 port TP-Link Gigabit switch, wired to the router, wired to the modem.

I've worked from home for years and never noticed any dips or drops in performance while here alone, but since her computer has been added to the mix, I've experienced service slowdowns and stoppages, on my iMac as well as iPad and iPhone. She experiences issues as well, but we work around those via scheduling and rebooting the router.

Some descriptions of what I experience are total drops in service while her system is booting (say in the morning once she walks into the office to boot up and I've been working for a while). Then when we are working side by side, I might see a behavior change like the following: I'll be working in eBay and PayPal; I need to view the PayPal transaction for a sale; I click on the link in eBay to invoke the PayPal page; the new tab opens but nothing appears- the tab is stalled; yet at the same time I can still refresh or view a new eBay page and/or refresh or view a new PayPal page. Also, I might try to refresh my email console (GoDaddy Workspace) and it gives me a "site insecure" warning which I can clear by simply refreshing the page again.

It "feels" to me that her system is commanding a lot of bandwidth such that other network requests are overwhelmed and you just have to keep repeating the request until it passes through. Rebooting the router has recovered good services a few times, but the service quality seems to degrade again if we are both using the network simultaneously. Today her service level has been good, but that's likely because most of my work was physical (shipping/transporting) rather than online.

I'd like to be able to diagnose/improve things, but I'm a newbie and need help getting up to speed. I have downloaded Wireshark and had a look at network tap hardware, but I'd like some guidance.

Thanks.
 
Thank you for the detailed description of the problem as it gives a much better idea of what could be going on. A couple of questions:
  • What is your service speed up and down?
  • What is her work client? IPsec? SSL? And is it a full tunnel or split tunnel?
  • What is she doing with her system? Is she doing work locally using remote files? Or is she remoting into her desktop at work? etc.
  • What is your network logical structure? VLANs? Additional subnets? Port forwards?
This information should allow me to develop some theories. :)
 

chrison600

Honorable
Sep 30, 2013
8
0
10,510
The product her company uses is Pulse Secure. I did a cursory look at their VPN product technical specs and it appears to use the SSL protocol and is a split tunnel.

We "officially" are on a service tier of 300 Mbps down / 20 Mbps up, but testing (on router or from client) shows around 350 down and 25 up.

She is remoting into her work environment, but the PC she is using here is the same PC she would be using at her office. The difference is she is not required to use the VPN when connected to the dock at her office.

Not sure on the logical network structure, but it's just a single router, a few switches, and wired/wireless clients. No heavy configuration changes on the router.
 
Thank you very much for the additional details.

So looking at your original post, try turning off the DoS attack setting in the Netgear and see what happens. If it fixes the issue, it may be that the router was thinking certain packets were an attack so it would 'pause' the connection (my rv016 used to do that).

The other thing I would check is whether you have any IPsec or SSL passthrough options and if they are on.

The other thing I was thinking that you could try would be to simply put your wife on another vlan and see what that does. If it fixes the problem, then great.

Let me know if any of this helps.
 

chrison600

Honorable
Sep 30, 2013
8
0
10,510
It looks like I can disable logging of suspected DoS attacks, but I'm hesitant to do that because I'd like to collect all the information I can regarding this issue.

I do not find any indication of IPsec or SSL passthrough options.

The router does have the ability to configure a VLAN "bridge" but it is discussed only in regard to "IPTV" devices. You can enable a VLAN bridge and select a physical Ethernet port (or ports) or WiFi frequency/frequencies to include in the VLAN configuration. That indicates to me that 1) If I select the 2.4 and/or 5 GHz range(s) on the WiFi side, all devices using that option would be included in the VLAN; 2) Since my wife's PC is not wired directly to the router, if I select to enable the VLAN for the connected port, all wired devices would effectively be included in the VLAN as all are connected via one port on the router due to the network architecture.
 
It would be extremely hard to use 300 Mbps doing normal internet activities. Large downloads could stall it, but I would assume this is a rare thing. It would be more likely that you could exceed upload, but again that is not common. Even video conferencing does not use that much bandwidth.

If your router has the ability to watch the bandwidth, see if you see any problems. Since the router can run speedtest, it appears, see if the router gets different results when you see the problem on your PC. This would indicate some issue between the two PCs rather than some issue with the connection or router.

I would also leave a constant ping running to your router IP. Problems at the LAN level would show issues in the ping. You could also leave a ping running to, say, 8.8.8.8 to see if there is much impact, if you are getting loss or you are getting delays. If both these are good I would suspect something like DNS, even though I can't see how since the VPN should not use your local DNS.

It would be strange for a VPN to have any effect on your other machines; the VPN is designed to isolate the machine from the internet as well as from all your local machines. It should talk to only a single IP address and nothing else. If you were to look at it, the session likely appears not much different than someone on any other encrypted web site.


Watch the CPU usage on your router if it has that. Disabling the logging would reduce the CPU if you have an issue.

In general it would in some ways be better if routers did not put out messages about this and just quietly blocked it. People get too concerned over it. You can do nothing to stop it. The IPs are likely machines that have been compromised, so tracking them will not find a person. Blocking them or some other range of addresses is like putting a bag over your head. The traffic will still come to your house and use up bandwidth. They cannot get past the NAT in the router and will be dropped no matter if you put in a rule or not.
 
Solution

chrison600

Honorable
Sep 30, 2013
8
0
10,510
Thank you, bill001g. I don't think it's an issue with the bandwidth available from our provider. I agree with you that it feels like the new PC is somehow introducing "noise" or "interference" on to the network that causes my system (and other clients such as iPad) to have issues (my wife's system will also have issues from time to time such that she reboots).

When the slowdowns occur I launch speed tests from my computer and they time out. I can't initiate a speed test on the router in those moments because I can't reach it to trigger the test.

What tool should I use to launch the pings? I could run one in Terminal, but is there a neat program that can run them and log the results? I have Wireshark. Can it be configured to run/log pings?

The router does have a CPU load indicator in advanced status, but I don't think it logs it. I can glance at it when we have a service issue (if I can load the page).
 
You can just use the -t option on the ping command.

If you cannot get into the router that is very telling. First make sure you have an IP address assigned on your PC; see IPCONFIG.
Next make sure the gateway is the router and the DHCP server is the router.

Next use the ARP -a command to see if the MAC address of the router is mapped to the IP address you think is the router.

Clear the ARP table and then ping the router. Even if it does not respond, your goal is to see if the ARP entry gets repopulated. If ARP does not respond then things are really broken.

Since it appears to be in the LAN I would most suspect either a duplicate IP or something hijacking the IP of the router. It could also be some form of ARP poison. This would be where some machine causes false ARP entries to be stored in the router, so the router, for example, sends traffic that is for your IP to a different MAC address. ARP poison is just a name; it can be caused by a bug or misconfigured system. Since it started with the machine running the VPN it could be that.

If you are going to run Wireshark I would run it on the machine running the VPN. What you want to see is if any traffic is not being sent via the VPN. A capture filter that excludes traffic to the remote VPN IP should greatly reduce what you see on the screen.
 
Last edited:
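The ping-and-ARP checks described in the post above, rolled into a small logger for the "is there a neat program that can run them and log the results?" question. This is an added example, not code from the thread or from any poster: it assumes a macOS or Linux host with `ping` and `arp` on the path, and a router at 192.168.1.1 (placeholder; pass your own gateway as the first argument). Each poll records round-trip time to the router and to 8.8.8.8, plus the MAC the host currently has cached for the router, and flags the two conditions the post is after: the ARP entry vanishing, and the router IP suddenly mapping to a different MAC (what a duplicate IP or ARP poisoning looks like from a client). The parsers are exercised on constructed sample output so the file can be imported offline.

```python
import re
import subprocess
import sys
import time
from datetime import datetime

# Constructed sample output (not captured from anyone's network) in the shapes
# macOS and Linux `arp -a` and `ping` produce; the parsers below are written
# against these and the live loop feeds them real command output.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:1:2:AA:bb:cc on en0 ifscope [ethernet]
? (192.168.1.99) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.50) at 00:11:22:33:44:55 [ether] on eth0
"""
SAMPLE_PING_OK = "64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.234 ms"
SAMPLE_PING_LOSS = "Request timeout for icmp_seq 0"

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+)")
PING_RTT = re.compile(r"time=(?P<ms>[\d.]+) *ms")


def gateway_mac(arp_output, gateway_ip):
    """MAC cached for gateway_ip, lower-cased, or None if absent or incomplete."""
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("ip") == gateway_ip:
            return m.group("mac").lower()
    return None


def ping_rtt_ms(ping_output):
    """Round-trip time of the first reply in `ping -c 1` output, or None on loss."""
    m = PING_RTT.search(ping_output)
    return float(m.group("ms")) if m else None


def check_gateway(prev_mac, cur_mac):
    """Classify one poll of the router's ARP entry.

    'no_arp_entry': the host cannot resolve the router at all (LAN-level break).
    'mac_changed':  the router IP now maps to a different MAC than last poll,
                    which is what a duplicate IP or ARP poisoning looks like.
    """
    if cur_mac is None:
        return "no_arp_entry"
    if prev_mac is not None and cur_mac != prev_mac:
        return "mac_changed"
    return "ok"


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def monitor(gateway="192.168.1.1", upstream="8.8.8.8", interval=5, log_path="netwatch.log"):
    """Poll forever, appending one timestamped line per interval to log_path."""
    prev_mac = None
    with open(log_path, "a") as log:
        while True:
            gw = ping_rtt_ms(_run(["ping", "-c", "1", gateway]))
            up = ping_rtt_ms(_run(["ping", "-c", "1", upstream]))
            mac = gateway_mac(_run(["arp", "-a"]), gateway)
            status = check_gateway(prev_mac, mac)
            line = (f"{datetime.now():%Y-%m-%d %H:%M:%S} "
                    f"gw_rtt={'loss' if gw is None else gw} "
                    f"upstream_rtt={'loss' if up is None else up} "
                    f"gw_mac={mac or 'none'} {status}")
            if status == "mac_changed":
                line += f" (was {prev_mac})"
            print(line, file=log, flush=True)
            prev_mac = mac
            time.sleep(interval)


if __name__ == "__main__":
    # usage: python3 netwatch.py [gateway-ip]
    monitor(*sys.argv[1:2])
```

Leave it running on the Mac during a normal workday and look at the log around the times the browser stalls: loss or a jump in gw_rtt with a steady upstream_rtt points at the LAN; a mac_changed line is the ARP problem the post suspects and tells you which MAC to chase on the switches. On a Linux host without net-tools, `ip neigh` replaces `arp -a` and needs its own parser.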
Just disable it as a test. If you really want logging, you should set up a syslog or use an enterprise grade router. Then you get to see stuff like this to your heart's content:
2020-03-23 03:32:39 Deny 192.168.1.82 70.148.54.17 http/tcp 46383 80 1-Trusted 6-500x50 blocked sites 60 63 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 767461827 win 5840"
2020-03-23 03:32:51 Deny 10.172.128.1 224.0.0.1 igmp 6-500x50 Firebox Denied 32 1 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2020-03-23 03:32:55 Deny 141.98.80.204 69.73.103.3 6380/tcp 50711 6380 6-500x50 Firebox blocked sites 40 240 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 1457222061 win 1024"
2020-03-23 03:33:25 Deny 119.206.216.20 75.137.136.110 81/tcp 41320 81 0-External Firebox Denied 40 234 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 4060637067 win 14600"
2020-03-23 03:33:25 firewall Temporarily blocking host 119.206.216.20 id="3001-1001"
2020-03-23 03:33:37 Deny 185.156.73.38 69.73.103.3 6262/tcp 56440 6262 6-500x50 Firebox blocked sites 40 240 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 2358830386 win 1024"
2020-03-23 03:33:56 Deny 192.168.1.82 70.148.54.17 http/tcp 46388 80 1-Trusted 6-500x50 blocked sites 60 63 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 831074095 win 5840"
2020-03-23 03:34:01 Deny 86.126.153.146 69.73.103.3 60001/tcp 54977 60001 6-500x50 Firebox Denied 40 52 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 1162438403 win 10785"
2020-03-23 03:34:01 firewall Temporarily blocking host 86.126.153.146 id="3001-1001"
2020-03-23 03:34:04 Deny 172.105.96.23 75.137.136.110 1900/tcp 58157 1900 0-External Firebox blocked ports 40 237 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 508322957 win 65535"
2020-03-23 03:34:04 firewall Temporarily blocking host 172.105.96.23 id="3001-1001"
2020-03-23 03:34:14 Deny 185.176.27.166 75.137.136.110 55110/tcp 57740 55110 0-External Firebox blocked sites 40 239 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 3878824989 win 1024"
2020-03-23 03:34:19 Deny 5.135.253.172 75.137.136.110 17932/tcp 58985 17932 0-External Firebox Denied 40 236 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 2941461744 win 1024"
2020-03-23 03:34:19 firewall Temporarily blocking host 5.135.253.172 id="3001-1001"
2020-03-23 03:34:19 Deny 182.140.138.98 69.73.103.3 ms-sql-s/tcp 44149 1433 6-500x50 Firebox Denied 40 233 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 4063934877 win 1024"
2020-03-23 03:34:19 firewall Temporarily blocking host 182.140.138.98 id="3001-1001"
I didn't think you'd run into anything about SSL passthrough, but I'm surprised there wasn't one for IPsec.

This is just a hunch based off of something else I once saw go crazy, but if you've got some spare equipment, swap your 5-port switch for another unit of a different brand and see if anything changes.
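A worked triage of the firewall log quoted in the post above, as an added example that is not code from the thread or from any poster. It separates the two things mixed together in such a log: inbound denies from public addresses, which are the scan noise the earlier replies say to ignore unless the rate reaches thousands an hour, and denies of LAN hosts trying to reach a blocked public destination, which are the lines actually worth reading. The log lines in SAMPLE_LOG are copied from the post; the parsing assumes the Firebox text format shown there, and the 1000-per-hour threshold is an assumed placeholder for the "thousands an hour" rule of thumb.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Lines copied verbatim from the Firebox log quoted in the post above.
SAMPLE_LOG = """\
2020-03-23 03:32:39 Deny 192.168.1.82 70.148.54.17 http/tcp 46383 80 1-Trusted 6-500x50 blocked sites 60 63 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 767461827 win 5840"
2020-03-23 03:32:51 Deny 10.172.128.1 224.0.0.1 igmp 6-500x50 Firebox Denied 32 1 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"
2020-03-23 03:32:55 Deny 141.98.80.204 69.73.103.3 6380/tcp 50711 6380 6-500x50 Firebox blocked sites 40 240 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 1457222061 win 1024"
2020-03-23 03:33:25 Deny 119.206.216.20 75.137.136.110 81/tcp 41320 81 0-External Firebox Denied 40 234 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 4060637067 win 14600"
2020-03-23 03:33:25 firewall Temporarily blocking host 119.206.216.20 id="3001-1001"
2020-03-23 03:33:37 Deny 185.156.73.38 69.73.103.3 6262/tcp 56440 6262 6-500x50 Firebox blocked sites 40 240 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 2358830386 win 1024"
2020-03-23 03:33:56 Deny 192.168.1.82 70.148.54.17 http/tcp 46388 80 1-Trusted 6-500x50 blocked sites 60 63 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 10 S 831074095 win 5840"
2020-03-23 03:34:01 Deny 86.126.153.146 69.73.103.3 60001/tcp 54977 60001 6-500x50 Firebox Denied 40 52 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 1162438403 win 10785"
2020-03-23 03:34:01 firewall Temporarily blocking host 86.126.153.146 id="3001-1001"
2020-03-23 03:34:04 Deny 172.105.96.23 75.137.136.110 1900/tcp 58157 1900 0-External Firebox blocked ports 40 237 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 508322957 win 65535"
2020-03-23 03:34:04 firewall Temporarily blocking host 172.105.96.23 id="3001-1001"
2020-03-23 03:34:14 Deny 185.176.27.166 75.137.136.110 55110/tcp 57740 55110 0-External Firebox blocked sites 40 239 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 3878824989 win 1024"
2020-03-23 03:34:19 Deny 5.135.253.172 75.137.136.110 17932/tcp 58985 17932 0-External Firebox Denied 40 236 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 2941461744 win 1024"
2020-03-23 03:34:19 firewall Temporarily blocking host 5.135.253.172 id="3001-1001"
2020-03-23 03:34:19 Deny 182.140.138.98 69.73.103.3 ms-sql-s/tcp 44149 1433 6-500x50 Firebox Denied 40 233 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 S 4063934877 win 1024"
2020-03-23 03:34:19 firewall Temporarily blocking host 182.140.138.98 id="3001-1001"
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
# Ports are optional so protocol-only lines (igmp) still parse.
DENY = re.compile(TS + r" Deny (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+)(?: (?P<sport>\d+) (?P<dport>\d+))?")
AUTOBLOCK = re.compile(TS + r" firewall Temporarily blocking host (?P<ip>[\d.]+)")


def parse_line(line):
    """One log line -> event dict, or None for a line in neither format."""
    m = DENY.match(line)
    if m:
        e = m.groupdict()
        e["kind"] = "deny"
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dport"] = int(e["dport"]) if e["dport"] else None
        return e
    m = AUTOBLOCK.match(line)
    if m:
        return {"kind": "autoblock", "ip": m.group("ip"),
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")}
    return None


def _addr(ip):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None


def is_lan(ip):
    a = _addr(ip)
    return a is not None and a.is_private


def is_internet(ip):
    """Routable public address: not RFC 1918, loopback, link-local, multicast or reserved."""
    a = _addr(ip)
    return a is not None and not (a.is_private or a.is_loopback or a.is_link_local
                                  or a.is_multicast or a.is_reserved)


def triage(log_text, threshold_per_hour=1000):
    """Summarise a batch of log lines: scan noise versus LAN-originated denies."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    denies = [e for e in events if e["kind"] == "deny"]
    # Inbound: a public source hitting the WAN side. This is the scan noise.
    inbound = [e for e in denies if is_internet(e["src"])]
    # Outbound: a LAN host denied on its way to a public destination. Read these.
    outbound = [e for e in denies if is_lan(e["src"]) and is_internet(e["dst"])]
    blocked = {e["ip"] for e in events if e["kind"] == "autoblock"}
    stamps = [e["ts"] for e in events]
    span_s = max((max(stamps) - min(stamps)).total_seconds(), 1.0) if stamps else 1.0
    rate = len(inbound) * 3600 / span_s
    return {
        "inbound_denies": len(inbound),
        "inbound_sources": len({e["src"] for e in inbound}),
        "inbound_per_hour": round(rate, 1),
        "top_ports": Counter(e["dport"] for e in inbound if e["dport"]).most_common(3),
        "autoblocked": sorted(blocked),
        "outbound_denies": len(outbound),
        "outbound_hosts": sorted({e["src"] for e in outbound}),
        "scan_verdict": "background noise" if rate < threshold_per_hour else "investigate",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted excerpt this reports eight inbound denies from eight different sources over about 100 seconds (roughly 288 per hour, each already auto-blocked by the firewall), and two denies of the same LAN host, 192.168.1.82, trying to reach 70.148.54.17 on port 80. The first number is the kind of traffic the thread says to stop worrying about; the second is the line a home user should actually follow up on, since it is a machine inside the network trying to reach something the firewall has on a block list.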