Question Should I do something about this?

[Shadow0201]

I logged into my router to update the firmware about a week ago and I noticed in the logs that I keep getting ARP attacks from my gateway ip address. I have been monitoring the logs for about a week already and I keep getting these logged attempts. I know that all these logs mean that they are failed attack attempts but I am worried for the security of my network. My router is a Netgear Nighthawk XR450 and the firmware version is 2.3.2.134 .

 

[bill001g]

Hard to say exactly what these message means, be better if the document them better.

This has to be something inside your house generally unless you mean the "gateway" ip on the wan port.

ARP can not leave the subnet so it has to be one of you machines. You might have something configured with the same IP as the lan port on your router.

I would think that the message also has a mac address. That should give you a idea which device it actually is.

Mostly a ARP attack would be used by someone trying to intercept traffic BUT it has to be a device inside your house already so it is much more likely it is something misconfigure.......assuming it is real in the first place and the router is telling some kind of lie.

 

[Shadow0201]

I believe it would be the gateway ip on the wan port because the ip address matches the numbers of my assigned ip address its just the last number is different.

 

[bill001g]

That is kinda strange. ARP is mostly a ethernet concept. Most ISP do not use ethernet on the WAN they use something like Docsis or gpon since the cable that comes into your house is something like coax or maybe fiber.
There is something similar to ARP being used but the modem changes the actual ARP commands to this other protocol. You technically can't get a ARP attack over say docsis because it doesn't use ARP.

Now sure this has to be something strange about how your ISP has configured stuff. It likely is some kind of false message from the router but it is hard to say. The standard solution to a ARP attack is to put a fix arp entry in for the ip. So you would manually key in the gateway ip and its real mac address. This would prevent anyone from being able to change it with a ARP attack. Problem is most routers do not let you set stuff like that......and you really should never need to. Maybe call your ISP and ask but unless you get lucky they won't have a clue what you are talking about.

 

[Shadow0201]

I also would like to mention that I also ocassionally get TCP/UDP Chargen attempt logs on the router from the dns server I use which is cloudflare but I'm unsure how significant that is.

 

[bill001g]

Not sure what that one means, either it is something new since I retired or netgear is using a different name.

In many ways it would be better if the router manufactures did not log stuff like this. The router has blocked whatever it is already. There is nothing you can actually do to stop the attack, by the time your router gets the packet the bandwidth is already used up and it can just discard it. There is nothing it can do to prevent the attack machine from sending more traffic.

So you have a issue that is already fixed as much as it can be and there is nothing more you can do so all the messages do is make you worry about them. If this was something that was easy you wouldn't have the idiots who can denial of service attack a large game company. Even with the help of a large ISP it is almost impossible to stop real attacks.

More than likely it is just the constant bot scans you see on the internet. Just having a router even with no special feature protects most people. The risk you would take is if you plugged your machine directly into the modem. A computer has lots more code that might have bugs unlike a router that unless you have port forwarding drops all incoming traffic from the internet.

 

[Alabalcho]

What connection do you have to your ISP - cable, fibre, Ethernet? Can you post first two or three groups of your WAN IP address?

@bill001g - in some markets a lot of small ISPs provide Internet access thru an Ethernet connection, especially in multi-unit dwellings where a dumb switch connects several customers before going to upper level.

 

[Shadow0201]

I have cable internet. It goes into an Arris SB6190 Modem. I have an ethernet cable connnected from that modem to a Netgear Nighthawk X450 router. I am not sure I feel comfortable sharing my WAN IP, I am already pretty concerned about what might going on towards my network

 

[Shadow0201]

I know that nothing has happened but I would just like to understand what may be happening. So I do appriciate the information that was given.

 

[Shadow0201]

The only thing I really changed was that I port forwarded my PC from the router so that I could host a Minecraft server to play with friends who I know well and can trust and I gave the same PC a static internal IP address to avoid having to change the port forward all the time. I closed the port forward once I discovered the logs. Keep in mind I did this a year ago and nothing bad really happened.

 

[bill001g]

Maybe someone else here you has recent cable experience can comment but on cable systems the end users can not actually send layer 2 traffic between each other.

More or less it works a encrypted tunnel between the ISP equipment and each modem. The traffic between these tunnels must pass through the ISP router. It is a layer 3, ip, interface. No traffic like ARP or broadcast etc can pass. It is almost treated as a bunch of point to point networks.

A ARP is only used to find the mac address being used for a IP address. There should only be 2 devices on this network, your router and the ISP gateway device.

This is where the vendor needs to document more precisely what that message means. I have seen similar things before on a router that was public source and the users laughed at the dev in the forums for how badly he implemented it.

 

[Shadow0201]

Hello, I am back with an update

I was checking my network for all the devices in my house and I have 3 that do not belong to any of my family members. I checked every device in my house to see if they matched the MAC addresses that were on the network and I did not find any that matched. So I blocked them from passing any traffic.

I also did some research about the constant ARP attacks from my router's public ip gateway address and the only thing I could find is the possibility of ip spoof attempts from a device that might be hidden on my network, but as far I believe this is just speculation that I have based on my research. What I do not understand is why it was not logged before and why it is from my public address's gateway if arp is used for DHCP, it should not be seen as a threat.

I also re-enabled port forwarding of 25565 for my server and I am getting logs of lan access from my friend from different ports and log of lan access from ip address that I do not know from other ports as well although I do not really know too much about how ports work so I am not sure if should close my port forward. I have had upnp on all the time since I had the router but I only get lan access logs when port forwarding.

The only weird thing that is happening is that my Eufy Homebase keeps disconnecting from LAN very frequently. It has the lastest software updates and the cable is good. It also happened to my PC for two days but then it stopped. It could be the device itself but I am just pointing that out just in case it means anything important

One other thing that may be unrelated to this is that I see constant T3 timeouts to my modem from a mac address that is owned by Arris which may indicate something wrong with my physical wiring but I will have to check that later.

 

[bill001g]

I would check the levels on your modem that is a better indicator of cabling issues. T3 errors can be cause by many things and if you get lots of them I would see if the ISP can fix them.

Not likely causing the ARP issue but I bet it is causing packet loss.