Netgear AC1900 or Modem (Motorola SB5100)?

Jon Woo

Hi guys,

I am trying to troubleshoot an issue in my apartment to distinguish whether I need to purchase a new modem or there is something going on that my ISP needs to look at. I recently purchased a Netgear AC1900 and it's going well; I like that it has good wifi coverage. One thing that is bothering me and my family, though, is having to reboot the modem at least once a day.

We maybe have about 4 to 5 devices (mobile/iPad devices) connected sometimes, not all the time, but potentially on the weekend at max. Recently, we have an Android box which we stream a lot of Netflix and TV shows on there, which I think might be the offender, but I could be wrong.

Should I be concerned about the DoS attack?

thanks
Jon

Here is our log: ( I have removed info on my IP Address and MAC address.)


[Admin login] from source 192.168.1.7, Sunday, Mar 05,2017 06:03:25

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [], Sunday, Mar 05,2017 05:12:58
[DHCP IP: ()] to MAC address , Sunday, Mar 05,2017 05:11:16
[Time synchronized with NTP server] Sunday, Mar 05,2017 05:11:01
[Internet connected] IP address: , Sunday, Mar 05,2017 05:10:55
[Internet disconnected] Sunday, Mar 05,2017 05:10:35

[Time synchronized with NTP server] Sunday, Mar 05,2017 04:10:07

[Internet disconnected] Sunday, Mar 05,2017 04:09:12
[DHCP IP: ()] to MAC address EC:0E:C4:2E:EA:90, Sunday, Mar 05,2017 04:06:50
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [], Sunday, Mar 05,2017 04:02:15
[Time synchronized with NTP server] Sunday, Mar 05,2017 04:01:43
[Internet connected] IP address: , Sunday, Mar 05,2017 04:01:38
[Internet disconnected] Sunday, Mar 05,2017 04:01:20
[DHCP IP: ()] to MAC address , Sunday, Mar 05,2017 02:41:49
[Time synchronized with NTP server] Sunday, Mar 05,2017 02:41:16
[Internet connected] IP address: , Sunday, Mar 05,2017 02:41:11
[Internet disconnected] Sunday, Mar 05,2017 02:41:11
[Initialized, firmware version: V1.0.7.6] Sunday, Mar 05,2017 02:41:05
[DHCP IP: ()] to MAC address , Sunday, Mar 05,2017 02:40:58
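
Added example, not part of the original post: one way to read a log in the format above is to measure each outage and check where every "DoS attack" entry falls relative to the reconnects and disconnects. The sample lines are constructed (timestamps follow the posted log, addresses are documentation placeholders) and the function names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample: timestamps follow the posted log, addresses are placeholders.
SAMPLE_LOG = """\
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [198.51.100.7], Sunday, Mar 05,2017 05:12:58
[Internet connected] IP address: 203.0.113.20, Sunday, Mar 05,2017 05:10:55
[Internet disconnected] Sunday, Mar 05,2017 05:10:35
[Internet disconnected] Sunday, Mar 05,2017 04:09:12
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [198.51.100.7], Sunday, Mar 05,2017 04:02:15
[Internet connected] IP address: 203.0.113.20, Sunday, Mar 05,2017 04:01:38
[Internet disconnected] Sunday, Mar 05,2017 04:01:20
"""
LINE = re.compile(r"^\[(?P<event>[^\]:]+)(?::\s*(?P<detail>[^\]]*))?\].*?"
                  r"(?P<ts>[A-Z][a-z]{2} \d{2},\d{4} \d{2}:\d{2}:\d{2})\s*$")

def parse(log_text):
    """Return (timestamp, event, detail) tuples sorted oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # blank or unrecognised lines are skipped
            ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
            events.append((ts, m["event"].strip(), m["detail"] or ""))
    return sorted(events, key=lambda e: e[0])

def outages(events):
    """Seconds from the latest disconnect to each following reconnect."""
    out, last_down = [], None
    for ts, event, _ in events:
        if event == "Internet disconnected":
            last_down = ts
        elif event == "Internet connected" and last_down is not None:
            out.append(int((ts - last_down).total_seconds()))
            last_down = None
    return out

def dos_context(events):
    """Per DoS entry: seconds since last reconnect and until the next drop."""
    rows = []
    for i, (ts, event, detail) in enumerate(events):
        if event != "DoS attack":
            continue
        up = [t for t, e, _ in events[:i] if e == "Internet connected"]
        down = [t for t, e, _ in events[i + 1:] if e == "Internet disconnected"]
        rows.append({"kind": detail,
                     "since_connect": int((ts - up[-1]).total_seconds()) if up else None,
                     "to_next_drop": int((down[0] - ts).total_seconds()) if down else None})
    return rows
```

On these timestamps both FIN Scan entries are logged within about two minutes after a reconnect, and the nearest following drop is several minutes later or absent.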
 
What is your ISP speed?
What is the name of the modem from your ISP?
Is it a modem or a gateway, wifi or without wifi?
Is it a clean modem or a bridged Gateway?
What are the settings on the modem/gateway?
What are your settings on Netgear AC1900, "Router mode" or "AP mode"?
Where did you connect the cable in on the Router, WAN or LAN ports?
Version of the FW on the Netgear router?
 
Please see my thread on DDOS attacks https://www.snbforums.com/threads/ddos-attacks.37493/.
I am having a similar problem and have gone through numerous changes of equipment to try and fix this.
The attackers are able to take my internet connection down.
As a last resort I have switched back to my Asus router to see if the line gets disconnected.
So far! The Asus has been up for 6 hours without a disconnect.
I am still getting a $$$$-storm of drops in the logs, but no disconnects.

My assumption is they are attacking Netgear routers and successfully able to cause disconnects.
Time will tell!
If this is the case, we need to try to get Netgear Guy to get the Netgear techs on board to see if there is a flaw in the firewall or something to that effect.
I sure am glad you posted! I was beginning to think I was just a paranoiac, but now I don't feel so all alone!
 
Keep in mind that changing routers usually causes your IP to change as well. That might be why your would-be attackers aren't taking you down (yet).

If your router allows you to specify a different MAC on the WAN interface, try changing that MAC by just two digits (i.e. 11:22:33:44:55:66 to 11:22:33:44:66:77), then turn off the modem for 10-20 minutes to reset the connection. You should be getting a new public IP once you reconnect, one which hopefully won't get targeted.
 
What is your ISP speed? 8Mbps
What is the name of the modem from your ISP? Motorola SB5100
Is it a modem or a gateway, wifi or without wifi? Modem without wifi
Is it a clean modem or a bridged Gateway? It's clean
What are the settings on the modem/gateway? Not sure. It's default
What are your settings on Netgear AC1900, "Router mode" or "AP mode"? Router mode
Where did you connect the cable in on the Router, WAN or LAN ports? It's mainly WIFI, with one LAN to an Android box
Version of the FW on the Netgear router?


Firmware Version
V1.0.7.6_1.1.99
 
Please see my thread on DDOS attacks https://www.snbforums.com/threads/ddos-attacks.37493/.
I am having a similar problem and have gone through numerous changes of equipment to try and fix this.
The attackers are able to take my internet connection down.
As a last resort I have switched back to my Asus router to see if the line gets disconnected.
So far! The Asus has been up for 6 hours without a disconnect.
I am still getting a $$$$-storm of drops in the logs, but no disconnects.

My assumption is they are attacking Netgear routers and successfully able to cause disconnects.
Time will tell!
If this is the case, we need to try to get Netgear Guy to get the Netgear techs on board to see if there is a flaw in the firewall or something to that effect.
I sure am glad you posted! I was beginning to think I was just a paranoiac, but now I don't feel so all alone!

Thanks Csection for taking the time to reply. So the disconnects aren't because of our hardware, it's because of attacks on the router? I only bought it last month! Before that as well, our internet was dropping, so that is why I bought a new wifi router.
 
Keep in mind that changing routers usually causes your IP to change as well. That might be why your would-be attackers aren't taking you down (yet).

If your router allows you to specify a different MAC on the WAN interface, try changing that MAC by just two digits (i.e. 11:22:33:44:55:66 to 11:22:33:44:66:77), then turn off the modem for 10-20 minutes to reset the connection. You should be getting a new public IP once you reconnect, one which hopefully won't get targeted.

Thanks RMerlin.

I have the AC1900 Netgear; can it be easily done to change the MAC address?

I am surprised that my wifi is being attacked so much. If I change ISP providers, will that also help?
 
1. Go to www.grc.com/shieldsup and click Proceed. Click on the yellow button GRC's Instant UPnP Exposure Test for a quick check. The test checks whether UPnP (Universal Plug and Play) is open to the Internet, which it should not be. Hopefully you get green results.

UPnP is, simply put, a function that allows devices on your network to make holes in the firewall themselves when they need to.

2. Reverse the steps in the browser and click the Commonwealth Ports. Now a search is made on a number of common ports to see if they answer the call. The results are presented in a list where the various ports should preferably be green (stealth). This means that they are completely invisible to the outside world.

Blue is a little less good, but the door appears closed, and red indicates an open port, which is often unsuitable. However, it may be because you are forwarding a port or use a service that requires this.

3. If you want, you can go ahead and test all ports by clicking the All Service Ports. This scans the first 1056 ports, and takes a little longer. If you wish, you can click the User Specified Custom Port Probe to choose which ports are to be scanned. These should then be listed on the line above.
If there is any vulnerability, check why the door is open and whether it really needs to be.
 
Keep in mind that changing routers usually causes your IP to change as well. That might be why your would-be attackers aren't taking you down (yet).

If your router allows you to specify a different MAC on the WAN interface, try changing that MAC by just two digits (i.e. 11:22:33:44:55:66 to 11:22:33:44:66:77), then turn off the modem for 10-20 minutes to reset the connection. You should be getting a new public IP once you reconnect, one which hopefully won't get targeted.
I am not trying to steal this thread from OP just add what I have done so far to get a point across.

I have to this point done the following to no avail:
1) Called ISP to try to get them to change "WAN" IP = No success.
2) Changed "MAC" to get a new "WAN" IP = This worked as far as changing "WAN", but attacks still occur by same attackers.
3) Reverted back to ISP's modem = Still getting drops.
4) Changed "MAC" a few more times = Still got "Connection Restarts".
5) Purchased a Netgear modem to see if Arris was the problem = Still got "Connection Restarts", though not as many.

Through sheer frustration I took my Netgear router down and replaced it with my Asus router running RMerlin 380.65 = 18 hours uptime in logs (many "Drops" logged, but no disconnections or restarts).

So you tell me what is the common denominator here?
Not trying to be sarcastic, just pass info! I am FAR from being an expert here!

P.S. Attacking IPs have not really changed much, mostly only third and fourth octet.
P.S.P.S. I hate long posts and apologies for this, but it was necessary to get the info I have gathered so far!
 
On my R7800 it can be changed under the Setup tab > Internet Setup. Choose "Use this MAC address". Try going up one on the sixth octet.
Not sure about your firmware though.
 
The last octet is often used for the LAN and wifi interfaces. That's why I recommend bumping both last octets to ensure a unique address.
 
Ah! Ok! I see! I have not changed the fifth octet, but for the time being. I am using my RT-3100 which is not getting the disconnections that my R7800 was.
Voxel is looking into the problem at the moment, so I don't want to change back to the Netgear until he has investigated this more thoroughly (connection has stayed up for 24 hrs.). Do you think this is a "Bot-attack" or a few individuals? Reason I ask is no matter what I do, the attacking addresses are the same.
They seem to go after ports 80 and 443, but since I put the Netgear modem into the mix, Voxel stated that the attacks are not coming from the same ports.

P.S. These ports are stealthed with the scanners I have tested with. That is why I stated that I think it could be in the Netgear firewall.
 
Do you think this is a "Bot-attack" or a few individuals?

The only way to tell for sure is by capturing all WAN traffic for a period of time, and analyzing it.
 
I am trying to troubleshoot an issue in my apartment to distinguish whether I need to purchase a new modem or there is something going on that my ISP needs to look at. I recently purchased a Netgear AC1900 and it's going well; I like that it has good wifi coverage. One thing that is bothering me and my family, though, is having to reboot the modem at least once a day.

We maybe have about 4 to 5 devices (mobile/iPad devices) connected sometimes, not all the time, but potentially on the weekend at max. Recently, we have an Android box which we stream a lot of Netflix and TV shows on there, which I think might be the offender, but I could be wrong.

Should I be concerned about the DoS attack?

Swap out the modem - it's an older DOCSIS 2.0 modem, and it's an older model at that - could be the power adapter on the modem - check out the stats page at http://192.168.100.1 and check for T3/T4 issues and reboots on the modem itself.

Most home users don't need to worry about DOS/DDOS - some gamers might be worried about this (there are tools that can do this), but for most folks, again, not at issue there.

DOCSIS 3.0 - the Moto/Arris SB6141 is a good choice, and the SB6183 is a better choice for many... both are really solid modems there.
 
What should I look for?

That's something hard to explain over a forum... Need to have a good basic understanding of how TCP/IP works and how to analyze network traces, unfortunately; not something I can explain in a few paragraphs.
 

Thanks guys. I looked at Shield up, and got the results.

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!


Might be the modem that I need to replace. Hopefully a new ISP will fix the drop of internet connection.
 
I would suggest not getting an Arris 6141. That is what I had and where Voxel said my problem originated!
I currently have a Netgear CM-400 and it works better for me.
Not saying it will fix your problem. Just saying what I have gone through.
 
That's something hard to explain over a forum... Need to have a good basic understanding of how TCP/IP works and how to analyze network traces, unfortunately; not something I can explain in a few paragraphs.
I have been looking at the logs on the RT-3100 as close as I can. So far, no lost connections. I am still working on the R7800 with voxel advising me, so I'll keep trying with it down the road. I may try putting the R7800 into bridge mode and see what happens.
The reason I haven't done that is because I have a lot of stuff set up in "Access Control" which I don't want to lose.
 
