Newcomer

Initial connection delays requiring retries

I have noticed over the last two weeks that initial connections over the Internet are failing and many times require retries/refreshes. Once the connections are made I get full bandwidth. It seems to be worse at different times of the day. Usually mornings are when it is most prevalent. My father lives 11 blocks away and is experiencing the same issue. When I do speed tests (Ookla) it takes a very long time, usually about 10 seconds, to find a server to do the test with. With Spectrum's speed test (https://www.spectrum.com/internet/speed-test.html) I get "Could not connect to the test server. A firewall could be blocking the connection or the server might be having some issues. Please try again later." After a few taps of the RETRY button, the test runs at full bandwidth.

I've been checking my modem/router logs and see a lot of DoS attack entries against other IP addresses. I wonder if this is causing problems on Spectrum's network. Below are some of the log entries from today.

| Description | Count | Last Occurrence | Target | Source |
| --- | --- | --- | --- | --- |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:38:01 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Ping Of Death] from 122.133.109.0, port 0 | 2 | Tue Nov 27 10:38:01 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 15 | Tue Nov 27 10:38:01 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Illegal Fragments] from 122.133.109.0, port 0 | 3 | Tue Nov 27 10:32:25 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 8 | Tue Nov 27 10:32:10 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Illegal Fragments] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:32:10 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 4 | Tue Nov 27 10:32:10 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Ping Of Death] from 122.133.109.0, port 0 | 3 | Tue Nov 27 10:30:29 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:30:02 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Illegal Fragments] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:30:01 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 2 | Tue Nov 27 10:30:01 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Illegal Fragments] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:30:01 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:30:01 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Illegal Fragments] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:29:51 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 53 | Tue Nov 27 10:29:49 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Ping Of Death] from 122.133.109.0, port 0 | 4 | Tue Nov 27 10:29:46 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Illegal Fragments] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:29:45 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Ping Of Death] from 122.133.109.0, port 0 | 2 | Tue Nov 27 10:29:45 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Illegal Fragments] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:29:45 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 8 | Tue Nov 27 10:29:32 2018 | 36.238.74.32:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 2 | Tue Nov 27 10:26:47 2018 | 128.144.146.5:0 | 122.133.109.0:0 |
| [DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 | 1 | Tue Nov 27 10:23:21 2018 | 184.209.235.216:0 | 122.133.109.0:0 |



3 REPLIES
Proven Sharer

Re: Initial connection delays requiring retries

Was that log file extracted from your modem, your router, or your computer? 

What is the model number of the modem and of the router?

What is your ZIP code (Tells us where in the USA you are located)?

The answers will make a huge difference in the work needed to reduce the number of valid DOS attacks.

Newcomer

Re: Initial connection delays requiring retries

The log is from my Netgear C7000-100NAS and my zip code is 45638.

Newcomer

Re: Initial connection delays requiring retries

I found out that these log entries are false positives caused by my Netgear C7000 firmware.

See this post from the Netgear site:

https://community.netgear.com/t5/Cable-Modems-Routers/DoS-attack-Teardrop-or-derivative-Ping-of-Deat...

"

ErnestTheGreat

NETGEAR Expert
Re: DoS attack, Teardrop or derivative, Ping of Death, strange non-DHCP IP address connected to wifi

As I mentioned before, a lot of these events are false positive events that generate these DoS attack, Teardrop or derivative and Ping of Death events in the event logs. As described by Netgear before, devices like printers, etc. are generating discovery packets or fragmented multicast IPv6 packets which cause the Netgear Cable firewall to believe it is being DoS’d when in fact it isn’t.

Netgear has a firmware that fixes this issue but it will take time to roll it out as it has to go through certification with ISPs. So we just need to sit tight and wait for the ISPs to push the new firmware out to our devices.

As far as the iPhones and iDevices having strange non-DHCP IP addresses shown for them under the WiFi section on the C7000's "Attached Devices" page, it looks like the issue here is related to the IPv6 NAT64 feature, which is a translation mechanism for algorithmically mapping IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. For more info on the NAT64 feature you can check out RFC 6145 and 6146.

So basically what’s happening is that the IPv6 addresses associated with iPhone and other iDevices are being translated to random IPv4 addresses as a result of the NAT64 feature, and for some odd reason those addresses are being shown under attached devices, leading us to believe that there is a non-DHCP address assigned to our device. Coincidentally, some of those IPs are valid addresses that show as being registered to valid 3rd parties and some are not.

So I do not think there is anything to worry about here; just make sure that you go to your C7000 UI under Advanced --> Setup --> WAN Setup and uncheck Disable Port Scan and DoS Protection to enable the protection since by default it is disabled. "
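
A triage sketch for router log entries like the ones in the first post, added here as an example and not part of the original thread or of any Netgear tooling: it parses entries pasted from the log page (space- or pipe-separated), totals events per attack type and per target, and separates entries that name your own WAN address from those that do not. The sample lines are copied from the first post; `WAN_IP` and the function names are assumptions made for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Four entries copied from the log in the first post
# (columns: Description, Count, Last Occurrence, Target, Source).
SAMPLE_LOG = """\
[DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 15 Tue Nov 27 10:38:01 2018 36.238.74.32:0 122.133.109.0:0
[DoS attack: Ping Of Death] from 122.133.109.0, port 0 2 Tue Nov 27 10:38:01 2018 36.238.74.32:0 122.133.109.0:0
[DoS attack: Illegal Fragments] from 122.133.109.0, port 0 3 Tue Nov 27 10:32:25 2018 36.238.74.32:0 122.133.109.0:0
[DoS attack: Teardrop or derivative] from 122.133.109.0, port 0 2 Tue Nov 27 10:26:47 2018 128.144.146.5:0 122.133.109.0:0
"""

# Assumption: stand-in for your own WAN address (RFC 5737 documentation range).
WAN_IP = "203.0.113.10"

ENTRY = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from [\d.]+, port \d+ "
    r"(?P<count>\d+) (?P<when>\w{3} \w{3} \d+ [\d:]+ \d{4}) "
    r"(?P<target>[\d.]+):\d+ (?P<source>[\d.]+):\d+$"
)

def parse(text):
    """Return one dict per log entry; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        # Collapse whitespace and drop table pipes so both paste styles parse.
        line = " ".join(raw.replace("|", " ").split())
        m = ENTRY.search(line)
        if m:
            entries.append({**m.groupdict(), "count": int(m["count"])})
    return entries

def triage(entries, wan_ip=WAN_IP):
    """Total events per type and target, split by whether they name wan_ip."""
    wan = ip_address(wan_ip)
    by_kind, by_target = Counter(), Counter()
    ours = others = 0
    for e in entries:
        by_kind[e["kind"]] += e["count"]
        by_target[e["target"]] += e["count"]
        if wan in (ip_address(e["target"]), ip_address(e["source"])):
            ours += e["count"]
        else:
            others += e["count"]
    return {"by_kind": dict(by_kind), "by_target": dict(by_target),
            "involving_wan": ours, "not_involving_wan": others}

if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Replace `WAN_IP` with the address shown on the router's status page before reading the `involving_wan` total.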