. Why are there dos attacks on router?

2.0K    Asked by AndrewJenkins in Cyber Security , Asked on Sep 27, 2022

So I'm a noob here and have been doing some research on why my internet (cable modem) locks up about once or twice a week ever since installing a Netgear N900 router a few months ago. After asking around a bit someone recommended I look at my router logs. When I did that I noticed quite a bunch of DoS attacks, which may or may not be real, malicious attacks. Below is a snippet of my logs over the last 2 days.


[DoS Attack: SYN/ACK Scan] from source: 149.202.86.200, port 80, Thursday, August 25, 2016 20:41:23
[DoS Attack: SYN/ACK Scan] from source: 37.130.228.68, port 8080, Thursday, August 25, 2016 19:48:16
[DoS Attack: TCP/UDP Chargen] from source: 95.211.214.74, port 55113, Thursday, August 25, 2016 19:35:28
[DoS Attack: RST Scan] from source: 45.58.74.129, port 443, Thursday, August 25, 2016 17:49:08
[DoS Attack: TCP/UDP Echo] from source: 31.214.240.122, port 43395, Thursday, August 25, 2016 17:47:20
[DoS Attack: SYN/ACK Scan] from source: 76.74.255.69, port 80, Thursday, August 25, 2016 17:40:53
[DoS Attack: SYN/ACK Scan] from source: 149.56.115.186, port 44405, Thursday, August 25, 2016 17:32:49
[DoS Attack: SYN/ACK Scan] from source: 149.56.89.107, port 42324, Thursday, August 25, 2016 17:30:40
[DoS Attack: RST Scan] from source: 45.58.74.161, port 443, Thursday, August 25, 2016 17:23:43
[DoS Attack: RST Scan] from source: 108.160.172.193, port 443, Thursday, August 25, 2016 16:33:31
[DoS Attack: RST Scan] from source: 108.160.172.204, port 443, Thursday, August 25, 2016 15:47:23
[DoS Attack: TCP/UDP Chargen] from source: 179.43.144.17, port 42698, Thursday, August 25, 2016 12:57:00
[DoS Attack: SYN/ACK Scan] from source: 149.56.89.107, port 42324, Thursday, August 25, 2016 12:44:49
[DoS Attack: SYN/ACK Scan] from source: 141.101.121.251, port 80, Thursday, August 25, 2016 09:49:49
[DoS Attack: SYN/ACK Scan] from source: 151.80.111.125, port 12500, Thursday, August 25, 2016 09:39:44
[DoS Attack: RST Scan] from source: 46.174.48.4, port 80, Thursday, August 25, 2016 08:30:12
[DoS Attack: TCP/UDP Chargen] from source: 95.211.214.74, port 36643, Thursday, August 25, 2016 08:29:42
[DoS Attack: SYN/ACK Scan] from source: 77.87.229.22, port 443, Thursday, August 25, 2016 07:35:56
[DoS Attack: SYN/ACK Scan] from source: 52.220.81.105, port 52200, Thursday, August 25, 2016 07:23:51
[DoS Attack: SYN/ACK Scan] from source: 192.99.39.120, port 1634, Thursday, August 25, 2016 07:08:01
[DoS Attack: ACK Scan] from source: 49.199.13.51, port 22, Thursday, August 25, 2016 05:28:29
[DoS Attack: TCP/UDP Chargen] from source: 104.255.70.247, port 39382, Thursday, August 25, 2016 05:16:25
[DoS Attack: SYN/ACK Scan] from source: 46.105.200.74, port 80, Thursday, August 25, 2016 05:00:20
[DoS Attack: SYN/ACK Scan] from source: 162.144.140.49, port 80, Thursday, August 25, 2016 04:40:10
[DoS Attack: ACK Scan] from source: 208.59.216.16, port 80, Thursday, August 25, 2016 04:16:50
[DoS Attack: ACK Scan] from source: 69.168.97.78, port 110, Thursday, August 25, 2016 04:13:40
[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.101, port 48327, Thursday, August 25, 2016 01:17:53
[DoS Attack: RST Scan] from source: 101.227.155.95, port 31414, Thursday, August 25, 2016 01:09:39
[DoS Attack: ACK Scan] from source: 173.203.153.81, port 80, Thursday, August 25, 2016 00:26:53
[DoS Attack: ACK Scan] from source: 173.203.153.81, port 80, Thursday, August 25, 2016 00:15:41
[DoS Attack: SYN/ACK Scan] from source: 77.87.229.22, port 80, Wednesday, August 24, 2016 22:55:06
[DoS Attack: SYN/ACK Scan] from source: 162.144.140.49, port 80, Wednesday, August 24, 2016 22:25:30
[DoS Attack: ACK Scan] from source: 212.4.153.171, port 443, Wednesday, August 24, 2016 22:15:19
[DoS Attack: ACK Scan] from source: 54.224.162.27, port 9543, Wednesday, August 24, 2016 22:13:52
[DoS Attack: ACK Scan] from source: 54.224.162.27, port 9543, Wednesday, August 24, 2016 22:03:41
[DoS Attack: ACK Scan] from source: 54.224.162.27, port 11095, Wednesday, August 24, 2016 22:02:32
[DoS Attack: ACK Scan] from source: 54.224.162.27, port 9543, Wednesday, August 24, 2016 22:01:41
[DoS Attack: ACK Scan] from source: 54.224.162.27, port 11095, Wednesday, August 24, 2016 22:00:31
[DoS Attack: ACK Scan] from source: 207.172.196.17, port 443, Wednesday, August 24, 2016 22:00:06
[DoS Attack: ACK Scan] from source: 31.13.71.1, port 443, Wednesday, August 24, 2016 22:00:02
[DoS Attack: ACK Scan] from source: 31.13.71.36, port 443, Wednesday, August 24, 2016 22:00:01
[DoS Attack: ACK Scan] from source: 54.224.162.27, port 9543, Wednesday, August 24, 2016 21:59:41
[DoS Attack: ACK Scan] from source: 207.172.196.17, port 443, Wednesday, August 24, 2016 21:59:17
[DoS Attack: ACK Scan] from source: 207.172.196.18, port 443, Wednesday, August 24, 2016 21:59:12
[DoS Attack: ACK Scan] from source: 31.13.71.3, port 443, Wednesday, August 24, 2016 21:59:02
[DoS Attack: ACK Scan] from source: 54.224.162.27, port 11095, Wednesday, August 24, 2016 21:58:31
[DoS Attack: SYN/ACK Scan] from source: 162.144.140.49, port 80, Wednesday, August 24, 2016 21:02:53
[DoS Attack: TCP/UDP Chargen] from source: 185.94.111.1, port 60830, Wednesday, August 24, 2016 20:09:49
[DoS Attack: RST Scan] from source: 192.162.101.60, port 80, Wednesday, August 24, 2016 19:09:09
[DoS Attack: SYN/ACK Scan] from source: 162.144.140.49, port 80, Wednesday, August 24, 2016 18:36:44
[DoS Attack: SYN/ACK Scan] from source: 85.193.69.29, port 80, Wednesday, August 24, 2016 18:33:23
[DoS Attack: SYN/ACK Scan] from source: 91.220.101.45, port 1723, Wednesday, August 24, 2016 18:28:47

After doing a quick google search on some of the IP's it looks like there are some Facebook and Dropbox IPs in the list. Many of the others seem to be located in Germany, UK, Canada, etc. Not sure what they are or if they are harmful, but I'm beginning to believe that the frequency of these "attacks" is what is causing my modem to lock up. Does anyone know if these are harmful attacks? How can I resolve these types of things from locking up my modem? There is a setting in the router to allow DoS but I'm extremely hesitant to do that, especially if someone is indeed trying to get on my network. FWIW I have about 30 wired and wireless devices on my network (a couple of laptops, smartphones, tablets, IP cameras, Sonos speakers, Amazon Echo's, Nest products, other smart home products, etc.). I'm really just trying to figure out why my modem keeps locking up ever since purchasing this new router. Thinking these DoS attacks might be the culprit.


Answered by Angela Baker

It is minutes and in some cases hours between all these entries, so will not qualify this as an attack and it should not have any impact on your router. It is normal to get some light scans looking for open ports, if you put up a web-server on port 80 you will probably get requests to wordpress phpmyadmin and other commonly used services after the scan of port 80 has shown it as open. In most cases it is kids having scripts running trying to find vulnerable servers to play with. If it were DOS attacks on the router, you would see hundreds of requests a second and if it was DDOS thousands of requests a second.


Your Answer

Interviews

Parent Categories