Should I be worried about a DoS attack?

My network has been running oddly for the past couple of days. I would have to reboot my router, which is a Netgear AX80, and cable modem every morning around 8am. I checked my network logs on my Netgear AX80 router and see many lines that read:

[DoS attack: Fraggle Attack] from source 10.37.240.1,port 67 Tuesday, Aug 18,2020 08:01:39

My network IP addresses are 192.*. I’m not sure how I’m getting attacked by a 10.* IP. Or maybe it’s just a false positive? What do you guys think?

That’s called a public IP address.

And yeah you could definitely be attacked.

There are loads of robots which do this world burning all the time.

Make sure your router’s firmware is up to date.

2 Likes

Sometimes the 10.x.x.x is the IP range of the ISP node that is on WAN of your modem. Do a traceroute to determine that. ex: tracert google.com

It may be that the attackers are spoofing their IP address when they are sending the packets to your router hence the weird 10.x.x.x range. I thought most ISPs check for that sort of thing these days.

1 Like

I checked my firmware and it is up to date. I also virus scanned every PC and device on my network. Bitdefender didn’t find anything, but that doesn’t mean anything.

Does anyone know of a way to mitigate against this kind of attack?

It is not really possible to do this yourself. By the time you have received the packets in a denial of service, they have already attacked you by sucking up your bandwidth.

If this is coming from a consistent range of IP addresses you may be able to get your ISP to help you with it. This all depends on how much they care. A simple firewall or routing rule on the ISP’s hardware can block those packets before they get sent over your link from the ISP, saving your bandwidth.

You should contact the ISP anyway. It’s possible that this “attack” is actually coming from their hardware either because of a hack or because something has broken down and gone screwy. A “DOS attack” might also just be broken hardware.

2 Likes

This is DHCP.

This is a nice round number, it’s probably the IP of your CMTS.

In general, your router should just ignore this junk traffic. I’d go and see if Netgear allows you to disable this kind of processing/detection. It’s generally not useful to log 10.* traffic on a DOCSIS network.

1 Like
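A way to triage such router log entries, added here as an illustration and not posted by anyone in the thread: it parses lines in the format quoted in the first post and separates entries from an RFC 1918 source with source port 67 (the DHCP server port) from entries with a routable source. The sample log is constructed, and the verdict labels and function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. Only the first source address and timestamp come
# from the thread; the other lines use made-up documentation addresses.
SAMPLE_LOG = """\
[DoS attack: Fraggle Attack] from source 10.37.240.1,port 67 Tuesday, Aug 18,2020 08:01:39
[DoS attack: Fraggle Attack] from source 10.37.240.1,port 67 Tuesday, Aug 18,2020 08:01:41
[DoS attack: ACK Scan] from source 203.0.113.7,port 443 Tuesday, Aug 18,2020 08:02:10
[DoS attack: Fraggle Attack] from source 198.51.100.9,port 7 Tuesday, Aug 18,2020 08:03:00
not a DoS line
"""

# RFC 1918 ranges: not routable on the internet, so the sender is on-link
# (ISP side of the modem or the LAN) or the address is spoofed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DHCP_SERVER_PORT = 67  # UDP source port of DHCP server replies

LINE_RE = re.compile(
    r"\[?DoS attack: (?P<kind>[^\]]+)\] from source (?P<src>\d+(?:\.\d+){3}),\s*port (?P<port>\d+)"
)

def classify(line):
    """Return (kind, source, port, verdict) for a DoS log line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    port = int(m["port"])
    private = any(src in net for net in RFC1918)
    if private and port == DHCP_SERVER_PORT:
        verdict = "likely-dhcp"      # e.g. the ISP's DHCP server / CMTS
    elif private:
        verdict = "private-source"   # upstream or LAN device, or spoofed
    else:
        verdict = "review"           # routable source: look closer
    return m["kind"], str(src), port, verdict

def summarize(log_text):
    """Count entries per (source, port, verdict) so repeated senders stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[1:]] += 1
    return counts

if __name__ == "__main__":
    for (src, port, verdict), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src}:{port}  {verdict}")
```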

I would say contact the ISP and ask them; they might have a way to look at recent activity being sent OP’s way.
Unless OP is hosting any services, they might also issue a new IP address.
If it is a targeted attack, a new IP should at least pause the attack until attackers update? And then OP would have a before: and after: to measure?

These are usually broadcast traffic.

1 Like

Well, it seems like my ISP doesn’t care too much. They said there isn’t a way for us to check if I’m getting attacked. I asked her if I can change my IP address. She stepped me through the ipconfig commands release and renew (forgot the order). I think that changed my external IP. I have my internal network set up as DHCP so I am not exactly sure if that changed my external IP or internal IP.

If you Google “what is my ip” it usually has an info box with your external IP.
One used to have to actually load a site like www.whatismyip.com in the manner of a Neanderthal or something…

You changed your internal IP with those commands.

If you want to change your external IP, power off and unplug your modem for 15 minutes and connect it all back up.

2 Likes

I am required to email their abuse department. My IP will probably change by the time this issue gets resolved.

But like @risk mentioned, the flood of traffic might be broadcast, i.e. sent to a lot of addresses, not just targeting yours.
Even if it is just targeted at yourself, changing IP might only be a temporary reprieve?
Not trying to be negative, just curbing expectations.

Also, some ranges of IP addresses get a lot of investigative traffic, just sniffing for a way in, but that is probably more VPS territory.

I’m learning to expect the worst when it comes to networking lol.

1 Like

But if you can use the net, it’s not a very good DOS, so I shouldn’t worry so much. If you are being Mossaded* upon, you have no chance anyway…

*insert regional equivalent