topic Re: DOS Attack in Arlo

DOS Attack

Sa9aX11 — Wed, 28 Sep 2016 20:53:21 GMT

Is this normal coming from my R7000 router?

"[DoS attack: FIN Scan] attack packets in last 20 sec from ip [52.16.17.159]"

Sal.

Re: DOS Attack

jguerdat — Wed, 20 Jan 2016 12:53:26 GMT

Hard to say. Is there a reason you suspect Arlo?

Edit: A whois search shows me this:

http://whois.arin.net/rest/net/NET-52-0-0-0-1/pft?s=52.16.17.159

Re: DOS Attack

Hula_Rock — Wed, 20 Jan 2016 12:56:25 GMT

52.16.17.159 Netgear does use Amazons' servers, interesting ......

Re: DOS Attack

TomMac — Wed, 20 Jan 2016 14:32:32 GMT

Maybe an attack into Amazon's network more than yours

# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=52.16.17.159?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       52.0.0.0 - 52.31.255.255
CIDR:           52.0.0.0/11
NetName:        AT-88-Z
NetHandle:      NET-52-0-0-0-1
Parent:         NET52 (NET-52-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        1991-12-19
Updated:        2015-03-20
Ref:            http://whois.arin.net/rest/net/NET-52-0-0-0-1

Re: DOS Attack

Hula_Rock — Wed, 20 Jan 2016 15:04:09 GMT

Sa9aX11 wrote:
Hi

Is this normal coming from my R7000 router?

"[DoS attack: FIN Scan] attack packets in last 20 sec from ip [52.16.17.159]"

Sal.

Turn on Port Scan on the R7000 and post some logs.

Re: DOS Attack

Sa9aX11 — Wed, 20 Jan 2016 22:17:46 GMT

I just placed the IP address 52.16.17.159 to my web browser and I got https://arlo.netgear.com/, Arlo Web Portal is doing a DOS Attack?

Sal

Re: DOS Attack

StuBee — Thu, 21 Jan 2016 04:44:46 GMT

Didn't netgear just release a new Firmware for your R7000. I believe it's so the R7000 can be used instead of the Arlo base-station.

So having said that...I bet it's some kind of bug that Arlo Portal is pinging R7000's and your router is thinking it's a DOS attack.

a) Are you using your R7000 as the Arlo base station?

b) What firmware version is on your R7000

You should probably open a case to Netgear.

Re: DOS Attack

Sa9aX11 — Thu, 21 Jan 2016 10:33:00 GMT

StuBee wrote:
Didn't netgear just release a new Firmware for your R7000. I believe it's so the R7000 can be used instead of the Arlo base-station.

So having said that...I bet it's some kind of bug that Arlo Portal is pinging R7000's and your router is thinking it's a DOS attack.

a) Are you using your R7000 as the Arlo base station?
b) What firmware version is on your R7000

You should probably open a case to Netgear.

To answer to your question:

a) Yes

b) V1.0.6.28_1.1.83 (Latest one)

Its probably nothing it does it when I reset the router.

Sal

Re: DOS Attack

jguerdat — Thu, 21 Jan 2016 14:05:11 GMT

I'd agree. Since the Q is constanly streaming, incoming packets will be required, too. Maybe whitelist arlo.netgear.com if that's possible?

Re: DOS Attack

Hula_Rock — Thu, 21 Jan 2016 14:24:07 GMT

After your Router is reset it loses its DHCP Binding. Sounds like false postives due to high thresholds set on the R7000. Basically it does not like to wait while setting up DHCP with the Netgear Servers.