Geekzone: technology news, blogs, forums


yeaaaaaahh

15 posts

Geek


#302517 28-Nov-2022 20:19

Hey team,

 

 

 

I've been receiving constant "DoS attack" warnings on my Netgear R8500 from the same IP address.
The same thing happened 6 months ago with the same address - eventually went away.

 

2Degrees told me it's my router that is the problem (because it's not their standard POS).

 

[DoS attack: STORM] (386) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:10:49
[DoS attack: STORM] (589) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:10:04
[DoS attack: STORM] (290) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:09:44
[DoS attack: STORM] (649) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:09:03
[DoS attack: STORM] (1192) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:07:58
[DoS attack: STORM] (706) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:07:37
[DoS attack: STORM] (1238) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:07:04
[DoS attack: STORM] (809) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:06:44
[DoS attack: STORM] (838) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:06:00
[DoS attack: STORM] (40) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:05:40

 

One thing I did find is that 198.18.0.0 is an IPv4 bogon range for network interconnect device benchmark testing.


Linux
11435 posts

Uber Geek

Trusted
Lifetime subscriber

  #3002803 28-Nov-2022 20:39

Are you sure this is a DDoS attack?




yeaaaaaahh

15 posts

Geek


  #3002806 28-Nov-2022 20:45

Not at all, I suspect it is something 2degrees is doing on their end.

  #3002824 28-Nov-2022 22:07

who.is reports the following for that IP address range:

 

NetRange:       198.18.0.0 - 198.19.255.255
CIDR:           198.18.0.0/15
NetName:        SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED
NetHandle:      NET-198-18-0-0-1
Parent:         NET198 (NET-198-0-0-0-0)
NetType:        IANA Special Use
OriginAS:
Organization:   Internet Assigned Numbers Authority (IANA)
RegDate:        1992-11-23
Updated:        2013-08-30
Comment:        Addresses starting with "198.18." or "198.19." are set aside for use in isolated laboratory networks used for benchmarking and performance testing.  They should never appear on the Internet and if you see Internet traffic using these addresses, they are being used without permission.
Comment:
Comment:        This assignment was made by the IETF, the organization that develops Internet protocols, in RFC 2544, which can be found at:
Comment:        http://datatracker.ietf.org/doc/rfc2544
Ref:            https://rdap.arin.net/registry/ip/198.18.0.0
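A way to triage router log entries like the ones quoted in the first post, as an added example that is not part of the thread or any poster's words: it parses the "[DoS attack: ...]" lines, totals packets per source, and labels the source address against special-use IPv4 blocks. The function names and the block list are choices made for this example; the 100.64.0.0/10 and RFC 1918 entries are additions not mentioned in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Special-use IPv4 blocks that should not show up as sources on the public
# Internet. 198.18.0.0/15 is the block from the whois output above.
SPECIAL_USE = [(ipaddress.ip_network(cidr), label) for cidr, label in [
    ("198.18.0.0/15", "benchmark testing (RFC 2544)"),
    ("100.64.0.0/10", "carrier-grade NAT shared space (RFC 6598)"),
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
]]

# Matches the Netgear log format exactly as it appears in the first post.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] \((?P<count>\d+)\) attack packets "
    r"in last (?P<window>\d+) sec from ip \[(?P<ip>[0-9.]+)\]"
)

def classify(ip):
    """Return the special-use label for ip, or 'publicly routable'."""
    addr = ipaddress.ip_address(ip)
    for net, label in SPECIAL_USE:
        if addr in net:
            return label
    return "publicly routable"

def summarise(log_text):
    """Aggregate entries per (source ip, attack kind) and classify the source."""
    stats = defaultdict(lambda: {"entries": 0, "packets": 0, "peak_pps": 0.0})
    for m in LINE_RE.finditer(log_text):
        s = stats[(m["ip"], m["kind"])]
        count, window = int(m["count"]), int(m["window"])
        s["entries"] += 1
        s["packets"] += count
        s["peak_pps"] = max(s["peak_pps"], count / window)
    return {k: dict(v, source_class=classify(k[0])) for k, v in stats.items()}

# Three entries copied from the router log quoted in the first post.
SAMPLE = """\
[DoS attack: STORM] (386) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:10:49
[DoS attack: STORM] (1238) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:07:04
[DoS attack: STORM] (40) attack packets in last 20 sec from ip [198.18.10.205], Monday, Nov 28,2022 20:05:40
"""

if __name__ == "__main__":
    for (ip, kind), s in summarise(SAMPLE).items():
        print(ip, kind, s)
```

A source that classifies as special-use rather than publicly routable points at equipment inside the provider's or the local network, which is useful context to include when raising the log with the ISP.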




yitz
2083 posts

Uber Geek


  #3002826 28-Nov-2022 22:14

It's the range they use for their CG-NAT boxes if you do a traceroute. So something not quite transparent going on? Reminds me of the transparent web caching proxy days when you get random packets from the cache farm IPs.

 

If your Netgear is running strict/symmetric NAT on the IPv4 WAN interface, then with a change to 3-tuple full cone NAT those entries might disappear.


xpd

xpd
Geek @ Coastguard NZ
13771 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #3002943 29-Nov-2022 08:42

Is it causing network/connectivity problems for you? If not, don't worry about it.... be like the good old ZoneAlarm days on dialup.... people blocking their ISP DNS servers because they were being "attacked" by it, then ringing the helpdesk to say their connection had been "hacked"...

Don't read too much into it.

 

 





       Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

 

                      LinkTree

 

 

 


yeaaaaaahh

15 posts

Geek


  #3002944 29-Nov-2022 08:47

xpd:

 

Is it causing network/connectivity problems for you? If not, don't worry about it.... be like the good old ZoneAlarm days on dialup.... people blocking their ISP DNS servers because they were being "attacked" by it, then ringing the helpdesk to say their connection had been "hacked"...

Don't read too much into it.

 

 

 

 

Yes causing complete outage :(


yeaaaaaahh

15 posts

Geek


  #3002946 29-Nov-2022 08:50

yitz:

 

It's the range they use for their CG-NAT boxes if you do a traceroute. So something not quite transparent going on? Reminds me of the transparent web caching proxy days when you get random packets from the cache farm IPs.

 

If your Netgear is running strict/symmetric NAT on the IPv4 WAN interface, then with a change to 3-tuple full cone NAT those entries might disappear.

 

 

 

 

Router doesn't provide much/any config like this.

 

 

 

 

I did also try disabling port scan and DoS Protection, which didn't resolve the outages.


 
 
 

michaelmurfy
meow
13274 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3002955 29-Nov-2022 09:13

Why not just use the Fritz!Box that 2degrees provide? It works and very well at that and is also better than your current router.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


robjg63
4100 posts

Uber Geek

Subscriber

  #3002972 29-Nov-2022 09:50

Is your router running the latest firmware? Looks like maybe there was an update in May this year?

 

https://kb.netgear.com/000065097/R8500-Firmware-Version-1-0-2-160

 

 

 

I see a few posts online complaining that the Netgear routers are a bit trigger happy with perceived DDoS attacks....





Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler


xpd

xpd
Geek @ Coastguard NZ
13771 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #3002975 29-Nov-2022 10:04

Plug in the Fritzbox, if problems go away, then confirmed it's the other router.

Up to you then if you want to persist with fixing your own router yourself, but 2D won't be able to assist as the connection itself is working as it should.

What do you consider "POS" about the Fritz? I've found it to be one of the most reliable units I've ever had an ISP supply me with, including the Zyxels that Voyager used to supply. It's accepted every change I've given it for NAT without hassle, run my VoIP etc etc. Thing's uptime outdoes my home server uptime :D

 

 





       Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

 

                      LinkTree

 

 

 


Lias
5590 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3002997 29-Nov-2022 11:10

yeaaaaaahh:

 

... Netgear ...

 

 

I found the problem.





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.


yeaaaaaahh

15 posts

Geek


  #3003213 29-Nov-2022 17:31

2Degrees originally gave me one of those Huawei hunks of junk (I returned it), which I replaced with the R8500 - which while being Netgear, is a beast.

 

It's running the latest firmware also.

 

 

 

The "attacks" have stopped since last night, if they flare up again I'll see if 2Degrees can send me a fritz!box so I can work out if it is my current router or not.

 

 

 

Thanks for the input all!

 

 


michaelmurfy
meow
13274 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3003295 29-Nov-2022 19:03

2degrees never used Huawei. They’ve always used Fritz!Box on xDSL and Fibre. But even the Huawei is actually not a “hunk of junk” and is still a capable router.

It’s been years now since providers have actually given people ewaste.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

