Intermittant internet drops brought WANATTACK to my attention.

esperologist
Grasshopper

For the past few days, I noticed our internet kicking out for about 10 minutes at a time. (Actually, kicks for a few seconds, then a few seconds later it kicks for a couple minutes, then a minute after getting on again, it kicks for a few minutes again.)

After a few times, I dove into the 'gateway' and poked around. Finding the logs, I checked and found that the initial moment of kick out was also when WANATTACK was logged. Looking it up, this is basically someone trying to brute force hack in. Well, each time internet dropped I would check again to confirm it lined up with a WANATTACK.

Well, just now I decided to check how long it has been happening and checked the firewall log for the longest period available (90 days). Looks like it has actually been happening several times a day all along.

Two most recent:

Spoiler

FW.IPv6 INPUT drop
, 672
Attempts, 2022/3/26 18:35:31 Firewall Blocked

FW.WANATTACK DROP
, 62
Attempts, 2022/3/26 18:35:31 Firewall Blocked

FW.IPv6 FORWARD drop
, 217
Attempts, 2022/3/26 18:35:31 Firewall Blocked

FW.IPv6 INPUT drop
, 3998
Attempts, 2022/3/26 14:17:03 Firewall Blocked

FW.IPv6 FORWARD drop
, 3623
Attempts, 2022/3/26 14:17:03 Firewall Blocked

FW.WANATTACK DROP
, 191
Attempts, 2022/3/26 14:13:52 Firewall Blocked

And the two oldest:

Spoiler

FW.IPv6 FORWARD drop
, 7764
Attempts, 2021/12/28 18:26:57 Firewall Blocked

FW.WANATTACK DROP
, 4
Attempts, 2021/12/28 18:26:57 Firewall Blocked

FW.IPv6 INPUT drop
, 1297
Attempts, 2021/12/28 18:26:57 Firewall Blocked

FW.IPv6 FORWARD drop
, 6261
Attempts, 2021/12/27 18:26:57 Firewall Blocked

FW.WANATTACK DROP
, 38
Attempts, 2021/12/27 18:26:57 Firewall Blocked

FW.IPv6 INPUT drop
, 1237
Attempts, 2021/12/27 18:26:57 Firewall Blocked

So basically, this attack is apparently normal... and just happens to line up with my connection dropping. This means I don't know what is actually causing connection drops... or didn't notice them before. Just wish it would also log events that cause failure to connect to the internet. (The event logs have nothing that lines up with the drops.)

Additional Note : the LAN still works perfectly fine during these drops. I can even log into the 'gateway'. I just lose internet connection.

 

Labels (1)
5 Replies

-- So basically, this attack is apparently normal... I w...

mdk
Legendary Grand Master

@esperologist -- So basically, this attack is apparently normal...

I would say "common", but not "normal".

> it happens to line up with my connection dropping. This means I don't know what is actually causing connection drops

If the cable-modem is "too-busy" recording each attack, it may be "too-busy" to handle your "normal" traffic on the Internet.

How many attacks per second are showing-up in your log-files? Tens? Hundreds? Thousands?

 

0 Kudos
Reply
Loading...

From what the log gives me, it occurs 2-5 days per week,...

esperologist
Grasshopper

From what the log gives me, it occurs 2-5 days per week, generally shortly after 4am (in the gateway's log) - though some also occur afternoon/evening. Those occurring afternoon/evening lined up with the time when our internet would cut out for several minutes.
About half of them are under 100 (mostly under 50, many under 20), and about half are between 100-200.

The logs also have daily (all 7 days) ipv6 input and ipv6 forward drops. I didn't parse those records as well, but generally they range about 500-8000... with most being in the 1000-3000 range. However, our internet drops were not as common as those entries.

Currently, we are not experiencing (notable) internet drops... though we still get occasional wi-fi drops. (My computer is wired to the gateway, so wi-fi drops don't impact me... just my family.)

Bonus Note : The gateway output puts the oldest entry at the bottom... EXCEPT, it seems to sort the months alphabetically. (Not intuitive to read.)
My original 90-day log output : December, February, January, March.
My update of last month : April, March.
Testing 90-day log output : April, February, January, March

0 Kudos
Reply
Loading...

Hi, having the same issue very recently but I've been see...

joshbwiseman
Grasshopper

Hi, having the same issue very recently but I've been seeing 50,000 - 90,000 hits with the same network drops. Do you find a solution.

0 Kudos
Reply
Loading...

-- at what time of day (night?) do your log-files show th...

mdk
Legendary Grand Master

@joshbwiseman -- at what time of day (night?) do your log-files show the activity?

Shaw has "maintenance windows" overnight that can cause a short outage. Perhaps, your log-files are showing events when your cable-modem cannot connect, or when the maintenance has ended, and Shaw's infrastructure is trying to connect to your cable-modem.

Tough question: has the IP-address that Shaw assigned to your cable-modem before the events changed to a different IP-address during/after the events?

 

0 Kudos
Reply
Loading...

Hi, 8am, 1PM and 4PM have had network disruptions with hi...

joshbwiseman
Grasshopper

Hi,

8am, 1PM and 4PM have had network disruptions with high activity at the same time.

No, I've been watching that and it has not changed.

Josh

0 Kudos
Reply
Loading...