I have three Netgear Routers: WNDR3700, WNDR4000, and WNDR4500.

On the SAME wired network, the 3700 works great. But both the 4000 and 4500 exhibit the same symptom. They periodically drop WAN connections for a minute (almost exactly), then allow them for 5-20 seconds, drop them for another minute, etc. In the plots below, red in the time graphs means that traceroutes and pings are not getting returned by the affected hops along the path (top part of the plots).

Netgear WNDR4500

Existing connections (Netflix streaming) seem to not be affected. I see this periodic dropping clearly doing traceroutes or pings. Pingplotter is especially effective at showing this.

This is what a normal Pingplotter connection (on the WNDR3700) looks like:

It is normal for the destination (the Comcast nameserver) to refuse to answer some packets. The white area on each plot is the jitter, which increases up to a loss, and then drops.

What could be causing this?



Snoopytime on the Netgear Forum suggested:

Try going to Setup, then to WAN Setup . . then UNCHECK 'IGMP Proxy Disable'.

I am trying this. It did not work. About an hour after a router reboot, the symptoms started again.

I tried reducing the MTU to 1340, and this made everything work badly. The wireless kept dropping and I could not get any proper internet connections.
The Nessoft people (makers of Pingplotter) suggested that this might be due to an inability of the router to handle multiply-queued ICMP requests. I have turned those off and am now testing... http://www.pingplotter.com/netgear-rt314.html

I think I figured it out. Pingplotter sends multiple ICMP requests. The router apparently has trouble dealing with these when queued up.
I modified Pingplotter to send them serially, and the problem went away.

So what is causing it? Well, someone on the forum said that what happens is that the router loses its DNS addresses. This would be consistent with my symptoms during the periodic outages: existing connections continue to work, new ones do not. The person suggested that I put in the fixed Comcast DNS addresses (75.75.75.75 and 75.75.76.76). But I also installed the latest Netgear beta firmware which he said supposedly fixed things. And it has been working using the unmodified Pingplotter for 14 hours now.

Seems to be fixed now


Unfortunately the WNDR4500 lost connection to the WAN overnight, and I had stopped running Pingplotter. I rebooted the router, started Pingplotter again, and will leave it on for many days to see what is happening.

48-hour trace
The gray areas are times when the route had changed, and this IP address was not used. You can see that some bad things happened the night of 12/21, but I think it was Comcast because the route also changed. Note that at 1 am on 12/22, there was a drop to the first hop (not shown) and then the route changed. So this was definitely a Comcast issue.

This problem started again, and I think I found the reason. Looking in the router log files, I get:
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.56], Saturday, Feb 04,2012 09:42:42
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.56], Saturday, Feb 04,2012 09:42:15
so apparently the router thinks it is being attacked and shuts down its connection to the Internet. In my opinion, I do not think it should be doing this for the internal ports, only the external ones, or else, there needs to be a way of specifying that this traffic is legitimate.
To fix this, in the Advanced tab, WAN setup, check Disable Port Scan and DoS Protection.
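
As an added example (not part of the original post and not Netgear tooling): a small Python parser for the log format quoted above that groups DoS entries by source and marks whether each source is an RFC 1918 (LAN-side) address, which is the distinction the post argues the router should make. The function names and every sample line after the first two are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Pattern derived from the two log lines quoted in the post.
LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] .*? from ip \[(?P<ip>[0-9.]+)\], "
    r"\w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Return (kind, ip, timestamp) for a DoS entry, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # e.g. "999.1.1.1" passes the regex but is not an address
        return None
    return m["kind"], ip, datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")

def summarize(lines):
    """Group DoS entries by (source, kind) and flag LAN-side sources."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            kind, ip, ts = parsed
            events[(str(ip), kind)].append(ts)
    report = []
    for (ip, kind), stamps in sorted(events.items()):
        internal = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        report.append({"ip": ip, "kind": kind, "internal": internal,
                       "count": len(stamps),
                       "first": min(stamps), "last": max(stamps)})
    return report

SAMPLE_LOG = [
    # First two lines are quoted from the post; the remaining lines are constructed.
    "[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.56], Saturday, Feb 04,2012 09:42:42",
    "[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.56], Saturday, Feb 04,2012 09:42:15",
    "[DoS attack: STORM] attack packets in last 20 sec from ip [203.0.113.7], Saturday, Feb 04,2012 09:40:01",
    "[constructed non-DoS entry] Saturday, Feb 04,2012 09:39:00",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        side = "LAN" if row["internal"] else "WAN"
        print(f'{row["ip"]:<15} {row["kind"]:<6} {side} x{row["count"]} '
              f'{row["first"]:%H:%M:%S} to {row["last"]:%H:%M:%S}')
```

A source reported as LAN here is a device on the local network, so the next step is to identify that host and what it is sending before deciding whether the router's detection is a false positive.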

Comments

Submitted by Wawan on Mon, 04/09/2012 - 20:04

Hi, Jim! Your Easy guide is really very good. I tried to search for the answer on the Internet. I tried many websites but did not get a proper answer. On other web sites, you will get only the information about the router but not the step by step resolution. I called the manufacturer of my router but they did not help me as my router was not in the warranty period. First I was thinking not to go for your Easy guide. I tried a lot on the web site but could not make it. Finally I tried your Guide and got it connected. There are many problems described in your program. Thanks for such a wonderful program. You saved my money.

Hi - in truth great site you have created. I enjoyed reading this posting. I did want to publish a remark to tell you that the design of this content is very aesthetically delightful. I used to be a graphic designer, now I am a copy editor. I have always enjoyed functioning with information processing systems and am trying to learn code in my free time.

Submitted by jarome on Tue, 07/10/2012 - 10:43

Routers must be patched just like any other computer equipment!

http://www.darkreading.com/database-security/167901020/security/news/24…

"Low-priority databases containing temporary network workload information could be a perfect vector for simple SQL injection attacks, which can lead to outright domination of WiFi routers given the right chain of attack. So warns a Black Hat presenter who, in a few weeks, will show how he used SQL injection attacks to put together attacks that lead to remote takeovers of SOHO routers."

Linksys routers are vulnerable too:

http://www.net-security.org/secworld.php?id=14234

Submitted by jarome on Fri, 12/28/2012 - 13:30

Be sure that you buy a new cable/DSL modem occasionally. For cable, you want one that supports DOCSIS 3. This allows you to use channel bonding for higher speeds. I updated my old SURFboard modem to a new DOCSIS 3 model, and my speeds increased 50%.
