Netgear time-g.netgear.com + time-f.netgear.com - flooding....
Jeroen Massar
jeroen at massar.ch
Thu Nov 5 15:50:53 UTC 2020
TLDR:
- bug from before 2013 it seems, not a malicious takeover fortunately
- there is/was a software update
- best to tell customers to update gear.... (but not everybody has proper wifi toys in house or cash... :( )
Off-list I got a few responses from Jack who did some great googling, thanks Jack!:
From 8 years ago (2013) where Comcast had similar issues but with time-a.netgear.com + time-b.netgear.com
https://web.archive.org/web/20130608120955/http://dns.comcast.net/index.php/entry/some-netgear-routers-causing-flood-of-dns-queries
according to that there is a software update that could potentially.
There was apparently a forum thread at http://forum1.netgear.com/showthread.php?t=74665 also referencing the same 32769 port number.
and there was a nanog thread from 2012 here:
https://marc.info/?l=nanog&m=134706378618540&w=2
Other threads mentioning the problem:
https://community.netgear.com/t5/General-WiFi-Routers-Non/Weird-WNDR3700-DNS-problem/td-p/509370
https://community.netgear.com/t5/General-WiFi-Routers-Non/Thousands-of-DNS-Requests-Per-Second/td-p/414710
So, as it is netgear, I can only appropriately quote:
https://www.youtube.com/watch?v=xhtrmebhqfw "I Am Jack's Complete Lack of Surprise"
Time to tell those people to replace those "things that do wifi", an actual quote of a customer; yes, our helpdesk guys get fun stuff, high five to them too, shout out to Dennis for doing the actual calling and dealing with people!
Greets,
Jeroen
--
> On 20201105, at 15:51, sthaug at nethelp.no wrote:
>
>> <many more, see attached log>
>> 14:23:58.147601 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
>> 14:23:58.147603 IP customer.32769 > 212.60.61.246.53: 17710+ A? time-g.netgear.com. (36)
>> 14:23:58.147613 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
>> 14:23:58.147613 IP customer.32769 > 212.60.61.246.53: 17710+ A? time-g.netgear.com. (36)
>> 14:23:58.147616 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
>> 14:23:58.147617 IP customer.32769 > 212.60.61.246.53: 17710+ A? time-g.netgear.com. (36)
>> 14:23:58.147618 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
>> <many more>
> ...
>> * Has anybody seen similar situations in their recursives? (and what could you do about it)
>
> We've seen it many times. Haven't normally followed up with customer
> (not enough of a problem to be worth while).
>
>> * Is this an on-device (netgear) issue or is this part of some kind of DoS attempt?
>
> For us it looks like a Netgear issue, not an organized DoS attempt.
>
> Steinar Haug, AS2116
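
The pattern in the quoted capture, one client repeating the same query from the same source port (32769) with the same DNS ID (17710) within microseconds, can be flagged from tcpdump text output on a recursive resolver. This is an added example, not part of the original post; the function names, the thresholds and the two 192.0.2.10 sample lines are assumptions.

```python
import re
from collections import defaultdict

# Sample capture: the first seven lines are the tcpdump output quoted in the
# post; the two 192.0.2.10 lines are constructed to represent a normal client.
SAMPLE = """\
14:23:58.147601 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
14:23:58.147603 IP customer.32769 > 212.60.61.246.53: 17710+ A? time-g.netgear.com. (36)
14:23:58.147613 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
14:23:58.147613 IP customer.32769 > 212.60.61.246.53: 17710+ A? time-g.netgear.com. (36)
14:23:58.147616 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
14:23:58.147617 IP customer.32769 > 212.60.61.246.53: 17710+ A? time-g.netgear.com. (36)
14:23:58.147618 IP customer.32769 > 212.60.63.246.53: 17710+ A? time-g.netgear.com. (36)
14:23:58.201114 IP 192.0.2.10.40001 > 212.60.63.246.53: 4211+ A? example.org. (29)
14:23:59.305220 IP 192.0.2.10.51544 > 212.60.63.246.53: 9930+ AAAA? example.org. (29)
""".splitlines()

# time, client.port > resolver.53: id[flags] [optional EDNS marker] type? name
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+)\.(\d+) > (\S+)\.53: "
                  r"(\d+)\S* (?:\[\w+\] )?(\w+)\? (\S+) ")

def parse(line):
    """Return (seconds_since_midnight, query_key) for a DNS query line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, frac, client, sport, _resolver, txid, qtype, qname = m.groups()
    ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
    return ts, (client, int(sport), int(txid), qtype, qname.lower())

def find_floods(lines, min_repeats=5, window=1.0):
    """Map each query key (client, source port, DNS ID, type, name) to its peak
    repeat count inside `window` seconds, keeping only keys >= min_repeats."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        seen[rec[1]].append(rec[0])
    floods = {}
    for key, stamps in seen.items():
        stamps.sort()
        best = lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:   # shrink window from the left
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_repeats:
            floods[key] = best
    return floods

if __name__ == "__main__":
    for key, n in find_floods(SAMPLE).items():
        print(n, "identical queries within 1s:", key)
```

Keying on the DNS ID and source port together separates this firmware behaviour from an ordinary busy client, which changes both on every query.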