topic Re: Possible DoS attack from shadowserver.org in Full Fibre

Possible DoS attack from shadowserver.org

Unst-Shetland — Fri, 03 Oct 2025 04:39:56 GMT

Hello. I am suffering repeated connection drops on my new full fibre/FTTP connection.

I have looked at the router logs (I am using your supplied Plusnet Hub Two router) and it would seem that the router is dropping connection due to a DoS attack. Here is a relevant log extract containing the relevant lines as well as context.

Specifically you will see that the router logs show apparent DoS attacks at:

19:00:01, 02 Oct.
DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=65.49.1.69 DST=146.199.152.235 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=9922 DF PROTO=UDP SPT=26948 DPT=19 LEN=9 MARK=0x8000000
(Connection dropped just after this line)

18:44:12, 02 Oct.
DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=65.49.1.72 DST=146.199.152.139 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=18983 DF PROTO=UDP SPT=19512 DPT=19 LEN=9 MARK=0x8000000
(Seemingly connection went down just before this line)

17:00:03, 02 Oct.
DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=64.62.197.43 DST=146.199.152.193 LEN=51 TOS=0x00 PREC=0x00 TTL=52 ID=57820 DF PROTO=UDP SPT=9225 DPT=7 LEN=31 MARK=0x8000000
(Connection dropped just after this line)

The source IP addresses for each of these lines are 65.49.1.69, 65.49.1.72 and 64.62.197.43. In all cases, these IPs point back to shadowserver.org (a customer of Hurricane Electric).

Looking at shadowserver.org's website, it seems their speciality is port scanning and identification of exploitable hosts. In fact, this document on their website from 2024 appears to directly correlate with the nature of the above log events: https://www.shadowserver.org/what-we-do/network-reporting/high-loop-dos-report/

In summary, it would seem that shadowserver.org is DoSing my router and causing repeated connection drops.

Are you aware of this?

Despite their claim on their FAQ page that port scanning is legal under US federal law, their actions are very likely illegal in UK law if done without permission.

Have you given them permission to scan and test exploits on your customers' routers?

Can you block their IP range so that they do not reach your customers' routers?

Can you update the router firmware so as not to be vulnerable to this exploit?

Or is there some other process ongoing?

Thank for your help on this.

Post released from Spam Filter.

Re: Possible DoS attack from shadowserver.org

jab1 — Fri, 03 Oct 2025 06:11:53 GMT

@Unst-Shetland Looking at those extracts, yes, they are port scans, which unfortunately everyone suffers, but, as I read them, they haven't found any open ports.

PN will not have 'given permission' - no sane ISP would do that. How would PN be aware - they do not routinely monitor your connection?

Plusnet would not block an IP unless it was causing severe damage to a large number of their customers and 'updating the firmware' would not prevent this type of intrusion - numerous bad actors try this from many, many different source IPs.

Sight of your full log would possibly help knowledgable members to offer advice.

Re: Possible DoS attack from shadowserver.org

Unst-Shetland — Fri, 03 Oct 2025 10:47:21 GMT

Thanks for your reply. Apologies, I missed off the more complete log extract in my previous post. I feel the log extract is a bit long to add directly to the forum so here's a link to it in Pastebin:

Router Log File

What is happening is not a matter of a simple port scan and nor are open ports being found of concern here. As you can see from the context in the log extract on Pastebin, each "DoS" line in the log correlates closely with a drop of connection.

What is happening appears in fact to be a crafted attack designed to exploit a vulnerability in some routers. It would seem that shadowserver.org is sending out these attacks (and other scans of course) on a large scale and my router, supplied by Plusnet, just happens to be vulnerable.

Did you read the link I provided?

This one: https://www.shadowserver.org/what-we-do/network-reporting/high-loop-dos-report/

In part it reads:

---
This report contains information about hosts that can be abused in a novel type of Denial-of-Service (DoS) attacks: application-layer loop DoS. Such loop DoS attacks become possible if two network services indefinitely respond to each other’s messages. The hosts contained in this file have been found to cause such endless loop patterns. If you receive this report for your network or experience abuse of such hosts, consult the advisory on how to mitigate the resulting attacks.
---

It is well worth reading the information at the link as well as the "advisory on how to mitigate the resulting attacks" that it further links to.

The router logs I have do not provide enough information to be certain but it does appear that there is a similar (or perhaps the same) UDP-based DoS attack ongoing.

> How would PN be aware - they do not routinely monitor your connection?

Running a large network is complex and in fact both ISPs and corporate networks commonly do run a range of intrusion detection and performance monitoring tools, packet shapers, etc. An ISP definitely should be aware when its supplied CPE is going down repeatedly and what the logs indicate about that.

This is not the same as monitoring the private details of one's connection but they do (or should) monitor connections and large scale trends across their network.

> 'updating the firmware' would not prevent this type of intrusion

As you can see from the link I provided, updating router firmware most certainly can provide protection from crafted attacks of this sort. The attack (either the one described in the link I provided or a similar one) is specifically crafted to exploit vulnerable network firmware.

Re: Possible DoS attack from shadowserver.org

Champnet — Fri, 03 Oct 2025 11:05:31 GMT

@Unst-Shetland If you take a look here : https://www.abuseipdb.com you'll see what others are reporting.

Re: Possible DoS attack from shadowserver.org

Dan_the_Van — Fri, 03 Oct 2025 12:02:48 GMT

@Unst-Shetland

For completeness can you post the exported .CSV event log, there are some many missing messages in what you have provided. This is best done using a browser on a PC rather than a smart device

Use the paper clip icon found below the reply window.

These events do not usually cause the connection to drop.

Re: Possible DoS attack from shadowserver.org

jab1 — Fri, 03 Oct 2025 12:06:19 GMT

@Dan_the_Van wrote:

These events do not usually cause the connection to drop.

My thoughts exactly - which is why I requested the full log earlier.

Re: Possible DoS attack from shadowserver.org

jab1 — Fri, 03 Oct 2025 19:39:21 GMT

@Unst-Shetland Sorry, for some reason, I missed your post timed at 11.47. That Pastebin report is not really helpful, as it is too 'expanded' - a simple attachment to a post is much easier to read and more helpful - if you could oblige, please.

EDIT: IF this was true - the HUB2 being vulnerable - we would have seen more reports similar to yours - we haven't.

Re: Possible DoS attack from shadowserver.org

Dan_the_Van — Sat, 04 Oct 2025 07:30:16 GMT

@Unst-Shetland

A nmap UDP port check using the IP Address in your first post reveals this for port 19

PORT STATE SERVICE 19/udp open|filtered chargen

Importantly; when I have previously used the Hub two on FTTC and FTTP I received a succession of the following messages

DoS(UDP Loopback), DoS(Spoofing) and DoS(Port Scanning), these DoS messages would usually occur at the start of an hour.

None were associated with a preceding Link Down messages, so may be in your case it is a coincidence.

I do note

17:00:03, 02 Oct. DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=64.62.197.43 DST=146.199.152.193 LEN=51 TOS=0x00 PREC=0x00 TTL=52 ID=57820 DF PROTO=UDP SPT=9225 DPT=7 LEN=31 MARK=0x8000000

Link down messages start at 18:17

This will be the likely cause of your disconnects

18:17:24, 02 Oct. WAN connection WAN1_INTERNET_ETH disconnected.[ERROR_NO_CARRIER]

ERROR_NO_CARRIER can be caused by a poorly secured Hub WAN port to ONT LAN port, this would result in a flashing orange light on the Hub

A disconnect between the Hub and the upstream PPPoE server this would result in the Hub light be a solid orange colour

A previous request for the full event log would be helpful.

Re: Possible DoS attack from shadowserver.org

Unst-Shetland — Sun, 05 Oct 2025 10:40:37 GMT

Log file as requested.

Re: Possible DoS attack from shadowserver.org

jab1 — Sun, 05 Oct 2025 11:10:30 GMT

@Dan_the_Van Interesting error log, but a very full one. I can't see too much I can safely comment on - never really seen a Hub2 log on FTTP, so I'll leave it to you as you have had more experience.

Re: Possible DoS attack from shadowserver.org

MisterW — Sun, 05 Oct 2025 11:39:30 GMT

There's a significant number of 'error_no_carrier' logs which on an FTTP (Full Fibre) broadband service indicate a disconnect between the router and the Openreach network. They seem to last only for about 6 or 7 seconds.

They could be caused by :-

1) An intermittent fault e.g bad connection in the Fibre network

2) A faulty ONT

3) Bad cable or connection (as @Dan_the_Van suggested earlier ) between the router and ONT

4) Faulty router or WAN port

@Unst-Shetland

1) would almost certainly show as a change in the lights on the ONT (either LOS red or PON flashing) , do you notice any change when the drops happen ?

3) could be eliminated by confirming both ends of the cable are properly locked and, if so, then a possible change in cable

Re: Possible DoS attack from shadowserver.org

Dan_the_Van — Sun, 05 Oct 2025 11:48:01 GMT

@MisterW

thanks, you've saved me some typing 🙂

@Unst-Shetland

To me it looks like you upgraded to Full Fibre at 09:27:48, 09 Sep. WAN Auto-sensing detected port Ethernet WAN

Also keep an eye on the Hub's light, flashing or solid orange.

Re: Possible DoS attack from shadowserver.org

Unst-Shetland — Tue, 07 Oct 2025 08:57:37 GMT

Had no internet for a couple of hours yesterday, so was able to check a few things:

---
A disconnect between the Hub and the upstream PPPoE server this would result in the Hub light be a solid orange colour
---

Yes, it was a solid orange colour.

Turning the router on and off again did not change this.

---
1) would almost certainly show as a change in the lights on the ONT (either LOS red or PON flashing) , do you notice any change when the drops happen ?
---

No change, all 4 lights still green.

Would this issue be detectable by Plusnet further upstream, eg. would it show in their ISP/etc. logs ?

Re: Possible DoS attack from shadowserver.org

Dan_the_Van — Tue, 07 Oct 2025 11:14:50 GMT

@Unst-Shetland

plusnet do not proactively monitor connections, the solid orange light would indicate an upstream issue.

There is a possibility of an openreach infrastructure issues. The logs show many disconnect since you went live with Full Fibre

I would suggest reporting the issue to plusnet; follow the instructions here https://www.plus.net/help/report-a-problem/

Re: Possible DoS attack from shadowserver.org

Unst-Shetland — Tue, 07 Oct 2025 13:01:44 GMT

Have replaced the network cable between the router and the box on the wall, I'll see if that makes any difference.

Then I'll try a different router.

Then I'll try this route:

---

I would suggest reporting the issue to plusnet; follow the instructions here https://www.plus.net/help/report-a-problem/

---

Re: Possible DoS attack from shadowserver.org

jab1 — Tue, 07 Oct 2025 13:06:00 GMT

@Unst-Shetland If the fault is upstream of you, you are wasting your time with those proposals - they will achieve nothing.

Report your problem now - not in three months time.

Re: Possible DoS attack from shadowserver.org

Unst-Shetland — Fri, 10 Oct 2025 22:06:09 GMT

---
Report your problem now - not in three months time.
---

Should I wait until the internet is actually not working, and its between 8am and 7.30pm when Plusnet support is open, or just report it any time during those working hours ?

Replacement cable appears not to have made any difference, see last day logfile:

9 * WAN connection WAN1_INTERNET_ETH disconnected.[ERROR_NO_CARRIER] since 7th October 2025.

Oh and the Plusnet router has a bug in its log display, it misses a line on the page at the top or bottom, I can't remember which.

I noticed when I compared the downloaded log to the displayed one in the router, since it was missing a [ERROR_NO_CARRIER] which I had seen earlier and suddenly wasn't visible, except in the downloaded copy.

Re: Possible DoS attack from shadowserver.org

jab1 — Sat, 11 Oct 2025 06:10:54 GMT

Should I wait until the internet is actually not working, and its between 8am and 7.30pm when Plusnet support is open, or just report it any time during those working hours ?

No - use the bot to report it - even if it is 'working' - the automated testing doesn't just look at the current state.

Re: Possible DoS attack from shadowserver.org

jab1 — Sat, 11 Oct 2025 06:38:15 GMT

@Dan_the_Van / @MisterW I think I'll leave this to you. No expert, but those numerous PADI/PADO/PADS entries seem suspicious?

Re: Possible DoS attack from shadowserver.org

MisterW — Sat, 11 Oct 2025 06:57:19 GMT

@jab1 they're just another consequence of what seems to be an intermittent WAN connection.

In previous logs , the WAN connection was lost, fairly quickly came back and the PPPoE session was restored within a few seconds.

What seems to be happening now is that the PPPoE session is struggling to reestablish.

It sends the PADI, sometimes it gets the PADO reply, other times it doesnt and continues with PADI. Having got a PADO, it sends PADR expecting a PADS, to then go on complete the PPPoE setup. For many times in the log , it doesnt get the PADS, so times out and goes back to sending PADI. Eventually, it gets the PADS and goes on to setup the PPPoE connection.

Its all consistent with an intermittent connection somewhere between the router and the head-end.

As you said previously, @Unst-Shetland should report a fault now as whatever the problem was, it seems to be getting worse