Possible DoS attack from shadowserver.org

Unst-Shetland
Dabbler
Posts: 15
Thanks: 5
Registered: ‎03-10-2025

Possible DoS attack from shadowserver.org

Hello. I am suffering repeated connection drops on my new full fibre/FTTP connection.

I have looked at the router logs (I am using your supplied Plusnet Hub Two router) and it would seem that the router is dropping connection due to a DoS attack. Here is a relevant log extract containing the relevant lines as well as context.

Specifically you will see that the router logs show apparent DoS attacks at:

19:00:01, 02 Oct.
DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=65.49.1.69 DST=146.199.152.235 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=9922 DF PROTO=UDP SPT=26948 DPT=19 LEN=9 MARK=0x8000000
(Connection dropped just after this line)

18:44:12, 02 Oct.
DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=65.49.1.72 DST=146.199.152.139 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=18983 DF PROTO=UDP SPT=19512 DPT=19 LEN=9 MARK=0x8000000
(Seemingly connection went down just before this line)

17:00:03, 02 Oct.
DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=64.62.197.43 DST=146.199.152.193 LEN=51 TOS=0x00 PREC=0x00 TTL=52 ID=57820 DF PROTO=UDP SPT=9225 DPT=7 LEN=31 MARK=0x8000000
(Connection dropped just after this line)

The source IP addresses for each of these lines are 65.49.1.69, 65.49.1.72 and 64.62.197.43. In all cases, these IPs point back to shadowserver.org (a customer of Hurricane Electric).

Looking at shadowserver.org's website, it seems their speciality is port scanning and identification of exploitable hosts. In fact, this document on their website from 2024 appears to directly correlate with the nature of the above log events: https://www.shadowserver.org/what-we-do/network-reporting/high-loop-dos-report/

In summary, it would seem that shadowserver.org is DoSing my router and causing repeated connection drops.

Are you aware of this?

Despite their claim on their FAQ page that port scanning is legal under US federal law, their actions are very likely illegal in UK law if done without permission.

Have you given them permission to scan and test exploits on your customers' routers?

Can you block their IP range so that they do not reach your customers' routers?

Can you update the router firmware so as not to be vulnerable to this exploit?

Or is there some other process ongoing?

Thanks for your help on this.


30 replies
jab1
The Full Monty
Posts: 22,707
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Possible DoS attack from shadowserver.org

@Unst-Shetland Looking at those extracts, yes, they are port scans, which unfortunately everyone suffers, but, as I read them, they haven't found any open ports.

PN will not have 'given permission' - no sane ISP would do that. How would PN be aware - they do not routinely monitor your connection?

Plusnet would not block an IP unless it was causing severe damage to a large number of their customers and 'updating the firmware' would not prevent this type of intrusion - numerous bad actors try this from many, many different source IPs.

Sight of your full log would possibly help knowledgeable members to offer advice.

John
Unst-Shetland
Dabbler
Posts: 15
Thanks: 5
Registered: ‎03-10-2025

Re: Possible DoS attack from shadowserver.org

Thanks for your reply. Apologies, I missed off the more complete log extract in my previous post. I feel the log extract is a bit long to add directly to the forum so here's a link to it in Pastebin:

Router Log File 


What is happening is not a matter of a simple port scan and nor are open ports being found of concern here. As you can see from the context in the log extract on Pastebin, each "DoS" line in the log correlates closely with a drop of connection.

What is happening appears in fact to be a crafted attack designed to exploit a vulnerability in some routers. It would seem that shadowserver.org is sending out these attacks (and other scans of course) on a large scale and my router, supplied by Plusnet, just happens to be vulnerable.

Did you read the link I provided?

This one: https://www.shadowserver.org/what-we-do/network-reporting/high-loop-dos-report/ 


In part it reads:

---
    This report contains information about hosts that can be abused in a novel type of Denial-of-Service (DoS) attacks: application-layer loop DoS. Such loop DoS attacks become possible if two network services indefinitely respond to each other’s messages. The hosts contained in this file have been found to cause such endless loop patterns. If you receive this report for your network or experience abuse of such hosts, consult the advisory on how to mitigate the resulting attacks.
---

It is well worth reading the information at the link as well as the "advisory on how to mitigate the resulting attacks" that it further links to.

The router logs I have do not provide enough information to be certain but it does appear that there is a similar (or perhaps the same) UDP-based DoS attack ongoing.

>    How would PN be aware - they do not routinely monitor your connection?

Running a large network is complex and in fact both ISPs and corporate networks commonly do run a range of intrusion detection and performance monitoring tools, packet shapers, etc. An ISP definitely should be aware when its supplied CPE is going down repeatedly and what the logs indicate about that.

This is not the same as monitoring the private details of one's connection but they do (or should) monitor connections and large scale trends across their network.

>    'updating the firmware' would not prevent this type of intrusion

As you can see from the link I provided, updating router firmware most certainly can provide protection from crafted attacks of this sort. The attack (either the one described in the link I provided or a similar one) is specifically crafted to exploit vulnerable network firmware.
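The application-layer loop DoS that the quoted Shadowserver report describes is easy to reproduce in miniature. The Python simulation below is an added example, not code from this thread, from Plusnet or from Shadowserver. It models the two legacy UDP auto-responders involved (echo on port 7, RFC 862, and chargen on port 19, RFC 864) with one handler, delivers a single spoofed datagram whose source is forged as one victim's chargen port and whose destination is the other victim's echo port, and shows that the exchange only stops when the round cap is reached. The hardened handler shows one simple mitigation I chose for illustration (refuse to answer datagrams whose source port is itself an auto-responding service); it is not a statement about what the Hub Two or any other firmware actually does. Note that the log lines quoted earlier in the thread have high source ports (SPT=26948, 19512, 9225) and destination ports 7 and 19: in this model they are the `ORDINARY_PROBE` case, a one-shot check of whether the host answers on those services, not the looping exchange itself.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ECHO, CHARGEN = 7, 19  # RFC 862 echo and RFC 864 chargen, both UDP auto-responders
CHARGEN_BANNER = b"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\r\n"


@dataclass(frozen=True)
class Datagram:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    payload: bytes


Handler = Callable[[Datagram], Optional[Datagram]]


def naive_service(dg: Datagram) -> Optional[Datagram]:
    """Classic behaviour of both victims: answer every datagram, addressed to whatever
    source it claims. UDP has no handshake, so the claimed source is trusted blindly."""
    if dg.dst_port == ECHO:
        return Datagram(dg.dst_host, ECHO, dg.src_host, dg.src_port, dg.payload)
    if dg.dst_port == CHARGEN:
        return Datagram(dg.dst_host, CHARGEN, dg.src_host, dg.src_port, CHARGEN_BANNER)
    return None  # a high port is a client, not a service: nothing answers


LOOP_PRONE = {ECHO, CHARGEN}


def hardened_service(dg: Datagram) -> Optional[Datagram]:
    """Illustrative mitigation (my choice for this example, not a description of any
    real firmware): never answer a datagram whose *source* port is itself an
    auto-responding service. Legitimate clients send from ephemeral ports."""
    if dg.src_port in LOOP_PRONE:
        return None
    return naive_service(dg)


def simulate(handler: Handler, first: Datagram, max_rounds: int = 1000) -> int:
    """Deliver datagrams back and forth until one side stays silent or the cap is hit.
    Returns the number of datagrams delivered; reaching max_rounds means the loop
    never terminated on its own."""
    dg: Optional[Datagram] = first
    delivered = 0
    while dg is not None and delivered < max_rounds:
        delivered += 1
        dg = handler(dg)
    return delivered


# Attacker's single spoofed trigger: source forged as victim B's chargen port,
# destination victim A's echo port. Host names are placeholders for this example.
SPOOFED_TRIGGER = Datagram("victim-B", CHARGEN, "victim-A", ECHO, b"x")

# A one-shot probe from a high source port, like the SPT/DPT pairs in the Hub log lines.
ORDINARY_PROBE = Datagram("scanner", 26948, "victim-A", CHARGEN, b"")

if __name__ == "__main__":
    print("naive service, spoofed trigger  :", simulate(naive_service, SPOOFED_TRIGGER))
    print("hardened service, spoofed trigger:", simulate(hardened_service, SPOOFED_TRIGGER))
    print("hardened service, ordinary probe :", simulate(hardened_service, ORDINARY_PROBE))
```

The naive pair exchanges datagrams until the cap; the hardened handler drops the spoofed trigger after one delivery and still answers the ordinary probe (two datagrams: request and reply). Source-port filtering alone only breaks loops against the services you enumerate, so real deployments pair it with response rate-limiting or simply disable these legacy services.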

Champnet
Hero
Posts: 3,151
Thanks: 1,236
Fixes: 18
Registered: ‎25-07-2007

Re: Possible DoS attack from shadowserver.org

@Unst-Shetland If you take a look here : https://www.abuseipdb.com   you'll see what others are reporting.

Dan_the_Van
Superuser
Posts: 4,220
Thanks: 2,517
Fixes: 122
Registered: ‎25-06-2007

Re: Possible DoS attack from shadowserver.org

@Unst-Shetland 

For completeness, can you post the exported .CSV event log? There are so many missing messages in what you have provided. This is best done using a browser on a PC rather than a smart device.

Use the paper clip icon found below the reply window. 

These events do not usually cause the connection to drop.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

jab1
The Full Monty
Posts: 22,707
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Possible DoS attack from shadowserver.org

> @Dan_the_Van wrote:
> These events do not usually cause the connection to drop.

My thoughts exactly - which is why I requested the full log earlier. 

John
jab1
The Full Monty
Posts: 22,707
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Possible DoS attack from shadowserver.org

@Unst-Shetland Sorry, for some reason, I missed your post timed at 11.47. That Pastebin report is not really helpful, as it is too 'expanded' - a simple attachment to a post is much easier to read and more helpful - if you could oblige, please.

EDIT: IF this was true - the HUB2 being vulnerable - we would have seen more reports similar to yours - we haven't.

John
Dan_the_Van
Superuser
Posts: 4,220
Thanks: 2,517
Fixes: 122
Registered: ‎25-06-2007

Re: Possible DoS attack from shadowserver.org

@Unst-Shetland 

An nmap UDP port check using the IP address in your first post reveals this for port 19:

PORT   STATE         SERVICE
19/udp open|filtered chargen

Importantly, when I have previously used the Hub Two on FTTC and FTTP I received a succession of the following messages:

DoS(UDP Loopback), DoS(Spoofing) and DoS(Port Scanning), these DoS messages would usually occur at the start of an hour.

None were associated with preceding Link Down messages, so maybe in your case it is a coincidence.

I do note

17:00:03, 02 Oct. DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=64.62.197.43 DST=146.199.152.193 LEN=51 TOS=0x00 PREC=0x00 TTL=52 ID=57820 DF PROTO=UDP SPT=9225 DPT=7 LEN=31 MARK=0x8000000

Link down messages start at 18:17

This will be the likely cause of your disconnects

18:17:24, 02 Oct. WAN connection WAN1_INTERNET_ETH disconnected.[ERROR_NO_CARRIER]

ERROR_NO_CARRIER can be caused by a poorly secured connection between the Hub WAN port and the ONT LAN port; this would result in a flashing orange light on the Hub

or

A disconnect between the Hub and the upstream PPPoE server; this would result in the Hub light being a solid orange colour.

A previous request for the full event log would be helpful. 

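Whether the DoS(UDP Loopback) entries line up with the ERROR_NO_CARRIER events is a question the log can answer mechanically rather than by eye. The Python script below is an added example, not part of the thread or of any Plusnet tooling. It assumes the "HH:MM:SS, DD Mon. message" layout seen in the quoted lines (the exported .CSV may differ) and that all entries fall in one year, since the log carries none. The sample input reuses the three DoS lines and the 18:17:24 ERROR_NO_CARRIER line quoted in the thread; the other two link-down lines are constructed here purely to exercise the matching and say nothing about the poster's real log. For each DoS entry it reports the targeted service, whether the probe arrived at the top of the hour (the pattern Dan_the_Van describes), and the signed gap in seconds to the nearest link-down.

```python
import re
from datetime import datetime

# Constructed sample log. Three DoS lines and the 18:17:24 link-down are from the thread;
# the 18:44:20 and 19:23:47 link-down lines are invented to exercise the correlation.
SAMPLE_LOG = """\
17:00:03, 02 Oct. DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=64.62.197.43 DST=146.199.152.193 LEN=51 TOS=0x00 PREC=0x00 TTL=52 ID=57820 DF PROTO=UDP SPT=9225 DPT=7 LEN=31 MARK=0x8000000
18:17:24, 02 Oct. WAN connection WAN1_INTERNET_ETH disconnected.[ERROR_NO_CARRIER]
18:44:12, 02 Oct. DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=65.49.1.72 DST=146.199.152.139 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=18983 DF PROTO=UDP SPT=19512 DPT=19 LEN=9 MARK=0x8000000
18:44:20, 02 Oct. WAN connection WAN1_INTERNET_ETH disconnected.[ERROR_NO_CARRIER]
19:00:01, 02 Oct. DoS(UDP Loopback): IN=ppp0 OUT= MAC= src=65.49.1.69 DST=146.199.152.235 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=9922 DF PROTO=UDP SPT=26948 DPT=19 LEN=9 MARK=0x8000000
19:23:47, 02 Oct. WAN connection WAN1_INTERNET_ETH disconnected.[ERROR_NO_CARRIER]
"""

# "HH:MM:SS, DD Mon. rest-of-message" as the Hub prints it (assumption: CSV export may differ).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}), (\d{2}) ([A-Za-z]{3})\. (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Legacy UDP services that answer any datagram; the probes in the thread target 7 and 19.
LOOP_PRONE_UDP = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen", 37: "time"}


def parse_log(text):
    """Parse Hub log text into dicts with 'ts', 'kind' (dos / link_down / other),
    'msg' and, for DoS lines, the key=value 'fields'. No year in the log, so
    strptime's default year is used for every entry."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # continuation or unrecognised line; skip rather than guess
        hms, day, mon, msg = m.groups()
        ts = datetime.strptime(f"{day} {mon} {hms}", "%d %b %H:%M:%S")
        if msg.startswith("DoS("):
            # LEN= occurs twice (IP header, then UDP); dict() keeps the later UDP value.
            fields = dict(KV_RE.findall(msg))
            events.append({"ts": ts, "kind": "dos", "msg": msg, "fields": fields})
        elif "ERROR_NO_CARRIER" in msg:
            events.append({"ts": ts, "kind": "link_down", "msg": msg, "fields": {}})
        else:
            events.append({"ts": ts, "kind": "other", "msg": msg, "fields": {}})
    return events


def correlate(events, window_s=30):
    """For each DoS entry, find the nearest ERROR_NO_CARRIER and report the signed gap
    in seconds (positive = link dropped after the probe). within_window marks gaps
    of at most window_s seconds either side."""
    downs = [e["ts"] for e in events if e["kind"] == "link_down"]
    report = []
    for e in events:
        if e["kind"] != "dos":
            continue
        f = e["fields"]
        dpt = int(f.get("DPT", 0))
        gap = min(((d - e["ts"]).total_seconds() for d in downs), key=abs) if downs else None
        report.append({
            "time": e["ts"].strftime("%H:%M:%S"),
            "src": f.get("src"),
            "dpt": dpt,
            "service": LOOP_PRONE_UDP.get(dpt, "other"),
            "top_of_hour": e["ts"].minute == 0,  # probes landing at hh:00:0x
            "gap_to_link_down_s": gap,
            "within_window": gap is not None and abs(gap) <= window_s,
        })
    return report


if __name__ == "__main__":
    for row in correlate(parse_log(SAMPLE_LOG)):
        print(row)
```

On this sample only the 18:44:12 probe has a link-down inside the 30-second window; the 17:00:03 and 19:00:01 probes sit on the hour with the nearest drop well over a quarter of an hour away. Run the same two functions over the full exported log and a real correlation, if there is one, shows up as a cluster of small positive gaps rather than two or three hand-picked coincidences.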
Unst-Shetland
Dabbler
Posts: 15
Thanks: 5
Registered: ‎03-10-2025

Re: Possible DoS attack from shadowserver.org

Log file as requested.

jab1
The Full Monty
Posts: 22,707
Thanks: 7,928
Fixes: 334
Registered: ‎24-02-2012

Re: Possible DoS attack from shadowserver.org

@Dan_the_Van Interesting error log, but a very full one. I can't see too much I can safely comment on - never really seen a Hub2 log on FTTP, so I'll leave it to you as you have had more experience.

John
MisterW
Superuser
Posts: 18,348
Thanks: 7,786
Fixes: 524
Registered: ‎30-07-2007

Re: Possible DoS attack from shadowserver.org

There's a significant number of 'error_no_carrier' logs which on an FTTP (Full Fibre) broadband service indicate a disconnect between the router and the Openreach network. They seem to last only for about 6 or 7 seconds.

They could be caused by :-

1) An intermittent fault, e.g. a bad connection in the fibre network

2) A faulty ONT

3) Bad cable or connection (as @Dan_the_Van suggested earlier ) between the router and ONT

4) Faulty router or WAN port

@Unst-Shetland 

1) would almost certainly show as a change in the lights on the ONT (either LOS red or PON flashing) , do you notice any change when the drops happen ?

3) could be eliminated by confirming both ends of the cable are properly locked and, if so, then a possible change in cable

Dan_the_Van
Superuser
Posts: 4,220
Thanks: 2,517
Fixes: 122
Registered: ‎25-06-2007

Re: Possible DoS attack from shadowserver.org

@MisterW 

thanks, you've saved me some typing 🙂

@Unst-Shetland 

To me it looks like you upgraded to Full Fibre at 09:27:48, 09 Sep. WAN Auto-sensing detected port Ethernet WAN

Also keep an eye on the Hub's light, flashing or solid orange.

Unst-Shetland
Dabbler
Posts: 15
Thanks: 5
Registered: ‎03-10-2025

Re: Possible DoS attack from shadowserver.org

Had no internet for a couple of hours yesterday, so was able to check a few things:

---
A disconnect between the Hub and the upstream PPPoE  server this would result in the Hub light be a solid orange colour
---

Yes, it was a solid orange colour.

Turning the router on and off again did not change this.

---
1) would almost certainly show as a change in the lights on the ONT (either LOS red or PON flashing) , do you notice any change when the drops happen ?
---

No change, all 4 lights still green.

Would this issue be detectable by Plusnet further upstream, eg. would it show in their ISP/etc. logs ?

Dan_the_Van
Superuser
Posts: 4,220
Thanks: 2,517
Fixes: 122
Registered: ‎25-06-2007

Re: Possible DoS attack from shadowserver.org

@Unst-Shetland 

Plusnet do not proactively monitor connections; the solid orange light would indicate an upstream issue.

There is a possibility of an Openreach infrastructure issue. The logs show many disconnects since you went live with Full Fibre.

I would suggest reporting the issue to plusnet; follow the instructions here https://www.plus.net/help/report-a-problem/ 


Unst-Shetland
Dabbler
Posts: 15
Thanks: 5
Registered: ‎03-10-2025

Re: Possible DoS attack from shadowserver.org

Have replaced the network cable between the router and the box on the wall, I'll see if that makes any difference.

Then I'll try a different router.

Then I'll try this route:

---

I would suggest reporting the issue to plusnet; follow the instructions here https://www.plus.net/help/report-a-problem/ 

---