U

Friday, March 28th, 2025 7:39 PM

Connectivity Drops due to "DoS Attack: ACK scan"

I am hoping someone can help. My Xfinity internet intermittently completely drops out, on both ethernet connections and Wifi, on avg, about 2-3 times per hour. However it will sometimes go a few hours without it happening at all. When it is stable, it works great (great down/up speeds, ping time, no latency, no packet loss). But when it drops, it completely drops. I am typically alerted due to either being on a zoom call and it losing connection or my nest game will send an alert that it lost connection. Once connection is lost, it reconnects almost immediately.

I have done all of the following troubleshooting. I am using a  Netgear Nighthawk CAX80 Modem/Router with my main computer directly wired to the modem. 

1) Replaced Modem with a new modem

2) Replaced all ethernet cables

3) Replaced access points (2) 

4) Tried on multiple computers

5) Replaced cable that goes from Xfinity box on side of my house to the Modem 

6) Ensured modem firmware was up to date

I have run a network stability monitor to track stability over time and it identified the spikes with the internet outages.  I have reviewed the Modem logs and I have identified a pattern where the modem logs a "(DOS attack) ACK scan" every time an outage occurs (see screenshot below for correlation), with the inbound IP address changing fairly frequently (not coming from the same IP every time). I have researched that specific log entry and the consensus is, if it were a typical DOS attack, it wouldnt say "scan" and it would be ongoing, not just once every 30 minutes. In addition, all the Nighthawk forums say they are more than likely "false positives" where the modem identifies certain activity as a DOS, when it really is normal activity from certain websites or services. 

I am completely out of ideas on how to resolve, any other thoughts or direction would be greatly appreciated. Thanks 

6 Messages

5 days ago

Also, I looked up the IP addresses that are triggering the "DOS attack" and they are coming from Microsoft, Apple and Amazon...which leads me to believe it might be normal traffic that is somehow triggering this. 

Contributor

 • 

20 Messages

5 days ago

Have you tried (temporarily?) turning off DOS protection in the router's WAN settings?

6 Messages

Good question, yes, I have tried that, logging stopped capturing the DoS events but I still experienced the intermittent outages.

6 Messages

5 days ago

Cable Diagnostic

Status: Good

Action: Your setup looks fine. If you are still experience an internet issue, the Netgear Cable Knowledge Base can provide additional troubleshooting info.

Internet Access: Good

Downstream Status: Good

    Downstream Power Level: Good

    Downstream SNR: Good

Upstream Status:  Good

    Upstream Power Level: Good


Current time: Sat Mar 29 09:00:14 2025

Startup Procedure
Acquire Downstream Channel: 633 MHz   Locked
Connectivity State:          OK       Operational
Boot State:                  OK       Operational
Security:                   Enabled   BPI+


Downstream Bonded Channels
Channel LockedStatus Modulation ChannelID  Frequency        Power       SNR   Correctables Uncorrectables     
      1     Locked     256 QAM     44     633000000 Hz     3.8 dBmV     43.6 dB     31652     21438
      2     Locked     256 QAM     13     447000000 Hz     2.4 dBmV     44.1 dB     156484     81036
      3     Locked     256 QAM     14     453000000 Hz     2.7 dBmV     44.3 dB     149464     77173
      4     Locked     256 QAM     15     459000000 Hz     2.7 dBmV     44.2 dB     26315     24247
      5     Locked     256 QAM     16     465000000 Hz     2.5 dBmV     44.2 dB     118484     59779
      6     Locked     256 QAM     17     471000000 Hz     2.6 dBmV     44.2 dB     137857     68397
      7     Locked     256 QAM     18     477000000 Hz     3 dBmV     44.3 dB     23004     26414
      8     Locked     256 QAM     19     483000000 Hz     2.8 dBmV     44.2 dB     95427     47202
      9     Locked     256 QAM     20     489000000 Hz     2.6 dBmV     42.4 dB     143699     69906
     10     Locked     256 QAM     21     495000000 Hz     2.9 dBmV     43.3 dB     26343     27645
     11     Locked     256 QAM     22     501000000 Hz     3.1 dBmV     43.5 dB     74228     36064
     12     Locked     256 QAM     23     507000000 Hz     3.1 dBmV     44.3 dB     123159     60284
     13     Locked     256 QAM     24     513000000 Hz     3 dBmV     44.1 dB     21856     28163
     14     Locked     256 QAM     25     519000000 Hz     3 dBmV     44.2 dB     53168     28292
     15     Locked     256 QAM     26     525000000 Hz     3.1 dBmV     44.2 dB     115963     54521
     16     Locked     256 QAM     27     531000000 Hz     3.4 dBmV     44.3 dB     20371     30229
     17     Locked     256 QAM     28     537000000 Hz     3 dBmV     44.1 dB     44660     24731
     18     Locked     256 QAM     29     543000000 Hz     2.8 dBmV     44 dB     102511     49273
     19     Locked     256 QAM     30     549000000 Hz     3 dBmV     44 dB     21450     33431
     20     Locked     256 QAM     31     555000000 Hz     3.2 dBmV     43.8 dB     31245     19114
     21     Locked     256 QAM     32     561000000 Hz     3.2 dBmV     37.5 dB     111695     49469
     22     Locked     256 QAM     33     567000000 Hz     3.3 dBmV     42.7 dB     21194     32170
     23     Locked     256 QAM     34     573000000 Hz     3.7 dBmV     43.7 dB     21380     15821
     24     Locked     256 QAM     35     579000000 Hz     3.6 dBmV     44 dB     65180     35476
     25     Locked     256 QAM     36     585000000 Hz     3.8 dBmV     44.2 dB     17499     32356
     26     Locked     256 QAM     37     591000000 Hz     3.9 dBmV     43.1 dB     16525     14687
     27     Locked     256 QAM     38     597000000 Hz     3.9 dBmV     43 dB     50139     28697
     28     Locked     256 QAM     39     603000000 Hz     3.8 dBmV     43.8 dB     17863     31323
     29     Locked     256 QAM     40     609000000 Hz     3.9 dBmV     43.8 dB     14280     14009
     30     Locked     256 QAM     41     615000000 Hz     3.5 dBmV     44 dB     41092     25871
     31     Locked     256 QAM     42     621000000 Hz     3.8 dBmV     44 dB     16672     28831
     32     Locked     256 QAM     43     627000000 Hz     4.1 dBmV     44.1 dB     11521     12755


Upstream Bonded Channels
Channel   LockedStatus  ChannelType ChannelID   SymbolRate        Frequency       Power     
      1       Locked       ATDMA     20       5120 Ksym/sec       35600000 Hz       40.0 dBmV
      2       Locked       ATDMA     18       5120 Ksym/sec       22800000 Hz       40.3 dBmV
      3       Locked       ATDMA     19       5120 Ksym/sec       29200000 Hz       39.8 dBmV
      4       Locked       ATDMA     17       5120 Ksym/sec       16400000 Hz       40.3 dBmV
      5       Not Locked       Unknown      0       0       0       0.0
      6       Not Locked       Unknown      0       0       0       0.0
      7       Not Locked       Unknown      0       0       0       0.0
      8       Not Locked       Unknown      0       0       0       0.0


Downstream OFDM Channels
Channel   LockedStatus  ProfileID  ChannelID    Frequency       Power       SNR/MER    ActiveSubcarrier    Unerror    Correctable   Uncorrectable
      1     Locked     0 ,1 ,2 ,3     193     722000000 Hz     5.08 dBmV     43.9 dB     328 ~ 3767     2622306594     632358127     467554
      2     Locked     0 ,1 ,2 ,3     194     957000000 Hz     5.58 dBmV     43.6 dB     148 ~ 3947     2678112195     452753168     145379


Upstream OFDMA Channels
Channel   LockedStatus    ProfileID    ChannelID    Frequency       Power
      1     Not Locked     0      0     0 Hz     0 dBmV
      2     Not Locked     0      0     0 Hz     0 dBmV

6 Messages

5 days ago

Below is the Cable Diagnostic info with Mac addresses removed: 

Event Log
         Time               Priority     Description
Sat Mar 29 08:53:22 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 1.;
Sat Mar 29 08:02:52 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 
Sat Mar 29 07:58:37 2025     Warning     Dynamic Range Window violation
Sat Mar 29 07:58:37 2025     Warning     RNG-RSP CCAP Commanded Power Exceeds Value Corresponding to the Top of the DRW;CM-MAC=
Sat Mar 29 07:58:03 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 2 3.;CM-MAC=
Sat Mar 29 07:56:43 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 07:45:17 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 2 3.;CM-MAC=
Sat Mar 29 07:42:47 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 2 3.;CM-MAC=
Sat Mar 29 04:55:11 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 04:50:28 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 04:37:45 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 04:36:22 2025     Warning     Dynamic Range Window violation
Sat Mar 29 04:36:22 2025     Warning     RNG-RSP CCAP Commanded Power Exceeds Value Corresponding to the Top of the DRW;CM-MAC=;CMTS-MAC=
Sat Mar 29 04:36:06 2025     Critical     Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=;CMTS-MAC=
Sat Mar 29 04:36:05 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=5;CMTS-MAC=
Sat Mar 29 04:36:03 2025     Critical     Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=;CMTS-MAC=
Sat Mar 29 03:37:26 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=;CMTS-MAC=
Sat Mar 29 03:36:22 2025     Warning     Dynamic Range Window violation
Sat Mar 29 03:36:22 2025     Warning     RNG-RSP CCAP Commanded Power Exceeds Value Corresponding to the Top of the DRW;CM-MAC=;CMTS-MAC=
Sat Mar 29 03:36:15 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=CMTS-MAC=
Sat Mar 29 03:36:06 2025     Critical     Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=-MAC=
Sat Mar 29 03:34:37 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 03:33:26 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 03:33:20 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 03:31:25 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 03:28:24 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 3.;CM-MAC=
Sat Mar 29 03:28:21 2025     Critical     Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=54:07:7d:c6:8d:78;CMTS-MAC=
Sat Mar 29 03:27:18 2025     Critical     UCD invalid or channel unusable;CM-MAC=;CMTS-MAC=;CM-QOS=1.1;CM-VER=3.1;
Sat Mar 29 03:27:18 2025     Notice     DS profile assignment change. DS Chan ID: 33; Previous Profile: ; New Profile: 1 2 3.;CM-MAC=;CMTS-MAC=
Sat Mar 29 03:07:18 2025     Notice     CM-STATUS message sent. Event Type Code: 1; Chan ID: 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: N/A.;CM-MAC=;CMTS-MAC=
Sat Mar 29 03:07:13 2025     Warning     MDD message timeout;CM-MAC=;CMTS-MAC=;CM-QOS=1.1;CM-VER=3.1;
Sat Mar 29 01:18:05 2025     Notice     CM-STATUS message sent. Event Type Code: 24; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 1 2 3.;CM-MAC=;CMTS-MAC=
Sat Mar 29 01:12:47 2025     Warning     Dynamic Range Window violation
Sat Mar 29 01:12:47 2025     Warning     RNG-RSP CCAP Commanded Power Exceeds Value Corresponding to the Top of the DRW;CM-MAC=;CMTS-MAC=
Sat Mar 29 01:12:45 2025     Warning     Dynamic Range Window violation
Sat Mar 29 01:12:45 2025     Warning     RNG-RSP CCAP Commanded Power Exceeds Value Corresponding to the Top of the DRW;CM-MAC=;CMTS-MAC=
Sat Mar 29 01:12:45 2025     Warning     Dynamic Range Window violation
Sat Mar 29 01:12:45 2025     Warning     RNG-RSP CCAP Commanded Power Exceeds Value Corresponding to the Top of the DRW;CM-MAC=8;CMTS-MAC=
Sat Mar 29 01:12:34 2025     Notice     CM-STATUS message sent. Event Type Code: 16; Chan ID: 193 194; DSID: N/A; MAC Addr: N/A; OFDM/OFDMA Profile ID: 2 3.;CM-MAC=;CMTS-MAC=

Official Employee

 • 

3.1K Messages

3 days ago

@user_bqimni Thank you for reaching out. Have you had a technician to your home? You stated you replaced the coax cable from your home to the box, and I was wondering if that was personally completed by you or a professional? 

6 Messages

Yes, I had an Xfinity tech come out and all he did was a splitter to the line (keep in mind the only Xfinity/Coax service I have is one line to my modem), and he said that would solve the problem. It didnt. So I paid $500 for a company to replace the line from the box to my modem, just so I could ensure that the issue was not with anything I am responsible for. 

More Info: I opened a ticket with NetGear (Modem provider) and they diagnosed the following from the Modem logs. Based on this, I am almost convinced the issue has to do with the Xfinity service itself or physical line from Xfinity to my house. 

    • Your power levels are spot on, but there's a ton of errors in the line. 
    • You’re having t3 and t4 errors and range window violations, so there are connection issues
    • T3 and T4 errors indicate signal loss or degradation or poor cable quality
    • Usually, an indicator of faulty or aging cabling
    • Range window violations occur when the commanded power level for an upstream channel exceeds the acceptable range
    • This will cause “intermittent connectivity issues or a complete loss of internet service”
    • He said this an indicator of issues with the cable modem, loose or damaged cables, or issues with the CMTS (cable modem termination system)
    • He said this is a device used by Xfinity to manage and terminate the signals from the cable modems to the subscribers end, enabling internet access.

     

    Official Employee

     • 

    3K Messages

    Thanks for that information, user_bqimni. We would be happy to take a look at your signals on our end especially if you are still having issues and T3 timeouts. We are here to help! If you can please send us a Direct Message with your full name and your full address.

     

    To send a "Direct Message" to Xfinity Support:
    Click "Sign In" if necessary
    Click the "Direct Messaging" icon or  https://forums.xfinity.com/direct-messaging
    Click the "New message" (pencil and paper) icon
    The "To:" line prompts you to "Type the name of a person". Instead, type "Xfinity Support" there
    - As you are typing a drop-down list appears. Select "Xfinity Support" from that list
    - An "Xfinity Support" graphic replaces the "To:" line
    Type your message in the text area near the bottom of the window
    Press Enter to send it.

     

    I am an Official Xfinity Employee.
    Official Employees are from multiple teams within Xfinity: CARE, Product, Leadership.
    We ask that you post publicly so people with similar questions may benefit from the conversation.
    Was your question answered? Please, mark a reply as the Accepted Answer.tick
    forum icon

    New to the Community?

    Start Here