Forum Discussion

wmcole's avatar
wmcole
New Contributor

Cox Pass-through of DoS attacks?

Connecting to a web page often requires two or three attempts.  HTML email often doesn't render without going back and forth between them several times.  When this is occurring I found the following (or similar) in the router log:

[DoS Attack: RST Scan] from source: 45.232.131.151, port 16187, Monday, January 31,2022 15:52:29
[DoS Attack: RST Scan] from source: 45.232.128.54, port 1121, Monday, January 31,2022 15:40:17
[DoS Attack: RST Scan] from source: 45.232.130.47, port 25736, Monday, January 31,2022 15:25:31
[DoS Attack: ACK Scan] from source: 45.61.142.182, port 10668, Monday, January 31,2022 14:41:49

In this particular instance, the first three IPs trace to cert.br / registgro.br, servers that refuse to expose all the IPs they control and that appear to be set up for spammers, scammers and dark web use.  Therefore COX security should block all communications that originate from IPs belonging to the users of these domains.

The latter one was from a server in San Francisco and so COX should be able to prosecute them under state and federal anti-hacking laws.  WHY DON"T THEY? After all COX IS scanning all our OUTGOING web traffic so they can throttle-down the responses from competing streaming services and those who don't pay the fare for favorable treatment when routing through COX servers.  Seems like they could easily throttle a DOS attack to 0.

2 Replies

  • Bruce's avatar
    Bruce
    Honored Contributor III
    RST Scan

    It looks okay and not malicious or an attack.

    RST Scan is a type of port scan and port scans are as old as the Internet.  Port scans aren't malicious per se but instead could be reconnaissance before an actual DoS.  Port scans are like walking down the street and looking into car windows.  It looks suspicious but you're not doing anything wrong other than looking suspicious.

    RST means the ports are closed and your router is doing its job…especially after 2-3 attempts.  However, if it's happening on 1 website, the website is probably trying to sync with these ports at 1 time and some routers will get confused and log as a DoS attack.  It's not an attack because the port was reset.

    As long as you're seeing these "RST Scan" entries, you're good to go.

  • CrystalS's avatar
    CrystalS
    Former Moderator
    Hello @Wmcole,

    I am so very sorry to learn of your Internet troubles and I'd like to help. Thank you for the feedback. We are always looking for ways to better serve our customers. Please scan your device with virus removal software. Then change your network password. This should resolve your issue.

    Crystal S.
    Cox Support Forum Moderator