SteveW (Contributor • 18 Messages) • Friday, April 15th, 2022 7:44 PM

UVerse Set top box - DoS Attack

I started tracing a DoS attack I noticed on my router logs (I keep all home traffic on a router behind the ATT 2-Wire router). I traced it to the Cisco WAP that the wireless set top boxes connect through. There appears to be a CiscoSPV Device or wireless bridge (shows CyberTAN as manufacturer) that is part of the set top box that is feeding the DoS attacks on my router. I had issues where I was working and the router rebooted unexpectedly, so I started to investigate. This is not normal.

So, it appears the U-Verse equipment is infected. I tried a hard restart on the STB, but that didn't solve the problem. Anyone have any ideas? 

ACE - Professor • 1.5K Messages • 3 years ago

You can factory reset the WAP as well.  

What model gateway you got there?

Contributor • 18 Messages • 3 years ago

The WAP is a VEN501-AT, gateway is PACE 5268AC - so old one. 

Community Support • 254.4K Messages • 3 years ago

Let's get this traffic under control, @SteveW!

Just as @gr8sho mentioned, we recommend that you restart your WAP as well. Once you do that, let us know if anything changes!

CalebP, AT&T Community Specialist

Contributor • 18 Messages • 3 years ago

I rebooted everything on the network. Unplugged the WAP. Once the wireless set top boxes come back online, my log starts showing [DoS Attack: Ping Sweep] and [DoS Attack: Ping Flood] entries. What is odd, they are showing a slightly different MAC address from what is indicated on the STB label. 

ACE - Expert • 36.8K Messages • 3 years ago

The AT&T gear has a tendency to do probes to detect the other members of the U-verse IPTV network (i.e. locate the DVR, mainly).  I wouldn't be surprised if that's what your security software is flagging.

As for the MAC address, I've seen them use multiple, adjacent, MACs.

I'm inclined to think what you are seeing is probably normal device behavior.

ACE - Professor • 1.5K Messages • 3 years ago

Just curious, is anything not working or some performance issue being observed?

ACE - Professor • 1.5K Messages • 3 years ago

Also, you should not be running any U-verse TV traffic through a personal router.

ACE - Expert • 36.8K Messages • 3 years ago

Also, you should not be running any U-verse TV traffic  through a personal router. 

I don't think he is.  If, like me, he has his U-verse gear connected to the Gateway LAN, and a router (with his regular network) also on that LAN, LAN traffic from the U-verse gear will be seen by the WAN interface of the router.

Contributor • 18 Messages • 3 years ago

JefferMC is right, my ATT router is connected to the WAN side of my network. All the U-Verse traffic is directly connected to the ATT router, so it operates. Since my router unexpectedly rebooted, kicking me out of a meeting, I started looking at the logs and saw the DoS coming from an IP address on the ATT router. Not sure if or why ATT would have their equipment do this, but that is a possibility. Based on the interval on the logs, it looked like a bot that kept trying. I assumed they had a malware infection since the mfg was showing as CyberTAN on the IP address. It looks like others have encountered that from CyberTAN products as well. One thing I did note, there were single-line DoS pings from an Amazon Web Services (outside) address every so often. That made me think there was more to this as well.

That being said, looking at the logs this morning, I am not seeing any more DoS attacks as of last night. To me, it does seem too quick for ATT to push a fix, although I did power down the entire network from the point the fiber comes in the house. Maybe a little overkill to shut down everything and restart, but it can't hurt. I will keep an eye on things. Hopefully this is the last time it happens. 
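As an added example that is not part of this thread or of any AT&T tooling: a small triage script for router log entries of the "[DoS Attack: Ping Sweep]" / "[DoS Attack: Ping Flood]" kind discussed above. It groups hits by source, separates sources on the gateway LAN from outside addresses, checks whether an observed MAC is a few addresses away from the MAC printed on the STB label (the adjacent-MAC behaviour JefferMC describes), and tests whether the hits recur on a fixed interval, which is what made the poster suspect a bot. The log line format, the 192.168.1.0/24 LAN, the AA:BB:CC OUI, every MAC and IP value (the external hit uses the 203.0.113.0/24 documentation range) and the window/tolerance thresholds are all constructed or assumed for the example, not taken from the poster's logs.

```python
"""Triage of router "[DoS Attack: ...]" log entries.

Added example, not code from the thread. The line format, LAN, MACs and
IPs below are constructed; the adjacency window and interval tolerance
are heuristics chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format, modelled on the bracketed entries quoted in the thread.
LINE_RE = re.compile(
    r"^\[DoS Attack: (?P<event>[^\]]+)\] from source: (?P<ip>[\d.]+)"
    r"(?:, MAC: (?P<mac>[0-9A-Fa-f:]{17}))?, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)

# Constructed sample: one LAN source hitting roughly every five minutes with a
# MAC two past the STB label, plus one hit from a documentation-range outside IP.
SAMPLE_LOG = """\
[DoS Attack: Ping Sweep] from source: 192.168.1.77, MAC: AA:BB:CC:12:34:58, 2022-04-15 19:30:01
[DoS Attack: Ping Flood] from source: 192.168.1.77, MAC: AA:BB:CC:12:34:58, 2022-04-15 19:35:02
[DoS Attack: Ping Sweep] from source: 192.168.1.77, MAC: AA:BB:CC:12:34:58, 2022-04-15 19:40:01
[DoS Attack: Ping Flood] from source: 203.0.113.45, 2022-04-15 19:41:10
[DoS Attack: Ping Sweep] from source: 192.168.1.77, MAC: AA:BB:CC:12:34:58, 2022-04-15 19:45:03
"""
GATEWAY_LAN = "192.168.1.0/24"       # assumed gateway LAN seen on the router's WAN port
STB_LABEL_MAC = "AA:BB:CC:12:34:56"  # hypothetical MAC printed on the STB sticker


def parse_log(text):
    """Parse the assumed log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "event": m["event"],
            "ip": ipaddress.ip_address(m["ip"]),
            "mac": m["mac"].upper() if m["mac"] else None,
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        })
    return events


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def adjacent_label(mac, labeled_macs, window=4):
    """Return the labeled MAC that shares `mac`'s OUI and lies within `window` addresses, else None."""
    if mac is None:
        return None
    m = mac_to_int(mac)
    for label in labeled_macs:
        l = mac_to_int(label)
        if (m >> 24) == (l >> 24) and abs(m - l) <= window:  # top 24 bits are the OUI
            return label.upper()
    return None


def summarize(events, gateway_lan, labeled_macs, window=4, jitter_s=10):
    """Per-source summary: scope, hit count, event kinds, MACs, adjacency and periodicity."""
    lan = ipaddress.ip_network(gateway_lan)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    summary = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # "Periodic" if at least three hits and the spacing varies by no more than jitter_s.
        periodic = len(gaps) >= 2 and (max(gaps) - min(gaps)) <= jitter_s
        macs = sorted({e["mac"] for e in evs if e["mac"]})
        adjacent = None
        for mac in macs:
            adjacent = adjacent_label(mac, labeled_macs, window)
            if adjacent:
                break
        summary[str(ip)] = {
            "scope": "lan" if ip in lan else "external",
            "count": len(evs),
            "kinds": sorted({e["event"] for e in evs}),
            "macs": macs,
            "adjacent_to": adjacent,
            "periodic": periodic,
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return summary


def verdict(entry):
    """Coarse label for one summary entry; names what the evidence points at, not whether it is malicious."""
    if entry["scope"] == "external":
        return "external_source"          # cannot be the STB/WAP; check what the router exposes on its WAN side
    if entry["adjacent_to"] and entry["periodic"]:
        return "uverse_gear_periodic_probe"  # MAC next to the STB label, fixed cadence: fits IPTV discovery probes
    if entry["adjacent_to"]:
        return "uverse_gear"
    return "unknown_lan_device"           # something else on the gateway LAN is pinging the router


def analyze_sample():
    return summarize(parse_log(SAMPLE_LOG), GATEWAY_LAN, [STB_LABEL_MAC])


if __name__ == "__main__":
    for ip, entry in analyze_sample().items():
        print(ip, verdict(entry), entry)
```

To run this against a real router log, replace `SAMPLE_LOG` with the exported log text and adjust `LINE_RE` to that router's actual line layout; the useful split is the one above, namely LAN versus outside source, MAC adjacency to the STB label, and whether the cadence is fixed. Pulling the WAP's power and seeing the LAN-scoped, adjacent-MAC entries stop is the confirming step the thread itself suggests.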

ACE - Professor • 1.5K Messages • 3 years ago

Interesting insomuch as I’ve never experienced a router reboot when I had my personal router running in IP Passthrough mode. I don’t run any complicated setup here and there isn’t any benefit to me to consider running two routers since you can’t bridge the gateway like you can with other ISPs such as Comcast.

Att should be monitoring their network and resolving DoS issues routinely.  

Contributor • 18 Messages • 3 years ago

I have never experienced a router reboot either ... was a first for me. I was thinking it was a hardware issue at first. 

On a personal note, ever since I was with Charter/Spectrum, I keep my network behind a firewall from the ISP. Maybe that isn't necessary anymore, but anyone I knew that didn't do that with Charter ended up with infected computers. 

ACE - Expert • 36.8K Messages • 3 years ago

The ISP is interested in protecting its network from you, not the other way around.  It's never a bad idea to have a layer of isolation that protects you.

ACE - Professor • 1.5K Messages • 3 years ago

@SteveW 

Yes, I can understand why you would do that.  Att never gave us a stand-alone modem if you will. It was always tied in with a built in router.  I’m fairly certain the gateway is secure.  The integrated modem/router given by Comcast also looks decent from same perspective.  Where the gateway falls short for me is the WiFi section, and I’ve replaced that with my own mesh router which I run in access point mode.  

Scholar • 404 Messages • 3 years ago

With the incorrect MAC addresses, since so much of U-verse equipment is refurbished I've had boxes where they swapped the network interface card internally but didn't bother to change the stickers on the outside of the box. Also, if you plug a wireless STB in with a wire it will get a different IP and have a different MAC address.

Also, I'm not saying anyone should do this, but.... ALL of the WAPs of each model ATT assigns the exact same admin password, publicly available on Google, to them, although someone would have to be already inside your network to initially access it. Also, again I'm not saying you should do this, but.... given that login you can access the WAP interface and see the SSID and WiFi password and connect any device you want to a relatively stable 5 GHz network (limited to a total of 100 Mbps though, shared between wireless STBs and any other devices). LOL

If someone had done that, then yes, another device could be using the WAP to launch an attack.
