# ATT Pace 5268 Crashing?



## magnethead (Mar 18, 2006)

Have been having this issue for a while, but ATT says it is on my side of the gateway, not the gateway itself. 

Randomly, usually 2-3 times a day, the internet completely drops out for Ethernet, 2.4, and 5gig wireless. 

Everytime this happens and I check the modem log, the most recent entry is about a voice registrant IP address error. We don't have voice, only internet and uVerse TV. The TV stays working when the internet drops out. 

Can somebody look at my attachments and tell me if anything is screaming out in error?

Thank you


----------



## The_Con-Sept (Feb 28, 2009)

Sounds like an isolated case.

If at&t say they are not getting reports of outages in your area, like a line going down, or servers going offline on their end then it may be your direct connection to your house.

The first thing I would try is moving your modem to another room. Or connect it to another cable, or phone line jack to see if it is a wire in your house that has gone, or is going bad.

Doing so c an help diagnose the frequent disconnects.

You may need to leave your modem in the other room for a week to see if this problem vanishes and before you purchase any new modem.

If the problem persists then it could be your modem going bad. How old is that modem and is it a rental? If it is a rental just ask at&t to send you a new one. Might cost you a bit of money but at least you can mitigate this problem before the entire modem dies.

BUT. Yes a but. It could also mean the wires connecting your modem to the wall are going bad. Which again if you have a rented modem just ask at&t to send you a new coaxial or phone dsl cable. Or you can purchase one yourself from any home improvement store.

If it persists even changing out cables and different rooms, and you got a new rental modem? Then it is the wiring from the walls in your house to the cable or dsl box on the outside of your home. They may be going bad.

Usually they can send a tech out to see if it is getting a strong enough signal and they can easily repair it with a splice.

But if the cable is not repairable from splicing, then they will need to rewire your house which can be costly.

To me this issue sounds like wiring.

So try what I said above before moving forward or paying too much for repairs.


----------



## magnethead (Mar 18, 2006)

This house did not have any trustable copper wiring in it from the dmarc, when we had the uVerse put in the tech ran a dedicated service line from the dmarc to the modem (used 2 of 8 conductors) and unhooked the old antique analog phone line from the dmarc completely. There was no round coax either, everything was 300 ohm for TV.... We only have 2 TV's so one is direct off the modem and the other is a wireless receiver. 

I've attached some more error logs. 

All Ethernet cabling I did myself. 

What throws me off is that the modem detects the full service bandwidth, but randomly admits itself with a 1.5 second ping time. 

There is no consistency or rational as to when the apparent 'loss of internet's occurs. No time of day reference, no weather reference. Usually lasts 2-5 minutes then corrects itself.

I do know that from the house dmarc to the local node is a bonded pair cable, because the tech could not get a very good signal on a single pair when service was installed. And at some point the line was damaged and repaired thereafter when the modem lost full broadband connection.


----------



## magnethead (Mar 18, 2006)

Also, here are two more logs that have captured my attention. I don't have any port forwarding enabled in the modem. Do these look like some sort of attack/ddos queries trying to access a VNC remote or RDP remote session on my public IP? That is what I see. And there is a truckload of them in the logs.


----------



## JimE (Apr 16, 2009)

Aside from pouring through logs, it will likely be easier to see where the traffic is dying.

Are you able to ping from the router/gateway out during the outage (assuming that hardware provides that option)? Barring that, are you able to ping the router/gateway during the issue? Have you tried running a traceroute during the issue?

So if you can ping the router/gateway during the outage, you are proving connectivity to the router/gateway. If you can't ping through the router/gateway, or can't ping out from the router/gateway during the issue, then the problem is the router/gateway or it's connectivity to the ISP.

I would suspect a router/gateway issue or an ISP issue. Keep calling and reporting the issue (no matter how frustrating it gets). At some point, it will get the attention of someone that actually cares about their job (may take longer than usual, we are talking about AT&T). At a minimum, I would expect a truck roll to at least check signals and swap their hardware.


----------



## magnethead (Mar 18, 2006)

JimE said:


> Aside from pouring through logs, it will likely be easier to see where the traffic is dying.
> 
> Are you able to ping from the router/gateway out during the outage (assuming that hardware provides that option)? Barring that, are you able to ping the router/gateway during the issue? Have you tried running a traceroute during the issue?
> 
> ...


I am able to get into the modem, yes. If I run a ping (see OP), the ping times to Google exceed 1.5 seconds. I haven't done a traceroute. 

Also, on my most recent reply, I'd appreciate another set of eyes on those firewall logs because it seems like somebody is hammering the modem firewall on the RDP and VNC ports. But I'd like confirmation from another eyeball.


----------



## magnethead (Mar 18, 2006)

It just happened again, and traceroute to Google came back clean albeit it around 300ms total.

The firewall log has over 1800 entries in it since midnight this morning (about 100 entries per hour). I'm going to see if I can get ATT to change my public IP (it's static and I get no option to change it). 



> traceroute Google with: 64 bytes of data
> 
> 1: 76.225.140.1(76-225-140-1.lightspeed.rcsntx.sbcglobal.net), time=24 ms
> 2: 71.155.70.189(71.155.70.189), time=22 ms
> ...





> notice	Aug 3 19:39:43
> IN=br1 MAC=e0:22:02::grin: SRC=134.209.31.121 DST= TTL=48 PROTO=TCP DPT=5900 Drop Unknown Incoming Packet
> 
> notice	Aug 3 19:41:25
> ...


----------



## The_Con-Sept (Feb 28, 2009)

Ok.... Sorry for taking a while to reply.

DDOS attacks only happen if the person sending you the DDOS attack knows your ip address specifically; or a website. You don't perhaps have a website running on your computer at home using your modem/router with Dynamic Hosting do you? If so then a DDoS attack is plausible.

If you are not using a website then you can simply perform the ritual of getting a new IP address.

Oh wait. you said your ip address is static? How? IP addresses change all of the time. Changing your ip address is as simple as making up an IP address you want to use on your computer and then resetting it back to default automatic DHCP configuration. The only reason to have a static IP address is if you are running a website from your computer.

And it also sounds like the Primary and Secondary DNS might be having an issue if your ping time is offset by more than a few seconds. You may want to try configuring the modem to connect to a different DNS gateway. Google has a free one and I would use it as either the primary or secondary whilst still keeping one of the DNS gateways from AT&T intact. All the DNS settings do is route you to different hubs to get to the main lines of the rest of the world. Using different DNS gateways isn't at all a bad thing to do but be careful as some DNS gateways are monitored and combed by who knows what type of person.

Choose your DNS server wisely.

If the problem is not someone local, such as room mate, neighbor, and whom ever you may let connect to your wifi network. Then it may be something else.

I would still try to get a new ip address. Which shouyld not require you to call AT&T to do.

Simply accessing your computer's IP settings on windows 10:
Click on windows icon, hit settings, select network and internet, in "status" tab look for "Change adapter Options." Look for Ethernet connection and right click- Select Properties. Find Internet Protocol Version 6, and version 4. Editing one at a time by hitting "properties" on both it will bring up a window. In it is two options with a block dot marking which one is selected. Just select "Use the following IPV6(or IPV4) address. Make up a bunch of random three digit numbers between 0 and 124. Make subnet Mask 255.255.255.0 or Prefix length any random number. Use any random ip number for your default DNS settings. Hit apply. Wait like 3 seconds. Go right back into its properties and reset them back to "obtain IPv6(or IPV4) address automatically. Wait about 3 seconds. Watch as your computer goes back online. Go to googles home page to ensure the connection has been re-established. And you should have a brand new IP address.

Or you can call AT&T and hope to god they don't charge you for this.

Also the logs you have sent us are from your phone. You may want to be doing this using a computer as a cell phone does not have the ability to reset an ip address.

Also noticed Lookout running.


----------



## magnethead (Mar 18, 2006)

I have had the same public IP address across 2 residential gateways over the last 4 years. ATT claims it is dynamic, but never changes. 

https://forums.att.com/t5/2014-Archive/Been-getting-DDoSed-how-do-i-change-my-ip/td-p/3565127

https://forums.att.com/t5/AT-T-Fibe...ge-Public-IP-address-on-AT-amp-T/td-p/5403449



> There is no way to get your IP changed. You can buy a static IP if you want to have a different IP to use, but that's not going to change the dynamic IP


https://forums.att.com/t5/AT-T-Fiber-Equipment/Can-at-amp-t-change-my-ip/td-p/5405352



> No, you can't get the IP changed. And no, the IP doesn't change if you get a new RG, it can change when you do, but 90% of the time no, it wont


I do not have DDNS or any public-facing hosting running. I do have FTP going to my DiskStation so i can access my NAS remotely...and just noticed in the logs that an IP did find that out and got through this morning...

As far as DNS, I do not have a way to change where the modem points. I much prefer to use Google DNS....



> *Internet Connection Type*
> Broadband Link	Built in modem - ADSL/VDSL
> IP Connection	Direct IP (DHCP or Static)
> 
> ...


----------



## magnethead (Mar 18, 2006)

From 5AM to 11AM this morning, I have almost 1800 entries in the firewall log alone. That's 300 entries per hour or 5 entries per minute.

These IP's are just from the first 15 minutes, doing a document-find to get entry numbers. 31 unique IP's in 15 minutes of log.

I turned off all port forwarding now. (FTP to my NAS was the only one enabled before)


```
42.188.86.230 - 1 entry Kuala Lumpor
45.32.118.90 - 33 entries Australia
52.7.200.96 - 7 entries USA
54.164.96.143 - 5 entries USA
77.247.108.160 - 2 entries India
78.129.132.154 - 3 entries UK
89.248.174.201 - 5 entries Seychelles
94.102.49.190 - 2 entries
94.102.51.34 - 2 entries Seychelles
94.102.53.10 - 5 entries Seychelles
104.8.210.5 - 13 entries USA
107.170.196.102 - 1 entry
108.62.202.220 - 20 entries USA
112.80.159.216 - 1 entry
113.200.88.211 - 5 entries China
122.228.19.80 - 9 entries China
125.64.94.211 - 2 entries
125.64.94.220 - 3 entries China
134.209.31.121- 300 entries (hammering port 5900) Not Owned
172.217.9.170 - 2 entries
180.246.148.23 - 1 entry
182.114.75.174 - 1 entry China
184.105.247.216 - 1 entry
185.94.111.1 - 2 entries
185.143.221.62 - 2 entries Russia
185.175.93.21 - 2 entries
185.209.0.17 - 2 entries
185.209.0.143 - 8 entries Latvia
185.244.25.151 - 9 entries Netherland
208.100.26.228 - 4 entries
216.243.31.2 - 1 entry
```


----------



## The_Con-Sept (Feb 28, 2009)

This is definitely above normal activity. It is starting to sound like an illegal operation is happening with your computer. Do you have anti virus software running on your computer('s) at home? And if you do are they up to date and uncompromised? 

Because this is beginning to sound a lot like an illegal porn hack.

Had a teacher in mid school suffer an attack similar to this. He had no idea this was happening. You can't even find the files in one piece on a single machine. Ip traffic was odd. The only thing that did him in was his ip address.

With that much traffic you may have been exposed to code that installed a bit of a bit torrent client running on your system..

I am not saying g this is indeed what is going on, but it sure does seem like it is.

At least I have not encountered something like this for a while. And AT&T can shove their forums up their own @**. I'd cancel services with them and go with a competitor.

What ever those ip addresses are accessing they are getting from your connection.

You don't have any one else connected to your router? No other computers? No one else besides you accessing the Internet?

Because if you are the only person using it then it sounds like a hack. But someone could be using something like bit torrent or u torrent on their machine. With ip traffic working like that it sounds like they are getting at least so ething from your machines.


----------



## magnethead (Mar 18, 2006)

I am on a Mac (El Capitan), and dad's computer is on Windows 7 with active AV. His computer has never had port forwarding enabled (has never needed it). I used to have VNC PF'd to my mac and FTP to my NAS, but i turned the VNC after i saw all the port hammering, and just turned the FTP off now that I saw that pinhole access yesterday. I was previously using a dell server as a NAS and had RDP and FTP PF'd to it, but i replaced it with a synology box in MArch or April.

ATT is the only provider where I am. We'd love to be on another carrier.


----------



## Corday (Mar 3, 2010)

We recommend that you read this article…
https://www.techsupportforum.com/forums/f50/new-instructions-read-this-before-posting-for-malware-removal-help-305963.html
follow the instructions very carefully; then, post all the requested logs and information; as instructed, in the https://www.techsupportforum.com/forums/f50/ section of the forum.
(Simply, click on the colored links to be re-directed.)

Please ensure that you create a new thread in the https://www.techsupportforum.com/forums/f50/Forum; not back here in this one.

When carrying out The Malware Removal Steps, if you cannot complete any of them for whatever reason, just continue on with the next one until they are all completed. 
However,it is extremely important to make mention of the fact that you could not complete any of the steps in your post to the https://www.techsupportforum.com/forums/f50/ Forum; where an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.


----------



## djbillyd (Jul 25, 2010)

magnethead said:


> I am on a Mac (El Capitan), and dad's computer is on Windows 7 with active AV. His computer has never had port forwarding enabled (has never needed it). I used to have VNC PF'd to my mac and FTP to my NAS, but i turned the VNC after i saw all the port hammering, and just turned the FTP off now that I saw that pinhole access yesterday. I was previously using a dell server as a NAS and had RDP and FTP PF'd to it, but i replaced it with a synology box in MArch or April.
> 
> ATT is the only provider where I am. We'd love to be on another carrier.


Dude, your problem is AT&T. They will blow smoke up your can from 12 different directions, and it will ALWAYS be on your side of the DMarc. That's just what they do. And being the only carrier where you are, have you asked any neighbors if they are having the ATT shuffle issue too. I got Uverse a couple of months ago..., in May, and they have had to come back 4 times. They have replaced every device I have, at least once. And I have another option. Problem is, they wear a mask when they figure your bill, and rob you without a gun!


----------



## magnethead (Mar 18, 2006)

Corday said:


> We recommend that you read this article…
> https://www.techsupportforum.com/forums/f50/new-instructions-read-this-before-posting-for-malware-removal-help-305963.html
> follow the instructions very carefully; then, post all the requested logs and information; as instructed, in the https://www.techsupportforum.com/forums/f50/ section of the forum.
> (Simply, click on the colored links to be re-directed.)
> ...


I am on a mac, so your instructions here are not exactly valid?


----------



## magnethead (Mar 18, 2006)

djbillyd said:


> Dude, your problem is AT&T. They will blow smoke up your can from 12 different directions, and it will ALWAYS be on your side of the DMarc. That's just what they do. And being the only carrier where you are, have you asked any neighbors if they are having the ATT shuffle issue too. I got Uverse a couple of months ago..., in May, and they have had to come back 4 times. They have replaced every device I have, at least once. And I have another option. Problem is, they wear a mask when they figure your bill, and rob you without a gun!


I think everybody else here is on DSL and DirecTV. We're the only house on the street within distance of the uVerse hub, and I'm on a bonded pair just to make that connection (single pair was too much latency). They've had to move pairs for me once when a cable got water-shorted...luckily I figured that one out and was able to explain it to the truck tech after complaining to india.

At least the Firewall/modem is denying the packets.


----------



## djbillyd (Jul 25, 2010)

magnethead said:


> I think everybody else here is on DSL and DirecTV. We're the only house on the street within distance of the uVerse hub, and I'm on a bonded pair just to make that connection (single pair was too much latency). They've had to move pairs for me once when a cable got water-shorted...luckily I figured that one out and was able to explain it to the truck tech after complaining to india.
> 
> At least the Firewall/modem is denying the packets.


Wow! You really got the shaft end of that stick! And they tell you the problem is on YOUR side? They have water boxes, and they say it's your problem? Dude, that's just totally unfair. I'm a network tech too, and pouring over your logs tells me that nothing is wrong from the DMarc to you. The problem is, like I said, AT&T. And they will NEVER admit it. Just make them send techs out every time. If you try to talk to them on the phone, they only have script readers. Not a tech in the center. Make 'em send you a tech every day, if need be. Man, that sucks!!!!


----------



## djbillyd (Jul 25, 2010)

You're over 900' from the hub! They need to run you a distribution cable, and put a closer hub, and them crabs are gonna avoid that as long as they can.


----------



## magnethead (Mar 18, 2006)

djbillyd said:


> You're over 900' from the hub! They need to run you a distribution cable, and put a closer hub, and them crabs are gonna avoid that as long as they can.


The nearest hub that I know of is a little over 2,800 feet away. There might be one I don't know of 1000 feet away where another street splits off the highway, though. That would make their leg 1,800 and my leg 1,000.


----------



## djbillyd (Jul 25, 2010)

magnethead said:


> The nearest hub that I know of is a little over 2,800 feet away. There might be one I don't know of 1000 feet away where another street splits off the highway, though. That would make their leg 1,800 and my leg 1,000.


Wow, that's a mess. But yeah, they need to design a distribution leg, and try to fix your issues. But they will blow smoke as long as you let 'em. 

A tech a day....


----------



## magnethead (Mar 18, 2006)

djbillyd said:


> Wow, that's a mess. But yeah, they need to design a distribution leg, and try to fix your issues. But they will blow smoke as long as you let 'em.
> 
> A tech a day....


That was from Street View dated 2 months ago, too...


----------



## djbillyd (Jul 25, 2010)

magnethead said:


> That was from Street View dated 2 months ago, too...


And believe it, or not, AT&T used to be the "gold" standard of telecommunications. That was because they were the ONLY telecom provider. They now could care less. They find the lowest standard and try to be a cut above that. That's ridiculous!


----------

