My Router Keeps Reporting an Attack by a Suspicious IP

Hey guys, I’m a bit confused and not sure what to do here. I have an Orbi router, and a few times a day, it reports something like:

“NETGEAR Armor detected that a suspicious location attempted a connection to [device here] and blocked that connection.”

So far it seems to attack my Intel laptop, my wife’s MacBook, and my AMD PC.

I’ve scanned for viruses and malware on both PCs and nothing. I’ve not scanned my wife’s Macbook because I wouldn’t even know how.

I reset my modem, as Spectrum recommended, to get a new external IP address. However, these attacks keep persisting.

Is there anything I can do to stop these attacks, or should I trust my router to continue to protect me?

Thanks for your help.

You can probably ignore it. Any internet facing IP is going to be constantly receiving connection attempts from various locations, and the devices holding these IP’s (if configured reasonably) are going to simply drop those requests on their own.

Good to know, thank you!


To expand a bit on my earlier answer, devices on a home network generally shouldn’t accept any incoming connections from outside the local network, as most applications a home user might use are based on connecting from the app to an outside server- partially to avoid this sort of issue. Home routers block incoming connections by default, so if someone decides they really need, for example, Remote Desktop to be open to any outside IP, they would need to make the router allow it.

It is a bit weird that the router is reporting specific devices being attacked, since they probably don’t have their own IP. I suspect the it’s just throwing in a device name at random, but you might want to check if you have any ports forwarded to internal devices and if so, whether you really need them open.

Got it, thank you!

Yeah I think this would only be the case if there’s port forwarding set up for specific services.

The IP address is owned by Fastly, which is a cloud computing service like CloudFare. It’s probably possible to contact their customer service about it.

So I used this tool:

To check my ports, and none of the common ones were open. I don’t have any open through my router either.

I’ll contact Fastly next. Thanks y’all!

My guess is your router runs some sort of IDS and took traffic from their CDN to be malicious as a false positive, assuming you don’t expose those hosts to the internet.

Well those certainly were words that meant things. ;) (Remember, I’m a moron.)

IDS stands for intrusion detection system, it inspects every packet to see if it matches a signature list like a virus scanner does on your PC. They often have false positives.

Ohhhhhhh I see. Thank you!

This may be my favorite response in the history of QT3…