[Cialug] Router log issue

Matt matt at itwannabe.com
Thu Dec 29 17:39:08 CST 2016


Howdy Tom,

These "attacks" seem to be a router firmware issue in many cases.  See: 
Dos attack - NETGEAR Communities 
<https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi3xvDTp5rRAhUENSYKHeRvD68QFgg9MAA&url=https%3A%2F%2Fcommunity.netgear.com%2Ft5%2FWired-Routers%2FDos-attack%2Ftd-p%2F423857&usg=AFQjCNHgFfbhRVUCWMgvTTPouOAsztKlxg&sig2=EUIShAVhafi4GT5Bqkq5Ew>

However, according to the MaxMind GeoIP database, your attacker is an 
IP in Fuzhou, Fujian, China with the ISP "China Telecom." Generally when 
people complain about dropped connections and these ACK scan log 
entries, it comes from a server that they were trying to access when the 
connection was dropped... things like Amazon, Apple (iTunes), or 
DropBox.  Unless you are trying to access Chinese websites this may be 
some method for breaking into some specific brand of router (or 
"Internet of Things" device) to create a new dumb password test 
drone/botnet node.

I have an iptables shortcut script named after a colorful four-letter 
[f-]word that takes an IP address as an argument and adds a rule for 
dropping all packets from any bots who scan or try to log into my 
VPSes.  Whenever I look through my logs (or see a large number of 
attempts in one of my daily log digests) I just add the IP to the rule 
list.  Of course, my server gets hit by dozens to hundreds of these bots 
a day, so I've only been adding the particularly thorough attempts to 
the list.  Sadly, it appears that fail2ban doesn't notice login failures 
that fail because I have password login disabled for openssh.  Since 
they aren't connecting with a certificate for authorization, they just 
drop off and fail2ban misses them.

I would suggest something like fail2ban if you can make it work on your 
router.  I know you can use it as part of dd-wrt.  Are these entries 
actually causing you to lose your internet connection?

-- Matt (N0BOX)


On 12/29/2016 2:08 PM, Tom Sellers wrote:
> I have a netgear router and have noticed lately that I am seeing a number
> of entries in the log such as the ones below.
>
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:11:29
> [DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:07:33
> [DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:07:12
> [DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:06:36
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:06:14
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:53
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:32
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:10
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:04:49
>
> Ignoring the DHCP updates, I am concerned about the many "Dos attack"
> messages in the log.  Does anyone have any advice/suggestions concerning
> whether or not this is a significant problem that I need to be concerned
> about?
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
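
As an added example (not Matt's script and not code from this thread), here is a small Python parser for the Netgear log format Tom quoted: it extracts the DoS entries, flags an IP that is reported repeatedly within a short window, and emits the kind of iptables DROP command Matt's shortcut adds. The sample lines are constructed from the quoted entries, unwrapped onto one line each; the hit threshold and time window are arbitrary assumptions.

```python
import re
from datetime import datetime

# Constructed from the entries quoted in Tom's message. The router writes
# each entry on one line; the mail client wrapped them in the thread.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:11:29
[DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:07:33
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:06:14
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:53
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:32
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:10
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:04:49
"""

# Matches only the "[DoS attack: ...]" entries; DHCP and other lines are ignored.
DOS_RE = re.compile(
    r"^\[DoS attack: (?P<kind>[^\]]+)\] .*? from ip \[(?P<ip>[0-9.]+)\], "
    r"(?P<day>\w+), (?P<date>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_dos_events(log_text):
    """Return (kind, ip, datetime) for each DoS entry in the log text."""
    events = []
    for line in log_text.splitlines():
        m = DOS_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("date"), "%b %d,%Y %H:%M:%S")
        events.append((m.group("kind"), m.group("ip"), when))
    return events

def repeat_offenders(events, min_hits=3, window_minutes=10):
    """Map ip -> total hits for IPs with min_hits events inside any window (assumed thresholds)."""
    by_ip = {}
    for _, ip, when in events:
        by_ip.setdefault(ip, []).append(when)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            span = times[i + min_hits - 1] - times[i]
            if span.total_seconds() <= window_minutes * 60:
                offenders[ip] = len(times)
                break
    return offenders

def drop_rules(offenders):
    """Build iptables DROP commands in the spirit of Matt's shortcut (hypothetical, not his script)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]
```

Before adding any generated rule, check the flagged address against the caveat Matt raises: these entries often come from a server the user was legitimately talking to, so a blanket DROP can block that service.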
