[SOLVED] Am I under attack?

Ivo_K
DD-WRT Novice


Joined: 12 Jan 2018
Posts: 37

Posted: Sat May 14, 2022 19:07
I have a Linksys WRT1200AC with DD-WRT v3.0-r48865 std. It's connected to the Internet through the ISP's modem in bridge mode.
My syslog continuously reports, many times per second, stuff like this:
Code:
May 14 20:43:43 DD-WRT kern.warn kernel: [ 603.259609] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=213.149.127.37 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=5 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=53314 SEQ=140
May 14 20:43:48 DD-WRT kern.warn kernel: [ 608.264083] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=213.149.127.37 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=5 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=53314 SEQ=141
May 14 20:43:53 DD-WRT kern.warn kernel: [ 613.269790] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=213.149.127.37 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=5 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=53314 SEQ=142
May 14 20:43:54 DD-WRT kern.warn kernel: [ 614.884510] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=198.144.159.105 DST=188.252.228.66 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=19654 PROTO=TCP SPT=58611 DPT=6512 SEQ=1978249716 ACK=0 WINDOW=1024 RES=0
May 14 20:43:58 DD-WRT kern.warn kernel: [ 618.275330] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=213.149.127.37 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=5 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=53314 SEQ=143
May 14 20:44:00 DD-WRT kern.warn kernel: [ 620.350622] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=37.139.12.101 DST=188.252.228.66 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=58304 PROTO=TCP SPT=53783 DPT=4499 SEQ=5576209 ACK=0 WINDOW=1024 RES=0x00 S

The first part of this long MAC address (cd:a4:21:a8:3b:a6) corresponds to my router; for the rest of it I have no clue. 10.0.0.1 is the router's LAN address and 198.144.159.105 is its public IP (or was at the time of taking this snapshot; it's dynamic).

Can anybody help me understand what this is?
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Sat May 14, 2022 19:21
Check the source and destination IPs @ https://iplocation.io/

Since you enabled the Security tab logging options, you have various levels to choose from (LOW, MEDIUM and HIGH) and logging of types of Dropped, Rejected and Accepted connections.

So depending on your settings you get more or less log noise. So adjust to suit your OCD.

If you don't recognize those source or destination IPs then it could be worth exploring.

By the looks of it, it seems it's your machine cd:a4:21:a8:3b:a6 in all those entries, so it's something you're doing, not being done to you, assuming the source IPs and destination IPs match legit traffic.

You can search the web on how to understand iptables log entries; no point duplicating existing information.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat May 14, 2022 22:17
ICMP TYPE 8 is ECHO request. Pretty sure this is the block anonymous WAN requests (PING) in the firewall logging dropped packets.
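An added example, not part of any post in this thread: a small Python parser for the kernel firewall log entries quoted in the first post. It relies on the netfilter LOG layout, in which the 14-byte MAC= field is the Ethernet header (destination MAC, source MAC, EtherType) and the fields after PROTO= belong to the transport header; the function names are hypothetical.

```python
import re

# Two entries copied verbatim from the log in the first post of this thread.
SAMPLE = [
    "May 14 20:43:43 DD-WRT kern.warn kernel: [ 603.259609] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=213.149.127.37 DST=10.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=5 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=53314 SEQ=140",
    "May 14 20:44:00 DD-WRT kern.warn kernel: [ 620.350622] DROP IN=eth0 OUT= MAC=cd:a4:21:a8:3b:a6:2c:0b:e9:15:a0:19:08:00 SRC=37.139.12.101 DST=188.252.228.66 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=58304 PROTO=TCP SPT=53783 DPT=4499 SEQ=5576209 ACK=0 WINDOW=1024 RES=0x00 S",
]
ETHERTYPES = {"08:00": "IPv4", "86:dd": "IPv6"}
ICMP_TYPES = {"0": "echo-reply", "3": "dest-unreachable", "8": "echo-request", "11": "time-exceeded"}

def parse_entry(line):
    """Parse one netfilter LOG line into link, IP and transport fields."""
    m = re.search(r"\bIN=.*", line)
    if not m:
        return None                    # not a firewall LOG entry
    ip, l4, flags = {}, {}, []
    target = ip
    for tok in m.group(0).split():
        key, sep, val = tok.partition("=")
        if not sep:
            flags.append(tok)          # bare tokens such as DF
            continue
        target[key] = val
        if key == "PROTO":
            target = l4                # later fields (incl. a second ID=) are L4
    out = {"ip": ip, "l4": l4, "flags": flags}
    octets = ip.get("MAC", "").split(":")
    if len(octets) == 14:              # dst MAC (6) + src MAC (6) + EtherType (2)
        out["dst_mac"] = ":".join(octets[:6])
        out["src_mac"] = ":".join(octets[6:12])
        et = ":".join(octets[12:])
        out["ethertype"] = ETHERTYPES.get(et, et)
    return out

def summarize(e):
    """One-line reading of a parsed entry."""
    ip, l4 = e["ip"], e["l4"]
    # IN set and OUT empty: the packet arrived on that interface.
    direction = "inbound" if ip.get("IN") and not ip.get("OUT") else "forwarded/outbound"
    if ip.get("PROTO") == "ICMP":
        t = l4.get("TYPE", "?")
        what = "ICMP " + ICMP_TYPES.get(t, "type " + t)
    else:
        what = f'{ip.get("PROTO", "?")} to port {l4.get("DPT", "?")}'
    return (f'{direction} on {ip.get("IN") or ip.get("OUT")}: {what}, '
            f'{ip.get("SRC")} -> {ip.get("DST")}, sender MAC {e.get("src_mac", "?")}')

if __name__ == "__main__":
    for line in SAMPLE:
        print(summarize(parse_entry(line)))
```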