syslog watcher and attacks on my router

StrawDog

Forum Supporter
I wonder if anyone can help with what looks like attacks on my router?

I have a server and on it I have "syslog watcher" that captures all my data that's going back and forth....I have a RTN 66U black night router which is flashed with Tomato and all working fine except for some of the attacks.

This is the strange thing....the attacks used to be aimed at my IP address rather than my router, so with Virgin here and that's running in modem mode, so my router takes care of everything.

The attacks would look something like this:

DROP IN=vlan2 OUT= MACSRC=04:2a:e2:c6:a0:1a MACDST=XX:XX:XX:XX:XX:XX MACPROTO=0800 SRC=207.226.141.42 DST=MODEM IP ADDRESS LEN=34 TOS=0x00 PREC=0x00 TTL=50 ID=17007 PROTO=ICMP TYPE=8 CODE=0 ID=17007 SEQ=0

So I wasn't really that bothered as it's probably just random scans coming from abroad etc.

Thing that's started worrying me now is they say the following...

DROP IN=vlan2 OUT= MACSRC=04:2a:e2:c6:a0:1a MACDST=xx:xx:xx:xx:xx:xx MACPROTO=0800 SRC=207.226.141.42 DST=192.168.1.1 LEN=34 TOS=0x00 PREC=0x00 TTL=50 ID=17007 PROTO=ICMP TYPE=8 CODE=0 ID=17007 SEQ=0

As you can see they are actually at my router rather than the modem.....

I have limited the connection attempts down to 3x SSH and 3x TELNET attempts to 3600 seconds and have also enabled Ignore DHCP requests from unknown devices.....so anything that's not under DHCP won't get an IP address.....

Also of course changed router user name and password....just bothering me that they are still coming through the modem and reaching my router.

They are from random IP addresses from all over the world, China of course being one of them....

I have run ShieldsUP and that tells me that all ports are stealth or closed....

Any ideas?

thanks
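
Added example (not part of the original post): a small Python parser for DROP lines in the format quoted above, which counts drops per source and lists the entries whose DST is an RFC 1918 address. The sample lines, their addresses and the function names are constructed for illustration, and the parser assumes each entry starts with DROP as in the quoted lines.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format quoted in the post (addresses are
# documentation ranges, MACs are placeholders; none come from the real log).
SAMPLE_LOG = """\
DROP IN=vlan2 OUT= MACSRC=00:00:5e:00:53:01 MACDST=00:00:5e:00:53:02 MACPROTO=0800 SRC=203.0.113.10 DST=198.51.100.7 LEN=34 TOS=0x00 PREC=0x00 TTL=50 ID=17007 PROTO=ICMP TYPE=8 CODE=0 ID=17007 SEQ=0
DROP IN=vlan2 OUT= MACSRC=00:00:5e:00:53:01 MACDST=00:00:5e:00:53:02 MACPROTO=0800 SRC=203.0.113.10 DST=192.168.1.1 LEN=34 TOS=0x00 PREC=0x00 TTL=50 ID=17008 PROTO=ICMP TYPE=8 CODE=0 ID=17008 SEQ=0
DROP IN=vlan2 OUT= MACSRC=00:00:5e:00:53:01 MACDST=00:00:5e:00:53:02 MACPROTO=0800 SRC=203.0.113.99 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4321 PROTO=TCP SPT=40000 DPT=23 SYN
"""

PAIR = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; value may be empty (OUT=)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one DROP line into a dict; return None for any other line."""
    if not line.startswith("DROP "):
        return None
    fields = {}
    for key, value in PAIR.findall(line):
        # ID= appears twice on ICMP lines (IP header ID, then ICMP echo ID):
        # keep the first and store the repeat under a distinct name.
        fields[key if key not in fields else "ICMP_" + key] = value
    return fields

def summarise(log_text):
    """Count drops per (SRC, PROTO, port or ICMP type); list RFC 1918 DST hits."""
    counts, private_dst = Counter(), []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        what = f.get("DPT") or "type " + f.get("TYPE", "?")
        counts[(f.get("SRC"), f.get("PROTO"), what)] += 1
        try:
            dst = ipaddress.ip_address(f.get("DST", ""))
        except ValueError:
            continue  # redacted or malformed DST, e.g. "MODEM IP ADDRESS"
        if any(dst in net for net in RFC1918):
            private_dst.append((f.get("IN"), f.get("SRC"), str(dst)))
    return counts, private_dst

if __name__ == "__main__":
    counts, private_dst = summarise(SAMPLE_LOG)
    print(counts.most_common())
    print(private_dst)
```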