[Cialug] Router log issue

Sean Flattery sean.r.flattery at gmail.com
Fri Dec 30 12:46:16 CST 2016


Interesting.  That rule is named a little wonky, DoS attacks and scans tend
to be two different things.  This is probably just a port scan.  If you can
grab a pcap of network traffic between your router and the modem, we could
take a look at what's going on and know for sure.

Matt's suggestion of Fail2Ban is seconded, if these logs turn out to
indicate an attack.  The nice thing about Fail2Ban is that you can create
custom regex rules on any log file.  Here's the section of their manual
detailing how to do it.
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#General_settings


Thanks,
Sean

PS I'm on the CIALUG digest, so if you want me to see your email quickly
just CC me on the reply.



> Date: Thu, 29 Dec 2016 13:08:16 -0600
> From: Tom Sellers <tsellers2009 at gmail.com>
> To: Central Iowa Linux Users Group <cialug at cialug.org>
> Subject: [Cialug] Router log issue
> Message-ID: <CAGMb6GRk=ovKQxW+FgeiW6h0SGU9yiAeNis7MUUUFxCr8deeeg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I have a netgear router and have noticed lately that I am seeing a number
> of entries in the log such as the ones below.
>
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:11:29
> [DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:07:33
> [DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:07:12
> [DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:06:36
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:06:14
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:53
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:32
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:10
> [DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:04:49
>
> Ignoring the DHCP updates, I am concerned about the many "DoS attack"
> messages in the log.  Does anyone have any advice/suggestions concerning
> whether or not this is a significant problem that I need to be concerned
> about?
>
>
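Sean's pointer to Fail2Ban custom regex filters, applied to the exact "[DoS attack: ...]" line format Tom quoted, as an added example that is not from the thread or from the Fail2Ban project. It assumes a simplified explicit host group in place of Fail2Ban's <HOST> placeholder and re-implements the maxretry/findtime counting in plain Python so the filter can be checked against the quoted lines without Fail2Ban installed.

```python
import re
from datetime import datetime, timedelta

# Fail2Ban-style failregex for the Netgear "[DoS attack: ...]" lines quoted in the
# thread. In a real filter.d/netgear.conf the host would be written as Fail2Ban's
# <HOST> placeholder; the explicit (?P<host>...) group below is a simplified
# stand-in (assumption) so the pattern runs here without Fail2Ban.
FAILREGEX = (r"^\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last \d+ sec "
             r"from ip \[(?P<host>[\w\-.:]+)\], \w+, "
             r"(?P<ts>\w{3} \d{1,2},\d{4} \d\d:\d\d:\d\d)$")
LINE_RE = re.compile(FAILREGEX)

# Constructed sample built from the lines Tom posted, newest first as the Netgear
# web UI lists them; the DHCP line is there to show that it does not match.
SAMPLE_LOG = """\
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:11:29
[DHCP IP: (192.168.1.78)] to MAC address B8:EE:65:AF:90:64, Wednesday, Dec 28,2016 21:07:33
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:06:14
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:53
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:05:32
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [27.151.28.37], Wednesday, Dec 28,2016 21:04:49
"""

def parse(line):
    """Return (host, scan kind, timestamp) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d,%Y %H:%M:%S")
    return m.group("host"), m.group("kind"), ts

def offenders(lines, maxretry=3, findtime=600):
    """Mimic Fail2Ban's maxretry/findtime rule: a host is flagged once it has
    maxretry matching lines inside a findtime-second window. Returns
    {host: timestamp of the line that tripped the threshold}."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[2])
    window = timedelta(seconds=findtime)
    recent, flagged = {}, {}
    for host, _kind, ts in events:          # chronological order
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry and host not in flagged:
            flagged[host] = ts
    return flagged

if __name__ == "__main__":
    for host, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{host} would be banned at {when}")
```

Shrinking findtime to 30 seconds with the same maxretry flags nothing on these lines, which is the knob to turn if the router's 20-second summaries are too bursty to be worth acting on.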


More information about the Cialug mailing list