Hi @Natty,
Having ICMP WAN based Ping makes you visible to attackers "Scanners" Maybe re-evaluate if this is sensible for your network?
By the sounds of this its some person(s) who are attempting to "Brute-force" their way into your switch/router, to allow them them to ultimately gain root. (or some dns-rebind attack or dns-hijacking attack or just use your network as part of a larger DDoS system)
I am unfamiliar with your specific device, However, I am very familiar with this issue and techniques employed to both exploit and mitigate against such attack..
You may want to decide if you wish to do IP-based rules Firewall blocking method. [See below IP-Based Method]
OR
You could do the <static routes> method.
The Medicine
1) If you can see multiple logins from the SRC=IP Address in your syslog make a note of that IP address.
2) Go do a online
whois lookup IP if you have IP address or Hostname if hostname of the offending IP address. You will see something like this
Example:
| Text |
1
23
45
67
89
1011
| Domain name:
atk_domain.tld Name servers:
ddns0.atk_domain.tld 127.0.0.1 2607:f740:ffff::1 ddns0.atk_domain.tld
ddns1.atk_domain.tld 127.0.0.2 2607:f740:ffff:4::1 ddns1.atk_domain.tld
dns0.atk_domain.tld 172.17.10.10 2620:ff:1000::1 dns0.atk_domain.tld
dns1.atk_domain.tld 172.17.10.11 2a00:eded:6259::1 dns1.atk_domain.tld |
Key parts are the nameserver address (for tracing the PTR records later)
The
[email protected] contact email address (you should email and provide AFXR file to hostmaster)
And obviously the IP address(es) linked to the record.
3) You may also want to interrogate the offending attacker's IP using a free to use too called DIG
Dig Download (Packaged with BIND9 *Nix DNS)
Here is
A Helpful Guide for Windows Dig
We can figure a lot of information out just by simply using the tool called DIG See below:
- PTR Records & Using DIG
4) Decide on method to employ. If the Static Route method would suit your needs better use that
OR if you think a simpler IP Based Blocking method would work better use that; or maybe you wish to use a combination of both IP and Static_routing to be absolutely certain it will stop the attacks.
Note on Static Route Method: -- (
README GUIDE - Spiceworks HERE )
Create a new false static route to falsely map Attacker_IP > <interface> <metric> except we give a high metric 99 but lower than other interface(es) which you want to be routable like: PPP or Br0 wlan0 lo0 etc. or something similar to that effect;
This Static route method in effect causes you router to behave as if the attackers IP is basically a node from within your own network which you then (basically) terminate traffic by giving it lower order of importance in your routing table based on the metric
int.
This will stop the Attacker from reaching you router and from your router from reaching them.
There are obvious pro's and cons using this method but as a quick measure to stop the active Bruteforce process is cool as it .. lets say that the attacker is hitting you from a IP range that you cannot block completely maybe as it sits inside of a popular CDN/AWS/Azure/Google Cloud IP range which effects some service(s) streaming or otherwise you can isolate the IP not the IP block/ IP range...
| Text |
1
23
45
6 | 192.168.1.1/24 <Block_IP Range>
192.168.1.5 <EViL AttackerIP> <Now Blocked>
192.168.1.12 <netflix_Service> <Now Blocked> <But may Need>
192.168.1.254 <WWW - You Visit lives here> <Now Blocked> |
You see the problem with a Blanket ban of IP Range
IP-Based Firewall Method
- PTR Records & Using DIG
Once you have the IP address you are now able to block either the single offending IP address OR as a more blunt hammer approach Block the complete IP subnet of the perpetrators origin IP address.
If the Attacker is targeting a specific port say tcp_443 or tcp_8443 etc maybe you could isolate it to a single IP and maybe if not stopping the attack you may need to block the whole IP_range/subnet (kind of a blunt hammer approach).
Often these types of attackers switch to a fresh IP after either a reset of their Dynamic-IP or to another server under their control after their previous IP gets blocked by a angry sysop/admin hence, why looking for all the PTR records associated with the IP can show all IP Addresses belonging to the attacker hostname Which you would then know!
This will allow you to be proactively ban/blacklist IP's ahead of any future attacks from this same attacker in the same process..
A PTR record is well-known as the reverse version of an A record. While A record maps the domain name to an IP address, the PTR record maps the IP address to a hostname. So, the PTR record ensures that your IP address officially connects to the host.
So its important to know if the attackers are coming in from a Residential IP range you would see this in the whois lookup or if you see any rdns hostmasks with *.dyn*.* included in it.
Grab all records for hostname:
| Text |
1
| $ dig [hostname] +short |
Trace the attackers nameserver
| Text |
1
| $ dig attacker_host.dom +trace |
and revers DNS lookup:
| Text |
1
| $ dig +answer -x 127.0.0.1 |
Once you grab the Attackers IP you get the IP Range then you get the Attackers Nameserver you can then write a script to recursively crawl through each of those IP's inside that range to see any active machines via the PTR records associated with the Hostname.
[.sh|.bat|.ps1 Script pastebin here]
LOOK HERE -
Script you may find useful
R&R - Reconnaissance / Research
If you wish to learn about what
your network looks like to a potential hacker you could download a tool called
netmap
(FYI: there is also a more simpler GUI version for windows users called (
Nmap - Zenmap GUI)
** Use this tool to carry out your own in-house Vulnerability scans /infosec monitoring on your own Network IP **
You can then do your own reconnaissance / research into closing these holes in security.
You can also dive into checking for the attackers ASN network number by checking in bgpview.io
Sorry not had time to clean this post up but HTH's
Pages in this thread: 
Print Thread
camieabz
