icmp redirect attack in Zyxcel DX3101-B0

Options
Jediu
Jediu Posts: 2
Friend Collector First Comment
edited December 2023 in Home Router

Hello

A few days ago i got ICMP REDIRECT ATTACK logs in my Security Log.

kern.alert kernel: ICMP REDIRECT ATTACK:IN=ppp2.3 OUT= MAC= SRC=160.202.128.1 DST= my IP!! LEN=80 TOS=0x00 PREC=0x00 TTL=49 ID=52625 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=160.202.128.0 [SRC= my IP!! DST= 103.195.100.121 LEN=52 TOS=0x00 PREC=0x00 TTL=129 ID=47039 PROTO=TCP SPT=46676 DPT=25565 WINDOW=0 RES=0x00 SYN URGP=1280 ] MARK=0x8000000 

After this message i did a factory-Reset

1 Day Later i got the same reports

What is this ?

Is everything fine with my Advice ?

Does the Firewall BLOCK this Redirect Attack, if its logged here ?

I am From Austria an use A1 as ISP

I found the same Problem from an Odido User in the Netherlands

https://community.odido.nl/bekabeld-internet-492/what-is-happening-securitylog-heeft-entry-met-onbekende-gateway-gevolgt-door-mijn-adres-als-source-359490

The IP Adress 160.202.128.1 is listed in the abuseipdb

https://www.abuseipdb.com/check/160.202.128.1

Theres also an User from Italy who report "icmp redirect attack"

Can u help me to find out why this happends to me, what it is, and why it doesnt stop after factory-Reset

Thanks

Jediu

( and sorry for my bad English )

All Replies

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2023
    Options

    Unwanted ICMP traffic can be a symptom indicating either that your external IP is visible to the world, or that your own DNS or ICMP signals are not shielded from someone looking for vulnerable nodes to probe further for weakness.

    Usually it should be enough add a firewall block of any traffic from that IP, and other IP addresses if you get warnings from a different address.

    See also: https://scamalytics.com/ip/160.202.128.1 (scamalytics.com)

    edit: You may also want to search the net and read about "How to hide my public IP" from sites like https://www.grc.com/x/ne.dll?bh0bkyd2 (ShieldsUP!), to test your own exposure and read tips on how to reduce your risk.

  • Jediu
    Jediu Posts: 2
    Friend Collector First Comment
    Options

    thanks for your answer

    i dont have a static IP.

    My ISP Community thinks that These are more Like Scans than direct attacks

    They give me also the Tip to Block that ip

    The sayd that the Traffic was Blocked from the Firewall, cause the Attac ist Seen in the Security log. Do you think that too ?

    Sg Jediu

  • tonygibbs16
    tonygibbs16 Posts: 841  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2023
    Options

    Hello @Jediu

    Welcome to the forum.

    My reading of the log message you posted is that the firewall in your Zyxel DX3101-B0 device blocked the attack.

    The log message shows an incoming interface ppp2.3 but a blank against the outgoing interface.

    - see below.

    - This means that the firewall blocked the attack, and then told you that it did so.

     ICMP REDIRECT ATTACK:IN=ppp2.3 OUT= 

    Yes, your public IP address is visible to the rest of the world, but it needs to be in order for you to be able to access the Internet.

    - So this is not an item to be very concerned about.

    - You can use a VPN such as Nord VPN if you would like to hide your public IP address.

    - see https://nordvpn.com/blog/what-can-someone-do-with-your-ip-address/#:~:text=Every%20time%20you%20visit%20a,security%20and%20spam%20prevention%20purposes.

    I hope that this is helpful. Gross Gott.

    Kind regards,

    Tony

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Very good. Thank you for your follow-up, @tonygibbs16 . That is very useful and helpful.

Consumer Product Help Center