ICMP redirect attack in Zyxel DX3101-B0
Hello
A few days ago I got ICMP REDIRECT ATTACK logs in my Security Log:
kern.alert kernel: ICMP REDIRECT ATTACK:IN=ppp2.3 OUT= MAC= SRC=160.202.128.1 DST= my IP!! LEN=80 TOS=0x00 PREC=0x00 TTL=49 ID=52625 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=160.202.128.0 [SRC= my IP!! DST= 103.195.100.121 LEN=52 TOS=0x00 PREC=0x00 TTL=129 ID=47039 PROTO=TCP SPT=46676 DPT=25565 WINDOW=0 RES=0x00 SYN URGP=1280 ] MARK=0x8000000
After this message I did a factory reset.
One day later I got the same reports.
What is this?
Is everything fine with my device?
Does the firewall BLOCK this redirect attack if it's logged here?
I am from Austria and use A1 as ISP.
I found the same problem from an Odido user in the Netherlands.
The IP address 160.202.128.1 is listed in AbuseIPDB:
https://www.abuseipdb.com/check/160.202.128.1
There's also a user from Italy who reports "icmp redirect attack".
Can you help me find out why this happens to me, what it is, and why it doesn't stop after a factory reset?
Thanks
Jediu
(and sorry for my bad English)
All Replies
Unwanted ICMP traffic can be a symptom indicating either that your external IP is visible to the world, or that your own DNS or ICMP signals are not shielded from someone looking for vulnerable nodes to probe further for weakness.
Usually it should be enough to add a firewall block of any traffic from that IP, and from other IP addresses if you get warnings from a different address.
See also: scamalytics.com
edit: You may also want to search the net and read about "How to hide my public IP" from sites like https://www.grc.com/x/ne.dll?bh0bkyd2 (ShieldsUP!), to test your own exposure and read tips on how to reduce your risk.
Thanks for your answer.
I don't have a static IP.
My ISP community thinks that these are more like scans than direct attacks.
They also gave me the tip to block that IP.
They said that the traffic was blocked by the firewall, because the attack is seen in the Security Log. Do you think that too?
Sg Jediu
Hello @Jediu
Welcome to the forum.
My reading of the log message you posted is that the firewall in your Zyxel DX3101-B0 device blocked the attack.
The log message shows an incoming interface ppp2.3 but a blank against the outgoing interface.
- see below.
- This means that the firewall blocked the attack, and then told you that it did so.
ICMP REDIRECT ATTACK:IN=ppp2.3 OUT=
Yes, your public IP address is visible to the rest of the world, but it needs to be in order for you to be able to access the Internet.
- So this is not an item to be very concerned about.
- You can use a VPN such as Nord VPN if you would like to hide your public IP address.
I hope that this is helpful. Grüß Gott.
Kind regards,
Tony
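To make the reading of the log line above concrete, here is an added Python example (not from any post in this thread and not Zyxel code) that parses the netfilter-style line, separates the ICMP redirect header from the original packet quoted in [...], and reports what the redirect claims, including whether the OUT= field is empty and whether the quoted packet really is the recipient's own. It assumes the poster's redacted address is 203.0.113.10, a constructed stand-in from the RFC 5737 documentation range.

```python
import re

# The line the DX3101-B0 kernel logged, as quoted in the original post.
# The poster redacted their own address ("my IP!!"); 203.0.113.10 (an RFC 5737
# documentation address) is a constructed stand-in for it.
SAMPLE_LOG = (
    "kern.alert kernel: ICMP REDIRECT ATTACK:IN=ppp2.3 OUT= MAC= "
    "SRC=160.202.128.1 DST=203.0.113.10 LEN=80 TOS=0x00 PREC=0x00 TTL=49 "
    "ID=52625 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=160.202.128.0 "
    "[SRC=203.0.113.10 DST=103.195.100.121 LEN=52 TOS=0x00 PREC=0x00 TTL=129 "
    "ID=47039 PROTO=TCP SPT=46676 DPT=25565 WINDOW=0 RES=0x00 SYN URGP=1280 ] "
    "MARK=0x8000000"
)

# ICMP type 5 (Redirect) codes as defined in RFC 792.
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}


def _fields(text):
    """Turn 'KEY=value KEY= ...' into a dict; an empty value (OUT=, MAC=) stays ''."""
    return dict(re.findall(r"(\w+)=(\S*)", text))


def parse_redirect_log(line):
    """Split the ICMP header fields from the original packet quoted in [...]."""
    pattern = r"ICMP REDIRECT ATTACK:(?P<outer>.*?)\[(?P<inner>.*?)\](?P<tail>.*)$"
    m = re.search(pattern, line)
    if not m:
        return None
    return {"outer": _fields(m.group("outer") + m.group("tail")),
            "inner": _fields(m.group("inner"))}


def assess(parsed):
    """Summarise what the redirect claims and run two sanity checks on it."""
    o, i = parsed["outer"], parsed["inner"]
    if o.get("PROTO") != "ICMP" or o.get("TYPE") != "5":
        return None  # not an ICMP redirect at all
    return {
        "sender": o.get("SRC"),
        "redirect_for": REDIRECT_CODES.get(int(o.get("CODE", -1)), "unknown"),
        "claimed_gateway": o.get("GATEWAY"),
        # The quoted packet is the recipient's own outbound flow that the
        # redirect wants re-routed; here a TCP SYN to port 25565.
        "affected_flow": f"{i.get('PROTO')} {i.get('SRC')}:{i.get('SPT')} -> "
                         f"{i.get('DST')}:{i.get('DPT')}",
        # A genuine redirect quotes a packet the recipient actually sent, so
        # the inner SRC must equal the outer DST; a mismatch means it is bogus.
        "quotes_our_packet": i.get("SRC") == o.get("DST"),
        # No outgoing interface was recorded for the ICMP packet (OUT= is empty).
        "out_interface_empty": o.get("OUT") == "",
    }
```

Run `assess(parse_redirect_log(SAMPLE_LOG))` to see the summary for the posted line; feeding it the device's whole Security Log, one line at a time, lets you count how often each sender repeats.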
Very good. Thank you for your follow-up, @tonygibbs16 . That is very useful and helpful.