Help Interpreting Log Message
Can someone help me interpret the following message, which is being reported on the 5GHz wireless segment of my Zyxel 3301 T-0:
kernel: PING OF DEATH ATTACK:IN=br0 OUT=ppp1 MAC=50:e0:39:19:cc:10:2a:42:01:03:d3:c0:08:00 SRC=192.168.1.57 DST=100.69.0.0 LEN=4460 TOS=0x00 PREC=0x00 TTL=63 ID=38107 PROTO=ICMP TYPE=8 CODE=0 ID=13810 SEQ=1 MARK=0xb0020000
Many thanks in advance.
All Replies
-
From the log it seems to be an ICMP packet. I would suggest checking with your ISP or retailer to see if they've got the latest software image and updating it.
0 -
Hi, and many thanks for your reply.
The first place I contacted was my ISP, who supplied the router, but all they could suggest is to change the SSID.
I really can't see how changing the SSID on the router would stop a device wirelessly connected to that router sending out these Pings of Death as it would still be connected to that same network. I did move it to a different subnet and, as expected, the same thing happens.
The Ping of Death messages occur in a block every 6 hours. There are 22 of them in the block, 1 every second, and not all targeting the same IP address - some to my router's IP and others to remote IPs which I believe are Amazon addresses.
I have contacted the manufacturer of the product involved, a Ring Chime Pro v2 and they think it's the router misinterpreting or mishandling the messages.
0 -
Hello @Griswold
Welcome to the forum.
The log message shows that the Ping of Death attack started on your LAN (br0), and was directed towards your broadband connection (ppp1).
It might well be from a device on your WiFi.
Changing the SSID and/or your WiFi password would mean that an attacker/hacker would be shut out for a while.
Why do you think that the source is the Ring Chime Pro v2 product? The source MAC address OUI does not seem to be registered with the IEEE Registration Authority (RA), whereas the 50:e0:39 is an OUI registered to Zyxel.
Kind regards,
Tony
0 -
Hi Tony, and many thanks for the reply.
The source address of 192.168.1.57 is that of my Ring Chime Pro and the MAC address matches.
I've been in contact with Ring and they believe the Chime Pro is unlikely to have been hacked but are sending a replacement and have asked me to return this one for their software people to examine.
Certainly the Chime Pro is probably the least intelligent of all the devices on my network, so probably the least likely target for hackers - what would they get from hacking it?
It will be interesting to see if the problem goes away with the new chime.
Best Regards
Peter
1 -
The destination 100.69.0.0 is from a member in a CGNAT, not reachable from WAN.
The source 192.168.1.57 is local. Can it be located? Maybe you could see it in the logs or in the information menu. Is there an infection?
It may be possible to control WLAN members and bind them to MAC addresses.
0 -
Thanks Peter
192.168.1.57 is a Ring Chime Pro2. Ring don't think it's infected but are sending a replacement.
What I've not been able to establish is whether the router is dropping these pings or sending them out on the WAN.
Best Regards
Peter
0 -
Once I had a lot of ping floods from WAN and tried to do something. I made an ACL rule in the firewall section to block ICMP pings or limit answers per minute for service "ICMP:8 /Echo-request" …
You can reject or drop (no answer) the ping.
https://www.akamai.com/glossary/what-is-a-ping-flood-attack
0
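Added example, not part of any post in this thread: Python that decodes the fields of the log line from the question, assuming the router's kernel log follows the standard Linux netfilter LOG layout (MAC= is destination MAC, source MAC, then EtherType). It reports the locally administered bit of the source MAC, whether the destination falls in the RFC 6598 CGNAT range, and how LEN compares with the 65,535-byte IPv4 maximum; the function names are this example's own.

```python
import ipaddress
import re

# Log line copied from the question above.
LOG = ("kernel: PING OF DEATH ATTACK:IN=br0 OUT=ppp1 "
       "MAC=50:e0:39:19:cc:10:2a:42:01:03:d3:c0:08:00 SRC=192.168.1.57 "
       "DST=100.69.0.0 LEN=4460 TOS=0x00 PREC=0x00 TTL=63 ID=38107 "
       "PROTO=ICMP TYPE=8 CODE=0 ID=13810 SEQ=1 MARK=0xb0020000")
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def parse_fields(line):
    """Return KEY=VALUE pairs; first occurrence wins (ID= appears twice)."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)
    return fields

def decode_mac(mac_field):
    """Split MAC= into 6 bytes destination, 6 bytes source, 2 bytes EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets in MAC= field")
    return {
        "dst_mac": ":".join(octets[:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:]),
        # Bit 0x02 of the first source octet marks a locally administered
        # address, which has no IEEE-registered OUI.
        "src_locally_administered": bool(int(octets[6], 16) & 0x02),
    }

def summarize(line):
    f = parse_fields(line)
    length = int(f["LEN"])  # IP total length as logged
    return {
        **decode_mac(f["MAC"]),
        "direction": f"{f['IN']} -> {f['OUT']}",
        "src_private": ipaddress.ip_address(f["SRC"]).is_private,
        "dst_in_cgnat": ipaddress.ip_address(f["DST"]) in CGNAT,
        "icmp_echo_request": f["PROTO"] == "ICMP" and f["TYPE"] == "8",
        "ip_total_length": length,
        # A single IPv4 datagram cannot be larger than 65535 bytes.
        "exceeds_ipv4_max": length > 65535,
    }

if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(f"{key:26}{value}")
```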