I keep getting alerts from my router, looking as though it's attacking itself.
The source and destination IPs are almost always that of one of my external IP addresses. Am I missing something subtle, here, or is it just a pointless alert?
Draytek 2820vn
Example entries:
[DOS][Block][udp_flood, timeout=10][2??.1??.??.2??:60142->2??.1??.??.2??:35974][UDP][HLen=20, TLen=1308]
[DOS][Block][udp_flood, timeout=10][2??.1??.??.222:63885->2??.1??.??.222:35974][UDP][HLen=20, TLen=249]
[DOS][Block][udp_flood, timeout=10][2??.1??.??.222:63885->2??.1??.??.222:35974][UDP][HLen=20, TLen=399]
[DOS][Block][tcp_flag, scanner=fin_wo_ack][2??.1??.??.222:55657->222.1??.??.222:25][TCP][HLen=20, TLen=40, Flag=F, Seq=3020597573, Ack=0, Win=65535]
[DOS][Block][tcp_flag, scanner=fin_wo_ack][2??.1??.??.217:58064->2??.1??.??.217:25][TCP][HLen=20, TLen=40, Flag=F, Seq=4024456782, Ack=0, Win=65535]
[DOS][Block][udp_flood, timeout=10][90.206.45.197:55753->90.206.45.197:58977][UDP][HLen=20, TLen=520]
[DOS][Block][udp_flood, timeout=10][90.206.45.197:55753->90.206.45.197:58977][UDP][HLen=20, TLen=101]
[DOS][Block][tcp_flag, scanner=fin_wo_ack][2??.1??.??.222:46449->2??.1??.??.222:25][TCP][HLen=20, TLen=40, Flag=F, Seq=3698167683, Ack=0, Win=65535]
(I've redacted the IP address, as who knows who's out there reading this; nevertheless, it's the same (WAN) address on both sides.)
--
Marc
Cleopatra Consultants Ltd
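
An added example, not part of the original post: a small parser for log lines in the format quoted above. It picks out entries whose source and destination address are identical and groups them by rule, protocol and destination port, so repeated port pairs stand out. The sample lines are constructed with RFC 5737 documentation addresses, and the names `parse_line` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE = """\
[DOS][Block][udp_flood, timeout=10][203.0.113.7:60142->203.0.113.7:35974][UDP][HLen=20, TLen=1308]
[DOS][Block][tcp_flag, scanner=fin_wo_ack][203.0.113.7:55657->203.0.113.7:25][TCP][HLen=20, TLen=40, Flag=F, Seq=3020597573, Ack=0, Win=65535]
[DOS][Block][udp_flood, timeout=10][198.51.100.9:55753->203.0.113.7:58977][UDP][HLen=20, TLen=520]
DOS][Block][udp_flood, timeout=10][203.0.113.7:63885->203.0.113.7:35974][UDP][HLen=20, TLen=249]
not a firewall line
"""

# The leading "[" is optional because pasted lines sometimes lose it.
# Address fields accept any non-colon text, so redacted "2??.1??" forms parse too.
LINE_RE = re.compile(
    r"\[?DOS\]\[(?P<action>\w+)\]\[(?P<rule>\w+)(?:,\s*(?P<detail>[^\]]*))?\]"
    r"\[(?P<src>[^:\]]+):(?P<sport>\d+)->(?P<dst>[^:\]]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]\[(?P<fields>[^\]]*)\]"
)

def parse_line(line):
    """Return a dict for one DoS-defence log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # "HLen=20, TLen=40, Flag=F" -> {"HLen": "20", "TLen": "40", "Flag": "F"}
    rec["fields"] = dict(kv.split("=", 1) for kv in rec["fields"].split(", ") if "=" in kv)
    rec["self_addressed"] = rec["src"] == rec["dst"]
    return rec

def summarize(text):
    """Count self-addressed entries per (rule, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["self_addressed"]:
            counts[(rec["rule"], rec["proto"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```

On redacted input the comparison is made on the masked strings, so two addresses only count as identical if their visible and masked characters match exactly.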