AI Protection alert - what does this alert mean exactly?

Johno

Regular Contributor
I've set up the AI-Protection feature on my RT-AC68U with security alerts emailed to me. I get a lot of the following reported threats (I've removed my IP address from the destination):

Event Date Event type Source Destination
2018-11-02 08:27:04 Vulnerability Protection 209.141.54.253 [my static IP addr]


If I look up that source I find it's a company supposedly specialising in DDOS prevention! If I check the router admin pages under AI-Protection - Two-Way IPS it details the attack as an External Attack in the form of EXPLOIT Remote Command Execution via Shell Script -2

Now if I'm understanding this correctly, apparently a company that supposedly provides services to prevent DDOS attacks is attacking my router? Or am I misunderstanding the alert?
 
I would assume someone is probing many IP addresses for vulnerabilities to exploit, yours included. I would not presume to know who it is or what they do.

You can't do much about it except make sure your router is secured and up-to-date. Whenever I'm done updating my router, I power OFF/ON the router and browse to GRC Shields Up! to test UPnP and all common service ports vulnerability... it's not a comprehensive test but it will imply things are generally secure vs. some glitch that leaves you wide open.

OE
 
I've looked up the source IP address and its provider is FranTech Solutions, based in California, though the location of the IP address is Las Vegas.

Like you say, there's not much I can do about it except keep my router up to date.
 
Maybe you could tell them the IP address they host in Las Vegas is scanning routers to attack. If they're not amoral, they might investigate.

OE
 
If I look up that source I find it's a company supposedly specialising in DDOS prevention!
I don't think so. You probably went to a site that has a report on that IP address. Apparently it's a known malware server. See the report at the bottom of this page or here.
 
Those abuse reports are current, within the last month. So, maybe the ISP would take an interest. But it's likely a whack-a-mole proposition.

OE
 
From 10/25-10/31 the IPS on my 86u reported about 30 attempts from that exact same IP address. They seem to have finally given up. No attempts yesterday or today so far.
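As an added example (not from this thread, and not ASUS code), here is a small parser for the AI Protection alert table format quoted in the first post. It tallies hits per source IP with first/last-seen times, so a pattern like the "about 30 attempts from that exact same IP" in the post above can be read straight off a saved alert email rather than counted by hand. Only the first data row is from the thread; the remaining rows and the repeat threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the AI Protection alert table. The first data row is
# the one quoted in the thread; the others are made up for illustration, and
# the destination is the same placeholder the original poster used.
ALERT_LOG = """\
Event Date Event type Source Destination
2018-11-02 08:27:04 Vulnerability Protection 209.141.54.253 [my static IP addr]
2018-11-02 09:14:51 Vulnerability Protection 209.141.54.253 [my static IP addr]
2018-11-03 02:03:17 Vulnerability Protection 209.141.54.253 [my static IP addr]
2018-11-03 11:45:09 Vulnerability Protection 198.51.100.7 [my static IP addr]
"""

# One data row: timestamp, free-text event type, IPv4 source, rest is destination.
ROW = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<type>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dst>.+)$"
)


def parse_alerts(text):
    """Yield (timestamp, event_type, source, destination) for each data row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header line and blank lines simply do not match
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["type"], m["src"], m["dst"])


def summarize_by_source(text, repeat_threshold=3):
    """Per source IP: hit count, first/last seen, and a 'repeated' flag
    (count >= repeat_threshold, an assumed cut-off) separating persistent
    probing from a one-off hit."""
    hits = defaultdict(list)
    for ts, _etype, src, _dst in parse_alerts(text):
        hits[src].append(ts)
    summary = {}
    for src, stamps in hits.items():
        stamps.sort()
        summary[src] = {"count": len(stamps), "first": stamps[0],
                        "last": stamps[-1],
                        "repeated": len(stamps) >= repeat_threshold}
    return summary


if __name__ == "__main__":
    for src, info in summarize_by_source(ALERT_LOG).items():
        print(src, info)
```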
 
