frequently attacked from same address

randomName

Very Senior Member
In AiProtection I keep getting an attack from the same address. I just got off the phone with my ISP and they can't do anything about it except offer me a $10 a month security suite package to my service. Reminds me of an old joke "Bricks thrown through windows? Call such-n-such" lol but anyways so I'm here wondering what I can do. Is there anything I can do?

TIA
 
If it is being blocked by the router then why worry about it?

If you turned AiProtection off you would still have all these scans and they would still be blocked by the firewall.

Only difference is nothing logged to make you go oh my god I am being attacked.
 
Story-time: back in the early days, I knew this guy who ran an IRC server at the ISP where he worked. There was some kid who kept trying to flood him with ping requests (that used to be an effective attack when most people were on a 28.8K connection, and the attacker would be at a university location).

That administrator dove into his IRC client's source code (he was using ircII), and modified the PING response code to return a 64 KB packet instead of a 64 bytes one.

That poor kid quickly went offline after he sent those couple of ping requests at him, and got flooded with 64 KB replies, being sent through that ISP's backbone... That took care of the problem :)


Back to OP issue: if the "attack" is always the same (a simple connection attempt to a specific port), then just ignore it. The firewall will stop him there. If however he's attempting multiple attack vectors on a regular basis, I guess you could block him either through a manual iptables entry in the INPUT chain, or by using the router's Network Service Filtering.
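
A sketch of the manual iptables entry in the INPUT chain mentioned in the post above. This is an added example, not part of the original post: the function names and the `IPTABLES` override are assumptions of the example, and 203.0.113.45 is a documentation-range address standing in for the logged source.

```shell
#!/bin/sh
# Added example: idempotently drop all traffic from one source in INPUT.
# IPTABLES may be overridden (e.g. IPTABLES=echo) for a dry run; the override
# and the function names below are assumptions of this example.
IPTABLES="${IPTABLES:-iptables}"

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
# Anything else (hostnames, shell metacharacters, CIDR typos) is refused.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert "-s <addr> -j DROP" at the top of INPUT unless it is already there.
block_source() {
    is_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; return 2; }
    # -C tests for the exact rule, so running this twice adds nothing.
    if $IPTABLES -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "already blocked: $1"
    else
        # -I places the rule first, ahead of any ACCEPT rule in the chain.
        $IPTABLES -I INPUT -s "$1" -j DROP && echo "blocked: $1"
    fi
}

# Usage (constructed address): block_source 203.0.113.45
```

A rule inserted this way exists only in the running kernel table and is gone after a reboot.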
 
It's no specific port, just an attack on my router address trying to access the back door, and 'remote command exe.' Would networking services help?
 
Personally I would simply ignore them. If they come up on the IPS log, then the connection attempts are already blocked anyway.
 
You are not being "attacked", what you are seeing is background scatter and bots trying to find unpatched systems. It is happening to everyone, the only change is that AiProtection now shows you what it has blocked. Ai has been blocking these things since day one and previously didn't tell you.

I have 60+ events a week and have seen one IP address 7 times.

If you looked at your router log you would not find the "attacking" IP that was listed by AiProtection, it hasn't even reached your router, you are safe and have nothing to worry about. In many ways it would have been a lot better for Trend Micro to never start this new GUI.

Also, note the type of "attack", 99% of the ones I see listed are old exploits, some as much as 8 years old, your router is patched against those already.

This is the exploit you are seeing:

EXPLOIT ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution (CVE-2014-9583)

LOOK at the date, 2014, patched 4 years ago and no threat to you anyway.

Information on AiProtection:


https://www.asus.com/support/faq/1012070/
https://www.asus.com/AiProtection/


Internet >> AiProtection inspects all data before allowing anything through >> your router firewall. If AiProtection lists something as BLOCKED it has seen something it didn't like and STOPPED it from ever reaching your router.

Let AiProtection do its job, have a coffee and enjoy the weekend.
 
Ok, cool. I just get a little anxiety seeing the same address trying to use a back door exploit, or execute some remote command thing. I'm not used to it. I traded my old RT N66U for the 86U so this is all new to me.

Thanks all!!
 
It's like learning biology and then becoming a hypochondriac!
 