Possible DNS-Rebind attack detected and unresponsive router plus one more

TanyaC

Regular Contributor
Of late I have been seeing this in my RT-AC88u Merlin log file:

Code:
Feb 11 13:29:30 dnsmasq[807]: possible DNS-rebind attack detected: ipv4.tracker.harry.lu
Feb 11 13:29:55 dnsmasq[807]: possible DNS-rebind attack detected: ipv4.tracker.harry.lu
Feb 11 13:30:03 dnsmasq[807]: possible DNS-rebind attack detected: sugoi.pomf.se

That is sometimes followed by:

Code:
Feb 11 13:53:34 kernel: br0: port 1(vlan1) neighbor 8000.08:bd:43:75:47:d1 lost
Feb 11 13:53:34 kernel: br0: topology change detected, propagating
Feb 11 13:55:16 kernel: br0: port 1(vlan1) neighbor 8000.08:bd:43:75:47:d1 lost
Feb 11 13:55:16 kernel: br0: topology change detected, propagating
Feb 11 13:55:38 kernel: br0: port 1(vlan1) neighbor 8000.08:bd:43:75:47:d1 lost
Feb 11 13:55:38 kernel: br0: topology change detected, propagating
Feb 11 13:57:38 kernel: br0: port 1(vlan1) neighbor 8000.08:bd:43:75:47:d1 lost
Feb 11 13:57:38 kernel: br0: topology change detected, propagating
Feb 11 13:58:00 kernel: br0: port 1(vlan1) neighbor 8000.08:bd:43:75:47:d1 lost
Feb 11 13:58:00 kernel: br0: topology change detected, propagating
Feb 11 14:00:34 kernel: br0: port 1(vlan1) neighbor 8000.08:bd:43:75:47:d1 lost
Feb 11 14:00:34 kernel: br0: topology change detected, propagating

At which time my router becomes unresponsive and I have to reboot it.

Since the rebind attack is detected does that mean it has been blocked? Do I have a problem?
Are the neighbor lost and rebind attacks related to each other?
How do I prevent this?

I'm not using Plex.

One more question - When I reboot my router it always starts with a date of May 5. Why is that? Is it correctable?

thanks
 
Since the rebind attack is detected does that mean it has been blocked?
Yes. Both names return 127.0.0.1, which is considered a rebind attack.
Do I have a problem?
Are the neighbor lost and rebind attacks related to each other?
Probably not.
When I reboot my router it always start with a date of May 5. Why is that?
That’s the default date of the firmware. amtm has a “router date keeper” script to help restore the approximate time sooner after a reboot.
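
The check behind the answer above, sketched as an added example (not code from this thread or from dnsmasq): it counts the rebind warnings in the posted log and shows why an upstream answer of 127.0.0.1 is rejected. The function names and the list of private ranges are assumptions; the exact ranges depend on the dnsmasq version, and the two keyword arguments model dnsmasq's `rebind-localhost-ok` and `rebind-domain-ok` options.

```python
import ipaddress
import re
from collections import Counter

# Assumption: approximate IPv4 ranges treated as private by the rebind check;
# the exact list varies between dnsmasq versions. IPv6 is not modelled here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
REBIND_RE = re.compile(
    r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")

def is_rebind_answer(addr, localhost_ok=False):
    """True if an upstream A record points into a private range."""
    ip = ipaddress.ip_address(addr)
    if localhost_ok and ip in LOOPBACK:      # models rebind-localhost-ok
        return False
    return any(ip in net for net in PRIVATE_NETS)

def filter_answer(name, addrs, ok_domains=(), localhost_ok=False):
    """Return 'blocked' or 'allowed' for one upstream reply."""
    name = name.rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in ok_domains):
        return "allowed"                     # models rebind-domain-ok
    if any(is_rebind_answer(a, localhost_ok) for a in addrs):
        return "blocked"                     # reply dropped, warning logged
    return "allowed"

def summarize(log_lines):
    """Count rebind warnings per queried name."""
    return Counter(m.group(1) for line in log_lines
                   if (m := REBIND_RE.search(line)))

# Log lines copied from the first post in this thread.
SAMPLE_LOG = [
    "Feb 11 13:29:30 dnsmasq[807]: possible DNS-rebind attack detected: ipv4.tracker.harry.lu",
    "Feb 11 13:29:55 dnsmasq[807]: possible DNS-rebind attack detected: ipv4.tracker.harry.lu",
    "Feb 11 13:30:03 dnsmasq[807]: possible DNS-rebind attack detected: sugoi.pomf.se",
]

if __name__ == "__main__":
    for name, hits in summarize(SAMPLE_LOG).items():
        # 127.0.0.1 is the answer reported in the reply above.
        print(name, hits, filter_answer(name, ["127.0.0.1"]))
```

A "blocked" result here corresponds to the log line in the first post: the reply is discarded, so the client never receives the loopback address.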
 
Ok, so I am experiencing loss of connectivity to the router frequently. It could last up to an hour. Several reboots, re-plugging cables, power off etc. do not restore access.

Other network devices are accessible, just not the router, or devices connected directly to the router.
So of course, when the router is inaccessible it takes down my VoIP service as the ATA is directly connected to the router.

I'm not seeing any other messages in the log that might indicate a problem.

I've tried a factory reset, and I'm running the latest Merlin firmware for the RT-AC88u.

What might I try next?

btw: The MAC address 08:bd:43:75:47:d1 refers to a Netgear MS510TX multigig switch which is connected to the router. That's connected via cat6. That services my file server and a laptop. This is then connected to another MS510TX switch via the fiber port in my study which services 4 PCs.

Might the server switch have a fault?

thanks
 