Two-way IPS question 382.2 beta 2

eastavin

Senior Member
Nice expansion of reports in the AI Protection section. Good stuff. Now I just need to learn how to best use them.

Since updating to 382 I see the new AI report that indicates a device on my network is being protected by the 2-way IPS feature. Screenshots attached of a lot of attempts to reach it. My challenge, though, is that I don't have a device with this MAC address that I am aware of. If I check the MAC manufacturers database for the MAC in the 2-way IPS report, it says Cisco, and I have only one device made by Cisco, but its MAC address is different, 00:DA:55... a VOIP ATA Spa112 as reported by the Client Status screen on the Asus RT-AC68U.

Could this be a virtual MAC from the ATA device? (I have not called Cisco yet.) Does the report suggest that the device is somehow inviting this activity? I turned off Bonjour on the ATA but nothing changed; the reports continue.

Is there some way for the Asus router to link the reported MAC address in the 2-way IPS report to a known device listed in the Client Status screen? One would think a Client Status screen should list all the MACs and not just the h/w ones?

Thank you for any thoughts you have on this! I am certainly glad the Asus router and the Merlin FW are protecting my network.

Edward
 

The source is external, not internal. The MAC address is the attacking device, not something you own.
 
A Cisco MAC is typically either your modem, or your ISP's router that's facing your modem (meaning the traffic is coming from the Internet, not from inside your LAN).
 
Thanks. That helps a little. I checked the cable modem and the MAC on that one is not a Cisco. So if I understand AndreiV, the same MAC address is attacking through numerous IP addresses listed in the report over the days, and as the IP addresses are spread around the planet, it's just another day on the net. (Or is it the reverse: being attacked from numerous IP addresses, but the single MAC address represents the last device facing my network at the ISP?)

I suppose I could open a ticket with the ISP to investigate if this is their device, for whatever it's worth?
 
MAC addresses don't travel outside their local network, unlike IP addresses. So all incoming traffic, from whatever IP address will have the MAC address of the last device it was routed through (that's usually your cable modem).
 
MAC addresses don't travel outside their local network, unlike IP addresses. So all incoming traffic, from whatever IP address will have the MAC address of the last device it was routed through (that's usually your cable modem).

Thank you for that. Is there any further conclusion I can make, as I have checked the cable modem diagnostic page and the label on the back cover? They match each other and indicate a 3rd MAC address, from Thomson. So is it at all accurate to say the attacking device is the next one upstream toward the ISP? That would make it one owned by the last mile provider under contract to the ISP.

Edward
 
So is it at all accurate to say the attacking device is the next one upstream toward the ISP? That would make it one owned by the last mile provider under contract to the ISP.
No. The MAC address will not identify the attacker, the source IP address will.

(Your cable modem is probably operating as a bridge, so the MAC address you are seeing is that of the ISP's upstream equipment.)
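
The point made in the replies above, as an added example that is not part of the original thread: frames from many remote source IPs all arrive carrying the MAC of the last router they passed through. The MACs, IP addresses, subnet and function names are constructed placeholders, and the frames are simplified Ethernet II + IPv4 headers with no payload.

```python
import ipaddress
import struct
from collections import defaultdict

def build_frame(src_mac, src_ip, dst_ip, dst_mac="02:00:00:00:00:FE"):
    """Build a constructed Ethernet II + IPv4 header (no payload, checksum left 0)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def parse_frame(frame):
    """Return (layer-2 source MAC, layer-3 source IP) of an Ethernet II/IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II frame carrying IPv4")
    mac = ":".join(f"{b:02X}" for b in frame[6:12])
    return mac, ipaddress.IPv4Address(frame[26:30])

def classify_source_macs(frames, local_net):
    """Map each source MAC to (role, number of distinct source IPs).

    A source IP outside the directly attached subnet means the frame was
    routed, so its MAC belongs to the last router, not to the sender.
    """
    net = ipaddress.ip_network(local_net)
    ips_by_mac = defaultdict(set)
    for frame in frames:
        mac, ip = parse_frame(frame)
        ips_by_mac[mac].add(ip)
    return {mac: ("next-hop router" if any(ip not in net for ip in ips)
                  else "on-link device", len(ips))
            for mac, ips in ips_by_mac.items()}

# Constructed sample: placeholder MACs, RFC 5737 documentation IPs as remote sources.
UPSTREAM, LAN_PC, ROUTER_IP = "02:00:00:00:00:01", "02:00:00:00:00:10", "192.168.1.1"
SAMPLE = [build_frame(UPSTREAM, ip, ROUTER_IP)
          for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.44")]
SAMPLE.append(build_frame(LAN_PC, "192.168.1.50", ROUTER_IP))

if __name__ == "__main__":
    for mac, (role, n) in classify_source_macs(SAMPLE, "192.168.1.0/24").items():
        print(f"{mac}  {role}  ({n} distinct source IPs)")
```

A MAC that shows up with several unrelated remote source IPs is the upstream hop; the source IP is the field to look at when asking where the traffic came from.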
 