DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DOS - ip_options

  • ncollingridge
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
06 Aug 2023 09:15 #102730 by ncollingridge
DOS - ip_options was created by ncollingridge
All of a sudden (since yesterday morning, Saturday 5th Aug) I am getting reports from a BX2000 (which I use for its VOIP features) like the following:

2023/08/05 16:04:45 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:05:13 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:05:37 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:06:04 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:06:33 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:07:01 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:07:24 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]

As you can see this is something which recurs roughly every 25 seconds and seems to be categorised by the router as a DOS attack.

The two IP addresses are maybe a pointer to the nature of this in that one is a self-assigned address and the other is a multicast IP address used for Bonjour discovery. My working hypothesis is that there is a device on the LAN which has picked up a self-assigned address for some reason and is trying to find a Bonjour-advertising device on the network.

I am not aware of any device on the LAN which has a self-assigned address - could this be a sign of malware, or has anyone seen this behaviour before and can give me a pointer to a known cause?

Please Log in or Create an account to join the conversation.

More
08 Aug 2023 08:47 #102741 by j1mbo
Replied by j1mbo on topic Re: DOS - ip_options
Set a PC to 169.254.128.178/24, ping 169.254.128.177 and find the MAC using arp -a

Next look at WiFi controller (if you have one) to try and narrow it down.

Please Log in or Create an account to join the conversation.

  • ncollingridge
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
08 Aug 2023 08:57 #102742 by ncollingridge
Replied by ncollingridge on topic Re: DOS - ip_options
This alert seems to have stopped now, so I can only assume that the device that had self-assigned its address has finally picked up a proper address, so that it is no longer seen by the router as a possible DOS.

This post may help someone else who encounters a similar alert!

Please Log in or Create an account to join the conversation.

Moderators: Sami