DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
DOS - ip_options
- ncollingridge
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 69
- Thank you received: 0
06 Aug 2023 09:15 #102730
by ncollingridge
DOS - ip_options was created by ncollingridge
All of a sudden (since yesterday morning, Saturday 5th Aug) I am getting reports from a BX2000 (which I use for its VOIP features) like the following:
2023/08/05 16:04:45 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:05:13 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:05:37 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:06:04 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:06:33 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:07:01 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:07:24 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
As you can see this is something which recurs roughly every 25 seconds and seems to be categorised by the router as a DOS attack.
The two IP addresses are maybe a pointer to the nature of this in that one is a self-assigned address and the other is a multicast IP address used for Bonjour discovery. My working hypothesis is that there is a device on the LAN which has picked up a self-assigned address for some reason and is trying to find a Bonjour-advertising device on the network.
I am not aware of any device on the LAN which has a self-assigned address - could this be a sign of malware, or has anyone seen this behaviour before and can give me a pointer to a known cause?
2023/08/05 16:04:45 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:05:13 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:05:37 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:06:04 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:06:33 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:07:01 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
2023/08/05 16:07:24 -- [DOS][Block][ip_options, option=router_alert][169.254.128.177->224.0.0.251][2][HLen=24, TLen=32]
As you can see this is something which recurs roughly every 25 seconds and seems to be categorised by the router as a DOS attack.
The two IP addresses are maybe a pointer to the nature of this in that one is a self-assigned address and the other is a multicast IP address used for Bonjour discovery. My working hypothesis is that there is a device on the LAN which has picked up a self-assigned address for some reason and is trying to find a Bonjour-advertising device on the network.
I am not aware of any device on the LAN which has a self-assigned address - could this be a sign of malware, or has anyone seen this behaviour before and can give me a pointer to a known cause?
Please Log in or Create an account to join the conversation.
- j1mbo
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
08 Aug 2023 08:47 #102741
by j1mbo
Replied by j1mbo on topic Re: DOS - ip_options
Set a PC to 169.254.128.178/24, ping 169.254.128.177 and find the MAC using arp -a
Next look at WiFi controller (if you have one) to try and narrow it down.
Next look at WiFi controller (if you have one) to try and narrow it down.
Please Log in or Create an account to join the conversation.
- ncollingridge
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 69
- Thank you received: 0
08 Aug 2023 08:57 #102742
by ncollingridge
Replied by ncollingridge on topic Re: DOS - ip_options
This alert seems to have stopped now, so I can only assume that the device that had self-assigned its address has finally picked up a proper address, so that it is no longer seen by the router as a possible DOS.
This post may help someone else who encounters a similar alert!
This post may help someone else who encounters a similar alert!
Please Log in or Create an account to join the conversation.
Moderators: Sami
Copyright © 2024 DrayTek