The log of my router displays a message like this:

IP SPOOFING ATTACK:IN=eth1.3900 OUT= MAC=5c:XXXXXXXXXXXXX SRC=192.168.1.10 DST=85.XXXXXXXXXX LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=5750 PROTO=TCP SPT=6859 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

What I don't understand is the SRC address: it's in my LAN but I have no device with this IP! Explanation?
Shall I protect my system more strongly?

  • Do you have a machine on your network that has a matching MAC address? Is Eth1.3900 a wired or wireless ethernet interface? Commented Feb 18, 2017 at 21:38
  • Only the first five numbers (5c ...) are identical to my Zyxel router's MAC address. eth1.3900 is a wired ethernet interface.
    – Bertaud
    Commented Feb 18, 2017 at 23:22

1 Answer

Someone from the internet outside of your local network (192.168.1.0/24 range) is trying to send packets to your router and make them look like they come from inside your local network. Clearly that can't be right: packets with a local address cannot come in from outside; therefore, it must be a spoofed packet (i.e., someone has faked the source address in the packet header before sending it to your router).

The fact that your router has logged this packet should (in theory) mean that it has also been blocked by its firewall, so the fact that you see this log should mean that your firewall is working correctly.
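
The check described in the answer above (a LAN source address arriving on the Internet-facing interface), as an added example that is not part of the original answer or the router's firmware: it parses the router's log format and returns only the lines that match. The 192.168.1.0/24 subnet comes from the answer; treating eth1.3900 as the WAN interface is an assumption, and the MAC and DST values and the second and third sample lines are constructed for illustration.

```python
import ipaddress

# Assumptions: LAN subnet taken from the answer; WAN interface name assumed.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_IFACES = {"eth1.3900"}

# Constructed sample log (MAC/DST use documentation ranges, not real values).
SAMPLE_LOG = """\
IP SPOOFING ATTACK:IN=eth1.3900 OUT= MAC=00:00:5e:00:53:01 SRC=192.168.1.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=5750 PROTO=TCP SPT=6859 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
DROP:IN=eth1.3900 OUT= MAC=00:00:5e:00:53:01 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
ACCEPT:IN=br0 OUT=eth1.3900 MAC=00:00:5e:00:53:02 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Split one log line into its prefix, KEY=VALUE fields and bare flags."""
    start = line.find("IN=")
    if start < 0:
        return None  # not a packet log line
    record = {"prefix": line[:start].rstrip(": "), "flags": set()}
    for token in line[start:].split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value  # empty value (e.g. OUT=) is kept as ""
        else:
            record["flags"].add(token)  # TCP flags such as SYN, ACK
    return record


def is_spoofed_ingress(record):
    """True when a LAN source address shows up on the WAN-side interface."""
    if record.get("IN") not in WAN_IFACES:
        return False
    try:
        src = ipaddress.ip_address(record.get("SRC", ""))
    except ValueError:
        return False  # missing or malformed SRC field
    return src in LAN


def spoofed_ingress(log_text):
    """Return the parsed records of all spoofed-ingress lines in the log."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and is_spoofed_ingress(r)]


if __name__ == "__main__":
    for hit in spoofed_ingress(SAMPLE_LOG):
        print(hit["prefix"], hit["SRC"], "->", hit["DST"], "dport", hit["DPT"])
```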
