pvanbuskirk
New Contributor

Cisco DPQ3925 - DoS-type alerts in firewall log

I'm seeing strange DoS-type alerts in the firewall log for my Cisco DPQ3925 gateway. This has been happening for at least a few days...possibly longer because I've never looked at the firewall log before.

The log entry contains the following:

  • Description: Teardrop or derivative
  • Count: 58
  • Last Occurrence: Tue Sep 27 06:53:28 2016 
  • Target: 180.8.210.155:0
  • Source: 0.0.63.0:0

Neither of those IPs is a DHCP address since my network is in the 192.168.0.0/24 space.

Over the past few days I've seen other examples for different remote target IPs and different descriptions including "Illegal Fragments" and "Ping of Death". So the alerts generally look like DoS attacks, but I'm not clear if the packets are inbound or outbound from my network.

Sorry I cannot post a screenshot because the forum image selector is not working for me in the latest Chrome.

When I look at the Connected Devices Summary in Setup > Lan Setup, there are no devices with either the target or source IP.

Here's what I did years ago to secure the network:

  • Changed default admin password to a strong password
  • WPA2-Personal AES PSK, broadcast enabled
  • MAC whitelist filter
  • Remote management: disabled
  • SPI firewall protection Off, because Xbox won't work with it on despite attempts to port forward etc.
  • Block Anonymous Internet Requests: On

Tiffany R re-pushed the latest firmware to the router about 24 hours ago, so the firmware is (and was) up-to-date and the activity is still happening.
Has anyone seen this behavior before?

1 Reply

  • EdwardH
    Valued Contributor
    Assuming the log is correct and the source is 0.0.63.0:0, that is a connection made by a local device sending out to 180.8.210.155:0, which appears to be an IP address assigned to somewhere in Japan/Asia.

    The 0.0.0.0 addresses are not valid public addresses and are used for routing in a local network. Similar to dialing for an operator on the phone. Now, what is trying to send out over the network, especially without a port number, we would not be able to tell just off of that information. If it is continuing to happen, you may want to report it to our Network Security team to have them review the logs further. You can email them directly at abuse@cox.net with the logs; they may be able to shine some more light on what is going on.

    ---
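A triage sketch for the log entry quoted in the question, added here as an example and not part of the original thread or of any Cox or Cisco tooling. It assumes the five-field layout and IPv4 `address:port` format shown in the post; the function names are hypothetical.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")      # LAN range stated in the post
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # reserved "this network" block (RFC 1122)

# Log entry as quoted in the post.
SAMPLE_ENTRY = """\
  • Description: Teardrop or derivative
  • Count: 58
  • Last Occurrence: Tue Sep 27 06:53:28 2016
  • Target: 180.8.210.155:0
  • Source: 0.0.63.0:0
"""

def parse_entry(text):
    """Turn 'Key: value' lines into a dict; only the first colon is a separator."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip(" \t•").partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(endpoint):
    """Return (scope, port) for an IPv4 'address:port' string."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host)
    if addr in LAN:
        scope = "lan"
    elif addr in THIS_NETWORK:
        scope = "reserved-this-network"
    elif addr.is_global:
        scope = "public"
    else:
        scope = "other-non-routable"
    return scope, int(port)

def triage(text):
    """Summarise one entry: address scopes, direction relative to the LAN, flags."""
    entry = parse_entry(text)
    (src, sport), (dst, dport) = classify(entry["Source"]), classify(entry["Target"])
    if src == "lan":
        direction = "internal" if dst == "lan" else "outbound"
    else:
        direction = "inbound" if dst == "lan" else "undetermined"
    flags = []
    if src == "reserved-this-network":
        flags.append("source is in 0.0.0.0/8, reserved and not valid for normal traffic")
    if sport == 0 and dport == 0:
        flags.append("port 0 on both ends, no transport port recorded")
    return {"description": entry["Description"], "count": int(entry["Count"]),
            "source": src, "target": dst, "direction": direction, "flags": flags}
```

For the quoted entry the direction comes back as `undetermined`, because neither address falls inside the stated LAN range, so the entry alone does not show which side of the gateway the packets came from.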