Draytek Router Firewall Logs

Talk Electrician Forum

Hi,

Anyone know how to decode these please?

New router, new FW.

Log does not follow the format given on the Draytek website.

See sample line below:

2014/10/28 11:44:17 -- [DOS][block][tcp_flag, scanner=fin_wo_ack][192.168.2.19:63760->173.252.102.16:443][TCP][HLen=20, TLen=48, Flag=SF, Seq=3973794869, Ack=0, Win=65535]

I know the 192.168.2.19 IP address; it is an iPhone authorised to connect to our network.

The 173.252.102.16 resolves to a Facebook address.

To me this seems like an outgoing Denial Of Service attack on Facebook by an iPhone?

I get virtually identical logs on 2 devices, both iPhones, both from authorised users; however, the only thing in common is that they have been connected to a free university student wifi network at one of the local unis.

I can get the date/time bit, and obviously trace the IPs, but I'm not sure what the ports are. Is this a DOS attack from our side?

What does the rest mean?

Anyone please?

Also trying to research this myself, but wondering if anyone else has seen such.
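
An added example, not part of the original post and not taken from Draytek documentation: a small parser for the sample line quoted above, which splits the bracketed groups and names the header fields. It assumes the flow field reads source->destination, that each letter in `Flag=` is the initial of a TCP flag name (S=SYN, F=FIN, A=ACK, ...), and the function names `parse_line` and `explain` are hypothetical.

```python
import re

# Constructed from the sample line quoted in the post above.
SAMPLE = ("2014/10/28 11:44:17 -- [DOS][block][tcp_flag, scanner=fin_wo_ack]"
          "[192.168.2.19:63760->173.252.102.16:443][TCP]"
          "[HLen=20, TLen=48, Flag=SF, Seq=3973794869, Ack=0, Win=65535]")

# Assumption: each flag letter is the initial of a TCP flag name.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "A": "ACK", "R": "RST", "P": "PSH", "U": "URG"}
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) -- ((?:\[[^\]]*\])+)$")
FLOW_RE = re.compile(r"^([\d.]+):(\d+)->([\d.]+):(\d+)$")


def parse_line(line):
    """Split one log line into named fields; raise ValueError if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised line layout")
    groups = re.findall(r"\[([^\]]*)\]", m.group(2))
    if len(groups) != 6:
        raise ValueError("expected 6 bracketed groups, got %d" % len(groups))
    category, action, rule, flow, proto, detail = groups
    fm = FLOW_RE.match(flow)
    if not fm:
        raise ValueError("unrecognised flow field")
    # "tcp_flag, scanner=fin_wo_ack" -> rule family plus key=value qualifiers
    family, *quals = [p.strip() for p in rule.split(",")]
    header = dict(p.strip().split("=", 1) for p in detail.split(","))
    flags = [FLAG_NAMES.get(c, c) for c in header.get("Flag", "")]
    return {
        "time": m.group(1), "category": category, "action": action,
        "rule": family, "qualifiers": dict(q.split("=", 1) for q in quals),
        "src": (fm.group(1), int(fm.group(2))),  # assumed: source side
        "dst": (fm.group(3), int(fm.group(4))),  # assumed: destination side
        "proto": proto, "header": header, "flags": flags,
    }


def explain(rec):
    """One-line summary: who sent what to whom, and which rule matched."""
    return "%s: %s %s %s:%d -> %s:%d flags=%s matched %s/%s" % (
        rec["time"], rec["action"], rec["proto"], *rec["src"], *rec["dst"],
        "+".join(rec["flags"]), rec["rule"],
        rec["qualifiers"].get("scanner", "-"))

if __name__ == "__main__":
    print(explain(parse_line(SAMPLE)))
```

Read under those assumptions, the line records one blocked TCP packet from 192.168.2.19 port 63760 to 173.252.102.16 port 443 (the standard HTTPS port), matched by a TCP-flag check.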
