ekkas
Long time Member
Topic Author
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Detect source of attack

Mon Apr 26, 2010 8:21 pm

I'm getting thousands of connections to my network; in the traffic log it says from 10.0.0.207.
But I do not even have that range in my network. The attacker is trying the entire 10.0.0.0/8 range so there are many thousands of attempted connections.
In torch, I cannot see that IP on any of my external interfaces, but on my LAN interface, I see the connections.
How can 'it' connect without even a valid IP? Surely there should be an ARP SOMEWHERE on the network, or at least have a valid IP to be able to connect?

How can I trace the 'real' IP and source of the attack?

eg, in traffic log I see connection from 10.0.0.207 to 10.3.32.32, neither IP is on my network, nor do I have VPN enabled?

Thanks
Ekkas
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Detect source of attack

Mon Apr 26, 2010 10:04 pm

Is your wan ip a public ip? How large is the netmask? Maybe someone on your public localnet is messing with you.

I just tried this from a router with a public ip (x.x.x.119/27) but it only worked on the same localnet as the other public ip (x.x.x.118/27).

/ip route
add gateway=x.x.x.118 dst-address=10.0.0.0/8

And I can ping all the 10.x.x.x ips from that router. It even shows the redirected ip on the ping (x.x.x.118). And none of those ips are assigned to any interface in that computer.
 
ekkas
Long time Member
Topic Author
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Re: Detect source of attack

Tue Apr 27, 2010 2:38 am

That's what is so weird. I do not have a 10.0.0.x/x ip range, none of my IP ranges are within that range and I have 6 WAN interfaces all with public IPs.
I have 1 LAN interface going to a wireless network with 10.1.x.x/24, 10.2.x.x/24 and 10.254.254/30 ranges, but no 10.0.x.x.
I could not ping or tracert it but saw the IP in torch. After doing an ARP ping to each interface for that 10.0.0.207 IP, I found it on a public interface with public IP!!! (cannot normal-ping it)
I contacted my upstream ISP and they were also dumbfounded but will have a Cisco engineer look at it in the morning.
Strangely enough it was also not in my IP/ARP table but I can ARP-ping it! My understanding of networking just went out the window!

Ekkas
 
tgrand
Long time Member
Posts: 667
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: Detect source of attack

Tue Apr 27, 2010 4:07 am

You should be blocking bogon addresses from the internet.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Detect source of attack

Tue Apr 27, 2010 8:47 am

Exactly, ban every local area address from WANs and, while at it, ban every local net you are not using from your outgoing traffic.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Detect source of attack

Tue Apr 27, 2010 9:37 am

If you want to see if the offending computer is as open to that type of attack as you are, try this:

/ip route
add gateway=xx.xx.xx.xx dst-address=10.0.0.0/24

Replace xx's with the offending public ip you found. Then try to ping 10.0.0.1, then 10.0.0.207. If that works, might want to see if you can put a few ssh/telnet login fails in his/her log. Might be a bit of a wake-up call for your new "friend"! :D
 
ekkas
Long time Member
Topic Author
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Re: Detect source of attack

Tue Apr 27, 2010 10:35 am

Thanks, I'll try that. But how is this possible? How can a bogon IP come from a router with public IP?
I thought I blocked it, but saw only in the input chain so I'll add it to the forward filter chain as well.

Ekkas
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Detect source of attack

Tue Apr 27, 2010 1:59 pm

The only way I know it is possible is to route the subnet into your network just like my example above. But the offending computer must be on the public ip localnet (within your public ip subnet), to do it.

ADD: If I was doing that, these are the routes I would try from the offending computer/router:

/ip route
add gateway=yy.yy.yy.yy dst-address=192.168.0.0/16
add gateway=yy.yy.yy.yy dst-address=10.0.1.0/24
add gateway=yy.yy.yy.yy dst-address=10.0.2.0/23

and on to cover the entire 10.x.x.x range
and maybe the private 172.x.x.x set also, just to be sure.

replace yy.yy.yy.yy with your public ip.

FYI: I am not a hacker.
 
ekkas
Long time Member
Topic Author
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Re: Detect source of attack

Tue Apr 27, 2010 10:05 pm

The Cisco router supplied to me by my ISP has a public IP range of /29, i.e. 5 usable IPs (1 for the router, 5 usable, 1 network, 1 broadcast=8 ips)
I use all 5, so are you saying that the 'hack' had to come from within the router itself or at least natted in the router?
If so, then I suspect the ISP, FBI, CIA or MIB was trying to find out what's going on inside our network... Unless someone could hack the Cisco.
I love the smell of a nice conspiracy theory. ;-)
Ekkas
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Detect source of attack

Tue Apr 27, 2010 10:54 pm

I don't see any other way. Either a computer on your public subnet, or someone has routed that subnet into the Cisco router, and then from it into yours. Maybe someone else will see something I don't.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Detect source of attack

Tue Apr 27, 2010 11:04 pm

If you can ARP for it on the interface that faces the Cisco router, maybe that router just has proxy-arp enabled.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Detect source of attack

Wed Apr 28, 2010 3:07 pm

fewi wrote:
If you can ARP for it on the interface that faces the Cisco router, maybe that router just has proxy-arp enabled.

I am still new at proxy ARP, but wouldn't that only add to the mystery? If one client is using proxy ARP on his (ISP's actually) Cisco router, wouldn't you think all clients on that node would be using proxy ARP? No other client behind any other Cisco router would be able to enter the victim's ip as a gateway. It would be outside the suspect's localnet, and the gateway would be unreachable. It seems to me the suspect would need to gain control of the Cisco router at his/her location.

There isn't anything in proxy ARP in this situation that would answer for the 10.0.x.x ips on the Cisco router wan interface, then forward those packets to the MT router, is there? The Cisco router should know nothing about those.
 
ekkas
Long time Member
Topic Author
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Re: Detect source of attack

Wed Apr 28, 2010 3:26 pm

I agree.
In my opinion it can only come from the Cisco router, doing an ARP-ping to any other interface does not give a result.
So someone must have access to the router to be able to NAT a private IP on that public router. The router does not have VPN access as far as I know, so my suspicion is that either the ISP or Interpol or someone is trying to 'get in' by dubious means.
We do have a paedophile on our network that was arrested on Monday and I've had it in the past where Interpol visited our Internet cafe and could tell us on which PC another paedophile was sending Yahoo mail (about 4 years ago). So they have ways and means to get through into a natted LAN. (That was an ISDN connection shared with an XP PC)
As the Cisco ADSL router is assigned for our own use only and only the ISP can access it, I suspect it must be them, someone they gave access to, or at least an ex-employee who knows the username/password.
I logged a senior support request for them to explain this and am waiting for a response.

My concern is that they can do the same thing with an unused public IP, so even if you block incoming bogons, they'll still get through if they have that kind of access to a router.
I'm certain there must be legal implications for this. It doesn't seem right.

Ekkas
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Detect source of attack

Wed Apr 28, 2010 5:15 pm

If you don't think it is right, then stop it. Try this to ensure what is going to be stopped.

/ip firewall filter
add chain=forward action=add-src-to-address-list address-list=hacker in-interface=ether1 connection-state=new protocol=tcp dst-address=10.0.0.0/8

Then check who ends up here in the hacker address list.
/ip firewall address-list
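As an added example, not posted by anyone in this thread, here is how the two pieces of advice above (janisk's: ban every local address from the WANs and ban unused local nets on egress; SurferTim's: capture the offending sources in an address list) combine into one RouterOS firewall fragment. The interface names ether1 (WAN) and the list names bogons/hacker are assumptions, as is the set of LAN ranges taken from ekkas' description. A log rule is included because a RouterOS firewall log line records the src-mac of the packet, which is the piece of evidence the thread is missing: it identifies which directly connected device (for example the ISP's Cisco) actually handed the bogon-sourced packet to the MikroTik, regardless of what the IP header claims.

```routeros
# Added example, not from this thread. Assumes the WAN is ether1; adjust to taste.
# Step 1: one list of address space that must never arrive from the Internet.
/ip firewall address-list
add list=bogons address=10.0.0.0/8 comment="RFC1918"
add list=bogons address=172.16.0.0/12 comment="RFC1918"
add list=bogons address=192.168.0.0/16 comment="RFC1918"
add list=bogons address=127.0.0.0/8 comment="loopback"
add list=bogons address=169.254.0.0/16 comment="link-local"
add list=bogons address=0.0.0.0/8 comment="this network"
add list=bogons address=224.0.0.0/3 comment="multicast and reserved"

# Step 2: record, log, then drop. Place these near the top of each chain.
# add-src-to-address-list is a pass-through action, so the packet continues
# to the log and drop rules below it.
/ip firewall filter
add chain=input in-interface=ether1 src-address-list=bogons action=add-src-to-address-list address-list=hacker address-list-timeout=1d comment="capture bogon sources aimed at the router"
add chain=forward in-interface=ether1 src-address-list=bogons action=add-src-to-address-list address-list=hacker address-list-timeout=1d comment="capture bogon sources being forwarded"
# Log only new flows to keep the log readable; the entry includes src-mac,
# i.e. the upstream device that delivered the packet on ether1.
add chain=forward in-interface=ether1 src-address-list=bogons connection-state=new action=log log-prefix="bogon-in" comment="evidence: which MAC hands us these packets"
# Drop in BOTH chains: an input-only rule leaves forwarded traffic untouched.
add chain=input in-interface=ether1 src-address-list=bogons action=drop comment="bogon source to router"
add chain=forward in-interface=ether1 src-address-list=bogons action=drop comment="bogon source through router"

# Step 3: egress. Private destinations must never leave via the WAN.
# LAN-to-LAN traffic (10.1.x.x, 10.2.x.x, 10.254.254.0/30 in the thread) never
# exits ether1, so it is not matched by this rule.
add chain=forward out-interface=ether1 dst-address-list=bogons action=drop comment="do not forward private destinations to the WAN"

# Step 4: what to look at afterwards.
/ip firewall address-list print where list=hacker
/log print where message~"bogon-in"
/ip arp print where interface=ether1
```

The log line produced by the `bogon-in` rule has the form `forward: in:ether1 out:..., src-mac <MAC>, proto TCP (SYN), 10.0.0.207:<port>->10.3.32.32:<port>, len ...`; comparing that src-mac with the `/ip arp print` output for ether1 tells you whether the packets come from the ISP's router itself or from some other station on the public /29. One caveat for step 3: if any WAN-side peer or PPP link deliberately uses a private address, exclude it from the `bogons` list (or add an accept rule above the egress drop) before enabling it, or that link will silently stop working.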
