I'm getting thousands of connections to my network; in the traffic log it says from 10.0.0.207.
But I do not even have that range in my network. The attacker is trying the entire 10.0.0.0/8 range, so there are many thousands of attempted connections.
In torch, I cannot see that IP on any of my external interfaces, but on my LAN interface, I see the connections.
How can 'it' connect without even a valid IP? Surely there should be an ARP SOMEWHERE on the network, or at least have a valid IP to be able to connect?
How can I trace the 'real' IP and source of the attack?
E.g., in the traffic log I see a connection from 10.0.0.207 to 10.3.32.32; neither IP is on my network, nor do I have VPN enabled?
Thanks
Ekkas