OK, so my main router that connects to my upstream provider is getting a ton of attention right now. I have a firewall rule that throws IPs into an address list whenever someone attempts to telnet, ssh, or ftp into the input chain of that router. It stores these IPs for 7 days and drops any and all traffic from these IPs for the 7 days. As of right now that address list is 35,000 and growing! It's not bothering the router; CPU is around 10-15%.
So I decided to start logging their activity to see what they are trying to do, and I'm being flooded by IPs trying to telnet into the subnet ID, not the IP of the router itself. Is that even possible? Let's assume that router has an IP of 1.1.1.1/24; they are telnetting into 1.1.1.0.
Telnet is not even enabled in the services, but this router also protects other routers down the line. Do I need something to protect the subnet IDs of those other routers?
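For reference, here is what the rule set described in the post looks like in RouterOS syntax. This is an added example, not the poster's own configuration: the WAN interface name `ether1`, the list names `blacklist` and `mgmt`, and the management address `203.0.113.10` are all assumed placeholders. The log rule records the destination address of each probe, which is how you can tell whether a connection was aimed at the router's own address or at the network address (1.1.1.0 in the post's example).

```routeros
# Added example (not the poster's config). Assumptions: upstream-facing
# interface is "ether1", offenders go into the list "blacklist", and the
# list "mgmt" holds the administrator's own source addresses.
/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="admin workstation (placeholder)"

/ip firewall filter
# 1. Drop anything already on the list first, so a repeat offender costs one
#    rule evaluation and generates no further log lines.
add chain=input in-interface=ether1 src-address-list=blacklist action=drop \
    comment="drop blacklisted sources"

# 2. Never blacklist your own management hosts; a mistyped port from the
#    admin workstation would otherwise lock you out for 7 days.
add chain=input src-address-list=mgmt action=accept comment="management hosts"

# 3. Log the probe. The resulting log line carries src and dst addresses,
#    so it shows whether the target was the router IP or the network address.
add chain=input in-interface=ether1 protocol=tcp dst-port=21,22,23 \
    connection-state=new action=log log-prefix="mgmt-probe:" \
    comment="log telnet/ssh/ftp attempts"

# 4. List the source for 7 days; the rule above then drops all of its traffic.
add chain=input in-interface=ether1 protocol=tcp dst-port=21,22,23 \
    connection-state=new action=add-src-to-address-list \
    address-list=blacklist address-list-timeout=7d \
    comment="blacklist telnet/ssh/ftp probes for 7 days"
```

The `input` chain only sees traffic addressed to the router itself. Traffic passing through this router towards the routers behind it goes through the `forward` chain, so to apply the same listing and dropping to probes aimed at downstream devices, the same matchers (`protocol=tcp dst-port=21,22,23 connection-state=new` plus the `src-address-list=blacklist` drop) need a second copy with `chain=forward`.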