Port 53 attack

Can anyone explain what kind of attack this is? How could an attacker discover my router’s local private DNS address given that the router’s outbound traffic is NATed via a masquerade rule? My firewall is blocking this traffic, but I’m curious.

Drop_WAN_Input input: in:ether1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 111.7.96.178:36152->10.0.0.1:53, NAT 111.7.96.178:36152->(xx.xxx.xxx.xxx:53->10.0.0.1:53), len 52

Thanks

The attacker targets the router’s public address (the screened part in the log entry), and NAT translates this request to the private one - 111.7.96.178:36152->10.0.0.1:53, NAT 111.7.96.178:36152->(xx.xxx.xxx.xxx:53->10.0.0.1:53). The attacker doesn’t see the internal IP; if the request were answered, its source IP would be the router’s public IP.

They don’t really see the private IP they’re attacking; it’s the router that brings the data to the port redirect.

Thanks. That explains it.
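
Added example, not part of any post in this thread: a small Python parser for the log layout quoted in the question, separating the address the remote host actually sent to from the address the router's destination NAT rewrote it to. The sample line is constructed with documentation addresses, and the regex assumes the `NAT src->(original->translated)` layout shown in the log entry above.

```python
import ipaddress
import re

# Constructed sample in the layout of the log entry in the question; the
# public addresses are documentation ranges, not values from the thread.
SAMPLE = ("Drop_WAN_Input input: in:ether1 out:(unknown 0), proto TCP (SYN), "
          "198.51.100.7:36152->10.0.0.1:53, "
          "NAT 198.51.100.7:36152->(203.0.113.10:53->10.0.0.1:53), len 52")

EP = r"[0-9.]+:\d+"  # ip:port endpoint
NAT_RE = re.compile(
    rf"(?P<src>{EP})->(?P<dst>{EP}), "
    rf"NAT (?P<nsrc>{EP})->\((?P<orig>{EP})->(?P<new>{EP})\)"
)

# Checked explicitly: ipaddress.is_private is also true for documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(endpoint):
    """True if the ip part of an 'ip:port' string is an RFC 1918 address."""
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return any(ip in net for net in RFC1918)


def explain(line):
    """Return the sender, the destination as sent on the wire, and the
    destination after translation, or None if the line has no such NAT part."""
    m = NAT_RE.search(line)
    if m is None:
        return None
    return {
        "sender": m["src"],
        "addressed_to": m["orig"],   # destination the remote host used
        "rewritten_to": m["new"],    # destination after the router's NAT
        # The flow summary before "NAT" already shows the translated address,
        # which is why the log appears to show a hit on the private IP.
        "summary_shows_translated": m["dst"] == m["new"],
        "sender_targeted_private": is_rfc1918(m["orig"]),
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key}: {value}")
```
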