Today I noticed several odd messages in the log files of a Raspberry Pi showing this sort of thing:
[UFW LIMIT BLOCK] IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:YY:YY:YY:YY:YY:YY:08:00:45:00:00:3c:74:09:40:00 SRC=192.168.2.1 DST=192.168.2.14 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=29705 DF PROTO=TCP SPT=36152 DPT=18768 WINDOW=29200 RES=0x00 SYN URGP=0
Here XX:XX:XX:XX:XX:XX is the MAC address of the Pi, and YY:YY:YY:YY:YY:YY is the MAC address of the ASUS RT-AC85P router running OpenWRT 23.05.2.
The destination port of 18768 is used as an external SSH log-in and is port-forwarded by OpenWRT to the Pi.
The extra MAC information (here 08:00:45:00:00:3c:74:09:40:00) and the source port changed from message to message, but I don't really know if that is important or not.
What is puzzling me is the source address of 192.168.2.1 as that is the router! So it appears that my router is trying to brute-force SSH and it was the UFW firewall that kicked in to block multiple attempts in a short period.
But...that is not what seems to happen on an external attack. I tried to generate the same UFW LIMIT by repeatedly SSH'ing in from another external network and I got this sort of thing:
[UFW LIMIT BLOCK] IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:YY:YY:YY:YY:YY:YY:08:00:45:00:00:3c:65:8d:40:00 SRC=ZZZ.ZZZ.ZZZ.ZZZ DST=192.168.2.14 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=25997 DF PROTO=TCP SPT=58972 DPT=18768 WINDOW=64240 RES=0x00 SYN URGP=0
It looks very similar, but the critical difference is that the source IP address of ZZZ.ZZZ.ZZZ.ZZZ is the address of the network I tested from. So if it was a normal credential stuffing attack or similar from an external machine, why would it show up as the router's IPv4 address?
I am not doing anything terribly fancy with OpenWRT, though I do have a guest WiFi using a VLAN, but that is on the 192.168.3.nnn subnet, and at the time the above happened there was nobody home to be using WiFi anyway (and it's a pretty quiet location, so drive-by snooping seems unlikely).
TL;DR how can an external attacker appear to be using the router's own IP address?
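As an added example (not part of the question above or of any answer), here is a small Python triage script that parses UFW lines in the exact format quoted in the question and tallies blocked SYNs by destination port and by where the source address sits: the router's own LAN address, the LAN, other RFC 1918 space, or external. It assumes the router's LAN address is 192.168.2.1 and the LAN is a /24, and it uses a constructed documentation-range placeholder (203.0.113.7) for the external address the question masks as ZZZ.ZZZ.ZZZ.ZZZ.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the UFW format quoted in the question; 203.0.113.7 is a
# documentation-range placeholder standing in for the ZZZ.ZZZ.ZZZ.ZZZ address.
SAMPLE_LOG = """\
[UFW LIMIT BLOCK] IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:YY:YY:YY:YY:YY:YY:08:00:45:00:00:3c:74:09:40:00 SRC=192.168.2.1 DST=192.168.2.14 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=29705 DF PROTO=TCP SPT=36152 DPT=18768 WINDOW=29200 RES=0x00 SYN URGP=0
[UFW LIMIT BLOCK] IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:YY:YY:YY:YY:YY:YY:08:00:45:00:00:3c:65:8d:40:00 SRC=203.0.113.7 DST=192.168.2.14 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=25997 DF PROTO=TCP SPT=58972 DPT=18768 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LAN_GATEWAY = ipaddress.ip_address("192.168.2.1")  # router's LAN address (from the question)
LAN_NET = ipaddress.ip_network("192.168.2.0/24")   # assumption: the LAN is a /24
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HEADER_RE = re.compile(r"\[UFW ([A-Z ]+)\] (.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_ufw_line(line):
    """Split one UFW line into (action, fields); bare tokens (DF, SYN) go under 'FLAGS'."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    action, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    fields["FLAGS"] = [tok for tok in rest.split() if "=" not in tok]
    return action, fields

def classify_source(src_text):
    """Label where a blocked SYN appears to come from, as seen by the Pi."""
    src = ipaddress.ip_address(src_text)
    if src == LAN_GATEWAY:
        # The source is the router itself, so the client behind it is not visible
        # in this log; such entries need correlating with the router's own logs.
        return "gateway"
    if src in LAN_NET:
        return "lan"
    return "rfc1918" if any(src in net for net in RFC1918) else "external"

def summarize_blocks(log_text):
    """Count blocked TCP SYNs per (destination port, source class)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_ufw_line(line)
        if parsed is None or "BLOCK" not in parsed[0]:
            continue
        f = parsed[1]
        if f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"]:
            counts[(int(f["DPT"]), classify_source(f["SRC"]))] += 1
    return dict(counts)
```

Feed it the Pi's kernel or ufw.log lines and any "gateway" bucket on the forwarded port 18768 marks entries whose real client address can only be recovered from the router side.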