Hi,
I have been monitoring traffic coming in via the tunnel and am a bit
shocked at how much bogus (?) traffic comes in from non-44 addresses.
I have these rules in my firewall script:
/usr/sbin/iptables -P INPUT DROP
# Drop all traffic coming from Internet addresses via the tunnel to PE1ICQnet, except port 8000:8001 to raspberry pi (Dire Wolf).
/usr/sbin/iptables -A INPUT -i ampr0 -s 44.0.0.0/8 -d 44.137.27.123 -p tcp -m multiport --dport 8000:8001 -j ACCEPT
/usr/sbin/iptables -A INPUT -i ampr0 ! -s 44.0.0.0/8 -d 44.137.27.112/28 -j DROP
When I monitor traffic on the tunnel interface with
tcpdump -i ampr0 -vvn
then I see a lot of traffic like this:
15:47:54.172385 IP (tos 0x0, ttl 51, id 60643, offset 0, flags [none], proto ICMP (1), length 98)
119.206.12.19 > 44.137.27.125: ICMP 119.206.12.19 udp port 53 unreachable, length 78
IP (tos 0x28, ttl 234, id 31771, offset 0, flags [DF], proto UDP (17), length 70)
44.137.27.125.29327 > 119.206.12.19.53: [udp sum ok] 31771+ A? ocektarhe.www.2015yf.com. (42)
Remarkable, because at the moment I do not even have IP address
44.137.27.125 in use on the LAN.
How do I need to interpret the above traffic dump?
Is it because 44.137.27.125 is spoofed?
Is it an attack using bogus domain resolving? (I see a lot of variants
in the 2015yf.com domain)
Basically, my question is, should I worry? ;-)
73 PE1ICQ // Arno
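The record in the post has the classic shape of backscatter: 119.206.12.19 received a UDP datagram to port 53 that claimed to come from 44.137.27.125, had nothing listening there, and sent an ICMP port-unreachable (with the first bytes of the offending datagram quoted inside it) back to the claimed source. The quoted query never left this LAN, so its source address was forged by someone else, and the error lands here because the tunnel routes 44.137.27.112/28 to this site. Note also that tcpdump on ampr0 sees frames before the INPUT chain, so the `! -s 44.0.0.0/8 ... -j DROP` rule above is still discarding them; the capture just shows what arrives. The script below is an added example, not code from the post or from the AMPRnet project: it parses the `tcpdump -vvn` layout shown above, separates ICMP errors that quote a query from an address that is not actually in use (which can only be spoofing) from those that quote an in-use address (which may be a real query to a host with no DNS server), and groups the spoofed ones by queried base domain and by reflector. The first record is the one quoted in the post; the other two are constructed in the same layout, and the `in_use` set and the /28 are taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: the first record is the one quoted in the post; the two
# that follow are made-up records in the same "tcpdump -i ampr0 -vvn" layout
# (203.0.113.7 and 198.51.100.9 are RFC 5737 documentation addresses).
SAMPLE = """\
15:47:54.172385 IP (tos 0x0, ttl 51, id 60643, offset 0, flags [none], proto ICMP (1), length 98)
    119.206.12.19 > 44.137.27.125: ICMP 119.206.12.19 udp port 53 unreachable, length 78
    IP (tos 0x28, ttl 234, id 31771, offset 0, flags [DF], proto UDP (17), length 70)
    44.137.27.125.29327 > 119.206.12.19.53: [udp sum ok] 31771+ A? ocektarhe.www.2015yf.com. (42)
15:47:55.001200 IP (tos 0x0, ttl 48, id 1, offset 0, flags [none], proto ICMP (1), length 99)
    203.0.113.7 > 44.137.27.125: ICMP 203.0.113.7 udp port 53 unreachable, length 79
    IP (tos 0x28, ttl 230, id 2, offset 0, flags [DF], proto UDP (17), length 71)
    44.137.27.125.40001 > 203.0.113.7.53: [udp sum ok] 2+ A? qpwoeiruty.www.2015yf.com. (43)
15:47:56.500000 IP (tos 0x0, ttl 60, id 3, offset 0, flags [none], proto ICMP (1), length 89)
    198.51.100.9 > 44.137.27.123: ICMP 198.51.100.9 udp port 53 unreachable, length 69
    IP (tos 0x0, ttl 240, id 4, offset 0, flags [DF], proto UDP (17), length 61)
    44.137.27.123.51000 > 198.51.100.9.53: [udp sum ok] 4+ A? www.example.org. (33)
"""

IPV4 = r"\d+(?:\.\d+){3}"
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP ")            # start of a record
OUTER_RE = re.compile(                                           # the ICMP error itself
    rf"^\s*(?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP \S+ udp port (?P<port>\d+) unreachable")
INNER_RE = re.compile(                                           # the quoted UDP datagram
    rf"^\s*(?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$")
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \(\d+\)$")  # "A? name. (42)"


def parse_tcpdump(text):
    """Group tcpdump -vvn lines into records and keep the ICMP port-unreachable
    ones that quote a UDP datagram (the DNS backscatter pattern)."""
    groups, current = [], []
    for line in text.splitlines():
        if TS_RE.match(line):          # timestamp line opens a new record
            if current:
                groups.append(current)
            current = [line]
        elif current:
            current.append(line)       # continuation lines belong to it
    if current:
        groups.append(current)

    records = []
    for lines in groups:
        ts = TS_RE.match(lines[0]).group(1)
        outer = inner = None
        for line in lines[1:]:
            m = OUTER_RE.match(line)
            if m and outer is None:
                outer = m
                continue
            m = INNER_RE.match(line)
            if m and inner is None:
                inner = m
        if not (outer and inner):
            continue                   # something else, not an unreachable with a quoted datagram
        q = QUERY_RE.search(inner.group("rest"))
        records.append({
            "ts": ts,
            "reflector": outer.group("src"),     # host that generated the ICMP error
            "victim": outer.group("dst"),        # where the error is delivered (us)
            "inner_src": inner.group("src"),     # address the query claimed to come from
            "inner_sport": int(inner.group("sport")),
            "inner_dst": inner.group("dst"),
            "inner_dport": int(inner.group("dport")),
            "qtype": q.group("qtype") if q else None,
            "qname": q.group("qname") if q else None,
        })
    return records


def classify(rec, local_net, in_use):
    """Heuristic verdict for one quoted datagram."""
    src = ipaddress.ip_address(rec["inner_src"])
    if src not in local_net:
        return "not-ours"                 # error for an address we do not even route
    if str(src) not in in_use:
        return "spoofed-backscatter"      # nobody here could have sent that query
    return "possible-real-query"          # an in-use host may really have asked; check it


def base_domain(qname):
    """Last two labels, so random-subdomain floods collapse onto one key."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(records, local_prefix, in_use):
    local_net = ipaddress.ip_network(local_prefix)
    verdicts, domains, reflectors = Counter(), Counter(), Counter()
    for rec in records:
        v = classify(rec, local_net, in_use)
        verdicts[v] += 1
        if v == "spoofed-backscatter" and rec["qname"]:
            domains[base_domain(rec["qname"])] += 1
            reflectors[rec["reflector"]] += 1
    return {"verdicts": verdicts, "domains": domains, "reflectors": reflectors}


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE)
    report = summarize(recs, "44.137.27.112/28", {"44.137.27.123"})  # assumed in-use set
    for key, counter in report.items():
        print(key, dict(counter))
```

To use it on live traffic, pipe `tcpdump -i ampr0 -vvn -l icmp` into the parser and put the addresses that are really configured on the LAN into the `in_use` set. A high count under `spoofed-backscatter` for one base domain, spread over many reflectors, is the signature of someone forging your addresses as the source of a query flood; the reflectors are not attacking you, and the sensible response is simply to keep dropping the errors, as the existing rule already does.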