Well, when you implement it correctly a dynamic block of incoming scanners
will not block the replies to your own outgoing connections.
First allow ESTABLISHED,RELATED and then block the IPs of detected scanners.
Rob
I was in the process of selecting a netflow viewer -- most of them are
web-based -- when it occured to me that someone using it could discover
every connection that someone has made through the amprgw router.
The flow data records source and destination address and ports, how much
traffic was transferred, the time of day, and how long the connection
lasted. Every flow record is about 50 bytes of data, and there can
easily be a hundred of them per second. In aggregate, it's a lot of data.
And it has privacy implications.
I was originally considering making an interactive netflow inquiry tool
available on the gateways section of the gw.ampr.org website so gateway
operators could see what traffic their AMPRNet router is handling.
But because there's no way to restrict it so that someone could only
view flows involving their own endpoint or subnet, I think it's too
much information to be made freely available for people to browse.
And there is the consideration that inquiries could wind up presenting
a significant load on the system.
I think that presenting anonymized aggregate data wouldn't be a problem,
so I'm going to look into that. Probably some traffic density graphs
would be ok. And I'm willing, once the tools are installed and working,
to make extracts of the data for a gateway operator who is having a
problem with his traffic flow.
What's people's opinion of this?
- Brian
Hi
I was "playing" with my AMPR Router yesterday
I had a open user (on purpose) and saw that from that user few IP (not my ones) were logged in
after some more research i have discovered that this users was opening connections to other hosts ....
That made me suspicious on what going on ....
I have checked one of the IP that was connected and back resolve showed customer.worldstream.nl comming via SSH
I understand something not good happening i have closed this user rebooted the router (to clear the connection )
and then i started to get alot of connections to port 22 to my router from that host
I had to put Firewall rule (drop) for that address and destination port (22)(although im against fire-walling)
After less then 24 hours the traffic stopped from that host the trafic (Via UCSD (Encapped) went down from 19 KBytes/sec to less then 1 Kbyte/sec
now. I know how to deal with the technical aspects (firewall .etc)
What is not understand to me is what is the purpose ... If it is a robot what is the point of fluddling SSH connections is it brute force ? or anything else ? and how come that after 24 hours it stopped it supposed to be endless loop if it is an automated process
Please light my eyes on that if you have more experience then me
currently the router is "quiet" without non wanted users logged in and un necessary connections
I see on the log here and there breake attempt mainly to Ports 23 22 and SIP from various hosts but it is few in a minute
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.orgronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
All,
Consider the following
- a virus, malicious person, or by accident, a source address is set to
8.8.8.8
- you run a port scan to your job, a test IP, etc.
- They have intrusion detection
- They use Google DNS
It seems a DDoS attack could be very easily launched. Perhaps those
folks could sill consider making an ipset of allowed outbound IP addresses.
Also be careful how you block your own rules, an attacker spoofing the
IP of common addresses could cause DoS. If you were attempting to
connect to your IP, a man-in-the-middle attack (or someone who otherwise
learns the destination IP and port) would make it seem as you were
always blocked (but your firewall hits are greater than you expect).
Theres probably common if you change the port and your corporate network
team at work begin to see low bandwidth encrypted links on an unknown port.
73,
-Lynwood
KB3VWG
Marius at al,
I'm wondering if anyone has tried the new feature that sends RIP44. If
so I have a question. If you use the -a, does it remove those routes?
I need to account for this in a script I'm writing depending on if the
downstream device is on a WAN or if they have a private route/connection
between themselves. Since I use policy-based routing, I can keep the
false record for my own subnet on table 44 and encap file; but for
others (and other projects for AMPRNet), I can see this used to be
placed on a second device to provide a real-time looking-glass tool, etc.
- Lynwood
KB3VWG
Hey all, I recently got my gateway and ip block allocations all setup
including the DNS piece thanks to Brian and others.
I've got the tunnel defined on my router. When I run a TCPDUMP on the
physical interface that is hooked up to m169.228.66.251y cable modem, I am
not seeing any traffic from the 169.228.66.251 tunnel endpoint. Nor,
obviously, am I seeing any traffic on my tunnel interface.
How do I troubleshoot this?
Thanks
Craig
KC1ETB
> Do you have a firewall that drops by default?
> On my machine, I have to allow 520/udp from 44.0.0.1 to 520/udp at
> 244.0.0.9.
I have a firewall rule but it remains at zero. It is unclear where this packet
gets lost, when I run "tshark" the RIP transmission is seen, but when I insert
a rule "iptables -I amprinp -p udp -s 44.0.0.1 --dport 520 -j ACCEPT" at the top
of the list (this rule is selected by "iptables -A INPUT -i tunl0 -j amprinp")
it too does not see any traffic.
This worked OK in the past but it has suddenly stopped working some time ago, I
think about two years. That happened when there was a kernel update, no other changes.
Rob
Hello everyone,
I created a new ampr-ripd release according to some wishes of our members.
Changes:
- brought back option -r, to allow using multicast sockets by default
and raw sockets as a backup for systems with multicast issues. This will
hopefully sort out the firewall filtering inability on previous releases
since 1.13.
- added 2 new command line options, -F and -E (capital letters) which
allow the forwarding of raw AMPR-RIP messages on a specific interface
(-F) and optional to a specific address (-E), similar to the -f and -e
options. These RIP messages are raw copies of the incoming ones:
password it there and they appear every 5 minutes and will be missing if
no data arrives from the AMPR gateway.
- added the setting of the proper 44.0.0.1/32 route to conform to the
latest gateway changes.
Download:
http://www.yo2loj.ro/hamprojects/ampr-ripd-2.0.tgzhttp://yo2tm.ampr.org/hamprojects/ampr-ripd-2.0.tgz
Have fun,
Marius, YO2LOJ
> BTW, the encap file does not change much. On average, one line in it
> will change per hour, as a gateway with a dynamic address updates its
> address (and it's often the same gateway flipping between two or three
> addresses), but gateways come and go at a much lower rate -- I'd guess
> one or two a week. So you'd be pretty safe just FTPing and processing
> a new encap file perhaps once a day if it winds up being a chore.
The automation in the classic FTP client is a bit difficult to use, especially
when you want to use it for different sites, but the "wget" and "curl" programs
can easily fetch a fixed file from a fixed server with a fixed user/password
by combining them all into a URL: ftp://user:pass@server.domain/path/to/file
Of course when you fetch and process the file once a day, you will not
be able to use those gateways that change IP address once a day due
to local provider policy. But probably you'll never notice that... :-)
Rob
> I expect you could have more luck by looking in to SLAX scripting as it
> should not be to hard to do this fully from the junos api's
> I did not check this but i don't think the ipip driver would be
> standard.
Well, it is not very straightforward so when it is your first script you
are probably going to have a hard time...
In Linux there is a point-to-multipoint IP tunnel, much as was the case in JNOS
when this whole IPIP mesh was designed. You configure only a single IP
tunneling interface, usually called tunl0, and you put a set of routes in
the route table with the destination subnets, the tunl0 device, and the remote
endpoint of the tunnel as the gateway address. Like this:
44.2.2.0/24 via 216.218.207.198 dev tunl0 onlink
44.2.7.0/30 via 73.185.12.233 dev tunl0 onlink
44.2.10.0/29 via 104.49.12.130 dev tunl0 onlink
The onlink attribute is required to suppress the "gateway not reachable" warning
you would normally get when the gateway is not directly reachable from the system.
With this facility, the updating is relatively easy: just make sure the actual routing
table agrees with the distributed information, by adding and deleting single routes.
Without such point-to-multipoint tunneling, you will have to create a separate
tunnel interface for each gateway, and setup routes to the remote subnets pointing
to the correct gateway tunnel. Remember there are (way) more subnets than gateways,
you need to find the routes with the same remote gateway, and create only a single
tunnel device for those combinations, and point the matching subnet routes to that device.
To obtain the information about the subnets, you either listen to the RIP broadcasts
made by amprgw, or you regularly download the "encap.txt" which has this format:
route addprivate 44.2.2/24 encap 216.218.207.198
route addprivate 44.2.7/30 encap 73.185.12.233
route addprivate 44.2.10/29 encap 104.49.12.130
so you need to parse that and get the subnet and gateway fields from it.
(this format is the commandline format that JNOS used)
There is no separate "list of endpoints" so you have to create that yourself
from that list of routes (take the last field and put it in a list, removing
duplicates).
Now when you have written a script to transform this into commands to create
the proper tunnel devices and add the routes, the real fun begins!
The next time you get the information, you need to check if there are changes.
When there are, there usually will be a change of tunnel endpoint address (for
a gateway that is on a dynamic internet address). You will find several entries
in the information that suddenly have a different next hop address, but of course
they are not grouped together, they are scattered through the lines you received.
You will need to locate the correct tunnel device (which you will need to look up
using the *previous* table of received information) and change its endpoint.
But, there are other possibilities, ocurring less often: a subnet could have been
added or removed from a gateway (and maybe moved to another), a new gateway can be
added, or a gateway can be removed (with all its subnets).
And of course, combinations of the above, e.g. a gateway has its endpoint address
changed and at the same time adds or deletes a subnet.
That is probably a rare occurrence, but it should not cause disaster (like a crash).
Of course you could simplify things by just deleting everything (routes and devices)
and rebuilding it from zero whenever there is some change. But that could cause
brief interruptions of the routing and/or high load on the CPU.
Sure, it can be done. But for someone who is not experienced in programming in
general, and has to learn the scripting language for the particular platform as
well, it will be tough.
I would certainly advise to look at Marius' script for MikroTik, as it of course
has the algorithms described above. It would have to be rewritten in a different
language and the constructs to add/delete tunnel devices and routes will have to
be changed.
Rob
