44net July 2017

44net@mailman.ampr.org

20 participants
27 discussions

Re: [44net] gw.ampr.org from tunnel system
by Rob Janssen 12 Jul '17

12 Jul '17

> Rob, it looks like the problem might be nearer to you... > Interestingly, when I traceroute to 44.137.40.2 with 169.228.34.84 as > the source address, I get: > ... That is normal, it will be routed over internet to our BGP subnet 44.137.0.0/16 which is via that gw-44-137 which then forwards it to 44.137.40.2 over IPIP. However, 44.137.40.2 does not reply to pings from internet. > When I repeat that traceroute with 44.0.0.1 as the source address, > it gets nearly as far, but not quite: > ... That is strange. Don't you have a route to 44.137.40.2 in your encap table? I would expect you to send it into an IPIP tunnel direct to that system. Or is there some magic in amprgw that makes it ignore IPIP tunnels within BGP routed subnets? That would cause this to fail... > I can ping 213.222.29.194 from 169.228.34.84, but not from > 44.0.0.1. But you can ping 44.137.0.1 (the amprnet address of that same system) from 44.0.0.1 ? > It looks, at first glance, like there's a 44 path problem in > 213.222.29.194. When you route back to 44.137.40.2 via 213.222.29.194 it is explained, because that system has a stateful firewall that does not expect replies to traffic that has not gone out via that same system. Rob

2 1

Re: [44net] gw.ampr.org from tunnel system
by Rob Janssen 12 Jul '17

12 Jul '17

> I thought those problems were fixed as well, or I would not have changed > the submission address. I am not aware of any changes that would have > affected the connectivity of 44.0.0.1. It should be working. > More details might be helpful, such as the actual IP addresses involved, > or perhaps traceroutes showing where the routing stops working. Yes, I think it worked but likely that was on the previous gateway. The system is 44.137.40.2 (89.18.172.156) The route is: 44.0.0.1 via 169.228.34.84 dev tunl0 proto ampr-ripd onlink A traceroute immediately fails. (only stars) tshark dump of a "ping" (looks OK): Internet Protocol Version 4, Src: 89.18.172.156 (89.18.172.156), Dst: 169.228.34.84 (169.228.34.84) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 104 Identification: 0x949e (38046) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: IPIP (4) Header checksum: 0xd40c [validation disabled] [Good: False] [Bad: False] Source: 89.18.172.156 (89.18.172.156) Destination: 169.228.34.84 (169.228.34.84) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Internet Protocol Version 4, Src: 44.137.40.2 (44.137.40.2), Dst: 44.0.0.1 (44.0.0.1) Version: 4 Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) Total Length: 84 Identification: 0x8f7f (36735) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: ICMP (1) Header checksum: 0x2a9e [validation disabled] [Good: False] [Bad: False] Source: 44.137.40.2 (44.137.40.2) Destination: 44.0.0.1 (44.0.0.1) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Internet Control Message Protocol Type: 8 (Echo (ping) request) Code: 0 Checksum: 0xbba6 [correct] Identifier (BE): 23938 (0x5d82) Identifier (LE): 33373 (0x825d) Sequence number (BE): 1 (0x0001) Sequence number (LE): 256 (0x0100) Timestamp from icmp data: Jul 12, 2017 20:30:58.200360000 CEST [Timestamp from icmp data (relative): 0.000371000 seconds] Data (48 bytes) 0000 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 ................ 0010 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 ........ !"#$%&' 0020 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 ()*+,-./01234567 Data: 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f... [Length: 48] This system has our own gateway 213.222.29.194 as its default tunnel route but otherwise it is a standard ampr-ripd setup with 2 route tables. Rob

2 1

gw.ampr.org from tunnel system
by Rob Janssen 12 Jul '17

12 Jul '17

Recently I saw a header in the DNS robot reply mails that the mail address has changes and the update mails now have to be sent @gw.ampr.org. I changed that in my script, but then I noticed that my system on the IPIP tunnel network cannot send mail there. Of course gw.ampr.org is 44.0.0.1 and there have been issues with reaching that from the IPIP gateway systems, but I thought those were fixed. I have changed my mail config to send the mail via my ISP smarthost and that works, but what is the status on this? Is it supposed to be working, does it work for others? It only affects my gateway on the IPIP tunnel network. From the BGP routed gateway and the radio-connected systems here in the Netherlands there is no problem, and neither from normal internet addresses. Rob

3 2

misconfigured gateways
by Brian Kantor 07 Jul '17

07 Jul '17

In general, all encapsulated packets sent to the amprgw router for decapsulation and forwarding should have inner source addresses on the 44.0.0.0/8 network, since they are being originated by hosts on that network. The owners of the following gateways should contact me or consult the error listing in the /private/pkterrors.txt file regarding misconfiguration of their gateway routing rules which is leading to the sending of packets to amprgw which have a non-44 inner source address. These packets are being discarded by the gateway router, so they're not being delivered anywhere. This could be caused by an erroneous default route pointing at amprgw. Probably you shouldn't have one of those. This isn't causing any harm, but it's not doing any good either. - Brian VE3CGG 24.55.194.111 KE5MKM 98.6.215.34 EB1AJP 188.82.69.230 VE2HOM 206.80.251.222

1 0

Re: [44net] Traceroute storm
by Rob Janssen 03 Jul '17

03 Jul '17

> For several hours now, amprgw has been seeing a storm of traceroutes from > hundreds of different source addresses. It looks like a botnet has been > activated to probe net 44 using short-TTL packets like traceroute. > In reaction to this, I've temporarily set the gateway to discard any > packet with a TTL of less than 30. (The TTL is decremented by one when > the packet is forwarded; normally, of course, only packets with a TTL > value of zero are discarded.) Interesting... is it real traceroute traffic (to UDP port 33434 and higher) or is it different? I have had this rule (with TTL limit 16 and only for UDP 33434-33499) on our gateway for quite some time and I do not see many hits on it. Maybe the traffic is different. I do not observe increased input traffic. Rob

5 6

Re: [44net] Traceroute storm
by Rob Janssen 03 Jul '17

03 Jul '17

> However, there's quite a bit more insidious kind of traffic. The Nagra > people (Kudelski Switzerland) are probing our network with false > NTP packets from the subnet 185.35.62.0/23. The comment in the RIPE > database is > inetnum: 185.35.62.0 - 185.35.63.255 > descr: This IP network is used for Internet security research. Internet-scale port scanning activities are launched from this network. Don't hesitate to contactportscan at nagra.com <http://hamradio.ucsd.edu/mailman/listinfo/44net> would you have any question. > I've added that subnet to the "security research" blocking list here. > Seems it's a never-ending battle. It sure is. 185.35.60.0/22 was already in the blocklist here, I have seen "research" traffic from the bottom half of that network as well. Rob

1 0

Traceroute storm
by Brian Kantor 03 Jul '17

03 Jul '17

For several hours now, amprgw has been seeing a storm of traceroutes from hundreds of different source addresses. It looks like a botnet has been activated to probe net 44 using short-TTL packets like traceroute. In reaction to this, I've temporarily set the gateway to discard any packet with a TTL of less than 30. (The TTL is decremented by one when the packet is forwarded; normally, of course, only packets with a TTL value of zero are discarded.) This will not affect normal traffic, most of which has TTL values in the 40 to 64 range, but will throw away the short TTL packets used by traceroute. If you have problems with some site suddenly timing out instead of its normal reachability, let me know and I'll re-enable the normal TTL processing. In that case, we'll have to find some other way to cope with the storm of traceroutes. - Brian

2 1

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net July 2017