> Rob, it looks like the problem might be nearer to you...
> Interestingly, when I traceroute to 44.137.40.2 with 169.228.34.84 as
> the source address, I get:
> ...
That is normal, it will be routed over internet to our BGP subnet 44.137.0.0/16
which is via that gw-44-137 which then forwards it to 44.137.40.2 over IPIP.
However, 44.137.40.2 does not reply to pings from internet.
> When I repeat that traceroute with 44.0.0.1 as the source address,
> it gets nearly as far, but not quite:
> ...
That is strange. Don't you have a route to 44.137.40.2 in your encap table?
I would expect you to send it into an IPIP tunnel direct to that system.
Or is there some magic in amprgw that makes it ignore IPIP tunnels within BGP
routed subnets? That would cause this to fail...
> I can ping 213.222.29.194 from 169.228.34.84, but not from
> 44.0.0.1.
But you can ping 44.137.0.1 (the amprnet address of that same system) from 44.0.0.1 ?
> It looks, at first glance, like there's a 44 path problem in
> 213.222.29.194.
When you route back to 44.137.40.2 via 213.222.29.194 it is explained, because that
system has a stateful firewall that does not expect replies to traffic that has not
gone out via that same system.
Rob
> I thought those problems were fixed as well, or I would not have changed
> the submission address. I am not aware of any changes that would have
> affected the connectivity of 44.0.0.1. It should be working.
> More details might be helpful, such as the actual IP addresses involved,
> or perhaps traceroutes showing where the routing stops working.
Yes, I think it worked but likely that was on the previous gateway.
The system is 44.137.40.2 (89.18.172.156)
The route is:
44.0.0.1 via 169.228.34.84 dev tunl0 proto ampr-ripd onlink
A traceroute immediately fails. (only stars)
tshark dump of a "ping" (looks OK):
Internet Protocol Version 4, Src: 89.18.172.156 (89.18.172.156), Dst: 169.228.34.84 (169.228.34.84)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 104
Identification: 0x949e (38046)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: IPIP (4)
Header checksum: 0xd40c [validation disabled]
[Good: False]
[Bad: False]
Source: 89.18.172.156 (89.18.172.156)
Destination: 169.228.34.84 (169.228.34.84)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Protocol Version 4, Src: 44.137.40.2 (44.137.40.2), Dst: 44.0.0.1 (44.0.0.1)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 84
Identification: 0x8f7f (36735)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (1)
Header checksum: 0x2a9e [validation disabled]
[Good: False]
[Bad: False]
Source: 44.137.40.2 (44.137.40.2)
Destination: 44.0.0.1 (44.0.0.1)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xbba6 [correct]
Identifier (BE): 23938 (0x5d82)
Identifier (LE): 33373 (0x825d)
Sequence number (BE): 1 (0x0001)
Sequence number (LE): 256 (0x0100)
Timestamp from icmp data: Jul 12, 2017 20:30:58.200360000 CEST
[Timestamp from icmp data (relative): 0.000371000 seconds]
Data (48 bytes)
0000 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 ................
0010 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 ........ !"#$%&'
0020 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 ()*+,-./01234567
Data: 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f...
[Length: 48]
This system has our own gateway 213.222.29.194 as its default tunnel route
but otherwise it is a standard ampr-ripd setup with 2 route tables.
Rob
Recently I saw a header in the DNS robot reply mails that the mail address has changes and the
update mails now have to be sent @gw.ampr.org. I changed that in my script, but then I noticed
that my system on the IPIP tunnel network cannot send mail there. Of course gw.ampr.org is 44.0.0.1
and there have been issues with reaching that from the IPIP gateway systems, but I thought those were
fixed.
I have changed my mail config to send the mail via my ISP smarthost and that works, but what is the
status on this? Is it supposed to be working, does it work for others?
It only affects my gateway on the IPIP tunnel network. From the BGP routed gateway and the radio-connected
systems here in the Netherlands there is no problem, and neither from normal internet addresses.
Rob
In general, all encapsulated packets sent to the amprgw router for
decapsulation and forwarding should have inner source addresses on the
44.0.0.0/8 network, since they are being originated by hosts on that
network.
The owners of the following gateways should contact me or consult
the error listing in the /private/pkterrors.txt file regarding
misconfiguration of their gateway routing rules which is leading to the
sending of packets to amprgw which have a non-44 inner source address.
These packets are being discarded by the gateway router, so they're not
being delivered anywhere. This could be caused by an erroneous default
route pointing at amprgw. Probably you shouldn't have one of those.
This isn't causing any harm, but it's not doing any good either.
- Brian
VE3CGG 24.55.194.111
KE5MKM 98.6.215.34
EB1AJP 188.82.69.230
VE2HOM 206.80.251.222
> For several hours now, amprgw has been seeing a storm of traceroutes from
> hundreds of different source addresses. It looks like a botnet has been
> activated to probe net 44 using short-TTL packets like traceroute.
> In reaction to this, I've temporarily set the gateway to discard any
> packet with a TTL of less than 30. (The TTL is decremented by one when
> the packet is forwarded; normally, of course, only packets with a TTL
> value of zero are discarded.)
Interesting... is it real traceroute traffic (to UDP port 33434 and higher)
or is it different?
I have had this rule (with TTL limit 16 and only for UDP 33434-33499) on our
gateway for quite some time and I do not see many hits on it.
Maybe the traffic is different. I do not observe increased input traffic.
Rob
> However, there's quite a bit more insidious kind of traffic. The Nagra
> people (Kudelski Switzerland) are probing our network with false
> NTP packets from the subnet 185.35.62.0/23. The comment in the RIPE
> database is
> inetnum: 185.35.62.0 - 185.35.63.255
> descr: This IP network is used for Internet security research. Internet-scale port scanning activities are launched from this network. Don't hesitate to contactportscan at nagra.com <http://hamradio.ucsd.edu/mailman/listinfo/44net> would you have any question.
> I've added that subnet to the "security research" blocking list here.
> Seems it's a never-ending battle.
It sure is. 185.35.60.0/22 was already in the blocklist here, I have seen
"research" traffic from the bottom half of that network as well.
Rob
For several hours now, amprgw has been seeing a storm of traceroutes from
hundreds of different source addresses. It looks like a botnet has been
activated to probe net 44 using short-TTL packets like traceroute.
In reaction to this, I've temporarily set the gateway to discard any
packet with a TTL of less than 30. (The TTL is decremented by one when
the packet is forwarded; normally, of course, only packets with a TTL
value of zero are discarded.)
This will not affect normal traffic, most of which has TTL values in
the 40 to 64 range, but will throw away the short TTL packets used
by traceroute.
If you have problems with some site suddenly timing out instead of
its normal reachability, let me know and I'll re-enable the normal TTL
processing. In that case, we'll have to find some other way to cope
with the storm of traceroutes.
- Brian
