44net

44net@mailman.ampr.org

3194 discussions

Re: [44net] SYN Flood, etc.
by Rob Janssen 27 Jun '17

27 Jun '17

> Further inspecting the firewall, only 5 packets in over 20,000 were > dropped. Perhaps the SYN Flood setting is too sensitive for a series of > multiple DNS queries at the same time. I sometimes see mis-detections of floods on TCP port 53 too. The resolver has to open a separate connection for each request once it has to use TCP mode. Due to the increased use of DNSSEC this happens more often than in the past. Rob

1 0

Re: [44net] SYN Flood, etc.
by Rob Janssen 27 Jun '17

27 Jun '17

> I'll be closing TCP/53 to the Internet - NOW. You need to close UDP/53 as well! It is widely abused for DDoS amplification, you really should not offer DNS service on internet unless you have modern software to do rate limiting etc. Look at the poor souls who make a change to their MikroTik router (usually configuring it for PPPoE according to the directions they find on Youtube instead of according to the manual) and mistakenly open their DNS resolver on internet... they end up being abused as DDoS amplifier/reflector all the time. We run a slave DNS server for AMPRnet as well, but: only on the 44 network. Rob

2 2

Re: [44net] SYN Flood, etc.
by Rob Janssen 27 Jun '17

27 Jun '17

> - The only tcp/53 I have open is AMPR DNS (most connections are coming from 104.236.176.72) Those are on my list of scanners/blackhats. The name "stretchoid.com" is already indicative of what they do. However, as Brian Kantor also wrote, it is a really bad idea to run a DNS server on an internet-facing interface. Keep it accessible only from the amprnet side. Rob

2 1

SYN Flood, etc.
by lleachii＠aol.com 27 Jun '17

27 Jun '17

All, I looked at my router's system log and noticed two interesting messages: > [ 272.794578] conntrack: generic helper won't handle protocol 47. > Please consider loading the specific helper module. > [367924.542265] TCP: request_sock_TCP: Possible SYN flooding on port > 53. Sending cookies. Check SNMP counters. I realized I'm currently under a "small" attack. About 2 p.p.s. are causing my SYN_Flood rules to hit. What's interesting is: - I don't run any GRE tunnels (most of the Protocol 47 packets are coming from China) - The only tcp/53 I have open is AMPR DNS (most connections are coming from 104.236.176.72) Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG. from me? 73, - Lynwood KB3VWG

3 3

Money for Wireless Research
by Brian Kantor 27 Jun '17

27 Jun '17

The National Science Foundation and Mozilla are sponsoring an initiative to bypass the wired web to bring additional people online and to provide survivability in times of disaster. Sound familiar? Seems we're already doing some of that; perhaps some of us should apply for some of the grant money to spice things up. > https://blog.mozilla.org/blog/2017/06/21/2-million-prize-decentralize-web-a… - Brian

4 3

Re: [44net] Money for Wireless Research
by Rob Janssen 25 Jun '17

25 Jun '17

Decentralize the web is indeed what we have always been doing. Probably because we started in the times when the internet was still very decentralized and all communication was peer-to-peer. Lately, internet has been transformed into a client-server network much like the telephone BBS world was in those days: there are users, they connect to some server where all they want to have can be found and stored. This is also a reason why IPv6 has not really taken off. The design principle behind IPv6, to have enough addresses to assign one to every device and have all of those devices communicate peer-to-peer, has largely been abandoned on the internet. There is no reason anymore to have a different address for every device. In fact, now that we have the AMPRnet coming alive again here, many of the users are so accustomed to this way of working that they implement it on their ham network as well: everything NATted behind a single IP address. Even though they can just apply for a subnet large enough for their shack. Maybe we should invest in explaining the difference between our network and the internet as it is used today, and how this change on internet came about. It could help people think different. Rob

1 0

FYI Map progress
by Marius Petrescu 23 Jun '17

23 Jun '17

FYI: I added some click response stuff to your dots on the map... http://yo2tm.ampr.org/ampr-map/

6 10

Is Your wireless router (or access point) breakable ?
by R P 22 Jun '17

22 Jun '17

It might interest some of us ... https://qz.com/1008273/complete-list-of-wifi-routers-included-in-wikileaks-… [https://qzprod.files.wordpress.com/2017/06/screen-shot-2017-06-16-at-3-49-4…]<https://qz.com/1008273/complete-list-of-wifi-routers-included-in-wikileaks-…> If your home wifi router is on this list, it might be vulnerable to CIA hacking tools<https://qz.com/1008273/complete-list-of-wifi-routers-included-in-wikileaks-…> qz.com The collection of tools can be used to monitor internet activity

1 0

Re: [44net] www.ampr.org Not responding ?
by Rob Janssen 21 Jun '17

21 Jun '17

> I don't think this would be wise because then the DDoS'ers would > be targeting the 44-net address as well, thus impacting that router. > - Brian Is it now running on a machine at home on some private DSL line? (as the whois for the IP suggests) In that case it should be possible to make it a little more resistant against this kind of malevolents... (not that I volunteer to host it on our internet connection, we have DDoS experience as well...) Is there any indication who is behind this? Is there any activity on that system that could grief someone or some group? Any message telling what has to be stopped or done? Rob

2 1

Re: [44net] www.ampr.org Not responding ?
by Steve L 21 Jun '17

21 Jun '17

Probably more denial of service stuff going on. I know www.ampr.org and portal.ampr.org are not on 44net space, but I wonder if there would be a possible advantage to being accessible both from the normal internet and via a private 44 route. In DDoS cases maybe things could be as normal for connects within the network? That is the same thought I had to the login required for the gw.ampr.org stats. Maybe their could be no login required within the network to view? Just some thinking out loud.

3 2

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net