All,
I looked at my router's system log and noticed two interesting messages:
> [ 272.794578] conntrack: generic helper won't handle protocol 47.
> Please consider loading the specific helper module.
> [367924.542265] TCP: request_sock_TCP: Possible SYN flooding on port
> 53. Sending cookies. Check SNMP counters.
I realized I'm currently under a "small" attack. About 2 p.p.s. are
causing my SYN_Flood rules to hit. What's interesting is:
- I don't run any GRE tunnels (most of the Protocol 47 packets are
coming from China)
- The only tcp/53 I have open is AMPR DNS (most connections are coming
from 104.236.176.72)
Does anyone currently use tcp AXFR to copy 44.IN-ADDR.ARPA. or AMPR.ORG.
from me?
73,
- Lynwood
KB3VWG
The National Science Foundation and Mozilla are sponsoring an
initiative to bypass the wired web to bring additional people
online and to provide survivability in times of disaster.
Sound familiar? Seems we're already doing some of that; perhaps
some of us should apply for some of the grant money to spice things up.
> https://blog.mozilla.org/blog/2017/06/21/2-million-prize-decentralize-web-a…
- Brian
Decentralize the web is indeed what we have always been doing. Probably because we started in the
times when the internet was still very decentralized and all communication was peer-to-peer.
Lately, internet has been transformed into a client-server network much like the telephone BBS world
was in those days: there are users, they connect to some server where all they want to have can be
found and stored.
This is also a reason why IPv6 has not really taken off. The design principle behind IPv6, to have enough
addresses to assign one to every device and have all of those devices communicate peer-to-peer, has
largely been abandoned on the internet. There is no reason anymore to have a different address for
every device.
In fact, now that we have the AMPRnet coming alive again here, many of the users are so accustomed
to this way of working that they implement it on their ham network as well: everything NATted behind a
single IP address. Even though they can just apply for a subnet large enough for their shack.
Maybe we should invest in explaining the difference between our network and the internet as it is used
today, and how this change on internet came about. It could help people think different.
Rob
> I don't think this would be wise because then the DDoS'ers would
> be targeting the 44-net address as well, thus impacting that router.
> - Brian
Is it now running on a machine at home on some private DSL line? (as the whois for the IP suggests)
In that case it should be possible to make it a little more resistant against this kind of malevolents...
(not that I volunteer to host it on our internet connection, we have DDoS experience as well...)
Is there any indication who is behind this? Is there any activity on that system that could grief
someone or some group? Any message telling what has to be stopped or done?
Rob
Probably more denial of service stuff going on.
I know www.ampr.org and portal.ampr.org are not on 44net space, but I
wonder if there would be a possible advantage to being accessible both
from the normal internet and via a private 44 route. In DDoS cases
maybe things could be as normal for connects within the network?
That is the same thought I had to the login required for the
gw.ampr.org stats. Maybe their could be no login required within the
network to view?
Just some thinking out loud.
Is www.ampr.org<http://www.ampr.org> working ?
Is it accessible from NON 44 IP
if answers are Yes to all I cant contact it
Ronen - 4Z4ZQ
Amateur Radio Digital Communications | Managing the ...<http://www.ampr.org/>
www.ampr.org
Looking for technical information or how to get a subnet allocation? Be sure to visit our WIKI, and interact with us on the Portal. You may join our discussion ...
Hi All.
Apologies for sending this to the list, but I've discovered I haven't
got valid email addresses for everyone that connects to my system.
After switching from ADSL to the Australian national broadband network
the IP address my system was allocated for the last 10 years had to
change: For those who may have been connecting to FBB or AXIP/UDP
directly to my commercial IP address, please change your configuration
From: 203.59.134.49
To: 203.59.7.248
The IPIP gateway IP has already been changed and
vk6hgr.ampr.org/44.136.204.77 should be reachable.
73, Gavin
--
Gavin Rogers | Amateur radio station VK6HGR
http://www.livingwaters.com/good | http://vk6hgr.ampr.org/
MSN/Skype/Email: grogers(a)vk6hgr.echidna.id.au
As Marius said, there is no plug and play / universal setup, which I
believe is good. Yes its frustrating at first, but when you do get it
going at least you can say you learned something.
Everyones setup will be different, as is their understanding of Linux
and networking.
I remember looking at the same wiki page quite some time back, and I
was stumped at almost the very first step
> ip link set dev ampr0 up
I'd get no such device returned as an error. I discovered the ampr0
naming convention wasn't liked by my flavor of Linux, it pretty much
had to be tunl0 for me.
And from there many more things that took my mind quite a while to
understand, specifically with the need for policy routing etc.
This is what I wrote after I had it working. An explanation that made
sense to me. And I have tried to keep it to date in a minimal fashion
to help others.
http://www.qsl.net/k/kb9mwr//wapr/tcpip/ampr-ripd.html
I have since done things differently. Rather than adding a USB
network eth1, I use VLAN tags and a switch. And I never did really
document the firewall stuff, which I do now as well.
Start small and work up from there is my suggestion. I always
recommend starting by installing tcpdump and connecting directly to
your modem (in a bridged mode if needed), and verifying the RIP
traffic. From there you can see if your equipment can forward
protocol 4 or DMZ correctly to whatever your gateway machine will be.
Steve, KB9MWR
