I got to thinking about Ronen's question as to how to find non-functional
gateway, and I've come up with a scheme.
I've added code to the rip sender that watches for ICMP unreachable
packets coming back to amprgw during the rip sending cycle, which repeats
every 5 minutes.
If an ICMP unreachable packet is received, the matching gateway is
removed from that cycle, so with luck (if the unreachables get here
quickly enough) we'll only send one or two packets to a gateway that's
not reachable.
The time and gateway address are logged; some future process should be
able to analyze this log and do something about the gateway if it's out
of service long enough. (What it will do about it isn't exactly clear
right now.)
This doesn't seem to have slowed down the rip sender much if at all.
- Brian
> That's actually a limitation on how multicast works. In usual
> circumstances, a router does not listen to multicasts not originating
> from the subnet its interface is connected to.
Could that be the reason why ampr-ripd multicast mode does not work for me?
I always put the local address /32 on the tunnel interface. Maybe it would
work when that is changed to /8 ?
Rob
> I'm curious, what Router OS are you using?
Debian Wheezy with backport kernel 3.16
Also Raspbian Wheezy with kernel 4.1.19+
Well, it probably is some setting. It has worked before but lately I
have not seen any RIP packet in the iptables counters, even though I see
them with tshark.
Now I just use -r and that works. Not worth to spend effort on.
Rob
Hi there
I understand that two ways optional to send RIP info
1) multicast (what now is operative)
2) direct transfer
The multicast require that both interfaces AMPRGW and the ham gateway will have same netmask (in our case /8)
is it the same with the direct transmit ?
If yes why the multicast way was chosen ? what is the benefit ?
Thanks for any info on the subject
Ronen - 4Z4ZQ
Well, when you implement it correctly a dynamic block of incoming scanners
will not block the replies to your own outgoing connections.
First allow ESTABLISHED,RELATED and then block the IPs of detected scanners.
Rob
I was in the process of selecting a netflow viewer -- most of them are
web-based -- when it occured to me that someone using it could discover
every connection that someone has made through the amprgw router.
The flow data records source and destination address and ports, how much
traffic was transferred, the time of day, and how long the connection
lasted. Every flow record is about 50 bytes of data, and there can
easily be a hundred of them per second. In aggregate, it's a lot of data.
And it has privacy implications.
I was originally considering making an interactive netflow inquiry tool
available on the gateways section of the gw.ampr.org website so gateway
operators could see what traffic their AMPRNet router is handling.
But because there's no way to restrict it so that someone could only
view flows involving their own endpoint or subnet, I think it's too
much information to be made freely available for people to browse.
And there is the consideration that inquiries could wind up presenting
a significant load on the system.
I think that presenting anonymized aggregate data wouldn't be a problem,
so I'm going to look into that. Probably some traffic density graphs
would be ok. And I'm willing, once the tools are installed and working,
to make extracts of the data for a gateway operator who is having a
problem with his traffic flow.
What's people's opinion of this?
- Brian
Hi
I was "playing" with my AMPR Router yesterday
I had a open user (on purpose) and saw that from that user few IP (not my ones) were logged in
after some more research i have discovered that this users was opening connections to other hosts ....
That made me suspicious on what going on ....
I have checked one of the IP that was connected and back resolve showed customer.worldstream.nl comming via SSH
I understand something not good happening i have closed this user rebooted the router (to clear the connection )
and then i started to get alot of connections to port 22 to my router from that host
I had to put Firewall rule (drop) for that address and destination port (22)(although im against fire-walling)
After less then 24 hours the traffic stopped from that host the trafic (Via UCSD (Encapped) went down from 19 KBytes/sec to less then 1 Kbyte/sec
now. I know how to deal with the technical aspects (firewall .etc)
What is not understand to me is what is the purpose ... If it is a robot what is the point of fluddling SSH connections is it brute force ? or anything else ? and how come that after 24 hours it stopped it supposed to be endless loop if it is an automated process
Please light my eyes on that if you have more experience then me
currently the router is "quiet" without non wanted users logged in and un necessary connections
I see on the log here and there breake attempt mainly to Ports 23 22 and SIP from various hosts but it is few in a minute
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.orgronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
All,
Consider the following
- a virus, malicious person, or by accident, a source address is set to
8.8.8.8
- you run a port scan to your job, a test IP, etc.
- They have intrusion detection
- They use Google DNS
It seems a DDoS attack could be very easily launched. Perhaps those
folks could sill consider making an ipset of allowed outbound IP addresses.
Also be careful how you block your own rules, an attacker spoofing the
IP of common addresses could cause DoS. If you were attempting to
connect to your IP, a man-in-the-middle attack (or someone who otherwise
learns the destination IP and port) would make it seem as you were
always blocked (but your firewall hits are greater than you expect).
Theres probably common if you change the port and your corporate network
team at work begin to see low bandwidth encrypted links on an unknown port.
73,
-Lynwood
KB3VWG
Marius at al,
I'm wondering if anyone has tried the new feature that sends RIP44. If
so I have a question. If you use the -a, does it remove those routes?
I need to account for this in a script I'm writing depending on if the
downstream device is on a WAN or if they have a private route/connection
between themselves. Since I use policy-based routing, I can keep the
false record for my own subnet on table 44 and encap file; but for
others (and other projects for AMPRNet), I can see this used to be
placed on a second device to provide a real-time looking-glass tool, etc.
- Lynwood
KB3VWG
Hey all, I recently got my gateway and ip block allocations all setup
including the DNS piece thanks to Brian and others.
I've got the tunnel defined on my router. When I run a TCPDUMP on the
physical interface that is hooked up to m169.228.66.251y cable modem, I am
not seeing any traffic from the 169.228.66.251 tunnel endpoint. Nor,
obviously, am I seeing any traffic on my tunnel interface.
How do I troubleshoot this?
Thanks
Craig
KC1ETB
