I got curious about what all the inbound traffic we're
experiencing (and mostly rejecting) was all about. Here's
a very elementary breakdown of a one minute sample of
what I saw on the inbound Ethernet:
22434704 packets read from savefile
344 non-IP packets discarded
proto 1 (ICMP) count 87478
proto 2 count 14
proto 4 (IPIP) count 26162
proto 6 (TCP) count 20467723
proto 17 (UDP) count 1829610
proto 41 count 330
proto 47 (GRE) count 23041
proto 103 count 2
I'll do some additional analysis when I have time.
- Brian
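The breakdown above is the kind of output a per-protocol counter over a tcpdump savefile produces. The script below is an added example, not Brian's tool: it walks a classic (non-pcapng) Ethernet savefile with only the standard library and prints the same shape of report. The sample capture it falls back on is constructed in memory, so it runs offline; pass the path of a real savefile (e.g. one written with tcpdump -w) to count that instead.

```python
# Added example (not the list poster's tool): count the packets in a classic
# pcap savefile by IP protocol number, producing a breakdown in the same shape
# as the one-minute sample above.  Assumes an Ethernet (LINKTYPE 1) savefile;
# the sample capture below is constructed in memory so it runs offline.
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
# Names used in the breakdown above for the protocol numbers it lists
PROTO_NAMES = {1: "ICMP", 4: "IPIP", 6: "TCP", 17: "UDP", 47: "GRE"}


def pcap_records(data: bytes):
    """Yield each captured frame from a classic (non-pcapng) savefile."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap savefile")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet savefiles are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def count_protocols(data: bytes):
    """Return (total, discarded, Counter{ip_proto: n}) for the savefile."""
    total = discarded = 0
    counts = Counter()
    for frame in pcap_records(data):
        total += 1
        # Anything that is not an IPv4 frame with a complete header is discarded,
        # mirroring the "non-IP packets discarded" line above.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            discarded += 1
            continue
        counts[frame[14 + 9]] += 1      # IPv4 protocol field is byte 9 of the IP header
    return total, discarded, counts


def report(data: bytes):
    """Render the breakdown as lines of text."""
    total, discarded, counts = count_protocols(data)
    lines = [f"{total} packets read from savefile",
             f"{discarded} non-IP packets discarded"]
    for proto in sorted(counts):
        name = f" ({PROTO_NAMES[proto]})" if proto in PROTO_NAMES else ""
        lines.append(f"proto {proto}{name} count {counts[proto]}")
    return lines


# --- constructed sample capture (not real traffic) ---
def build_frame(proto: int) -> bytes:
    """Ethernet + minimal IPv4 header carrying the given protocol number."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return eth + ip


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap savefile."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


ARP_FRAME = bytes(12) + struct.pack("!H", 0x0806) + bytes(28)   # non-IP frame
SAMPLE_PCAP = build_pcap([build_frame(6)] * 5 + [build_frame(17)] * 3
                         + [build_frame(4)] * 2 + [build_frame(47)] + [ARP_FRAME])

if __name__ == "__main__":
    # Pass a real savefile path or run without arguments to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("\n".join(report(data)))
```

Note that native IPv6 frames (ethertype 0x86DD) land in the "discarded" line with this logic, while protocol 41 in the breakdown is IPv6 carried inside IPv4; the two are different things and the counter keeps them apart.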
> I suspected at some point that there is a network using 44 addresses
> internally, had some leaks on them and that the garbage (DNS replies,
> ICMP rejects, IP fragments and such stuff) were the replies from hosts on
> the internet receiving that traffic and sending replies back via the
> ampr-gw.
I think that is not a legitimate use but an attack group that spoofs sender
addresses when sending their attacks and they use net-44 addresses as well.
To have that go down, more ISPs should implement BCP38 (source address filtering).
Unfortunately, there is little incentive for ISPs to do that, because it benefits
only others and not themselves.
Rob
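What BCP38 (source address filtering) amounts to, as an added illustration that is not from the thread: on each customer-facing ingress interface, accept a packet only when its source address lies inside a prefix assigned to that customer, and drop the rest. The interface names, prefixes and packets below are constructed placeholders (TEST-NET ranges and made-up net-44 hosts), not real allocations; the function names are this example's own.

```python
# Added example (not from the thread): a model of the BCP38 ingress check Rob
# refers to.  On a customer-facing interface an ISP accepts a packet only if its
# source address falls inside a prefix assigned to that customer; everything
# else carries a spoofed source and is dropped.  All interface names, prefixes
# and packets here are constructed placeholders, not real allocations.
import ipaddress
from typing import Dict, List, Tuple

# Prefixes legitimately sourced behind each customer-facing interface (constructed)
INGRESS_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/25")],
}
NET44 = ipaddress.ip_network("44.0.0.0/8")      # AMPRnet, the space being spoofed above


def bcp38_allows(interface: str, src: str) -> bool:
    """True if src is a legitimate source for this ingress interface; unknown interfaces deny."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_PREFIXES.get(interface, []))


def filter_packets(packets: List[Tuple[str, str, str]]):
    """Split (interface, src, dst) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (accepted if bcp38_allows(iface, src) else dropped).append(pkt)
    return accepted, dropped


def spoofed_net44(dropped) -> List[Tuple[str, str, str]]:
    """Dropped packets claiming a net-44 source: without the filter, the replies
    to these would have been delivered towards amprgw."""
    return [p for p in dropped if ipaddress.ip_address(p[1]) in NET44]


# Constructed sample of packets arriving on customer ports (not real traffic)
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.7", "192.0.2.10"),     # legitimate
    ("cust-a", "44.127.1.2", "192.0.2.53"),       # spoofed net-44 source -> drop
    ("cust-b", "203.0.113.200", "192.0.2.10"),    # legitimate (second /25)
    ("cust-b", "198.51.100.7", "192.0.2.10"),     # cust-a's prefix on cust-b's port -> drop
    ("cust-b", "44.127.9.9", "192.0.2.53"),       # spoofed net-44 source -> drop
    ("unknown0", "203.0.113.1", "192.0.2.10"),    # no prefix list for the port -> drop
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(ok)}, dropped {len(bad)}, "
          f"of which net-44 spoofs {len(spoofed_net44(bad))}")
    for iface, src, dst in bad:
        print(f"drop iface={iface} src={src} dst={dst}")
```

The same check, applied by a gateway operator on its own tunnel interfaces (only the subnets announced by that tunnel endpoint are accepted as sources), limits what a leaking or spoofing tunnel peer can inject, but it cannot help with spoofed packets that already entered the Internet elsewhere, which is why Rob points at the ISPs.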
> it is strange that my one camera consumes half of the bandwidth of all the 44 net bandwidth
Oh but that is only the traffic from tunneled hosts talking to the internet via amprgw!
We output about twice that amount (700kB/s) continuously on our gateway for only network 44.137.0.0/16.
And that is after the Brandmeister hosts have been disconnected for internet addresses due to the DDoS.
Before that, it was several MB/s, up to about 8 MB/s last February.
Rob
> Perhaps it's time to revisit UDPIP. Does Linux support the use
> of UDP port 94 for encapsulation?
It appears it has been introduced in kernel 3.18 which is quite recent and
will mean there are some issues for many users.
(requirement to install a backported kernel and "ip" program that supports
the newly introduced "ip fou" subcommand.)
It is not supported on the systems we are currently running.
(Debian Wheezy and Jessie)
It also is not supported on MikroTik routers.
Rob
Can someone explain to me how the "Firewall: inbound raw vs outbound encapsulated traffic" shows that the encap data is bigger than the raw input? Maybe I misunderstand something?
> Perhaps someone in the path between
> us and Germany inserted a protocol 4 block
That is what I suggest... it is up for us, and we can reach you, so it
is probably not a problem either in Germany or inside your network.
Try a traceroute to a few gateways with zero traffic to find if there is
a common path or provider.
Rob
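One way to do the comparison Rob suggests, as an added example that is not part of the thread: run traceroute towards several gateways, some with zero traffic and at least one that works, and look for the hop that all the silent paths share and the working path does not. The outputs below are constructed with TEST-NET addresses, not captured from any real gateway path; the function names are this example's own.

```python
# Added example (not from the thread): compare traceroutes towards several
# gateways, as Rob suggests, and find the common path and the hop after which
# the unreachable ones go silent.  Traceroute outputs below are constructed
# (TEST-NET addresses), not captured from the amprgw path.
import re
from typing import List, Optional

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_traceroute(text: str) -> List[Optional[str]]:
    """Return the responding address per hop, or None for a '* * *' hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                     # header line or blank
        ip = IP_RE.search(m.group(2))
        hops.append(ip.group(1) if ip else None)
    return hops


def shared_prefix(traces: List[List[Optional[str]]]) -> List[str]:
    """Longest run of identical, responding hops at the start of every trace."""
    common = []
    for hops in zip(*traces):
        if hops[0] is None or any(h != hops[0] for h in hops):
            break
        common.append(hops[0])
    return common


def last_responding_hop(hops: List[Optional[str]]) -> Optional[str]:
    """Address of the last hop that answered before the trace went silent."""
    answered = [h for h in hops if h is not None]
    return answered[-1] if answered else None


def suspect_hop(failing: List[str], working: List[str]) -> Optional[str]:
    """If every failing trace stops at the same hop and no working trace passes
    through it, that hop (or the provider behind it) is where to look."""
    stops = {last_responding_hop(parse_traceroute(t)) for t in failing}
    if len(stops) != 1:
        return None
    stop = stops.pop()
    if any(stop in parse_traceroute(t) for t in working):
        return None
    return stop


# Constructed outputs; both the "name (addr)" and the traceroute -n form parse
TRACE_GW_A = """traceroute to 203.0.113.250 (203.0.113.250), 30 hops max, 60 byte packets
 1  gw.lan (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1 (198.51.100.1)  4.1 ms  4.0 ms  4.2 ms
 3  203.0.113.9 (203.0.113.9)  8.7 ms  8.5 ms  8.6 ms
 4  203.0.113.17 (203.0.113.17)  12.1 ms  12.0 ms  12.3 ms
 5  * * *
 6  * * *
"""
TRACE_GW_B = """traceroute to 203.0.113.251 (203.0.113.251), 30 hops max, 60 byte packets
 1  192.0.2.1  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1  4.1 ms  4.0 ms  4.2 ms
 3  203.0.113.9  8.7 ms  8.5 ms  8.6 ms
 4  203.0.113.17  12.1 ms  12.0 ms  12.3 ms
 5  * * *
"""
TRACE_GW_C = """traceroute to 203.0.113.252 (203.0.113.252), 30 hops max, 60 byte packets
 1  192.0.2.1  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1  4.1 ms  4.0 ms  4.2 ms
 3  203.0.113.9  8.7 ms  8.5 ms  8.6 ms
 4  203.0.113.33  9.9 ms  9.8 ms  9.9 ms
 5  203.0.113.252  15.2 ms  15.1 ms  15.0 ms
"""

if __name__ == "__main__":
    traces = [parse_traceroute(t) for t in (TRACE_GW_A, TRACE_GW_B, TRACE_GW_C)]
    print("common path:", " -> ".join(shared_prefix(traces)))
    print("suspect hop:", suspect_hop([TRACE_GW_A, TRACE_GW_B], [TRACE_GW_C]))
```

Traceroute uses UDP or ICMP probes by default, so a path that carries those but blocks protocol 4 will look clean here; the comparison only localises where the silent gateways diverge from the working one, after which the provider at that hop is the one to ask about an IPIP block.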
Does anyone know if the network coordinator for MA USA watches this list?
I emailed him about adding a couple of A records for me to get my 44 net going
but haven't heard back. I got his callsign off the portal network page and
then had to go to QRZ to find his email. Not sure if he still checks the
email or not...so I figured I'd ask here.
Better question, why do we need to create a DNS entry for hosts to start
routing traffic from the 44 net to my gateway?
Thanks
Craig
KC1ETB
I moved the statistics files and graphs around and added some.
https://gw.ampr.org/ still redirects you to www.ampr.org
Non-sensitive info is in https://gw.ampr.org/router/
Available without a password. This is traffic counters and graphs.
Gateway-related info is in https://gw.ampr.org/private/
A username and password are still required to access this.
- Brian
> The reason I prefer IPv6 over IPv4 NAT is it gives me the option to use
> the same ports on multiple hosts on my network. IPv4 NAT is quite
> crippling for some of us (who also happen to know how to manage our
> firewalls ;) ).
Yes of course NAT is a pain when doing special things, but for most internet
users it is not a problem at all. Especially now that the internet has evolved
from a peer-to-peer network into a traditional client-server network where a few
big companies run all the services and the users connect only there, even when
they want to communicate with another user.
What I like about IPv6 is that it gives me out-of-band management of IPv4
networks. Yesterday I did a major restructuring of our AMPRnet-Internet
gateway, where a MikroTik CCR has been added to the existing PC Linux solution to
take over part of the services, and I could make all the network topology changes
with confidence that I would not lock myself out, using IPv6. That is also handy
when managing the very complicated IPv4 firewall.
In fact so many users have become completely accustomed to NAT that they even apply
it to AMPRnet... Putting their systems on RFC1918 addresses and translating them to
net-44 addresses in the router. I would not do that...
Rob