Just some data points: in the last 16 hours, the firewall on amprgw has
dropped over 43 million attempts to connect to the implicated ports:
623,664,16992,16993,16994,16995. We've also dropped about 2 billion
attempts to connect to the other SMB ports: 111,135-139,445, etc.
This is AFTER having already dropped all packets from known 'security'
scanners like shodan, which therefore aren't counted in those totals.
We've dropped 63 million of those.
But by far, the most popular inbound is attempts to connect to the telnet
port (23) on amprnet hosts; we've dropped 6 billion of those.
And we've dropped another 7 billion other packets that were destined for
other ports on non-registered amprnet addresses. I don't have details
of which ports these are, but I know that port 80 (http) is one of them.
At 25 MB/s inbound traffic, receiving packets and filtering them is
taking about 10-12% of the machine, leaving it around 85% idle. The DNS
nameserver accounts for about 2% of the load. The encap/decap process
resource consumption is negligible. It spends about 95% of its time
waiting for packets.
- Brian
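As an added example (not part of Brian's message and not the amprgw setup), here is how per-port drop totals like the ones above can be produced from netfilter LOG lines. The log lines are constructed for the example, the `DROP-IN:` log prefix is an assumption, and the port groups are taken from the ports the message lists (telnet, the SMB family, and the 623/664/16992-16995 management ports):

```shell
#!/bin/sh
# Added example, not code from the 44net list. Summarise netfilter LOG drop
# lines by destination port and by the port groups named in the message.
# SAMPLE_LOG is constructed for this example; the field names (SRC=, DST=,
# PROTO=, DPT=) are the ones the kernel LOG target writes.
SAMPLE_LOG='May 15 19:01:02 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=44.0.0.1 PROTO=TCP SPT=54321 DPT=445 SYN
May 15 19:01:02 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.11 DST=44.0.0.1 PROTO=TCP SPT=54322 DPT=445 SYN
May 15 19:01:03 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=44.0.0.2 PROTO=TCP SPT=40001 DPT=445 SYN
May 15 19:01:03 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=44.0.0.2 PROTO=TCP SPT=40002 DPT=139 SYN
May 15 19:01:04 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.8 DST=44.0.0.3 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 19:01:05 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.5 DST=44.0.0.4 PROTO=TCP SPT=33001 DPT=23 SYN
May 15 19:01:05 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.6 DST=44.0.0.4 PROTO=TCP SPT=33002 DPT=23 SYN
May 15 19:01:06 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.7 DST=44.0.0.5 PROTO=TCP SPT=33003 DPT=23 SYN
May 15 19:01:06 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.8 DST=44.0.0.5 PROTO=TCP SPT=33004 DPT=23 SYN
May 15 19:01:07 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.20 DST=44.0.0.6 PROTO=TCP SPT=51000 DPT=16992 SYN
May 15 19:01:07 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.21 DST=44.0.0.6 PROTO=UDP SPT=623 DPT=623 LEN=40
May 15 19:01:08 amprgw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.22 DST=44.0.0.7 PROTO=TCP SPT=52000 DPT=80 SYN'

# Read log lines on stdin, print "count port" pairs, most frequent first.
drops_by_port() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) { split($i, kv, "="); n[kv[2]]++ } }
       END { for (p in n) printf "%d %s\n", n[p], p }' | sort -rn
}

# Map a destination port to one of the groups the message talks about.
port_group() {
  case "$1" in
    23) echo telnet ;;
    111|135|136|137|138|139|445) echo smb ;;
    623|664|16992|16993|16994|16995) echo amt ;;
    *) echo other ;;
  esac
}

# Read log lines on stdin, print "count group" pairs, most frequent first.
drops_by_group() {
  drops_by_port | while read -r count port; do
    printf '%d %s\n' "$count" "$(port_group "$port")"
  done | awk '{ n[$2] += $1 } END { for (g in n) printf "%d %s\n", n[g], g }' | sort -rn
}

# Single-value helpers (stdin = log lines); print 0 when nothing matched.
drop_count_for_port()  { drops_by_port  | awk -v p="$1" '$2 == p { print $1; f = 1 } END { if (!f) print 0 }'; }
drop_count_for_group() { drops_by_group | awk -v g="$1" '$2 == g { print $1; f = 1 } END { if (!f) print 0 }'; }

# Stand-alone run: show both summaries for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | drops_by_port
printf '%s\n' "$SAMPLE_LOG" | drops_by_group
```

On a real gateway the same functions take `journalctl -k` or `/var/log/kern.log` on stdin instead of the sample; filtering on the log prefix first keeps accepted-packet lines out of the totals if more than one LOG rule is in use.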
Hi there
I have investigated the high drops that my router gets from UCSD with the help of the new PCAP files that Brian made available for us.
It turns out that my MikroTik router, which sits on the DMZ of the cable modem,
is probed from the outside world on its commercial IP and sends its traffic to the UCSD interface, which is its default route.
How can I redirect packets from the outside world that are sent to the router's commercial IP to go back to the ISP and not go to the UCSD interface?
Is there any MikroTik expert that can tell me what to do?
I need only to route the IP of the router that sits on the DMZ.
I saw that another MikroTik on the AMPRNet gets a lot of drops and it looks like it has something similar.
Any help is welcome.
As I stated before, I'm willing to give web, telnet or SSH access.
Just for info: the router connected on the DMZ of the main cable router uses a 192.168.1.x address and the DMZ points to this address.
Regards
Any info is more than welcome.
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Yes, please.
-------- Original message --------
From: Brian Kantor <Brian(a)UCSD.Edu>
Date: 05/15/2017 19:26 (GMT-05:00)
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] some amprgw filtering statistics
I see from the web server logs that some people are attempting
to retrieve the graphs but don't have login credentials.
My apologies for the hassle; email to me and I'll send some to you.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
Hey all, I am new to the 44 net stuff and had a couple of basic questions. I
went to the archive site and didn't see a search feature so I figured I
would start here.
I've got my block allocated and am trying to set up my Juniper SRX firewall
to tunnel to the 44 net.
However, I can't seem to find a place where the tunnel destination address
is listed or if there is anything special I need to do on the AMPR site to
activate traffic tunneling.
I'd be happy to share the config of my Juniper SRX with the community once
I get it working.
Thanks
Craig Brauckmiller
KC1ETB
> Some consumer quality routers assume that all LAN addresses *MUST* be
> in an RFC1918 range, e.g., 192.168.n.n. The routers usually allow the
> user to set the third octet, but not the first or second, and they
> reserve the last octet for DHCP and/or local fixed addresses. IIRC,
> most allow the user to set the subnet mask's last octet too, but
> that's as much flexibility as users get.
Some ISPs manage the router and assign a fixed address to the LAN.
> Sometimes, the same restrictions apply to the other devices on the
> LAN, especially printers, and so it's often easier to put a 44net
> address on the "WAN" side of a router and do NAT.
Well, I think the main reason why people are doing this is limitations in typical
consumer-quality operating systems. One widely used OS appears to have been
dumbed down to the level that it is no longer possible to set a second address
on a network interface (was possible in older versions!), let alone to configure
policy routing.
People want to be able to access the AMPRnet using their devices that they
also use for internet browsing. It would be straightforward to set an extra
44.x.x.x address on the network and a route for 44.0.0.0/8 pointing to the
router used for that, and it would basically work.
I do this on my workstation but I also have policy routing to send traffic
with my AMPRnet source address to the AMPRnet. So I can also allow access
from internet addresses and send the return traffic the right way. But that
widely used OS cannot do that, at least not from the GUI (registry hacks
probably still work).
There are ways to work around it: you can install a second network card, or
you can add a VLAN to your network. Unfortunately, that again is not a feature
of the rudimentary network code of that OS, it is to be provided in the drivers
of the network card. Sometimes it is possible to download drivers from the
card manufacturer site and do VLAN, but when the manufacturer does not care
about that or places this in a different market segment, you are out of luck.
With all those limitations, I can understand why people install a more capable
router (e.g. MikroTik) to let it handle the job that is too difficult for MS,
and resort to NAT to make their systems available on both internet and AMPRnet.
But doing it that way is even more tricky. It can work correctly, but you
have to carefully consider all the possible paths and handle them correctly
using suitable NAT rules, routing policy, and multiple route tables.
Unfortunately, even some professional "firewall devices" are unable to operate
in transparent mode and always assume they have to do NAT. There are examples
of that in our network as well. People take home left-over big-name devices
from work and try to use them in our HAMNET, usually encountering all kinds of
limitations and also bugs due to the old firmware. Support has ended, or there
never was any support without a separate, expensive contract.
It is normally more cost-effective to buy e.g. a MikroTik hEX3 and use that,
if only because of the huge savings in energy costs...
Rob
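The workstation setup Rob describes (an extra 44.x.x.x address on the LAN interface, a route for 44.0.0.0/8 to the AMPRnet router, and a policy rule so that traffic with the AMPRnet source address also leaves via that router) as an added example on Linux with iproute2. This is not code from the list or from any poster; the address `44.0.0.2`, gateway `192.168.1.44`, interface `eth0`, table id `44` and rule priority `1000` are placeholders to replace with your own values:

```shell
#!/bin/sh
# Added example, not code from the 44net list or any of its posters. It applies
# the approach Rob describes on a Linux host: a second (AMPRnet) address on the
# LAN interface, a route for 44.0.0.0/8 via the AMPRnet router, and a policy
# routing rule so that anything *sourced* from the 44 address leaves via that
# router too (so replies to internet hosts go back the way they came in).
# Every value below is a placeholder (assumption); replace them with your own.
AMPR_ADDR=${AMPR_ADDR:-44.0.0.2}          # your allocated 44.x.x.x host address (placeholder)
AMPR_GW=${AMPR_GW:-192.168.1.44}          # LAN address of the router that tunnels to amprgw (placeholder)
LAN_IF=${LAN_IF:-eth0}                    # interface carrying both the LAN and the 44 address (placeholder)
AMPR_TABLE=${AMPR_TABLE:-44}              # routing table id used for the source-based policy route
AMPR_PRIO=${AMPR_PRIO:-1000}              # rule priority: consulted before the main table (32766)

# Emit the iproute2 commands, one per line, without running them.
ampr_routing_cmds() {
  cat <<EOF
ip addr add ${AMPR_ADDR}/32 dev ${LAN_IF}
ip route add 44.0.0.0/8 via ${AMPR_GW} dev ${LAN_IF}
ip route add default via ${AMPR_GW} dev ${LAN_IF} table ${AMPR_TABLE}
ip rule add from ${AMPR_ADDR} lookup ${AMPR_TABLE} priority ${AMPR_PRIO}
EOF
}

# Check: given the text of `ip rule show`, is the source-address rule installed?
ampr_rule_present() {
  printf '%s\n' "$1" | grep -q "from ${AMPR_ADDR} lookup ${AMPR_TABLE}"
}

# Check: given the text of `ip route show table <id>`, does the policy table
# send everything via the AMPRnet router?
ampr_table_present() {
  printf '%s\n' "$1" | grep -q "^default via ${AMPR_GW} dev ${LAN_IF}"
}

# Run the commands (needs root). Each command is echoed before it runs and the
# first failure aborts. Nothing is executed unless AMPR_APPLY=yes is set.
ampr_routing_apply() {
  ampr_routing_cmds | while IFS= read -r cmd; do
    printf '+ %s\n' "$cmd"
    $cmd || exit 1
  done
}

if [ "${AMPR_APPLY:-no}" = "yes" ]; then
  ampr_routing_apply
  ampr_rule_present "$(ip rule show)" || echo "policy rule missing" >&2
  ampr_table_present "$(ip route show table "$AMPR_TABLE")" || echo "policy table route missing" >&2
else
  ampr_routing_cmds    # dry run: show what would be configured
fi
```

Run it as `AMPR_APPLY=yes sh ampr-routing.sh` as root to apply; without the variable it only prints the commands. The two check functions take the listing text as an argument rather than calling `ip` themselves so the same checks can be run against a saved listing. One caveat when the ISP gateway and the AMPRnet router are on different interfaces: strict reverse-path filtering (`rp_filter=1`) on the interface facing the AMPRnet router drops inbound packets from internet sources whose main-table route points at the ISP interface, so that interface needs loose mode (`rp_filter=2`).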
Yes, Ruben, that is OK, but the .onion platform is used precisely in order not to be
located and to remain anonymous through the Tor browser with a proxy relay.
Any of these attack attempts that we stopped may have passed you these links
(I think they are obsolete now) so you can verify for yourself whether they are
legal or not.
http://sonuh5glplozc2m.tor2web.org/A4113B9D69E5094A
http://sonuh5glplozc2m.onion.to/A4113B9D69E5094A
or via Tor:
sonuh5glplozc2m.onion/A4113B9D69E5094A
Follow the instructions of the site and then with the ID: A413B9D69E50F94A
!!!
and good luck with this...
73 de Gabriel YV5KXE
Venezuela AMPR-Coordinator
Message: 9
Date: Sun, 14 May 2017 15:29:41 +0000
From: Ruben ON3RVH <on3rvh(a)on3rvh.be>
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] the current worldwide Windows ransomware situation
Message-ID: <1B69D7CC-274E-4635-8D90-C162A950A5FF(a)on3rvh.be>
Content-Type: text/plain; charset="us-ascii"
Just a small correction as I don't like to see this kind of misinformation,
but .onion is the Tor network and Tor is not underground.
It's not because criminals like to use it that it is underground.
There are legit sites too within the .onion domain.
Ruben - ON3RVH
> On 14 May 2017, at 16:59, Gabriel Medinas <gmedinas(a)gmail.com> wrote:
Greetings to the group. This ransomware theme is an evolving project: some
employee just opened an infected email and it was an attack vector on the
internal platform that runs around the LAN via the port 445 SMB protocol,
using a security hole that Microsoft already solved two months ago.
Precisely, the attackers know that many companies do not update the OS of
their internal PCs for licensing and budget issues, which make them
vulnerable, and also do not pay much attention to the safety of their
equipment. Here it was shown how fragile the Windows platform is for these
attacks, and it is the bulk of the equipment that these large companies have,
such as the case of Telefonica in Spain, FedEx, hospital networks in
England, etc.
These themes are every day in BBVA Corporation in my IT Security
(Cybersecurity) Venezuela work. I see this problem in an important evolution,
but there is more to come, because they will continue looking for new
possibilities to be able to collect the money with Bitcoins.
On the question of the domains, those that are in the common Internet
are not relevant; the only important ones are the .onion underground that they
use to collect the extortion money from people and companies through these
crypto tool attacks.
As Brian says, Linux and Mac are safe for now...
73 de Gabriel YV5KXE
Venezuela AMPR-Coordinator
Message: 2
Date: Sat, 13 May 2017 04:51:33 +0000
From: R P <ronenp(a)hotmail.com>
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] the current worldwide Windows ransomware situation
Message-ID: <BY2PR14MB04246C791B6C331478C3B033C7E30@BY2PR14MB0424.namprd14.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"
I'm not sure that this is the right group, but as I wrote before, here we
have top experts in the IT field, so I'll try.
I read the explanation of the virus on the sites...
The domain is well known... someone paid for it.
Is it such a problem to catch the person who paid for this domain???
What about shutting down this domain and by that stopping the spread of the
software?
> Yes, I can see your example. Fortunately, one thing I have seen so far
> is routers being supplied with all inbound connections stopped.
> Furthermore, mine doesn't allow you to totally disable the firewall,
> only for specific hosts (which I have done for some key Linux systems),
> or for specific ports on specific hosts (which I did on Windows for
> testing - I never leave Windows exposed to the net). Now with a router
> like mine, your scenario wouldn't work, because the temporary IP
> addresses would never be allowed to pass.
> So, there are ways to build it into the router design to make it harder
> for people to shoot themselves in the foot. :)
Yes, I think there has been some ISP/Manufacturer working group to get this
cleared up and defined. My ISP waited with IPv6 rollout until this was
resolved, and the router they deliver does exactly what you describe above.
When IPv6 was designed, the idea was still that every host should be able
to communicate with every other host. That has proven to be a bad idea
on an open network, so IPv6 had to be crippled to make it viable. But that
at the same time removes one of the major incentives to roll it out, as NAT
can be used as an alternative solution in most situations. Many places
have still not started IPv6 rollout...
Rob
If you're interested in reading more about the current Windows
worm/ransomware, these two sites have brief articles explaining what's up.
http://blog.talosintelligence.com/2017/05/wannacry.html
https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-wid…
Note that they recommend blocking ports 139 and 445 to help prevent the
spread of the worm infection. Amprgw has been blocking those ports for
quite some time, but that doesn't prevent the infection from spreading
within a group of computers or an organization. It is strongly suggested
that people running Windows should be sure that all issued patches have
been applied.
As usual, systems running non-Windows OS's (Linux, etc) are immune to
this attack.
- Brian