Hello everyone,
I'm creating a gateway here, to be used for static and dynamic VPNs for
Portuguese HAMs trying to access the 44net.
I noticed that after I had left the router for a few days with the DNS
relay open (big mistake!), I was receiving a stream of dummy queries,
about a hundred per second.
I was able to block it in our (Lisbon Polytechnics) firewall (before
ipip de-encapsulation) with the following iptables rule:
# iptables -t raw -A PREROUTING -i eth0 -p ipencap -d 193.137.237.9 -m length --length 87 -m u32 --u32 "42 = 0x0035002f" -j DROP
Now I've disabled the gateway at the AMPR portal and I'll wait for them
to calm down.
I don't know if more tunnels are affected by this so I'm sharing the
information.
tcpdump output at the firewall:
10:24:57.864885 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864886 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864888 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864889 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864929 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864931 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864933 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864934 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864936 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864937 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864938 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864940 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864941 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864943 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864944 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864945 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
73!
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Callsign: CT7ABP
QRA: Pedro Ribeiro
GRID Locator: IM58mr
QTH: São Francisco, Alcochete, Portugal
NET:
http://www.qrz.com/db/CT7ABP
CT7ABP is also home station of CR7AJI Diogo
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
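
The following is an added example, not part of the original message: it rebuilds the encapsulated query from the tcpdump line and emulates the rule's length and u32 tests, to show why offset 42 and the value 0x0035002f select these packets. The EDNS UDP size of 4096 and the two comparison packets (192.0.2.10, example.org, example.nu) are constructed assumptions.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    # 20-byte IPv4 header, no options (IHL=5); checksum left 0 for this offline check
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dns_query(qid, name, qtype, edns=True):
    # Flags 0x0100 = RD (the "+" in tcpdump); ARCOUNT=1 carries the OPT RR ("[1au]")
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    if edns:
        # OPT pseudo-RR: root name, TYPE=41, UDP size 4096 (constructed), TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def ipip_packet(inner_src, sport, dns):
    # Tunnel endpoints and inner destination are the ones shown in the tcpdump output
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    inner = ipv4_header(inner_src, "44.158.128.1", 17, len(udp)) + udp
    return ipv4_header("169.228.34.84", "193.137.237.9", 4, len(inner)) + inner

def u32_at(pkt, offset):
    # u32 reads 4 bytes, big-endian, counted from the start of the outer IP header
    return struct.unpack_from("!I", pkt, offset)[0]

def rule_matches(pkt):
    # -p ipencap -d 193.137.237.9 -m length --length 87 -m u32 --u32 "42 = 0x0035002f"
    return (len(pkt) == 87 and pkt[9] == 4
            and pkt[16:20] == socket.inet_aton("193.137.237.9")
            and u32_at(pkt, 42) == 0x0035002F)

# The query from the capture: 20 (outer IP) + 20 (inner IP) + 8 (UDP) + 39 (DNS) = 87
FLOOD = ipip_packet("101.173.185.122", 17596, dns_query(46623, "activum.nu.", 255))
# Constructed comparison packets (source address from a documentation range):
NORMAL = ipip_packet("192.0.2.10", 40000, dns_query(1, "example.org.", 1, edns=False))
SAME_SIZE = ipip_packet("192.0.2.10", 40000, dns_query(2, "example.nu.", 1))

if __name__ == "__main__":
    # Offset 40 is the inner UDP header, so offset 42 holds dst port 53 and UDP length 47
    print(len(FLOOD), hex(u32_at(FLOOD, 42)))
    for label, pkt in (("flood", FLOOD), ("normal", NORMAL), ("same size", SAME_SIZE)):
        print(label, len(pkt), rule_matches(pkt))
```

The fixed offset holds only while both IP headers carry no options. The rule keys on destination port and size rather than on the query name, so any 39-byte DNS query arriving through the tunnel is dropped as well.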