I am having a difficult time following these formats. What packet type
is this? Is the 45.x the inside or outside source?
Rest of this is hopefully unrelated --
I have been playing with AWS and got myself a 44.x IP after requesting
Elastic IPs a few times. I downloaded the amprhosts and did a quick
ICMP echo scan of those with DNS entries. It was just before whatever
this traffic is (Mar 9 03:25 UTC). Maybe unrelated or maybe they saw
my scan and did a scan. I don't know...
I was hoping to put together a list of IPs that are still trusting the
AWS parts of 44.x whereas they should not. I only very briefly looked
at the difference between the 2 scans I ran -- from within AWS 44.x IP
space, and a non-44 IP. I would expect the results to be the same,
but the 1 site I checked that was trusting AWS gave me a MikroTik router
login page.
A bit more concerning is that I didn't see the IP in the portal. It was
44.170.101.1. They are announcing an entire /16 for Croatia. Probably
legit but just undocumented and a bit trusting of address space which is
no longer amprnet...
regards,
scott
On Sat, Mar 14, 2020 at 1:34 AM lleachii--- via 44Net
<44net(a)mailman.ampr.org> wrote:
These 2 packets were also dropped - raw rule.
But who has a bot inside AMPR?
2020-03-10 13:54:46.767 0.000 IPIP 45.79.209.21:0 -> 44.60.44.1:0 2 148 1
Only IPs with DNS records (44.1) were hit... I will be searching my entire subnet record
in netflow.
I need an Operator to identify and describe this packet; and reveal themselves to me
ASAP.
N1URO, I will also be re-evaluating the kb3vwg-001.ampr.org A and PTRs - I'll contact
you.
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net