I am having a difficult time following these formats. What packet type is this? Is the 45.x the inside or outside source?
Rest of this is hopefully unrelated --
I have been playing with AWS and got myself a 44.x IP after requesting Elastic IPs a few times. I downloaded the amprhosts and did a quick ICMP echo scan of those with DNS entries. It was just before whatever this traffic is (Mar 9 03:25 UTC). Maybe unrelated, or maybe they saw my scan and did a scan. I don't know...
I was hoping to put together a list of IPs that are still trusting the AWS parts of 44.x whereas they should not. I only very briefly looked at the difference between the 2 scans I ran -- from within AWS 44.x IP space, and from a non-44 IP. I would expect the results to be the same, but the 1 site I checked that was trusting AWS gave me a MikroTik router login page.
A bit more concerning is that I didn't see the IP in the portal. It was 44.170.101.1. They are announcing an entire /16 for Croatia. Probably legit but just undocumented and a bit trusting of address space which is no longer AMPRNet...
regards, scott
On Sat, Mar 14, 2020 at 1:34 AM lleachii--- via 44Net 44net@mailman.ampr.org wrote:
These 2 packets were also dropped - raw rule. But who has a bot inside AMPR?

2020-03-10 13:54:46.767 0.000 IPIP 45.79.209.21:0 -> 44.60.44.1:0 2 148 1

Only IPs with DNS records (44.1) were hit... I will be searching my entire subnet record in netflow.
I need an Operator to identify and describe this packet; and reveal themselves to me ASAP.
N1URO, I will also be re-evaluating the kb3vwg-001.ampr.org A and PTRs - I'll contact you.
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
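
An added example, not part of the original messages: a gateway operator can audit their own source-prefix allowlist for rules that still trust "the AWS parts of 44.x" and compute a narrowed replacement. It assumes the transferred block is 44.192.0.0/10 (the thread does not name the range); the function names and the rule list are hypothetical and constructed for illustration.

```python
import ipaddress

# Assumption: 44.192.0.0/10 is the part of 44.0.0.0/8 that is no longer AMPRNet.
# The thread only refers to it as "the AWS parts of 44.x".
TRANSFERRED = ipaddress.ip_network("44.192.0.0/10")


def audit_prefix(cidr):
    """Classify one trusted source prefix.

    Returns (verdict, replacement_networks):
      "ok"     - no overlap with the transferred block, keep as is
      "remove" - the rule lies entirely inside the transferred block
      "narrow" - the rule is wider than the block; replacement excludes it
    """
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits set
    if net.version != 4 or not net.overlaps(TRANSFERRED):
        return "ok", [net]
    if net.subnet_of(TRANSFERRED):
        return "remove", []
    # CIDR blocks are either nested or disjoint, so here net strictly
    # contains TRANSFERRED and address_exclude() is valid.
    remaining = ipaddress.collapse_addresses(net.address_exclude(TRANSFERRED))
    return "narrow", list(remaining)


def audit(rules):
    """Audit a list of prefixes; returns {rule: (verdict, [cidr strings])}."""
    report = {}
    for rule in rules:
        verdict, nets = audit_prefix(rule)
        report[rule] = (verdict, [str(n) for n in nets])
    return report


# Constructed allowlist, standing in for "trust all of 44/8" style rules.
SAMPLE_RULES = ["44.0.0.0/8", "44.60.44.1/24", "44.224.0.0/11", "192.0.2.0/24"]

if __name__ == "__main__":
    for rule, (verdict, nets) in audit(SAMPLE_RULES).items():
        print(f"{rule:16} {verdict:7} {', '.join(nets) or '-'}")
```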