They looked like real traceroutes, but it seems to have diminished quite
recently; a packet capture a moment or so ago didn't see any. I noticed
it because amprgw logs all 'time exceeded' packets it sends, and there
were suddenly a LOT of these.
However, there's a kind of traffic that is quite a bit more insidious. The Nagra
people (Kudelski Switzerland) are probing our network with false
NTP packets from the subnet 185.35.62.0/23. The comment in the RIPE
database is

    inetnum: 185.35.62.0 - 185.35.63.255
    descr: This IP network is used for Internet security research. Internet-scale
    port scanning activities are launched from this network. Don't hesitate to contact
    portscan(a)nagra.com would you have any question.

I've added that subnet to the "security research" blocking list here.
Seems it's a never-ending battle.
- Brian
On Mon, Jul 03, 2017 at 10:08:19AM +0200, Rob Janssen wrote:
Interesting... is it real traceroute traffic (to UDP port 33434 and higher)
or is it different?
I have had this rule (with TTL limit 16 and only for UDP 33434-33499) on our
gateway for quite some time and I do not see many hits on it.
Maybe the traffic is different. I do not observe increased input traffic.
Rob