All,
Since I have no record of these de-encapsulations, after analysis, I consider this a concern - this is the specific packet of concern:
2020-03-10 13:54:46.767 0.000 IPIP 45.79.209.21:0 -> 44.60.44.1:0 2 148 1
Only IPs with DNS records (44.1) were hit...I will be searching my entire subnet record in netflow.
I need an Operator to identify and describe this packet; and reveal themselves to me ASAP.
N1URO, I will also be re-evaluating the kb3vwg-001.ampr.org A and PTRs - I'll contact you.
- KB3VWG
-----Original Message-----
From: lleachii lleachii@aol.com
To: 44net 44net@mailman.ampr.org
Sent: Fri, Mar 13, 2020 11:59 pm
Subject: Re: Security - Nested IPIP
All, I received this on tunl0...an operator is implicated. Please check your configs, or coordinate this with me ASAP.
I have not reviewed my Netflow records; but please be vigilant of this traffic. I warned of this issue in the "ancient" 44 mailing archives.
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2020-03-10 13:54:00.024     0.004 IPIP     45.79.209.21:0     ->       44.60.44.132:0           2      148     1
2020-03-10 13:54:07.102     0.001 IPIP     45.79.209.21:0     ->         44.60.44.6:0           2      148     1
2020-03-10 13:54:12.970     0.005 IPIP     45.79.209.21:0     ->         44.60.44.3:0           2      148     1
2020-03-10 13:54:14.196     0.000 IPIP     45.79.209.21:0     ->       44.60.44.135:0           2      148     1
2020-03-10 13:54:18.845     0.000 IPIP     45.79.209.21:0     ->        44.60.44.11:0           2      148     1
2020-03-10 13:54:20.285     0.000 IPIP     45.79.209.21:0     ->       44.60.44.130:0           2      148     1
2020-03-10 13:54:21.122     0.000 IPIP     45.79.209.21:0     ->       44.60.44.129:0           2      148     1
2020-03-10 13:54:21.316     0.004 IPIP     45.79.209.21:0     ->        44.60.44.15:0           2      148     1
2020-03-10 13:54:23.458     0.000 IPIP     45.79.209.21:0     ->        44.60.44.10:0           2      148     1
2020-03-10 13:54:26.495     0.000 IPIP     45.79.209.21:0     ->         44.60.44.7:0           2      148     1
2020-03-10 13:54:26.946     0.000 IPIP     45.79.209.21:0     ->        44.60.44.14:0           2      148     1
2020-03-10 13:54:30.658     0.004 IPIP     45.79.209.21:0     ->        44.60.44.13:0           2      148     1
2020-03-10 13:54:32.915     0.005 IPIP     45.79.209.21:0     ->       44.60.44.131:0           2      148     1
2020-03-10 13:54:43.095     0.004 IPIP     45.79.209.21:0     ->       44.60.44.128:0           2      148     1
2020-03-10 13:54:43.226     0.005 IPIP     45.79.209.21:0     ->        44.60.44.12:0           2      148     1
2020-03-10 13:54:46.767     0.000 IPIP     45.79.209.21:0     ->         44.60.44.1:0           2      148     1
Summary: total flows: 16, total bytes: 2368, total packets: 32, avg bps: 405, avg pps: 0, avg bpp: 74
Time window: 2020-03-06 20:42:15 - 2020-03-13 23:39:18
Total flows processed: 785839, Blocks skipped: 0, Bytes read: 50600280
Sys: 0.532s flows/second: 1477141.0 Wall: 0.501s flows/second: 1567023.9
Times EDT.
---
root@OpenWrt:~# ip route get 45.79.209.21 from 44.60.44.254
45.79.209.21 from 44.60.44.254 via 169.228.34.84 dev tunl0 table 44 uid 0
    cache
(default route - nested IPIP loop)

73 ::and elbow bump::,
- Lynwood KB3VWG
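The thread above spots the nested-IPIP scan by eye in nfdump output. As an added example (not code from either message or from the AMPRNet project), the following script parses the same nfdump line layout, keeps only flows whose protocol is still IPIP even though they were recorded on the decapsulating interface (tunl0), and groups them by source so a single outside host touching many 44/8 destinations within a short window stands out. The sample records are constructed to mirror the thread's format, with one ordinary TCP flow mixed in so the filter has something to ignore; the 44.0.0.0/8 prefix, the window and the target threshold are assumptions you should adjust for your own allocation.

```python
"""Flag nested-IPIP flows in nfdump-style output (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the nfdump layout quoted in the thread (not real data).
# The TCP line is deliberately present so that the IPIP filter has a non-match.
SAMPLE = """\
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2020-03-10 13:54:00.024     0.004 IPIP     45.79.209.21:0     ->       44.60.44.132:0           2      148     1
2020-03-10 13:54:07.102     0.001 IPIP     45.79.209.21:0     ->         44.60.44.6:0           2      148     1
2020-03-10 13:54:09.500     0.010 TCP     44.60.44.254:49152  ->         44.60.44.6:22          5      420     1
2020-03-10 13:54:12.970     0.005 IPIP     45.79.209.21:0     ->         44.60.44.3:0           2      148     1
Summary: total flows: 4, total bytes: 988, total packets: 11, avg bps: 0, avg pps: 0, avg bpp: 89
"""

# Assumption: the whole of 44/8 is treated as AMPRNet; narrow this to your allocation.
AMPR = ipaddress.ip_network("44.0.0.0/8")

# One nfdump record: timestamp, duration, proto, src:port -> dst:port, packets, bytes, flows.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)


def parse_nfdump(text):
    """Parse nfdump's default line format; header and summary lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        g = m.groupdict()
        records.append({
            "ts": datetime.strptime(g["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "proto": g["proto"],
            "src": ipaddress.ip_address(g["src"]),
            "dst": ipaddress.ip_address(g["dst"]),
            "packets": int(g["pkts"]),
            "bytes": int(g["bytes"]),
        })
    return records


def nested_ipip(records):
    """Flows whose protocol is still IPIP although they were captured on the
    decapsulating interface: an IPIP packet carried inside another IPIP packet."""
    return [r for r in records if r["proto"] == "IPIP"]


def summarize_sources(records, window_seconds=300, min_targets=3):
    """Group nested-IPIP flows by inner source address and mark scan-like behaviour:
    a source outside AMPR hitting several distinct 44/8 hosts within the window."""
    by_src = defaultdict(list)
    for r in nested_ipip(records):
        by_src[r["src"]].append(r)

    summary = {}
    for src, rs in by_src.items():
        times = sorted(r["ts"] for r in rs)
        span = (times[-1] - times[0]).total_seconds()
        targets = {r["dst"] for r in rs}
        summary[str(src)] = {
            "outside_ampr": src not in AMPR,
            "targets": len(targets),
            "ampr_targets": sum(1 for t in targets if t in AMPR),
            "span_seconds": span,
            "scan_like": len(targets) >= min_targets and span <= window_seconds,
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize_sources(parse_nfdump(SAMPLE)).items():
        print(src, info)
```

Run it against real output with `nfdump -r <file> 'proto 4' | python3 nested_ipip.py` after replacing `SAMPLE` with `sys.stdin.read()`; anything the script returns is already evidence of encapsulation inside the tunnel, and the `scan_like` flag only prioritises which source to chase first.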