All,
Since I have no record of these de-encapsulations,
I think I have the POSSIBLE origin of the outer packet:
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2020-03-10 10:31:26.430  7120.652 IPIP   89.229.166.34:0 ->   173.66.138.124:0        86     7609     1
2020-03-10 10:31:26.430  7120.652 IPIP  173.66.138.124:0 ->    89.229.166.34:0        67    14247     1
2020-03-10 14:00:01.416  3606.239 IPIP  173.66.138.124:0 ->    89.229.166.34:0        68    16572     1
2020-03-10 14:00:01.416  3606.239 IPIP   89.229.166.34:0 ->   173.66.138.124:0        84     7128     1
2020-03-10 16:30:06.437     1.169 IPIP  173.66.138.124:0 ->    89.229.166.34:0        15     3569     1
2020-03-10 16:30:06.437     1.169 IPIP   89.229.166.34:0 ->   173.66.138.124:0        18     1486     1
2020-03-10 16:34:19.372  1883.215 IPIP  141.75.245.225:0 ->   173.66.138.124:0        28     2303     1
2020-03-10 16:34:19.372  1883.215 IPIP  173.66.138.124:0 ->   141.75.245.225:0        28     7792     1
Summary: total flows: 8, total bytes: 60706, total packets: 394, avg bps: 20, avg pps: 0, avg bpp: 154
Time window: 2020-03-09 12:35:36 - 2020-03-10 18:46:54
Total flows processed: 86880, Blocks skipped: 0, Bytes read: 5583424
Sys: 0.076s flows/second: 1143157.9 Wall: 0.059s flows/second: 1471544.7
root@OpenWrt:~# ipset test ipipfilter 89.229.166.34
Warning: 89.229.166.34 is in set ipipfilter.
root@OpenWrt:~# ip route show table 44 | grep 89.229.166.34
44.165.65.0/24 via 89.229.166.34 dev tunl0 proto 44 onlink window 840
44.165.65.0 / 24 HamNET Augustów
To those who've emailed me:
What is posted thus far are IP Headers 0 and 1 of nested IPIP packets. I do not believe I
can find a log of Header 2 - as it should have been RAW DROP on its second loop
through the Routing Place. This third header and the traffic it generated (without
firewalling in place by others) is my concern. It should also be borne in mind that this
is why such traffic should not be entering our gateways without our knowledge.
- KB3VWG
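The header 0 / header 1 / header 2 nesting described in the post, as an added Python example that is not part of the original message: it builds a constructed doubly-encapsulated IPIP packet, peels the IPv4 headers one layer at a time, and flags packets that carry more than one IPIP layer, the kind of check a gateway could log on before accepting tunnel traffic. The outer addresses are those from the flow records above; the inner addresses are constructed documentation addresses.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IPv4-in-IPv4 encapsulation (the "IPIP" proto in the nfdump output)

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (no options, checksum left zero) in front of payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def ipip_headers(packet):
    """Walk the packet, peeling IPIP layers.

    Returns [(src, dst, proto), ...], outermost header first (header 0, 1, 2, ...).
    Walking stops at the first header whose protocol is not IPIP, or at truncation.
    """
    headers = []
    while len(packet) >= 20 and packet[0] >> 4 == 4:
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            break  # malformed or truncated header: stop rather than mis-parse
        proto = packet[9]
        headers.append((socket.inet_ntoa(packet[12:16]),
                        socket.inet_ntoa(packet[16:20]), proto))
        if proto != IPPROTO_IPIP:
            break
        packet = packet[ihl:]
    return headers

def is_nested_ipip(packet):
    """True when the packet has a header 2, i.e. more than one IPIP layer.

    A plain tunnel packet has two IPv4 headers; a third means an IPIP packet was
    itself encapsulated, which is the case a gateway filter should refuse and log.
    """
    return len(ipip_headers(packet)) > 2

# Constructed sample: header 0 uses the flow-record addresses, headers 1 and 2 use
# RFC 5737 documentation addresses, and the innermost payload is a bare ICMP echo stub.
INNER = build_ipv4("192.0.2.10", "203.0.113.5", 1, b"\x08\x00\x00\x00")
MIDDLE = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_IPIP, INNER)
NESTED_SAMPLE = build_ipv4("89.229.166.34", "173.66.138.124", IPPROTO_IPIP, MIDDLE)
PLAIN_SAMPLE = build_ipv4("89.229.166.34", "173.66.138.124", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    for i, (src, dst, proto) in enumerate(ipip_headers(NESTED_SAMPLE)):
        print(f"header {i}: {src} -> {dst} proto {proto}")
    print("nested:", is_nested_ipip(NESTED_SAMPLE))
```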