Just some data points: in the last 16 hours, the firewall on amprgw has
dropped over 43 million attempts to connect to the implicated ports:
623, 664, 16992, 16993, 16994, 16995. We've also dropped about 2 billion
attempts to connect to the other SMB ports: 111, 135-139, 445, etc.
This is AFTER having already dropped all packets from known 'security'
scanners like shodan, which therefore aren't counted in those totals.
We've dropped 63 million of those.
But by far, the most popular inbound is attempts to connect to the telnet
port (23) on amprnet hosts; we've dropped 6 billion of those.
And we've dropped another 7 billion other packets that were destined for
other ports on non-registered amprnet addresses. I don't have details
of which ports these are, but I know that port 80 (http) is one of them.
At 25 MB/s inbound traffic, receiving packets and filtering them is
taking about 10-12% of the machine, leaving it around 85% idle. The DNS
nameserver accounts for about 2% of the load. The encap/decap process
resource consumption is negligible. It spends about 95% of its time
waiting for packets.
- Brian
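The tallies Brian quotes above are the kind of thing a gateway operator gets by bucketing firewall drop records by destination port. The script below is an added illustration, not Brian's or AMPRNet's code: it reads iptables-style LOG lines (the sample lines are constructed, using documentation address ranges), first discards hits from a hypothetical known-scanner list (standing in for the shodan-style blocklist mentioned in the message) so those are excluded from the port totals, and then counts the remainder in the same groups the message uses: the implicated AMT ports, the SMB-ish ports, telnet, and everything else.

```python
import re
from collections import Counter

# Constructed iptables-style LOG lines; not real amprgw logs. Addresses are
# from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jun 10 12:00:01 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41000 DPT=16992 SYN
Jun 10 12:00:01 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41001 DPT=623 SYN
Jun 10 12:00:02 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.6 PROTO=TCP SPT=51200 DPT=445 SYN
Jun 10 12:00:02 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.6 PROTO=TCP SPT=51201 DPT=139 SYN
Jun 10 12:00:03 gw kernel: DROP IN=eth0 SRC=198.51.100.12 DST=203.0.113.7 PROTO=TCP SPT=60000 DPT=23 SYN
Jun 10 12:00:03 gw kernel: DROP IN=eth0 SRC=198.51.100.12 DST=203.0.113.8 PROTO=TCP SPT=60001 DPT=23 SYN
Jun 10 12:00:04 gw kernel: DROP IN=eth0 SRC=198.51.100.30 DST=203.0.113.9 PROTO=TCP SPT=33000 DPT=80 SYN
Jun 10 12:00:04 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=33001 DPT=16993 SYN
Jun 10 12:00:05 gw kernel: DROP IN=eth0 SRC=198.51.100.40 DST=203.0.113.9 PROTO=UDP SPT=33002 DPT=111
Jun 10 12:00:05 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.41 DST=203.0.113.9 PROTO=TCP SPT=33003 DPT=22 SYN
"""

# Hypothetical known-scanner sources (placeholder for a shodan-style list).
# Hits from these are counted separately so they do not inflate port totals,
# matching how the message reports them.
KNOWN_SCANNERS = {"192.0.2.77"}

# Port groups exactly as named in the message.
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}
SMB_PORTS = {111, 445} | set(range(135, 140))   # 111, 135-139, 445
TELNET_PORT = 23

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def classify(port):
    """Map a destination port onto one of the message's buckets."""
    if port in AMT_PORTS:
        return "amt"
    if port in SMB_PORTS:
        return "smb"
    if port == TELNET_PORT:
        return "telnet"
    return "other"


def tally(log_text, scanners=KNOWN_SCANNERS):
    """Count DROP records per bucket; scanner hits and unparsable lines
    get their own buckets so nothing silently disappears."""
    counts = Counter()
    for line in log_text.splitlines():
        if " DROP " not in line:
            continue                      # only dropped packets are of interest
        m = LINE_RE.search(line)
        if m is None:
            counts["unparsed"] += 1
            continue
        if m["src"] in scanners:
            counts["scanner"] += 1        # excluded from the port buckets
            continue
        counts[classify(int(m["dpt"]))] += 1
    return dict(counts)


def top_other_ports(log_text, n=5, scanners=KNOWN_SCANNERS):
    """Which 'other' ports are most hit; the message notes port 80 is one."""
    ports = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if " DROP " in line and m and m["src"] not in scanners:
            port = int(m["dpt"])
            if classify(port) == "other":
                ports[port] += 1
    return ports.most_common(n)


if __name__ == "__main__":
    for bucket, n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{bucket:>8}: {n}")
    print("top other ports:", top_other_ports(SAMPLE_LOG))
```

On a real gateway the input would be the kernel log (or, better, per-rule counters from the packet filter itself, which avoids logging 43 million lines); the grouping logic is the same either way.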