44net-request(a)hamradio.ucsd.edu wrote:
Subject: [44net] incoming traffic.
From: John Ronan <jpronans(a)gmail.com>
Date: 02/09/2014 05:10 PM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Hi All,
I've been seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu, from 5.135.135.42 to 44.155.6.1 port 80, over my tunnel. Anyone else seeing the same?
I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down.
Regards
John
EI7IG
It is not specifically from that address. It appears to be a distributed attack on http servers, at least to network 44. I see the same incoming stream of connects to several hosts in my subnet, all from a different source IP. Sometimes after several hours it stops and starts from another IP.
I have crafted iptables rules that block it effectively:
# accept packets of connections that are already tracked, so only new SYNs are counted below
iptables -A firewall -m state --state RELATED,ESTABLISHED -j ACCEPT
# record every new SYN in the 'tcp' recent list, then drop sources with 15+ SYNs in the last 30 s
iptables -A firewall -p tcp --syn -m recent --name tcp --set
iptables -A firewall -p tcp --syn -m recent --name tcp --update --seconds 30 --hitcount 15 -j DROP
# new connections to the ports you serve; all other TCP is dropped
iptables -A firewall -p tcp --dport 80 --syn -j ACCEPT
iptables -A firewall -p tcp --dport 443 --syn -j ACCEPT
iptables -A firewall -p tcp -j DROP
It just drops any source IP that sends more than 15 connects in 30 seconds.
Adjust for the port numbers that you want to accept (80 and 443 in this example).
There is also an internet-wide scan from source address 64.78.174.63 with traffic like this:
21:04:33.762663 64.78.174.63 -> 44.137.40.2 TCP 52 [TCP Port numbers reused] http > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
I see it on another server outside net-44 as well.
It is blocked by the same rule but I have just firewalled the entire 64.78.160.0/20 net as this does not look like someone I want to deal with.
Rob
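Added example, not part of the thread and not Rob's or the AMPRNet project's code: a small Python replay of the `-m recent --seconds 30 --hitcount 15` rule over tshark-style SYN log lines in the shape quoted above, so that before loading the chain you can see which sources it would start dropping and from which packet on. Assumptions: the line format follows the one quoted in the thread, the port-name table (`PORT_NAMES`) is a hypothetical stand-in for tshark's service-name resolution, conntrack is not modelled (only bare-SYN packets are judged, everything else is assumed to be handled by the RELATED,ESTABLISHED rule), and the sample log is constructed, not a real capture.

```python
"""Replay the thread's iptables rate limit over tshark-style SYN lines.
A source that has sent HITCOUNT or more bare SYNs within the trailing
WINDOW_SECONDS is dropped; remaining SYNs are accepted only on the served
ports. Conntrack (the RELATED,ESTABLISHED rule) is not modelled here."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 30            # --seconds 30
HITCOUNT = 15                  # --hitcount 15
ACCEPTED_PORTS = {80, 443}     # the --dport 80/443 ACCEPT rules

# Hypothetical stand-in for tshark's service-name resolution ("http > http").
PORT_NAMES = {"http": 80, "https": 443, "ssh": 22}

# Shape of the line quoted in the thread:
# "21:04:33.762663 64.78.174.63 -> 44.137.40.2 TCP 52 [TCP Port numbers reused] http > http [SYN] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)*(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)


@dataclass
class Syn:
    ts: float
    src: str
    dst: str
    dport: int


def _to_port(name: str) -> int:
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def _to_seconds(hms: str) -> float:
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syn(line: str):
    """Return a Syn for a bare-SYN line (what `--syn` matches), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {f.strip() for f in m["flags"].split(",")}
    if flags != {"SYN"}:            # SYN/ACK, RST etc. are not `--syn` packets
        return None
    return Syn(_to_seconds(m["ts"]), m["src"], m["dst"], _to_port(m["dport"]))


def rate_limit_verdicts(lines):
    """Replay the chain over the lines; return [(ts, src, dport, verdict)] in time order."""
    syns = sorted((p for p in map(parse_syn, lines) if p), key=lambda p: p.ts)
    stamps = defaultdict(deque)     # per-source timestamps, like the 'tcp' recent list
    out = []
    for p in syns:
        q = stamps[p.src]
        q.append(p.ts)                                  # --set: record this SYN
        while q and q[0] < p.ts - WINDOW_SECONDS:       # forget stamps outside --seconds
            q.popleft()
        if len(q) >= HITCOUNT:                          # --update --hitcount 15 -> DROP
            verdict = "DROP(rate)"
        elif p.dport in ACCEPTED_PORTS:                 # --dport 80/443 --syn -> ACCEPT
            verdict = "ACCEPT"
        else:                                           # final -p tcp -j DROP
            verdict = "DROP(port)"
        out.append((p.ts, p.src, p.dport, verdict))
    return out


def dropped_sources(lines):
    """Sources that hit the rate limit at least once."""
    return sorted({src for _, src, _, v in rate_limit_verdicts(lines) if v == "DROP(rate)"})


def constructed_log():
    """Constructed sample, not a real capture: one source sends 20 SYNs in 10 s
    (like the stream described in the thread), two ordinary clients send a few,
    plus one SYN/ACK that `--syn` ignores."""
    lines = [f"21:04:{33 + i * 0.5:09.6f} 5.135.135.42 -> 44.155.6.1 TCP 52 54321 > http [SYN] Seq=0 Win=8192 Len=0"
             for i in range(20)]
    lines += [
        "21:04:35.100000 192.0.2.10 -> 44.155.6.1 TCP 52 40001 > https [SYN] Seq=0 Win=65535 Len=0",
        "21:04:35.120000 44.155.6.1 -> 192.0.2.10 TCP 52 https > 40001 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0",
        "21:04:40.000000 192.0.2.10 -> 44.155.6.1 TCP 52 40002 > http [SYN] Seq=0 Win=65535 Len=0",
        "21:04:36.000000 192.0.2.20 -> 44.155.6.1 TCP 52 50000 > ssh [SYN] Seq=0 Win=65535 Len=0",
    ]
    return lines


if __name__ == "__main__":
    for ts, src, dport, verdict in rate_limit_verdicts(constructed_log()):
        print(f"{ts:10.3f} {src:>14} :{dport:<4} {verdict}")
    print("rate-limited:", dropped_sources(constructed_log()))
```

Two things to check before relying on the real rule: `--hitcount` cannot exceed the `xt_recent` module's per-address stamp limit (`ip_pkt_list_tot`, 20 by default), and the `firewall` chain is user-defined, so it only takes effect once INPUT or FORWARD jumps to it. Also keep in mind that the limit is per source address, so a busy legitimate site behind a single NAT address can trip it as easily as a scanner; replaying a day of your own logs through something like the function above shows how many real clients would be caught before you lower the threshold.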