Recently I have been tracing the tunnel traffic a bit to investigate a strange situation.
Sometimes I got unsolicited ping replies on the NET screen. It appears that sometimes
a ping reply is received without any ping having been sent.
Users of Windows or Linux ping will never notice this, because there is a special
application that sends a ping with unique ID and then listens for replies with the
same ID and prints them.
However, NET (written in the days when the network still was a friendly place)
just uses a timestamp as the ID, sends the ping, and forgets about it. It continuously
listens for incoming ping replies and when one arrives, it prints it to the console
with a round-trip time calculated from the current timestamp and whatever happens
to be in the ID field of the reply. Thus nonsense ping replies are printed.
This happened here one to several times a day.
So I put a stateful firewall (Linux iptables) in front of NET, and studied the logs
a bit. The firewall is (partly) like this:
iptables -A netwall -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A netwall -p icmp --icmp-type 8 -j ACCEPT
iptables -A netwall -p icmp -j LOGDROP
So it accepts all icmp related to ongoing traffic, it accepts incoming ping requests
and logs and drops everything else (LOGDROP is a target that does a LOG and a DROP).
Now it becomes apparent that the bogus ping replies are not the only thing that is
going on. There is a regular flow of incoming "destination unreachable" ICMP replies
that refer to connections that I never made. I also enabled some logging for unsolicited
TCP replies and there are SYN ACK and RST replies as well.
Apparently my 44-addresses are used as spoofed source addresses by other people.
Do other users notice this? I presume it is done by a DDoS tool or similar, but the
rate at which I receive this traffic (maybe 10 packets an hour) does not make it
likely that they use only my address. However, I have not seen this effect on my
public addresses, so probably they don't use random addresses.
Maybe they use the entire net-44 space? In that case there should be an awful
amount of ICMP type 3 and TCP RST traffic coming in at amprgw...
(my space is only one millionth of the total)
Another unrelated question: a lot of you likely have an amsat.org address.
Do you also see the endless stream of Korean spam? From the headers it looks
like it is sent to many different amsat.org users. It has been ongoing here for many
years, some 20 messages a day. These guys are very persistent.
(of course it is easily filtered)
Rob
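Added example, not part of Rob's post: a small parser for the lines iptables' LOG target writes for the LOGDROP rule, sorting the dropped packets into the kinds the post describes (unsolicited echo replies, ICMP unreachable backscatter, SYN-ACK and RST backscatter) and tallying which of our addresses were spoofed and who reflected them. The log prefix "LOGDROP:", the addresses, and the abbreviated field layout of the sample lines are assumptions.

```python
import re
from collections import Counter
# Constructed sample of what iptables' LOG target writes to the kernel log for the
# LOGDROP rule; the "LOGDROP:" prefix and all addresses are assumptions, not the post's.
SAMPLE_LOG = """\
LOGDROP: IN=eth0 OUT= SRC=203.0.113.7 DST=44.0.0.10 PROTO=ICMP TYPE=0 CODE=0 ID=4660 SEQ=1
LOGDROP: IN=eth0 OUT= SRC=198.51.100.9 DST=44.0.0.10 PROTO=ICMP TYPE=3 CODE=3 [SRC=44.0.0.10 DST=198.51.100.9 PROTO=UDP SPT=55000 DPT=53]
LOGDROP: IN=eth0 OUT= SRC=192.0.2.80 DST=44.0.0.10 PROTO=TCP SPT=80 DPT=40001 WINDOW=5840 RES=0x00 ACK SYN URGP=0
LOGDROP: IN=eth0 OUT= SRC=192.0.2.81 DST=44.0.0.10 PROTO=TCP SPT=443 DPT=40002 WINDOW=0 RES=0x00 RST URGP=0
LOGDROP: IN=eth0 OUT= SRC=198.51.100.9 DST=44.0.0.10 PROTO=ICMP TYPE=3 CODE=1 [SRC=203.0.113.50 DST=198.51.100.9 PROTO=TCP SPT=40005 DPT=25]
LOGDROP: IN=eth0 OUT= SRC=192.0.2.90 DST=44.0.0.10 PROTO=TCP SPT=22 DPT=40003 WINDOW=5840 RES=0x00 SYN URGP=0
"""
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Outer KEY=VALUE fields, bare TCP flag words, and the [...] inner header of ICMP errors."""
    outer, _, inner = line.partition("[")
    fields = dict(FIELD_RE.findall(outer))
    fields["INNER"] = dict(FIELD_RE.findall(inner.rstrip("]")))
    return fields, {tok for tok in outer.split() if tok in {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}}

def classify(fields, flags):
    """Anything reaching LOGDROP failed RELATED,ESTABLISHED, so it is unsolicited; sort it."""
    proto = fields.get("PROTO")
    if proto == "ICMP":
        icmp_type = fields.get("TYPE")
        if icmp_type == "0":
            return "unsolicited-echo-reply"      # what NET printed as bogus ping replies
        if icmp_type in ("3", "11"):             # error quoting the packet we supposedly sent
            ours = fields["INNER"].get("SRC") in (None, fields.get("DST"))
            return "icmp-error-backscatter" if ours else "icmp-error-mismatch"
        return "other-icmp"
    if proto == "TCP":
        if "RST" in flags:
            return "tcp-rst-backscatter"
        if {"SYN", "ACK"} <= flags:
            return "tcp-synack-backscatter"
        return "inbound-syn" if "SYN" in flags else "other-tcp"   # a probe aimed at us
    return "other"

def summarize(log_text):
    """Count kinds; for backscatter also tally the spoofed address (our DST) and the reflector (SRC)."""
    kinds, spoofed, reflectors = Counter(), Counter(), Counter()
    for line in filter(None, log_text.splitlines()):
        fields, flags = parse_line(line)
        kind = classify(fields, flags)
        kinds[kind] += 1
        if kind.endswith("backscatter"):
            spoofed[fields["DST"]] += 1
            reflectors[fields["SRC"]] += 1
    return kinds, spoofed, reflectors
```

Run `summarize()` over the real kernel log to see whether the spoofed-address tally covers one address or the whole allocation, which is the question the post raises.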