Recently I have been tracing the tunnel traffic a bit to investigate a strange situation.
Sometimes I got unsolicited ping replies on the NET screen. It appears that sometimes a ping reply is received without any ping having been sent. Users of Windows or Linux ping will never notice this, because there is a special application that sends a ping with a unique ID and then listens for replies with the same ID and prints them. However, NET (written in the days when the network still was a friendly place) just uses a timestamp as the ID, sends the ping, and forgets about it. It continuously listens for incoming ping replies and when one arrives, it prints it to the console with a round trip time calculated from the current timestamp and whatever happens to be in the ID field of the reply. Thus nonsense ping replies are printed. This happened here one to several times a day.
So I put a stateful firewall (Linux iptables) in front of NET, and studied the logs a bit. The firewall is (partly) like this:
iptables -A netwall -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A netwall -p icmp --icmp-type 8 -j ACCEPT
iptables -A netwall -p icmp -j LOGDROP
So it accepts all ICMP related to ongoing traffic, it accepts incoming ping requests, and logs and drops everything else (LOGDROP is a target that does a LOG and a DROP).
Now it becomes apparent that the bogus ping replies are not the only thing that is going on. There is a regular flow of incoming "destination unreachable" ICMP replies that refer to connections that I never made. I also enabled some logging for unsolicited TCP replies and there are SYN ACK and RST replies as well.
Apparently my 44-addresses are used as spoofed source addresses by other people. Do other users notice this? I presume it is done by a DDoS tool or similar, but the rate at which I receive this traffic (maybe 10 packets an hour) does not make it likely that they use only my address. However, I have not seen this effect on my public addresses, so probably they don't use random addresses. Maybe they use the entire net-44 space? In that case there should be an awful amount of ICMP type 3 and TCP RST traffic coming in at amprgw... (my space is only one millionth of the total)
Another unrelated question: a lot of you likely have an amsat.org address. Do you also see the endless stream of Korean spam? From the headers it looks like it is sent to many different amsat.org users. It has been ongoing here for many years, some 20 messages a day. These guys are very persistent. (of course it is easily filtered)
Rob
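Rob describes reading the LOGDROP entries by hand to tell apart the backscatter categories above. The following script is an added example (not code from Rob's post or from the NET or amprgw projects) that does that classification over iptables LOG lines and estimates the packets-per-hour rate he mentions; the log lines, the 44.128.x.x addresses and the "LOGDROP: " log prefix are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed kernel log lines in iptables LOG format (not real traffic); the LOGDROP
# target is assumed to log with --log-prefix "LOGDROP: ".
SAMPLE_LOG = """\
Mar  3 10:05:12 gw kernel: LOGDROP: IN=tunl0 OUT= SRC=203.0.113.7 DST=44.128.1.2 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4711 SEQ=1
Mar  3 10:17:40 gw kernel: LOGDROP: IN=tunl0 OUT= SRC=198.51.100.9 DST=44.128.1.2 LEN=56 TTL=48 ID=0 PROTO=ICMP TYPE=3 CODE=3 [SRC=44.128.1.2 DST=198.51.100.9 LEN=28 PROTO=UDP SPT=53 DPT=40000 ]
Mar  3 10:31:05 gw kernel: LOGDROP: IN=tunl0 OUT= SRC=192.0.2.33 DST=44.128.1.2 LEN=44 TTL=57 ID=0 PROTO=TCP SPT=80 DPT=51514 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Mar  3 11:02:59 gw kernel: LOGDROP: IN=tunl0 OUT= SRC=192.0.2.34 DST=44.128.1.3 LEN=40 TTL=57 ID=0 PROTO=TCP SPT=443 DPT=51515 WINDOW=0 RES=0x00 RST URGP=0
Mar  3 11:44:21 gw kernel: LOGDROP: IN=tunl0 OUT= SRC=203.0.113.8 DST=44.128.1.2 LEN=84 TTL=52 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4712 SEQ=1
"""

LINE_RE = re.compile(r"^\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d \S+ kernel: (?:\[[^\]]*\] )?LOGDROP: (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def classify(line):
    """Return (hour, src, category) for one LOGDROP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # ICMP errors carry the embedded original header in [...]; strip it so its PROTO=/SRC= do not shadow the outer packet's.
    fields, flags = {}, set()
    for tok in m.group("rest").split("[", 1)[0].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # first ID= is the IP id; the ICMP id comes later
        elif tok in TCP_FLAGS:
            flags.add(tok)
    proto, itype = fields.get("PROTO"), fields.get("TYPE")
    if proto == "ICMP":
        cat = {"0": "unsolicited ping reply", "3": "destination unreachable"}.get(itype, "other")
    elif proto == "TCP" and {"SYN", "ACK"} <= flags:
        cat = "tcp syn-ack"
    elif proto == "TCP" and "RST" in flags:
        cat = "tcp rst"
    else:
        cat = "other"
    return m.group("hour"), fields.get("SRC"), cat

def summarize(log_text):
    """Count backscatter by category and estimate packets per hour of log covered."""
    by_cat, hours = Counter(), set()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec:
            hours.add(rec[0])
            by_cat[rec[2]] += 1
    rate = sum(by_cat.values()) / len(hours) if hours else 0.0
    return by_cat, rate
```

Feeding the real kernel log through summarize() in place of SAMPLE_LOG gives the per-category counts and a rough packets-per-hour figure to compare against the "maybe 10 packets an hour" estimate.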
Hi Rob,
I also get some strange unrelated traffic: ping replies, SYN-ACK on various ports, pings and SYN targeted to random IPs on my subnets. So nothing new here. I studied the source addresses for some time: China, Russia, and a lot of "this IP range is really world wide" according to RIPE. Since they achieve nothing, I choose to ignore them, along with some tight stateful firewall rules.
Marius, YO2LOJ
RE Firewall
If you're not really great with ipchains / iptables there is a firewall called CSF that is really easy to configure.
Sam