29 Apr
2017
29 Apr
'17
6:51 p.m.
As I've mentioned, I'm now logging statistics for the amprgw
router. I could make these available on a web site, but I'm
hesitant to do so without consensus from the community because
the per-gateway stats have the side effect of revealing what
subnet goes to what gateway, thus giving the bad guys more
insight into how the AMPRNet-Internet gateway works and what
hosts to impersonate to inject bad packets into the network.
A sample of the statistics file is below.
What do you folks think about making this available?
- Brian
started at Sat Apr 29 10:15:37 2017
snapshot at Sat Apr 29 10:45:00 2017
uptime: 0+00:29:23 (1763 seconds)
packets/bytes
---------/---------
121781/76089093 ipip encapped input
117631/73371842 forwarded out
0/0 no source gateway
467445/48802372 raw input
467434/48801678 encapped out
0/0 no destination gateway
2646/175516 encap to encap dropped
7692 discarded
0 TTL exceeded
0 ICMP sent
615 routes loaded (gateway counters cleared) 1486 seconds ago at Sat Apr 29 10:20:14 2017
entry subnet encap gateway outpkts outbytes inpkts inbytes
----- ------------------- ----- ---------------- --------- --------- --------- ---------
0 44.0.0.1/32 ipip 169.228.66.251 2 175 0 0
[etc]
29 Apr
29 Apr
7:10 p.m.
Brian,
What if we put this stats page behind the portal login?
That way only registered AMPRNet users can access and view it and the outside world is non
the wiser..
73,
Ruben - ON3RVH
-----Original Message-----
From: 44Net [mailto:44net-bounces+on3rvh=on3rvh.be@hamradio.ucsd.edu] On Behalf Of Brian
Kantor
Sent: zaterdag 29 april 2017 19:52
To: 44net(a)hamradio.ucsd.edu
Subject: [44net] amprgw router statistics
(Please trim inclusions from previous messages)
_______________________________________________
As I've mentioned, I'm now logging statistics for the amprgw router. I could make
these available on a web site, but I'm hesitant to do so without consensus from the
community because the per-gateway stats have the side effect of revealing what subnet goes
to what gateway, thus giving the bad guys more insight into how the AMPRNet-Internet
gateway works and what hosts to impersonate to inject bad packets into the network.
A sample of the statistics file is below.
What do you folks think about making this available?
- Brian
started at Sat Apr 29 10:15:37 2017
snapshot at Sat Apr 29 10:45:00 2017
uptime: 0+00:29:23 (1763 seconds)
packets/bytes
---------/---------
121781/76089093 ipip encapped input
117631/73371842 forwarded out
0/0 no source gateway
467445/48802372 raw input
467434/48801678 encapped out
0/0 no destination gateway
2646/175516 encap to encap dropped
7692 discarded
0 TTL exceeded
0 ICMP sent
615 routes loaded (gateway counters cleared) 1486 seconds ago at Sat Apr 29 10:20:14 2017
entry subnet encap gateway outpkts outbytes inpkts inbytes
----- ------------------- ----- ---------------- --------- --------- --------- ---------
0 44.0.0.1/32 ipip 169.228.66.251 2 175 0 0
[etc]
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
9:16 p.m.
That would be difficult to do, but is a possibility.
Alternatively, also difficult to do, I could possibly make it available
by FTP with the same password as the encap file.
- Brian
On Sat, Apr 29, 2017 at 06:10:26PM +0000, Ruben ON3RVH wrote:
What if we put this stats page behind the portal
login?
That way only registered AMPRNet users can access and view it and the outside world is
non the wiser..
73,
Ruben - ON3RVH
30 Apr
30 Apr
12:52 a.m.
I'd prefer individual subnets NOT be listed in any public location.
Michael
N6MEF
-----Original Message-----
That would be difficult to do, but is a possibility.
Alternatively, also difficult to do, I could possibly make it available
by FTP with the same password as the encap file.
- Brian
On Sat, Apr 29, 2017 at 06:10:26PM +0000, Ruben ON3RVH wrote:
What if we put this stats page behind the portal
login?
That way only registered AMPRNet users can access and view it and the
outside
world is non the wiser..
> 73,
> Ruben - ON3RVH
12:55 a.m.
The current router statistics (updated every 15 minutes)
are now available from https://gw.ampr.org/private/stats.txt
using the same username and password as it takes to
FTP the encap file from the portal. (This is NOT your
portal login but rather the FTP access authorization.)
Because it contains somewhat sensitive data (the same
data as in the 'encap' file), I've chosen to make it
available using the same username and password.
In viewing the per-gateway counters, note that any gateway
whose counters (all of them) are zero is omitted from the
listing.
- Brian
1:01 a.m.
Now that's spooky: I hadn't even published the URL on this
list when someone attempted to fetch it from host 4.79.123.3.
- Brian
On Sat, Apr 29, 2017 at 04:55:00PM -0700, Brian Kantor wrote:
The current router statistics (updated every 15
minutes)
are now available from https://gw.ampr.org/private/stats.txt
using the same username and password as it takes to
FTP the encap file from the portal. (This is NOT your
portal login but rather the FTP access authorization.)
Because it contains somewhat sensitive data (the same
data as in the 'encap' file), I've chosen to make it
available using the same username and password.
2:21 p.m.
Brian,
That is rather odd that someone had the URL before it left your mind
(and server)...the few hits you saw from me were to check if directory
browsing is disabled.
Chris,
Do you run anything else on that server?
Basically, I'm asking...is the only thing of value to a hacker on that
device the data that comprises The Portal...?
Marc,
Sharing lists may be a solution. I may be willing to make my netflow
available. In principal, I stopped blocking IPs and blocs in 2013 or
2014. It's become easier to generally firewall and monitor the various
protocols/ports they're randomly trying to access. This is more so
necessary in the ecosystem of the Internet of Things, where a device in
Country A can infect a device in Country B, and spread to Countries C ad
infinitum.
73,
- Lywnood
KB3VWG
3:01 p.m.
All,
From the most recent 12-hour NetFlow sampling, these are the ports most
commonly attempted to IPs in my subnet (for which I host no available
inbound services and have a general firewall rule against):
tcp/22 - SSH
tcp/23 - Telnet
tcp/ 2323 - Telnet 'Alternative'
tcp/2222 - SSH 'Alternative'
tcp/631
tcp/3306
tcp/3389 - Microsoft Remote Desktop Protocol
tcp/5358
tcp/5555
tcp/8081
tcp/8888
tcp/9200
udp/161 - Simple Network Management Protocol
udp/523
udp/623
tcp/502
udp/5060 - Session Initiation Protocol - Voice over IP
ICMP Packets not corresponding to any sent packets:
ICMP Time-Exceeded-In-transit
ICMP Destination-Host-Unreachable
ICMP Destination-Port-Unreachable
Other:
ICMP Echo-Request (normal pinging)
These four particular NetFlow data are somewhat alarming, since it
appears a RIP packet may have been attempted to be sent:
2017-04-29 20:56:05.866 0.000 TCP94.102.49.193:31430
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.131:8099
<http://192.168.7.9/nfsen/nfsen.php#null> 1 40 1
2017-04-29 21:22:16.421 0.000 UDP94.102.49.193:12902
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.2:520
<http://192.168.7.9/nfsen/nfsen.php#null> 1 52 1
2017-04-29 21:41:19.325 0.000 TCP94.102.49.193:1702
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.131:9051
<http://192.168.7.9/nfsen/nfsen.php#null> 1 40 1
2017-04-29 22:06:55.283 0.000 TCP94.102.49.193:26459
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.131:4911
<http://192.168.7.9/nfsen/nfsen.php#null> 1 40 1
This occurs 24x7x365. Those who do not run firewalls to block services
from the Internet should really consider it.
- KB3VWG
3:04 p.m.
The NetFlow data are from a computer search engine (finds machines, not
websites)
*94.102.49.193 -> cloud.census.shodan.io*
IP range : 94.102.49.0 - 94.102.49.255
Network name : SC-QUASI61
Infos : QUASI
Infos : Quasi Networks LTD (IBC)
Country : Seychelles (SC)
Abuse email : abuse(a)quasinetworks.com, abuse(a)quasinetworks.com
Source : RIPE
https://en.wikipedia.org/wiki/Shodan_(website)
- KB3VWG
On 04/30/2017 10:01 AM, lleachii(a)aol.com wrote:
These four particular NetFlow data are somewhat
alarming, since it
appears a RIP packet may have been attempted to be sent:
2017-04-29 20:56:05.866 0.000 TCP94.102.49.193:31430
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.131:8099
<http://192.168.7.9/nfsen/nfsen.php#null> 1 40 1
2017-04-29 21:22:16.421 0.000 UDP94.102.49.193:12902
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.2:520
<http://192.168.7.9/nfsen/nfsen.php#null> 1 52 1
2017-04-29 21:41:19.325 0.000 TCP94.102.49.193:1702
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.131:9051
<http://192.168.7.9/nfsen/nfsen.php#null> 1 40 1
2017-04-29 22:06:55.283 0.000 TCP94.102.49.193:26459
<http://192.168.7.9/nfsen/nfsen.php#null> ->44.60.44.131:4911
<http://192.168.7.9/nfsen/nfsen.php#null> 1 40 1
3:05 p.m.
I assume it means that my ISP is running a caching proxy, or it could mean
that some 3-letter agency is spying on my browsing habits.
Or of course, with the recent change in privacy law, the ISP or upstream
could be building a database of where I've been browsing in order to
sell advertising targeting me.
- Brian
On Sun, Apr 30, 2017 at 09:21:32AM -0400, lleachii--- via 44Net wrote:
That is rather odd that someone had the URL before it
left your mind (and
server)...the few hits you saw from me were to check if directory browsing
is disabled.
3:32 p.m.
I'm workin an a HTBH (Honeypot Triggered Blackhole) project. Got the idea that
honeypot traffic is non customer traffic and thus could be used to temp blackhole traffic
on the border routers from originating IP's.
This could also be used here. But it's still in design phase..
Ruben - ON3RVH
On 30 Apr 2017, at 15:22, lleachii--- via 44Net
<44net(a)hamradio.ucsd.edu> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Brian,
That is rather odd that someone had the URL before it left your mind (and server)...the
few hits you saw from me were to check if directory browsing is disabled.
Chris,
Do you run anything else on that server?
Basically, I'm asking...is the only thing of value to a hacker on that device the
data that comprises The Portal...?
Marc,
Sharing lists may be a solution. I may be willing to make my netflow available. In
principal, I stopped blocking IPs and blocs in 2013 or 2014. It's become easier to
generally firewall and monitor the various protocols/ports they're randomly trying to
access. This is more so necessary in the ecosystem of the Internet of Things, where a
device in Country A can infect a device in Country B, and spread to Countries C ad
infinitum.
73,
- Lywnood
KB3VWG
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
3:38 p.m.
Ruben,
I understand consensus amongst the operators (and from Brian, since he
runs AMPRGW), that we not run honeypots. Since any traffic engaging with
the remote host generates unnecessary bandwidth at AMPRGW.
This is why I simply block and keep detailed stats on all IP hits.
- KB3VWG
3:48 p.m.
I agree it's best not to run it on AMPRNet.
I do have one running on another subnet and once everything is set up and I have my API
ready and stable, that data could be used by AMPRNet operators interrested in it to
block/nullroute those hosts on their border
Ruben - ON3RVH
On 30 Apr 2017, at 16:39, lleachii--- via 44Net
<44net(a)hamradio.ucsd.edu> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Ruben,
I understand consensus amongst the operators (and from Brian, since he runs AMPRGW), that
we not run honeypots. Since any traffic engaging with the remote host generates
unnecessary bandwidth at AMPRGW.
This is why I simply block and keep detailed stats on all IP hits.
- KB3VWG
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
3:51 p.m.
Very true indeed Ruben.
I think all OPs should look at http://shodan.io/ for their IP addresses,
hostnames, Gateway IPs, etc.
I see a lot of our devices on this search engine, giving brand, firmware
type, ports accessible, etc.
- KB3VWG
On 04/30/2017 10:48 AM, Ruben ON3RVH wrote:
I agree it's best not to run it on AMPRNet.
I do have one running on another subnet and once everything is set up and I have my API
ready and stable, that data could be used by AMPRNet operators interrested in it to
block/nullroute those hosts on their border
Ruben - ON3RVH
> On 30 Apr 2017, at 16:39, lleachii--- via 44Net <44net(a)hamradio.ucsd.edu>
wrote:
>
> (Please trim inclusions from previous messages)
> _______________________________________________
> Ruben,
>
> I understand consensus amongst the operators (and from Brian, since he runs AMPRGW),
that we not run honeypots. Since any traffic engaging with the remote host generates
unnecessary bandwidth at AMPRGW.
>
> This is why I simply block and keep detailed stats on all IP hits.
>
>
>
> - KB3VWG
> _________________________________________
> 44Net mailing list
> 44Net(a)hamradio.ucsd.edu
> http://hamradio.ucsd.edu/mailman/listinfo/44net
1:08 a.m.
Thanks Brian. As always, your continued enhancements are very much
appreciated.
Michael
N6MEF
-----Original Message-----
From: 44Net [mailto:44net-bounces+n6mef=mefox.org@hamradio.ucsd.edu] On
Behalf Of Brian Kantor
Sent: Saturday, April 29, 2017 4:55 PM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] amprgw router statistics
(Please trim inclusions from previous messages)
_______________________________________________
The current router statistics (updated every 15 minutes)
are now available from https://gw.ampr.org/private/stats.txt
using the same username and password as it takes to
FTP the encap file from the portal. (This is NOT your
portal login but rather the FTP access authorization.)
Because it contains somewhat sensitive data (the same
data as in the 'encap' file), I've chosen to make it
available using the same username and password.
In viewing the per-gateway counters, note that any gateway
whose counters (all of them) are zero is omitted from the
listing.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
1:14 a.m.
Thank you! It's been kind of fun writing the router code; I haven't
worked on a sizeable 'C' program in some time. (It's about 4,000
lines of code, all told.)
There's lots more to do still.
- Brian
On Sat, Apr 29, 2017 at 05:08:44PM -0700, Michael Fox - N6MEF wrote:
Thanks Brian. As always, your continued enhancements
are very much
appreciated.
Michael
N6MEF
4:17 a.m.
I think I'm missing something obvious here, but how can I find the credentials
for accessing this? I tried looking for instructions on how to FTP the encap
file from the portal, but I could only find information about the API.
Thanks,
Zachary
VA3ZTS
On Sat, Apr 29, 2017 at 04:55:00PM -0700, Brian Kantor wrote:
(Please trim inclusions from previous messages)
_______________________________________________
The current router statistics (updated every 15 minutes)
are now available from https://gw.ampr.org/private/stats.txt
using the same username and password as it takes to
FTP the encap file from the portal. (This is NOT your
portal login but rather the FTP access authorization.)
Because it contains somewhat sensitive data (the same
data as in the 'encap' file), I've chosen to make it
available using the same username and password.
In viewing the per-gateway counters, note that any gateway
whose counters (all of them) are zero is omitted from the
listing.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
4:49 a.m.
Well, the login/password wouldn't be very secure if we posted them
on the wiki, would they?
If you're a gateway operator, I'll mail them to you. Contact me
off-list.
- Brian
On Sat, Apr 29, 2017 at 11:17:25PM -0400, Zachary Seguin wrote:
I think I'm missing something obvious here, but
how can I find the credentials
for accessing this? I tried looking for instructions on how to FTP the encap
file from the portal, but I could only find information about the API.
Thanks,
Zachary
VA3ZTS
29 Apr
29 Apr
8:52 p.m.
The gateway subnets available today from google ....
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Saturday, April 29, 2017 10:51:59 AM
To: 44net(a)hamradio.ucsd.edu
Subject: [44net] amprgw router statistics
(Please trim inclusions from previous messages)
_______________________________________________
As I've mentioned, I'm now logging statistics for the amprgw
router. I could make these available on a web site, but I'm
hesitant to do so without consensus from the community because
the per-gateway stats have the side effect of revealing what
subnet goes to what gateway, thus giving the bad guys more
insight into how the AMPRNet-Internet gateway works and what
hosts to impersonate to inject bad packets into the network.
A sample of the statistics file is below.
What do you folks think about making this available?
- Brian
started at Sat Apr 29 10:15:37 2017
snapshot at Sat Apr 29 10:45:00 2017
uptime: 0+00:29:23 (1763 seconds)
packets/bytes
---------/---------
121781/76089093 ipip encapped input
117631/73371842 forwarded out
0/0 no source gateway
467445/48802372 raw input
467434/48801678 encapped out
0/0 no destination gateway
2646/175516 encap to encap dropped
7692 discarded
0 TTL exceeded
0 ICMP sent
615 routes loaded (gateway counters cleared) 1486 seconds ago at Sat Apr 29 10:20:14 2017
entry subnet encap gateway outpkts outbytes inpkts inbytes
----- ------------------- ----- ---------------- --------- --------- --------- ---------
0 44.0.0.1/32 ipip 169.228.66.251 2 175 0 0
[etc]
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
30 Apr
30 Apr
3:21 a.m.
On Sat, 29 Apr 2017 10:51:59 -0700, Brian Kantor wrote:
As I've mentioned, I'm now logging statistics
for the amprgw
router. I could make these available on a web site, but I'm
hesitant to do so without consensus from the community because
the per-gateway stats have the side effect of revealing what
subnet goes to what gateway, thus giving the bad guys more
insight into how the AMPRNet-Internet gateway works and what
hosts to impersonate to inject bad packets into the network.
...
What do you folks think about making this available?
Brian,
I suggest you make an anonymized version available to trusted list
members, and ask those whom request access to refrain from
distributing the information publicly.
Since I have little experience in this area, I would prefer to see
summary info instead of the actual data. HTH.
73,
Bill W4EWH
2562
days inactive
2563
days old
19 comments
7 participants
participants (7)
-
Bill Horne W4EWH -
Brian Kantor -
lleachii@aol.com -
Michael Fox - N6MEF -
R P -
Ruben ON3RVH -
Zachary Seguin