26 Mar
2020
26 Mar
'20
2:29 p.m.
Rob,
You stated:
So all traffic received on IPIP tunnels should be from net44 only in our case.
Unfortunately not all of it is.
Can you elaborate on the traffic that isn't, please?
Is this traffic from another operator...or a non-operator?
Can you also elaborate if this traffic forwards in any cases?
That's what we're tying to stop. Please note, I haven't identified this is
related to any IPENCAP issue specifically (except that it appears we may have some
operators that forward traffic not destined for them). While I understand your concern,
I'm not sure it's related to IPENCAP 100%.
73,
- Lynwood
KB3VWG
26 Mar
26 Mar
3:02 p.m.
New subject: Security - Nested IPIP
Hi all
it's very simple
run a tcpdump -ni (inteface) proto 4 (this testing is scrolling fast 24x7)
address1 (gwampr) (GW-of dest host) (thenipencap address3(from bamdit) (dest 44net remote
address (ports 1-65535) being scanned
So the Bandit addresses(Non44net) of the 14 I looked at over a couple of seconds
yestrday are frome
Denmark, Bulgaria,Turkey,Netherlands,USA,Japan,Moldova,Russia
It's crasy
the rule at the GW-ampr gateway address3 should only be in the 44.0.9 and 44.128/10
range. I monitor this real time as I am 'sad'
And like to see who it trying to break in and fail to mine and hosted downstream sub
networks of mt partners.
As other have mentioned before, these use to be blocked
Well they are blocked here.
Sigh!! And I am not a Network Technician
Paul
On 26 March 2020 at 19:29 lleachii--- via 44Net
<44net(a)mailman.ampr.org> wrote:
Rob,
You stated:
So all traffic received on IPIP tunnels should be from net44 only in our case.
Unfortunately not all of it is.
Can you elaborate on the traffic that isn't, please?
Is this traffic from another operator...or a non-operator?
Can you also elaborate if this traffic forwards in any cases?
That's what we're tying to stop. Please note, I haven't identified this is
related to any IPENCAP issue specifically (except that it appears we may have some
operators that forward traffic not destined for them). While I understand your concern,
I'm not sure it's related to IPENCAP 100%.
73,
- Lynwood
KB3VWG
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
______________________________________________
This email has been scanned by Netintelligence
http://www.netintelligence.com/email
6:04 p.m.
New subject: Security - Nested IPIP
Paul,
This is common and normal to be expected, and not the crafty traffic getting through being
discussed. This should be firewalled already.
address1 (gwampr) (GW-of dest host) (thenipencap address3(from bamdit) (dest 44net remote
address (ports 1-65535) being scanned
Also, you should see ZERO 44net IPs from AMPRGW (aside from subnets arraigned at AMPRGW).
I'm not sure if you're confused...AMPRGW should only give you IPs != 44net. 44net
IPs come from the ~400 tunnels we run. The only problem you highlight is that your
AMPRGW_IP variable my case - was a registered operator in the portal from Poland; not
USCD. Now the issue should be clearer to you.
Marius and Rob,
I plan to test a split of my tunnels around 0500UTC (if I am awake). I will create tunl0
(REMOTE_IP none) to you and for the -L beacon. tunl1 (REMOTE_IP AMPRGW) will be AMPRGW
only.
To workaround the wrong routes being added to table 44:
#TESTS
#/etc/config/ampr-ripd-2.3-PPC2 -p <the_password> -i tunl1 -g eth0.2 -t 46 -F tunl0
-x '/etc/config/load_ipipfilter.sh'
#/etc/config/ampr-ripd-2.3-PPC -p <the_password> -i tunl0 -g eth0.2 -s -t 44 -a
44.60.44.0/24 -L kb3vwg@fm18ot &
* uncomment test commands
* create amprwan2 to tunl1, assign to amprwan_zone
* add ip rule for amprwan2
* change default route from amprwan to amprwan2
* wait ~5-15 mins if Public IP changes
* #think I have to allow 520/udp forward from IP_tunl1 to IP_tunl0
Let me know if this seems plausible.
73,
- Lynwood
KB3VWG
-----Original Message-----
From: paul Lewis <paul(a)theskywaves.net>
To: AMPRNet working group <44net(a)mailman.ampr.org>
Cc: lleachii <lleachii(a)aol.com>
Sent: Thu, Mar 26, 2020 4:02 pm
Subject: Re: [44net] Security - Nested IPIP
Hi all
it's very simple
run a tcpdump -ni (inteface) proto 4 (this testing is scrolling fast 24x7)
address1 (gwampr) (GW-of dest host) (thenipencap address3(from bamdit) (dest 44net remote
address (ports 1-65535) being scanned
So the Bandit addresses(Non44net) of the 14 I looked at over a couple of seconds
yestrday are frome
Denmark, Bulgaria,Turkey,Netherlands,USA,Japan,Moldova,Russia
It's crasy
the rule at the GW-ampr gateway address3 should only be in the 44.0.9 and 44.128/10
range. I monitor this real time as I am 'sad'
And like to see who it trying to break in and fail to mine and hosted downstream sub
networks of mt partners.
As other have mentioned before, these use to be blocked
Well they are blocked here.
Sigh!! And I am not a Network Technician
Paul
On 26 March 2020 at 19:29 lleachii--- via 44Net
<44net(a)mailman.ampr.org> wrote:
Rob,
You stated:
So all traffic received on IPIP tunnels should be from net44 only in our case.
Unfortunately not all of it is.
Can you elaborate on the traffic that isn't, please?
Is this traffic from another operator...or a non-operator?
Can you also elaborate if this traffic forwards in any cases?
That's what we're tying to stop. Please note, I haven't identified this is
related to any IPENCAP issue specifically (except that it appears we may have some
operators that forward traffic not destined for them). While I understand your concern,
I'm not sure it's related to IPENCAP 100%.
73,
- Lynwood
KB3VWG
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
______________________________________________
This email has been scanned by Netintelligence
http://www.netintelligence.com/email
1703
days inactive
1703
days old
3 comments
2 participants
participants (2)
-
lleachii@aol.com -
paul Lewis