12 Oct
2017
12 Oct
'17
6:58 p.m.
Hello everyone,
I'm creating a gateway here, to be used to static and dynamic VPNs to
Portuguese HAMs trying to access the 44net.
I've noticed that after I've leaven the router a few days with the DNS
relay open (big mistake!), I was receiving a stream of dummy querys
about a hundred per second.
I was able to block it in our (Lisbon Polytechnics) firewall (before
ipip de-encapsulation) with the next iptables rule:
# iptables -t raw -A PREROUTING -i eth0 -p ipencap -d 193.137.237.9 -m
length --length 87 -m u32 --u32 "42 = 0x0035002f" -j DROP
Now I've disabled the gateway at the AMPR portal and I'll wait for them
to calm down.
I don't know if more tunnels are affected by this so I'm sharing the
information.
tcpdump output at the firewall:
10:24:57.864885 IP 169.228.34.84 > 193.137.237.9:
IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864886 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864888 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864889 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864929 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864931 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864933 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864934 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864936 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864937 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864938 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864940 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864941 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864943 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864944 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864945 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
73!
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Callsign: CT7ABP
QRA: Pedro Ribeiro
GRID Locator: IM58mr
QTH: São Francisco, Alcochete, Portugal
NET: http://www.qrz.com/db/CT7ABP
CT7ABP is also home station of CR7AJI Diogo
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
12 Oct
12 Oct
7:25 p.m.
It looks like they are trying to use your host as a DNS server. I have
found it best to block the port (53)
On Thu, Oct 12, 2017 at 3:58 PM, Pedro Ribeiro <ct7abp(a)gmail.com> wrote:
Hello everyone,
I'm creating a gateway here, to be used to static and dynamic VPNs to
Portuguese HAMs trying to access the 44net.
I've noticed that after I've leaven the router a few days with the DNS
relay open (big mistake!), I was receiving a stream of dummy querys about a
hundred per second.
I was able to block it in our (Lisbon Polytechnics) firewall (before ipip
de-encapsulation) with the next iptables rule:
# iptables -t raw -A PREROUTING -i eth0 -p ipencap -d 193.137.237.9 -m
length --length 87 -m u32 --u32 "42 = 0x0035002f" -j DROP
Now I've disabled the gateway at the AMPR portal and I'll wait for them to
calm down.
I don't know if more tunnels are affected by this so I'm sharing the
information.
tcpdump output at the firewall:
10:24:57.864885 IP 169.228.34.84 > 193.137.237.9: IP
--
------------------------------
John D. Hays
K7VE
<http://k7ve.org/blog> <http://twitter.com/#!/john_hays>
<http://www.facebook.com/john.d.hays>
101.173.185.122.17596 > 44.158.128.1.53:
46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864886 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864888 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864889 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864929 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864931 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864933 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864934 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864936 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864937 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864938 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864940 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864941 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864943 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864944 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
10:24:57.864945 IP 169.228.34.84 > 193.137.237.9: IP
101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu.
(39) (ipip-proto-4)
73!
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Callsign: CT7ABP
QRA: Pedro Ribeiro
GRID Locator: IM58mr
QTH: São Francisco, Alcochete, Portugal
NET: http://www.qrz.com/db/CT7ABP
CT7ABP is also home station of CR7AJI Diogo
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
7:44 p.m.
Hi Pedro,
Funny thing..
If I do a reverse lookup up for 193.137.237.9 I get 9.237.137.193.in-addr.arpa domain
name pointer 193.137.237.9.IPLNet.local.
.local domain is often used internally for machines what use Active Directory at a LAN.
These type of internal host names should not
leaked by the DNS in Windows Server to the outside world.
73,
Bob VE3TOK
On 2017-10-12 06:58 PM, Pedro Ribeiro wrote:
Hello everyone,
I'm creating a gateway here, to be used to static and dynamic VPNs to Portuguese HAMs
trying to access the 44net.
I've noticed that after I've leaven the router a few days with the DNS relay open
(big mistake!), I was receiving a stream of dummy querys about a hundred per second.
I was able to block it in our (Lisbon Polytechnics) firewall (before ipip
de-encapsulation) with the next iptables rule:
# iptables -t raw -A PREROUTING -i eth0 -p ipencap -d 193.137.237.9 -m length --length 87
-m u32 --u32 "42 = 0x0035002f" -j DROP
Now I've disabled the gateway at the AMPR portal and I'll wait for them to calm
down.
I don't know if more tunnels are affected by this so I'm sharing the
information.
tcpdump output at the firewall:
10:24:57.864885 IP 169.228.34.84 >
193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY?
activum.nu. (39) (ipip-proto-4)
10:24:57.864886 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864888 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864889 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864929 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864931 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864933 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864934 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864936 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864937 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864938 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864940 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864941 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864943 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864944 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864945 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 >
44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
73!
13 Oct
13 Oct
7:02 a.m.
On 12 October 2017 at 23:58, Pedro Ribeiro <ct7abp(a)gmail.com> wrote:
Hello everyone,
I'm creating a gateway here, to be used to static and dynamic VPNs to
Portuguese HAMs trying to access the 44net.
I've noticed that after I've leaven the router a few days with the DNS relay
open (big mistake!), I was receiving a stream of dummy querys about a
hundred per second.
I was able to block it in our (Lisbon Polytechnics) firewall (before ipip
de-encapsulation) with the next iptables rule:
# iptables -t raw -A PREROUTING -i eth0 -p ipencap -d 193.137.237.9 -m
length --length 87 -m u32 --u32 "42 = 0x0035002f" -j DROP
Now I've disabled the gateway at the AMPR portal and I'll wait for them to
calm down.
I don't know if more tunnels are affected by this so I'm sharing the
information.
I consider it an automatic configuration check for DNS servers. If I
accidentally misconfigure a DNS server than I get a notification in
the form of a huge increase in bandwidth within a few hours!
Your firewall rule will only block that specific query, and the next
attempt using a different hostname will start everything all over
again.
Recursive Resolvers should be limited to only serving specific clients
(44/8?), but if you do want an open resolver then you need to actively
"manage it". At a bare minimum you should disable ANY queries, and I
would suggest also investigating Response Rate Limiting.
Doing it "properly" like Google/OpenDNS/etc is beyond a few
configuration options in an off-the-shelf resolver, hence it being
easier to just restrict the allowed hosts.
Thanks,
Mike, M6XCV
2596
days inactive
2597
days old
4 comments
5 participants
participants (5)
-
Boudewijn (Bob) Tenty -
James Sharp -
K7VE - John -
M6XCV (Mike) -
Pedro Ribeiro