Hello everyone,
I'm creating a gateway here, to be used to static and dynamic VPNs to Portuguese HAMs trying to access the 44net.
I've noticed that after I've left the router a few days with the DNS relay open (big mistake!), I was receiving a stream of dummy queries, about a hundred per second.
I was able to block it in our (Lisbon Polytechnics) firewall (before ipip de-encapsulation) with the following iptables rule:
# iptables -t raw -A PREROUTING -i eth0 -p ipencap -d 193.137.237.9 -m length --length 87 -m u32 --u32 "42 = 0x0035002f" -j DROP
Now I've disabled the gateway at the AMPR portal and I'll wait for them to calm down.
I don't know if more tunnels are affected by this so I'm sharing the information.
tcpdump output at the firewall:
10:24:57.864885 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864886 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864888 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864889 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864929 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864931 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864933 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864934 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864936 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864937 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864938 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864940 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864941 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864943 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864944 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
10:24:57.864945 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)
73!
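The capture above shows the classic shape of a reflection flood against an open resolver: one ANY query for one name, always from the same (presumably spoofed) inner source, arriving microseconds apart through the IPIP tunnel. The following is an added example, not code from Pedro's post or from the 44net project: it parses tcpdump lines of that shape, groups them to flag the flood, and derives the two numbers in the posted iptables rule (`--length 87` and `--u32 "42 = 0x0035002f"`) from the DNS payload size. It assumes tcpdump's default one-line DNS output and IPv4 headers without options; the sixth sample line is a constructed, ordinary-looking query added for contrast.

```python
"""
Added example (not from the original post): detect the repeated-ANY flood in
tcpdump output and explain the offsets behind the posted u32 rule.
Assumptions: tcpdump default DNS formatting, 20-byte IPv4 headers (no options).
"""
import re

# Matches tunnelled lines ("IP outer > outer: IP inner ...") and plain DNS lines.
LINE_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:IP (?P<outer_src>[\d.]+) > (?P<outer_dst>[\d.]+): )?"
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\+? (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<plen>\d+)\)"
)

OUTER_IP = 20   # outer IPv4 header added by the IPIP tunnel
INNER_IP = 20   # inner IPv4 header
UDP_HDR = 8     # UDP header in front of the DNS message

# Five lines copied from Pedro's capture plus one constructed legitimate query.
SAMPLE_LINES = [
    "10:24:57.864885 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)",
    "10:24:57.864886 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)",
    "10:24:57.864888 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)",
    "10:24:57.864889 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)",
    "10:24:57.864929 IP 169.228.34.84 > 193.137.237.9: IP 101.173.185.122.17596 > 44.158.128.1.53: 46623+ [1au] ANY? activum.nu. (39) (ipip-proto-4)",
    # constructed: a normal A query from a 44net client, not tunnelled
    "10:24:58.100000 IP 44.158.128.5.40000 > 44.158.128.1.53: 1234+ A? example.org. (29)",
]


def parse_line(line):
    """Return a dict of the query fields, or None for lines that are not DNS queries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    for k in ("sport", "dport", "id", "plen"):
        q[k] = int(q[k])
    q["ipip"] = "ipip-proto-4" in line
    return q


def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def flood_summary(lines, min_count=10):
    """Group queries by (inner src, dst, qtype, qname); report groups with at
    least min_count packets, with the time span they arrived in."""
    groups = {}
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        key = (q["src"], q["dst"], q["qtype"], q["qname"])
        t = _secs(q["ts"])
        g = groups.setdefault(key, {"count": 0, "first": t, "last": t, "ipip": q["ipip"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], t), max(g["last"], t)
    out = []
    for (src, dst, qtype, qname), g in groups.items():
        if g["count"] >= min_count:
            out.append({"src": src, "dst": dst, "qtype": qtype, "qname": qname,
                        "count": g["count"], "span_s": g["last"] - g["first"],
                        "tunnelled": g["ipip"], "amplification_risk": qtype == "ANY"})
    return sorted(out, key=lambda d: d["count"], reverse=True)


def u32_match_for(dns_payload_len, dport=53):
    """Total packet length and u32 expression for an IPIP-carried UDP/DNS query.
    Byte 42 of the packet is the inner UDP destination port; the next two bytes
    are the UDP length, so one 4-byte word pins both."""
    udp_len = UDP_HDR + dns_payload_len
    total = OUTER_IP + INNER_IP + udp_len
    offset = OUTER_IP + INNER_IP + 2
    return total, f"{offset} = 0x{(dport << 16) | udp_len:08x}"


def iptables_rule(dst_ip, dns_payload_len, iface="eth0"):
    """Rebuild a rule of the same shape as the one in the post. Note that it only
    matches this exact payload length, so a query for another name escapes it."""
    total, expr = u32_match_for(dns_payload_len)
    return (f"iptables -t raw -A PREROUTING -i {iface} -p ipencap -d {dst_ip} "
            f'-m length --length {total} -m u32 --u32 "{expr}" -j DROP')


if __name__ == "__main__":
    for entry in flood_summary(SAMPLE_LINES, min_count=5):
        print(entry)
    print(iptables_rule("193.137.237.9", 39))
```

Running it on the sample reproduces the posted rule byte for byte (39 bytes of DNS plus an 8-byte UDP header is 47 = 0x2f, and 20 + 20 + 47 = 87), which is a handy way to confirm a u32 match before deploying it.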
It looks like they are trying to use your host as a DNS server. I have found it best to block the port (53).
On Thu, Oct 12, 2017 at 3:58 PM, Pedro Ribeiro ct7abp@gmail.com wrote:
--
Callsign: CT7ABP
QRA: Pedro Ribeiro
GRID Locator: IM58mr
QTH: São Francisco, Alcochete, Portugal
NET: http://www.qrz.com/db/CT7ABP
CT7ABP is also home station of CR7AJI Diogo
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Hi Pedro,
Funny thing..
If I do a reverse lookup for 193.137.237.9 I get "9.237.137.193.in-addr.arpa domain name pointer 193.137.237.9.IPLNet.local." The .local domain is often used internally for machines that use Active Directory on a LAN. These types of internal host names should not be leaked by the DNS in Windows Server to the outside world.
73,
Bob VE3TOK
On 2017-10-12 06:58 PM, Pedro Ribeiro wrote:
On 12 October 2017 at 23:58, Pedro Ribeiro ct7abp@gmail.com wrote:
I consider it an automatic configuration check for DNS servers. If I accidentally misconfigure a DNS server then I get a notification in the form of a huge increase in bandwidth within a few hours!
Your firewall rule will only block that specific query, and the next attempt using a different hostname will start everything all over again.
Recursive Resolvers should be limited to only serving specific clients (44/8?), but if you do want an open resolver then you need to actively "manage it". At a bare minimum you should disable ANY queries, and I would suggest also investigating Response Rate Limiting.
Doing it "properly" like Google/OpenDNS/etc is beyond a few configuration options in an off-the-shelf resolver, hence it being easier to just restrict the allowed hosts.
Thanks, Mike, M6XCV
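Mike's three controls (serve recursion only to your own clients, refuse ANY, rate-limit responses) are what an off-the-shelf resolver's options give you. The following is an added example, not code from the thread or from any resolver project, that models those controls as a small front-end policy so the effect on the traffic in Pedro's capture can be seen: the spoofed outside source is refused before any recursion happens, an ANY query from a legitimate 44net client is refused, and a client that repeats the same name faster than its token bucket refills is dropped. The 44/8 allow-list, the rate limits and the client addresses are assumptions for illustration; real RRL implementations (BIND's, for example) also "slip" truncated replies so genuine clients can retry over TCP, which this model leaves out.

```python
"""
Added example (not part of the thread): a policy filter modelling the resolver
hardening Mike recommends. Allow-list, limits and addresses are assumptions.
"""
import ipaddress
from collections import Counter

# Assumption: this gateway only resolves for 44net clients.
ALLOWED_CLIENTS = [ipaddress.ip_network("44.0.0.0/8")]
# Query types refused outright; ANY is the classic amplification vehicle.
REFUSED_QTYPES = {"ANY"}


class ResponseRateLimiter:
    """Token bucket per (client /24, qname): a simplified model of response
    rate limiting. Each answer costs one token; tokens refill at per_second."""

    def __init__(self, per_second=5.0, burst=10):
        self.per_second = per_second
        self.burst = burst
        self._buckets = {}  # key -> (tokens, last_seen)

    def allow(self, client_ip, qname, now):
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        key = (str(net), qname.lower())
        tokens, last = self._buckets.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.per_second)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


def decide(client_ip, qtype, qname, rrl, now):
    """Return SERVE, REFUSED or DROP for one incoming query, applying the
    controls in the order a resolver would: ACL, query type, then rate."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWED_CLIENTS):
        return "REFUSED"          # no recursion for the outside world
    if qtype.upper() in REFUSED_QTYPES:
        return "REFUSED"          # ANY disabled
    if not rrl.allow(client_ip, qname, now):
        return "DROP"             # over the response rate limit
    return "SERVE"


def simulate():
    """Run a constructed stream through the policy and count the outcomes."""
    rrl = ResponseRateLimiter(per_second=5.0, burst=10)
    stream = []
    # the flood from the capture: spoofed inner source, ANY, same name, same instant
    stream += [("101.173.185.122", "ANY", "activum.nu.", 0.0)] * 20
    # constructed: a 44net client asking ANY for the same name
    stream += [("44.158.128.5", "ANY", "activum.nu.", 0.0)]
    # constructed: a 44net client hammering one name, then one query a second later
    stream += [("44.158.128.5", "A", "example.org.", 0.0)] * 12
    stream += [("44.158.128.5", "A", "example.org.", 1.0)]
    return Counter(decide(ip, qt, qn, rrl, t) for ip, qt, qn, t in stream)


if __name__ == "__main__":
    for verdict, n in sorted(simulate().items()):
        print(f"{verdict:8s} {n}")
```

In the constructed stream the 20 flood packets and the ANY query are refused, the burst of 12 identical A queries yields 10 answers and 2 drops, and the query one second later is served again once the bucket has refilled. That last line is the reason rate limiting is preferable to Pedro's length-specific drop rule: it survives a change of query name and still lets genuine clients through.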