3 Jul
2017
3 Jul
'17
4:08 a.m.
For several hours now, amprgw has been seeing a storm
of traceroutes from
hundreds of different source addresses. It looks like a botnet has been
activated to probe net 44 using short-TTL packets like traceroute.
In reaction to this, I've temporarily set the
gateway to discard any
packet with a TTL of less than 30. (The TTL is decremented by one when
the packet is forwarded; normally, of course, only packets with a TTL
value of zero are discarded.)
Interesting... is it real traceroute traffic (to UDP port 33434 and higher)
or is it different?
I have had this rule (with TTL limit 16 and only for UDP 33434-33499) on our
gateway for quite some time and I do not see many hits on it.
Maybe the traffic is different. I do not observe increased input traffic.
Rob
3 Jul
3 Jul
6 a.m.
New subject: Traceroute storm
They looked like real traceroutes, but it seems to have diminished quite
recently; a packet capture a moment or so ago didn't see any. I noticed
it because amprgw logs all 'time exceeded' packets it sends, and there
were suddenly a LOT of these.
However, there's quite a bit more insidious kind of traffic. The Nagra
people (Kudelski Switzerland) are probing our network with false
NTP packets from the subnet 185.35.62.0/23. The comment in the RIPE
database is
inetnum: 185.35.62.0 - 185.35.63.255
descr: This IP network is used for Internet security research. Internet-scale
port scanning activities are launched from this network. Don't hesitate to contact
portscan(a)nagra.com would you have any question.
I've added that subnet to the "security research" blocking list here.
Seems it's a never-ending battle.
- Brian
On Mon, Jul 03, 2017 at 10:08:19AM +0200, Rob Janssen wrote:
Interesting... is it real traceroute traffic (to UDP
port 33434 and higher)
or is it different?
I have had this rule (with TTL limit 16 and only for UDP 33434-33499) on our
gateway for quite some time and I do not see many hits on it.
Maybe the traffic is different. I do not observe increased input traffic.
Rob
7:03 a.m.
New subject: Traceroute storm
So if the storm Stopped what is the explain for the raise of the inbound denied traffic
noise (first graph) from about 15MB/S to about 35MB/S ?
May it be the Swiss probe ?
do you have any kind of tool to check or all have to be done by looking into the logs
?
Ronen - 4Z4ZQ
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Monday, July 3, 2017 3:00 AM
To: AMPRNet working group
Subject: Re: [44net] Traceroute storm
; a packet capture a moment or so ago didn't see any.
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
9:44 a.m.
New subject: Traceroute storm
I don't know what the explanation is. I'll try to find out.
The probes from Switzerland were noticeable but not enough to
explain all the difference in traffic that you are seeing.
There is also a lot of SIP probing going on. It doesn't account
for all the increase in traffic either.
No, I don't have a tool to tell me what the increased traffic is.
Perhaps I'll have to write one.
Mostly I look at the usage statistics, the firewall counters, and
the graphs that are on the web site. I find out a lot by capturing
traffic and looking at it by eye. I've only been looking at UDP
traffic so far today.
- Brian
On Mon, Jul 03, 2017 at 11:03:33AM +0000, R P wrote:
So if the storm Stopped what is the explain for the
raise of the inbound denied traffic noise (first graph) from about 15MB/S to about
35MB/S ?
May it be the Swiss probe ?
do you have any kind of tool to check or all have to be done by looking into the logs
?
Ronen - 4Z4ZQ
12:45 p.m.
New subject: Traceroute storm
Hey Brian,
I appreciate you spending some of your time to manually recognizing and
adding additional network filters to keep our little corner of the
Internet cleaner than usual! Thanks!
--David
KI6ZHD
I've added that subnet to the "security
research" blocking list here.
Seems it's a never-ending battle.
- Brian
1:23 p.m.
New subject: Traceroute storm
You're quite welcome.
- Brian
On Mon, Jul 03, 2017 at 09:45:59AM -0700, David Ranch wrote:
Hey Brian,
I appreciate you spending some of your time to manually recognizing and
adding additional network filters to keep our little corner of the Internet
cleaner than usual! Thanks!
--David
KI6ZHD
1:31 p.m.
New subject: Traceroute storm
+1
---
Pardon my brevity, I'm on a Samsung Galaxy Note 3.
Sent via the axMail-FAX suite.
On July 3, 2017 12:47:08 PM David Ranch <amprgw(a)trinnet.net> wrote:
>
> Hey Brian,
>
> I appreciate you spending some of your time to manually recognizing and
> adding additional network filters to keep our little corner of the
> Internet cleaner than usual! Thanks!
>
> --David
> KI6ZHD
>
>
>> I've added that subnet to the "security research" blocking list
here.
>>
>> Seems it's a never-ending battle.
>> - Brian
>
>
2698
days inactive
2698
days old
6 comments
5 participants
participants (5)
-
Brian -
Brian Kantor -
David Ranch -
R P -
Rob Janssen