For several hours now, amprgw has been seeing a storm of traceroutes from hundreds of different source addresses. It looks like a botnet has been activated to probe net 44 using short-TTL packets like traceroute.
In reaction to this, I've temporarily set the gateway to discard any packet with a TTL of less than 30. (The TTL is decremented by one when the packet is forwarded; normally, of course, only packets with a TTL value of zero are discarded.)
Interesting... is it real traceroute traffic (to UDP port 33434 and higher) or is it different?
I have had this rule (with TTL limit 16 and only for UDP 33434-33499) on our gateway for quite some time and I do not see many hits on it.
Maybe the traffic is different. I do not observe increased input traffic.
Rob
They looked like real traceroutes, but it seems to have diminished quite recently; a packet capture a moment or so ago didn't see any. I noticed it because amprgw logs all 'time exceeded' packets it sends, and there were suddenly a LOT of these.
However, there's a considerably more insidious kind of traffic. The Nagra people (Kudelski Switzerland) are probing our network with false NTP packets from the subnet 185.35.62.0/23. The comment in the RIPE database is
inetnum: 185.35.62.0 - 185.35.63.255
descr: This IP network is used for Internet security research. Internet-scale port scanning activities are launched from this network. Don't hesitate to contact portscan@nagra.com would you have any question.
I've added that subnet to the "security research" blocking list here.
Seems it's a never-ending battle. - Brian
On Mon, Jul 03, 2017 at 10:08:19AM +0200, Rob Janssen wrote:
> Interesting... is it real traceroute traffic (to UDP port 33434 and higher) or is it different?
> I have had this rule (with TTL limit 16 and only for UDP 33434-33499) on our gateway for quite some time and I do not see many hits on it.
> Maybe the traffic is different. I do not observe increased input traffic.
> Rob
So if the storm stopped, what is the explanation for the rise of the inbound denied traffic noise (first graph) from about 15MB/S to about 35MB/S?
Could it be the Swiss probe?
Do you have any kind of tool to check, or does it all have to be done by looking into the logs?
Ronen - 4Z4ZQ
From: 44Net <44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu> on behalf of Brian Kantor <Brian@UCSD.Edu>
Sent: Monday, July 3, 2017 3:00 AM
To: AMPRNet working group
Subject: Re: [44net] Traceroute storm
44Net mailing list: 44Net@hamradio.ucsd.edu, http://hamradio.ucsd.edu/mailman/listinfo/44net
I don't know what the explanation is. I'll try to find out.
The probes from Switzerland were noticeable but not enough to explain all the difference in traffic that you are seeing.
There is also a lot of SIP probing going on. It doesn't account for all the increase in traffic either.
No, I don't have a tool to tell me what the increased traffic is. Perhaps I'll have to write one.
Mostly I look at the usage statistics, the firewall counters, and the graphs that are on the web site. I find out a lot by capturing traffic and looking at it by eye. I've only been looking at UDP traffic so far today. - Brian
On Mon, Jul 03, 2017 at 11:03:33AM +0000, R P wrote:
> So if the storm stopped, what is the explanation for the rise of the inbound denied traffic noise (first graph) from about 15MB/S to about 35MB/S? Could it be the Swiss probe? Do you have any kind of tool to check, or does it all have to be done by looking into the logs? Ronen - 4Z4ZQ
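Brian says above that he has no tool to tell him what the increased denied traffic is and that he classifies it by eye from captures; the script below is an added example, not amprgw's code or anything from this thread, of the kind of first-pass classifier one could write. It parses a constructed deny-log format (real firewall logs need their own regex), labels each packet as traceroute-like (UDP to 33434-33499), security-research (source in the 185.35.62.0/23 block quoted from RIPE above), SIP probe (port 5060) or other, counts distinct sources per class, and reports how many of the same packets each of the two TTL rules in the thread would have dropped. Whether Rob's "TTL limit 16" means at most 16 or below 16 is not stated, so at most 16 is assumed; the sample source addresses are from documentation ranges except for the Nagra block.

```python
"""Classify gateway deny-log lines by apparent probe type and count rule hits.

Added example, not amprgw's code. The log line format below is constructed for
this example; real firewall logs will need their own regex.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines. Source addresses use RFC 5737 documentation
# ranges except for the 185.35.62.0/23 block named in the RIPE entry above.
SAMPLE_LOG = """\
2017-07-03T08:01:02Z DENY proto=UDP src=203.0.113.10 dst=44.0.0.1 sport=40000 dport=33434 ttl=3
2017-07-03T08:01:02Z DENY proto=UDP src=203.0.113.11 dst=44.0.0.1 sport=40000 dport=33435 ttl=5
2017-07-03T08:01:03Z DENY proto=UDP src=198.51.100.7 dst=44.0.0.2 sport=40001 dport=33436 ttl=12
2017-07-03T08:01:03Z DENY proto=UDP src=185.35.62.40 dst=44.0.0.3 sport=123 dport=123 ttl=52
2017-07-03T08:01:04Z DENY proto=UDP src=185.35.63.9 dst=44.0.0.4 sport=123 dport=123 ttl=51
2017-07-03T08:01:05Z DENY proto=UDP src=192.0.2.77 dst=44.0.0.5 sport=5060 dport=5060 ttl=47
2017-07-03T08:01:06Z DENY proto=TCP src=192.0.2.80 dst=44.0.0.6 sport=55000 dport=22 ttl=20
2017-07-03T08:01:07Z DENY proto=UDP src=203.0.113.12 dst=44.0.0.7 sport=40002 dport=33450 ttl=29
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) DENY proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) ttl=(?P<ttl>\d+)$"
)

TRACEROUTE_PORTS = range(33434, 33500)  # classic UDP traceroute range, 33434-33499
RESEARCH_NETS = [ipaddress.ip_network("185.35.62.0/23")]  # from the RIPE entry in the thread
SIP_PORT = 5060


def parse_log(text):
    """Turn matching log lines into dicts with integer ports and TTL; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "ttl"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def drop_low_ttl(pkt, limit=30):
    """The temporary amprgw rule described in the thread: drop anything with TTL below 30."""
    return pkt["ttl"] < limit


def drop_udp_traceroute(pkt, limit=16):
    """Rob's narrower rule: UDP to 33434-33499 with a low TTL.
    'TTL limit 16' is assumed here to mean TTL <= 16."""
    return pkt["proto"] == "UDP" and pkt["ttl"] <= limit and pkt["dport"] in TRACEROUTE_PORTS


def classify(pkt):
    """Label a packet with the probe type it most resembles."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in RESEARCH_NETS):
        return "security-research"
    if pkt["proto"] == "UDP" and pkt["dport"] in TRACEROUTE_PORTS:
        return "traceroute"
    if pkt["dport"] == SIP_PORT:
        return "sip-probe"
    return "other"


def summarize(records):
    """Packet counts and distinct source counts per class, plus hits per rule."""
    packets = Counter()
    sources = defaultdict(set)
    for pkt in records:
        label = classify(pkt)
        packets[label] += 1
        sources[label].add(pkt["src"])
    rule_hits = {
        "ttl<30": sum(drop_low_ttl(p) for p in records),
        "udp-traceroute-ttl<=16": sum(drop_udp_traceroute(p) for p in records),
    }
    return {
        "packets": dict(packets),
        "distinct_sources": {k: len(v) for k, v in sources.items()},
        "rule_hits": rule_hits,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for section, values in report.items():
        print(section)
        for key, value in sorted(values.items()):
            print(f"  {key:24s} {value}")
```

On the sample both rules catch the three low-TTL traceroute packets, but the blanket TTL-below-30 rule also drops the TTL-29 traceroute and the TTL-20 TCP packet to port 22, which is the trade-off of a broad TTL floor: it is blind to port, so a distant host or one with a low initial TTL is discarded along with the probes, whereas the port-restricted rule only ever touches the traceroute range. Counting distinct sources per class is what distinguishes a botnet-style storm (hundreds of sources) from a single scanner sending many packets.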
Hey Brian,
I appreciate you spending some of your time manually recognizing and adding additional network filters to keep our little corner of the Internet cleaner than usual! Thanks!
--David KI6ZHD
> I've added that subnet to the "security research" blocking list here.
> Seems it's a never-ending battle.
> - Brian
You're quite welcome. - Brian
On Mon, Jul 03, 2017 at 09:45:59AM -0700, David Ranch wrote:
> Hey Brian, I appreciate you spending some of your time manually recognizing and adding additional network filters to keep our little corner of the Internet cleaner than usual! Thanks! --David KI6ZHD
+1
--- Pardon my brevity, I'm on a Samsung Galaxy Note 3. Sent via the axMail-FAX suite.
On July 3, 2017 12:47:08 PM David Ranch amprgw@trinnet.net wrote:
> Hey Brian,
> I appreciate you spending some of your time manually recognizing and adding additional network filters to keep our little corner of the Internet cleaner than usual! Thanks!
> --David KI6ZHD
> > I've added that subnet to the "security research" blocking list here.
> > Seems it's a never-ending battle.
> > - Brian