12 Mar
2020
12 Mar
'20
12:30 p.m.
Hello group,
I am wondering if anyone else is seeing the following: starting on 5
March 2020 and continuing through the present I have detected a large
spike in inbound traffic to several of my AMPR 44 IP addresses (on
44.50.1.0/24). The spike has been large enough that my logging ELK
stack is struggling to keep up.
This traffic is coming from the public internet. Most of these are
looking at standard ports 443, 80, 25, and 22.
These are being directed to IP addresses in my subnet that are not in
use, and therefore are being dropped (but logged) at the firewall.
Nothing is running on these IPs so there is no way the traffic is in
response to anything I can find coming from my network.
I realize devices periodically scan the "entire internet" but this is
more than that... in one day I saw 100,000 TCP SYN from a single public
IP address. That is a significant spike and I am not certain why they
sent so much traffic from a single IP to a single IP.
Wondering if anyone else is seeing the same?
73 DE KC0AKY
30 Mar
30 Mar
5:23 a.m.
Hi Shawn,
This is "pretty normal" (normal in a sence that I see this kind of traffic on
all customer networks too when vacation times begin)
Since the COVID-19 outbreak a lot of school have closed and ppl start working from home.
But every time youngsters are on vacation, I see an increase in botnet/scans/hack
traffic/attempts
73
Ruben ON3RVH
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Shawn M
Garringer via 44Net
Sent: Thursday, March 12, 2020 17:30
To: 44net(a)mailman.ampr.org
Cc: ampr(a)shawngarringer.org
Subject: [44net] Large increase in inbound suspicious traffic from public internet to
systems on 44 net?
Hello group,
I am wondering if anyone else is seeing the following: starting on 5 March 2020 and
continuing through the present I have detected a large spike in inbound traffic to several
of my AMPR 44 IP addresses (on 44.50.1.0/24). The spike has been large enough that my
logging ELK stack is struggling to keep up.
This traffic is coming from the public internet. Most of these are looking at standard
ports 443, 80, 25, and 22.
These are being directed to IP addresses in my subnet that are not in use, and therefore
are being dropped (but logged) at the firewall. Nothing is running on these IPs so there
is no way the traffic is in response to anything I can find coming from my network.
I realize devices periodically scan the "entire internet" but this is more than
that... in one day I saw 100,000 TCP SYN from a single public IP address. That is a
significant spike and I am not certain why they sent so much traffic from a single IP to a
single IP.
Wondering if anyone else is seeing the same?
73 DE KC0AKY
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
5:58 a.m.
Hi,
I tend to notice this happening after a subnet becomes routed a few
weeks later. They are scanning for open SMTP relays and SSH access to
brute force. It may be if your not using them two ports for anything
ensuring they are closed as far up the chain as you can. I am in the
process of moving mine from a VPS to a dedicated router which means i
can kill the traffic at carrier level before i route it on to my
locations.
73's
2E0EMO
On Mon, 30 Mar 2020 at 10:25, Ruben ON3RVH via 44Net
<44net(a)mailman.ampr.org> wrote:
Hi Shawn,
This is "pretty normal" (normal in a sence that I see this kind of traffic on
all customer networks too when vacation times begin)
Since the COVID-19 outbreak a lot of school have closed and ppl start working from home.
But every time youngsters are on vacation, I see an increase in botnet/scans/hack
traffic/attempts
73
Ruben ON3RVH
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Shawn M
Garringer via 44Net
Sent: Thursday, March 12, 2020 17:30
To: 44net(a)mailman.ampr.org
Cc: ampr(a)shawngarringer.org
Subject: [44net] Large increase in inbound suspicious traffic from public internet to
systems on 44 net?
Hello group,
I am wondering if anyone else is seeing the following: starting on 5 March 2020 and
continuing through the present I have detected a large spike in inbound traffic to several
of my AMPR 44 IP addresses (on 44.50.1.0/24). The spike has been large enough that my
logging ELK stack is struggling to keep up.
This traffic is coming from the public internet. Most of these are looking at standard
ports 443, 80, 25, and 22.
These are being directed to IP addresses in my subnet that are not in use, and therefore
are being dropped (but logged) at the firewall. Nothing is running on these IPs so there
is no way the traffic is in response to anything I can find coming from my network.
I realize devices periodically scan the "entire internet" but this is more than
that... in one day I saw 100,000 TCP SYN from a single public IP address. That is a
significant spike and I am not certain why they sent so much traffic from a single IP to a
single IP.
Wondering if anyone else is seeing the same?
73 DE KC0AKY
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
6:03 a.m.
On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer via 44Net wrote:
Hello group,
I am wondering if anyone else is seeing the following: starting on 5
March 2020 and continuing through the present I have detected a large
spike in inbound traffic to several of my AMPR 44 IP addresses (on
44.50.1.0/24). The spike has been large enough that my logging ELK
stack is struggling to keep up.
This traffic is coming from the public internet. Most of these are
looking at standard ports 443, 80, 25, and 22.
These are being directed to IP addresses in my subnet that are not in
use, and therefore are being dropped (but logged) at the firewall.
Nothing is running on these IPs so there is no way the traffic is in
response to anything I can find coming from my network.
I realize devices periodically scan the "entire internet" but this is
more than that... in one day I saw 100,000 TCP SYN from a single public
IP address. That is a significant spike and I am not certain why they
sent so much traffic from a single IP to a single IP.
Wondering if anyone else is seeing the same?
73 DE KC0AKY
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
--
If Confucius were alive today:
"A computing device left in the OFF power state never crashes"
-----
73 de Brian N1URO
IPv6 Certified
SMTP: n1uro-at-n1uro.ampr.org
6:09 a.m.
Shawn et al;
On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer via 44Net wrote:
I am wondering if anyone else is seeing the following:
starting on 5
March 2020 and continuing through the present I have detected a large
spike in inbound traffic to several of my AMPR 44 IP addresses (on
44.50.1.0/24). The spike has been large enough that my logging ELK
stack is struggling to keep up.
A good number of folks have seen a spike in scans by botnets spoofing
IPs but not just on 44-net. Commercial ISPs have seen similar spikes of
traffic and have taken proactive measures to try and halt these brute
force attacks.
Some of the spoofed IPs I've seen include the U.S. military, U.S. postal
service, USDA, many universities and municipalities... to name a few. At
one point I even caught a 222-net IP try to inject my DNS server with a
bogus ampr.org zone file on my public IP. Of course it failed and my
firewall bagged it.
The best you can do is tighten your firewall rules so that these spoofs
do as little damage as possible.
--
If Confucius were alive today:
"A computing device left in the OFF power state never crashes"
-----
73 de Brian N1URO
IPv6 Certified
SMTP: n1uro-at-n1uro.ampr.org
9:24 a.m.
New subject: DNS Entries Please
Hi All,
First off, I would like to say my coordinator has been great when it comes to supporting
me. As I know, he is still waiting for access to added DNS entries.
To complete my configuration Ubiquiti Edgerouter 10X, I need to have some DNS entries
added and 1 correction DNS entries from my allocation. Is there anyone who could add them
manually for now??
I would appreciate any help here!!
73, n5uxt - allocation ampr.org 44.108.2.0/17
---------------------------------------------------------
If you don't ask, you will never know!!
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
9:31 a.m.
New subject: DNS Entries Please
Hi Angelo,
I am not aware of any coordinators requesting access to the dns system, please ask him to
email me if access is required and I can explain how.
In the meantime you can send any urgent requests to me if you like.
73,
Chris
G1FEF
On 30 Mar 2020, at 14:24, Angelo Glorioso via 44Net
<44net(a)mailman.ampr.org> wrote:
Hi All,
First off, I would like to say my coordinator has been great when it comes to supporting
me. As I know, he is still waiting for access to added DNS entries.
To complete my configuration Ubiquiti Edgerouter 10X, I need to have some DNS entries
added and 1 correction DNS entries from my allocation. Is there anyone who could add them
manually for now??
I would appreciate any help here!!
73, n5uxt - allocation ampr.org 44.108.2.0/17
---------------------------------------------------------
If you don't ask, you will never know!!
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
9:56 a.m.
New subject: DNS Entries Please
Hello Chris,
Thanks for the quick reply. Can you please add the following 😊
gw.n5uxt.ampr.org. 44.108.2.1
pc.n5uxt.ampr.org 44.108.2.2
allstar.ampr.org 44.108.2.3
Allstar1.n5uxt.ampr.org 44.108.2.4
Allstar2.n5uxt.ampr.org 44.108.2.5
test.n5uxt.ampr.org 44.108.2.6
gw2..n5uxt.ampr.org 44.108.2.7
linux.n5uxt.ampr.org. 44.108.2.8
n5uxt.ampr.org 44.1.8.2.13
Remove the following :
44.108.2.31 - gw.n5uxt.ampr.org<http://gw.n5uxt.ampr.org/>
44.108.2.32 - test.n5uxt.ampr.org<http://test.n5uxt.ampr.org/>
44.108.2.45 - linux.n5uxt.ampr.org<http://linux.n5uxt.ampr.org/>
44.108.2.52 - linux2.n5uxt.ampr.org
Thanks for your help Chris!
73 de Angelo - Allocations 44.108.2.0/27
________________________________
From: 44Net <44net-bounces+n5uxt=hotmail.com(a)mailman.ampr.org> on behalf of G1FEF
via 44Net <44net(a)mailman.ampr.org>
Sent: Monday, March 30, 2020 1:31 PM
To: AMPRNet working group <44net(a)mailman.ampr.org>
Cc: G1FEF <chris(a)g1fef.co.uk>
Subject: Re: [44net] DNS Entries Please
Hi Angelo,
I am not aware of any coordinators requesting access to the dns system, please ask him to
email me if access is required and I can explain how.
In the meantime you can send any urgent requests to me if you like.
73,
Chris
G1FEF
On 30 Mar 2020, at 14:24, Angelo Glorioso via 44Net
<44net(a)mailman.ampr.org> wrote:
Hi All,
First off, I would like to say my coordinator has been great when it comes to supporting
me. As I know, he is still waiting for access to added DNS entries.
To complete my configuration Ubiquiti Edgerouter 10X, I need to have some DNS entries
added and 1 correction DNS entries from my allocation. Is there anyone who could add them
manually for now??
I would appreciate any help here!!
73, n5uxt - allocation ampr.org 44.108.2.0/17
---------------------------------------------------------
If you don't ask, you will never know!!
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
10:25 a.m.
New subject: DNS Entries Please
Chris and Angelo,
I think i got my login for dns sorted yesterday with the n1uro cgi script and login.
I have added the DNS entries this morning.
Chris, can you assist with verification that you can see the dns entries added for Angelo
this morning? I am not sure of the time for it to populate.
I apologize for the delays. Angelo, I have my test router on the bench at the office this
morning to verify configuration of the scripting and will reach out to you after I run a
few tests.
Best Regards,
Elias
Kd5jfe
Louisiana
Sent from my iPhone
2:41 p.m.
New subject: DNS Entries Please
Chis,
Thanks for all your help!
Angelo
---------------------------------------------------------
If you don't ask, you will never know!!
________________________________
From: 44Net <44net-bounces+n5uxt=hotmail.com(a)mailman.ampr.org> on behalf of G1FEF
via 44Net <44net(a)mailman.ampr.org>
Sent: Monday, March 30, 2020 1:31 PM
To: AMPRNet working group <44net(a)mailman.ampr.org>
Cc: G1FEF <chris(a)g1fef.co.uk>
Subject: Re: [44net] DNS Entries Please
Hi Angelo,
I am not aware of any coordinators requesting access to the dns system, please ask him to
email me if access is required and I can explain how.
In the meantime you can send any urgent requests to me if you like.
73,
Chris
G1FEF
On 30 Mar 2020, at 14:24, Angelo Glorioso via 44Net
<44net(a)mailman.ampr.org> wrote:
Hi All,
First off, I would like to say my coordinator has been great when it comes to supporting
me. As I know, he is still waiting for access to added DNS entries.
To complete my configuration Ubiquiti Edgerouter 10X, I need to have some DNS entries
added and 1 correction DNS entries from my allocation. Is there anyone who could add them
manually for now??
I would appreciate any help here!!
73, n5uxt - allocation ampr.org 44.108.2.0/17
---------------------------------------------------------
If you don't ask, you will never know!!
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
1698
days inactive
1716
days old
9 comments
7 participants
participants (7)
-
ampr@shawngarringer.org -
Angelo Glorioso -
Brian -
Elias Basse -
G1FEF -
Mitchell Southgate -
Ruben ON3RVH