Hello group,
I am wondering if anyone else is seeing the following: starting on 5 March 2020 and continuing through the present I have detected a large spike in inbound traffic to several of my AMPR 44 IP addresses (on 44.50.1.0/24). The spike has been large enough that my logging ELK stack is struggling to keep up.
This traffic is coming from the public internet. Most of these are looking at standard ports 443, 80, 25, and 22.
These are being directed to IP addresses in my subnet that are not in use, and therefore are being dropped (but logged) at the firewall. Nothing is running on these IPs so there is no way the traffic is in response to anything I can find coming from my network.
I realize devices periodically scan the "entire internet" but this is more than that... in one day I saw 100,000 TCP SYN from a single public IP address. That is a significant spike and I am not certain why they sent so much traffic from a single IP to a single IP.
Wondering if anyone else is seeing the same?
73 DE KC0AKY
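A first pass at the kind of per-source tally the post describes (100,000 SYNs from one address to one unused address in a day), as an added example that is not part of the original post. It parses netfilter LOG-style drop lines, counts fresh TCP SYNs per source, per source/destination pair and per destination port, and separately counts SYNs aimed at addresses in the allocation that host nothing, which is the cleanest "this is a scanner, not a legitimate client" signal. The 44.50.1.0/24 prefix is from the post; the in-use hosts, the source addresses and the log lines themselves are constructed for the example.

```python
"""Per-source SYN tally over firewall drop logs.

Added example, not code from the 44net thread. Log lines are constructed to
look like Linux netfilter LOG output; 44.50.1.0/24 is the allocation named in
the post, while the in-use hosts and all source addresses are made up.
"""
import ipaddress
from collections import Counter

PREFIX = ipaddress.ip_network("44.50.1.0/24")
# Hypothetical: the only addresses in the /24 that actually host a service.
IN_USE = {ipaddress.ip_address("44.50.1.1"), ipaddress.ip_address("44.50.1.10")}


def parse_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus bare flag words.

    Returns a dict with src, dst, proto, dport and is_syn, or None when the
    line carries no SRC/DST pair (not a netfilter log line).
    """
    kv, flags = {}, set()
    body = line.split("kernel:", 1)[-1]
    for tok in body.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            kv[k] = v
        else:
            flags.add(tok)  # DF, SYN, ACK, RST, ... are printed as bare words
    if "SRC" not in kv or "DST" not in kv:
        return None
    return {
        "src": kv["SRC"],
        "dst": kv["DST"],
        "proto": kv.get("PROTO"),
        "dport": int(kv["DPT"]) if "DPT" in kv else None,
        # A fresh connection attempt is SYN without ACK; SYN+ACK is a reply.
        "is_syn": kv.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags,
    }


def summarize(lines):
    """Count fresh SYNs aimed at our prefix, by source, pair, port and unused dst."""
    stats = {
        "syn_per_src": Counter(),
        "syn_per_pair": Counter(),
        "syn_per_dport": Counter(),
        "unused_dst_per_src": Counter(),
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["is_syn"]:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if dst not in PREFIX:
            continue
        stats["syn_per_src"][rec["src"]] += 1
        stats["syn_per_pair"][(rec["src"], rec["dst"])] += 1
        stats["syn_per_dport"][rec["dport"]] += 1
        if dst not in IN_USE:
            stats["unused_dst_per_src"][rec["src"]] += 1
    return stats


def flag_sources(stats, threshold):
    """Sources that sent at least `threshold` SYNs to addresses hosting nothing."""
    return [(src, n) for src, n in stats["unused_dst_per_src"].most_common() if n >= threshold]


def make_line(src, dst, dpt, tcp_flags="SYN"):
    """Constructed netfilter LOG-style line; only the format is realistic."""
    return (
        "Mar  5 10:00:01 gw kernel: [ 100.000000] DROP-IN: IN=eth0 OUT= "
        f"SRC={src} DST={dst} LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF "
        f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=65535 RES=0x00 {tcp_flags} URGP=0"
    )


def sample_log():
    """Constructed sample: one noisy scanner plus a few one-off probes."""
    lines = [make_line("198.51.100.7", "44.50.1.200", 22) for _ in range(1200)]
    lines += [
        make_line("203.0.113.5", "44.50.1.77", 25),
        make_line("203.0.113.6", "44.50.1.88", 80),
        make_line("203.0.113.7", "44.50.1.1", 443),              # in-use host
        make_line("203.0.113.8", "44.50.1.99", 443, "ACK SYN"),  # a reply, not a probe
        make_line("203.0.113.9", "10.0.0.5", 22),                # not our prefix
    ]
    return lines


if __name__ == "__main__":
    s = summarize(sample_log())
    print("top ports:", s["syn_per_dport"].most_common(3))
    for src, n in flag_sources(s, threshold=100):
        print(f"{src}: {n} SYNs to unused addresses")
```

Run against real `journalctl -k` or `/var/log/kern.log` output, the same tally shows whether the spike is one or two very loud sources (ratelimit or blackhole them upstream) or a broad sweep (tune logging rather than chase individual addresses).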
Hi Shawn,
This is "pretty normal" (normal in the sense that I see this kind of traffic on all customer networks too when vacation times begin). Since the COVID-19 outbreak a lot of schools have closed and people have started working from home. But every time youngsters are on vacation, I see an increase in botnet/scan/hack traffic/attempts.
73
Ruben ON3RVH
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Hi,
I tend to notice this happening a few weeks after a subnet becomes routed. They are scanning for open SMTP relays and SSH access to brute force. If you're not using those two ports for anything, it may be worth ensuring they are closed as far up the chain as you can. I am in the process of moving mine from a VPS to a dedicated router, which means I can kill the traffic at carrier level before I route it on to my locations.
73's
2E0EMO
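One way to put the two suggestions in this thread into a ruleset (close 22 and 25 as far up as you can; stop the scan noise from flooding the log pipeline), as an added nftables example that is not from any poster's router. The 44.50.1.0/24 prefix is the one named in the original post; the interface name, the handful of in-use hosts and the admin source ranges are assumptions to be replaced with your own.

```nft
#!/usr/sbin/nft -f
# Added example for the AMPR edge router, not a ruleset from the thread.
# Assumptions: upstream interface "eth0"; only 44.50.1.1 and 44.50.1.10 host
# services; SSH/SMTP should be reachable from the allocation itself and from
# one documentation range standing in for "my other locations".

define PUBLIC_IF = "eth0"
define IN_USE = { 44.50.1.1, 44.50.1.10 }

table inet ampr_edge {
    set admin_src {
        type ipv4_addr
        flags interval
        elements = { 44.50.1.0/24, 192.0.2.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Probes to addresses that host nothing: count and drop silently.
        # Logging every one of these is what drowns the ELK stack.
        iifname $PUBLIC_IF ip daddr 44.50.1.0/24 ip daddr != $IN_USE counter drop

        # SSH and SMTP only from known sources. Everything else is logged at a
        # capped rate so a brute-forcer cannot turn the log into its own DoS.
        iifname $PUBLIC_IF tcp dport { 22, 25 } ip saddr @admin_src accept
        iifname $PUBLIC_IF tcp dport { 22, 25 } limit rate 10/minute burst 20 packets log prefix "44net-drop-2225: "
        iifname $PUBLIC_IF tcp dport { 22, 25 } counter drop

        # Services that are genuinely public.
        iifname $PUBLIC_IF ip daddr $IN_USE tcp dport { 80, 443 } accept

        # Anything that reaches here is dropped by policy; sample it to the log.
        iifname $PUBLIC_IF limit rate 5/minute log prefix "44net-drop-other: "
    }
}
```

Load with `nft -f` and check hit counts with `nft list table inet ampr_edge`: the `counter` on the unused-address rule tells you the scan volume without a single log line, and the rate-limited `log` rules keep enough of a sample for the ELK dashboards to stay useful. If the gateway also runs services on its own address, mirror the same rules in an `input` hook chain.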
On Mon, 30 Mar 2020 at 10:25, Ruben ON3RVH via 44Net 44net@mailman.ampr.org wrote:
Shawn et al;
On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer via 44Net wrote:
I am wondering if anyone else is seeing the following: starting on 5 March 2020 and continuing through the present I have detected a large spike in inbound traffic to several of my AMPR 44 IP addresses (on 44.50.1.0/24). The spike has been large enough that my logging ELK stack is struggling to keep up.
A good number of folks have seen a spike in scans by botnets spoofing IPs but not just on 44-net. Commercial ISPs have seen similar spikes of traffic and have taken proactive measures to try and halt these brute force attacks.
Some of the spoofed IPs I've seen include the U.S. military, U.S. postal service, USDA, many universities and municipalities... to name a few. At one point I even caught a 222-net IP try to inject my DNS server with a bogus ampr.org zone file on my public IP. Of course it failed and my firewall bagged it.
The best you can do is tighten your firewall rules so that these spoofs do as little damage as possible.
Hi All,
First off, I would like to say my coordinator has been great when it comes to supporting me. As far as I know, he is still waiting for access to add DNS entries.
To complete the configuration of my Ubiquiti EdgeRouter 10X, I need to have some DNS entries added and one correction to the DNS entries for my allocation. Is there anyone who could add them manually for now?
I would appreciate any help here!
73, n5uxt - allocation ampr.org 44.108.2.0/17
If you don't ask, you will never know!!
Hi Angelo,
I am not aware of any coordinators requesting access to the dns system, please ask him to email me if access is required and I can explain how.
In the meantime you can send any urgent requests to me if you like.
73, Chris G1FEF
Hello Chris,
Thanks for the quick reply. Can you please add the following 😊
gw.n5uxt.ampr.org. 44.108.2.1
pc.n5uxt.ampr.org 44.108.2.2
allstar.ampr.org 44.108.2.3
Allstar1.n5uxt.ampr.org 44.108.2.4
Allstar2.n5uxt.ampr.org 44.108.2.5
test.n5uxt.ampr.org 44.108.2.6
gw2..n5uxt.ampr.org 44.108.2.7
linux.n5uxt.ampr.org. 44.108.2.8
n5uxt.ampr.org 44.1.8.2.13
Remove the following:
44.108.2.31 - gw.n5uxt.ampr.org
44.108.2.32 - test.n5uxt.ampr.org
44.108.2.45 - linux.n5uxt.ampr.org
44.108.2.52 - linux2.n5uxt.ampr.org
Thanks for your help Chris!
73 de Angelo - Allocations 44.108.2.0/27
Chris and Angelo,
I think I got my login for DNS sorted yesterday with the n1uro CGI script and login.
I have added the DNS entries this morning.
Chris, can you assist with verifying that you can see the DNS entries added for Angelo this morning? I am not sure of the time it takes to populate.
I apologize for the delays. Angelo, I have my test router on the bench at the office this morning to verify configuration of the scripting and will reach out to you after I run a few tests.
Best Regards, Elias Kd5jfe Louisiana
Sent from my iPhone
Chris,
Thanks for all your help!
Angelo
If you don't ask, you will never know!!