I've been seeing rather a storm of incoming packets to the amprgw gateway; there are six times as many inbound packets to routable AMPRNet addresses as outbound. The firewall is doing its duty: in about the last 24 hours it's discarded 9,905,154,331 incoming packets as being from bad guys, and of the packets that did get past the badguy list, 24,974,234,978 were discarded. It's running around 30 MB/s, at about 20 million packets a minute.
Looking at the incoming traffic, it appears to be mostly TCP connection requests with large window sizes to varying 44.x.x.x addresses, with lots of different destination port numbers but many are to port 23 (TELNET) and port 80 (HTTP). There's a goodly number of UDP requests to port 53 (DNS) too.
The system seems to be about 85% idle. - Brian
Brian,
I've quickly browsed 24 hours of flows for the ports you noted; I found 3 hits for my DNS:
2 from:
2017-05-05 13:58:49.468 10.768 TCP 44.60.44.3:53 -> 123.113.190.94:16689 2 88 1
2017-05-05 13:58:49.468 10.768 TCP 123.113.190.94:16689 -> 44.60.44.3:53 3 128 1
and 1 from:
2017-05-05 14:03:24.727 0.260 UDP 44.60.44.3:53192 -> 192.109.42.4:53 1 78 1
2017-05-05 14:03:24.727 0.260 UDP 192.109.42.4:53 -> 44.60.44.3:53192 1 94 1
but this is interesting:
2017-05-05 14:10:16.333 0.000 TCP 123.113.190.94:16883 -> 44.60.44.2:80 1 40 1
2017-05-05 14:10:16.335 0.000 TCP 123.113.190.94:16883 -> 44.60.44.11:80 1 40 1
2017-05-05 14:10:16.336 0.000 TCP 123.113.190.94:16883 -> 44.60.44.3:80 1 40 1
2017-05-05 14:10:16.337 0.000 TCP 123.113.190.94:16883 -> 44.60.44.13:80 1 40 1
2017-05-05 14:10:16.337 0.000 TCP 123.113.190.94:16883 -> 44.60.44.6:80 1 40 1
2017-05-05 14:10:16.337 0.000 TCP 123.113.190.94:16883 -> 44.60.44.14:80 1 40 1
2017-05-05 14:10:16.338 0.000 TCP 123.113.190.94:16883 -> 44.60.44.12:80 1 40 1
2017-05-05 14:10:16.353 0.000 TCP 123.113.190.94:16883 -> 44.60.44.129:80 1 40 1
2017-05-05 14:10:16.354 0.000 TCP 123.113.190.94:16883 -> 44.60.44.130:80 1 40 1
2017-05-05 14:10:16.355 0.000 TCP 123.113.190.94:16883 -> 44.60.44.134:80 1 40 1
2017-05-05 14:10:16.357 0.000 TCP 123.113.190.94:16883 -> 44.60.44.132:80 1 40 1
2017-05-05 14:10:16.358 0.000 TCP 123.113.190.94:16883 -> 44.60.44.135:80 1 40 1
2017-05-05 14:10:16.358 0.000 TCP 123.113.190.94:16883 -> 44.60.44.1:80 1 40 1
2017-05-05 12:31:27.950 0.000 TCP 123.113.190.94:9379 -> 44.60.44.7:31 1 40 1
2017-05-05 12:31:27.950 0.000 TCP 123.113.190.94:9379 -> 44.60.44.11:31 1 40 1
2017-05-05 12:31:27.950 0.000 TCP 123.113.190.94:9379 -> 44.60.44.10:31 1 40 1
2017-05-05 12:31:27.951 0.000 TCP 123.113.190.94:9379 -> 44.60.44.2:31 1 40 1
2017-05-05 12:31:27.952 0.000 TCP 123.113.190.94:9379 -> 44.60.44.3:31 1 40 1
2017-05-05 12:31:27.953 0.000 TCP 123.113.190.94:9379 -> 44.60.44.14:31 1 40 1
2017-05-05 12:31:27.954 0.000 TCP 123.113.190.94:9379 -> 44.60.44.13:31 1 40 1
2017-05-05 12:31:27.975 0.000 TCP 123.113.190.94:9379 -> 44.60.44.1:31 1 40 1
2017-05-05 12:31:27.978 0.000 TCP 123.113.190.94:9379 -> 44.60.44.130:31 1 40 1
2017-05-05 12:31:27.979 0.000 TCP 123.113.190.94:9379 -> 44.60.44.131:31 1 40 1
2017-05-05 12:31:27.979 0.000 TCP 123.113.190.94:9379 -> 44.60.44.134:31 1 40 1
2017-05-05 12:31:27.981 0.000 TCP 123.113.190.94:9379 -> 44.60.44.133:31 1 40 1
2017-05-05 12:31:27.981 0.000 TCP 123.113.190.94:9379 -> 44.60.44.132:31 1 40 1
2017-05-05 12:31:27.999 0.000 TCP 123.113.190.94:9379 -> 44.60.44.129:31 1 40 1
2017-05-05 12:31:28.034 0.000 TCP 123.113.190.94:9379 -> 44.60.44.128:31 1 40 1
2017-05-05 12:31:28.035 0.000 TCP 123.113.190.94:9379 -> 44.60.44.135:31 1 40 1
<snip>...there's much more...and 31 is an uncommon port these days for legitimate use...
inetnum:  123.112.0.0 - 123.127.255.255
netname:  UNICOM-BJ
descr:    China Unicom Beijing province network
descr:    China Unicom
country:  CN
- Lynwood KB3VWG
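As an added example, not part of Lynwood's message or of anything else in this thread: a small Python parser for flow lines in the layout quoted above, plus a check that flags the pattern those lines show, one source sending lone 40-byte TCP packets (bare SYNs) to many hosts on the same port within milliseconds. The sample lines are constructed in that layout with documentation addresses standing in for the probing source; the function names and thresholds are my own choices, not anything from the list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the nfdump-style layout quoted in the thread:
# date time duration proto src:port -> dst:port packets bytes flows.
SAMPLE_FLOWS = """
2017-05-05 13:58:49.468 10.768 TCP 198.51.100.7:16689 -> 44.60.44.3:53 3 128 1
2017-05-05 14:10:16.333 0.000 TCP 198.51.100.7:16883 -> 44.60.44.2:80 1 40 1
2017-05-05 14:10:16.335 0.000 TCP 198.51.100.7:16883 -> 44.60.44.11:80 1 40 1
2017-05-05 14:10:16.336 0.000 TCP 198.51.100.7:16883 -> 44.60.44.3:80 1 40 1
2017-05-05 14:10:16.337 0.000 TCP 198.51.100.7:16883 -> 44.60.44.13:80 1 40 1
2017-05-05 14:03:24.727 0.260 UDP 44.60.44.3:53192 -> 192.0.2.4:53 1 78 1
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [\d.]+ (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<pkts>\d+) (?P<bytes>\d+) \d+$"
)

def parse_flows(text):
    """One dict per matching flow line; blanks and header lines are skipped."""
    flows = []
    for m in filter(None, map(FLOW_RE.match, text.splitlines())):
        f = m.groupdict()
        f["ts"] = datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S.%f")
        f.update({k: int(f[k]) for k in ("dport", "pkts", "bytes")})
        flows.append(f)
    return flows

def find_horizontal_scans(flows, min_hosts=4, window_s=2.0):
    """Report (src, dport, hosts) when one source sends single SYN-sized TCP
    packets to >= min_hosts distinct destinations on one port within window_s."""
    by_key = defaultdict(list)
    for f in flows:
        # 1 packet of <= 60 bytes is a SYN (20 B IP + 20-40 B TCP) with no
        # payload and no handshake: the signature of the probes in the thread.
        if f["proto"] == "TCP" and f["pkts"] == 1 and f["bytes"] <= 60:
            by_key[(f["src"], f["dport"])].append(f)
    hits = []
    for (src, dport), fl in by_key.items():
        fl.sort(key=lambda f: f["ts"])
        i = 0
        for j in range(len(fl)):  # sliding time window over sorted flows
            while (fl[j]["ts"] - fl[i]["ts"]).total_seconds() > window_s:
                i += 1
            hosts = {f["dst"] for f in fl[i:j + 1]}
            if len(hosts) >= min_hosts:
                hits.append((src, dport, len(hosts)))
                break
    return sorted(hits)
```

Feed it real nfdump output and raise min_hosts to taste; the completed DNS exchange (3 packets) and the UDP flow are ignored because only unanswered single SYNs count.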
According to SANS, tcp port 31 is often used by the "Agent 31", "Hackers Paradise", and "Masters Paradise" trojans. - Brian
On Sat, May 06, 2017 at 12:50:09PM -0400, lleachii--- via 44Net wrote:
> <snip>...there's much more...and 31 is an uncommon port these days for legitimate use...
It's a good thing I TCP DENY all address ranges and ports except the ones that I want to come through. My JNOS ports are also non-standard.
On 5/6/2017 1:12 PM, Brian Kantor wrote:
> According to SANS, tcp port 31 is often used by the "Agent 31", "Hackers Paradise", and "Masters Paradise" trojans.
> - Brian
> On Sat, May 06, 2017 at 12:50:09PM -0400, lleachii--- via 44Net wrote:
> > <snip>...there's much more...and 31 is an uncommon port these days for legitimate use...