On 09/02/14 20:12, Rob Janssen wrote:
44net-request(a)hamradio.ucsd.edu wrote:
Subject: [44net] incoming traffic.
From: John Ronan <jpronans(a)gmail.com>
Date: 02/09/2014 05:10 PM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Hi All,
I've been seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu,
from 5.135.135.42 to 44.155.6.1 port 80 over my tunnel. Anyone else
seeing the same?
I've disabled my tunnel for the moment as I don't have the time at
the moment to chase it down.
Regards
John
EI7IG
It is not specifically from that address. It appears to be a
distributed attack on http servers, at least
to network 44. I see the same incoming stream of connects to several
hosts in my subnet, all from
a different source IP. Sometimes after several hours it stops and
starts from another IP.
I have crafted iptables rules that block it effectively:
iptables -A firewall -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A firewall -p tcp --syn -m recent --name tcp --set
iptables -A firewall -p tcp --syn -m recent --name tcp --update --seconds 30 --hitcount 15 -j DROP
iptables -A firewall -p tcp --dport 80 --syn -j ACCEPT
iptables -A firewall -p tcp --dport 443 --syn -j ACCEPT
iptables -A firewall -p tcp -j DROP
It just drops any source IP that sends more than 15 connects in 30
seconds.
Adjust for the port numbers that you want to accept (80 and 443 in
this example).
There is also an internet-wide scan from source address 64.78.174.63
with traffic like this:
21:04:33.762663 64.78.174.63 -> 44.137.40.2 TCP 52 [TCP Port numbers reused] http > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
I see it on another server outside net-44 as well.
It is blocked by the same rule but I have just firewalled the entire
64.78.160.0/20 net as this does not look like someone I want to deal
with.
Rob
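An added example, not code from the thread: an offline Python model of Rob's `-m recent` rule set, replayed over a constructed SYN log so you can see which connections the chain would ACCEPT or DROP and tune --seconds/--hitcount before deploying. It assumes the xt_recent per-address list depth of 20 (ip_pkt_list_tot default) and ignores the 'tcp' list's double-stamping of dropped packets.

```python
# Added example (not from the thread): replay Rob's 'firewall' chain logic
# over constructed SYN records. Assumption: xt_recent keeps at most 20
# timestamps per address (ip_pkt_list_tot default).
from collections import defaultdict, deque

WINDOW = 30             # --seconds 30
HITCOUNT = 15           # --hitcount 15
OPEN_PORTS = {80, 443}  # the --dport 80 / --dport 443 --syn -j ACCEPT rules
LIST_DEPTH = 20         # xt_recent per-address timestamp cap (assumption)

# Constructed log, one SYN per line: "<seconds> <src> <dst> <dport>"
SAMPLE_LOG = "\n".join(
    [f"{t} 5.135.135.42 44.155.6.1 80" for t in range(16)]   # 16 SYNs in 15 s
    + ["3 203.0.113.7 44.155.6.1 443",                        # ordinary client
       "4 203.0.113.7 44.155.6.1 22",                         # port not opened
       "55 5.135.135.42 44.155.6.1 80"]                       # same source, 40 s later
)

class RecentChain:
    """Stateful replay of the chain for new (--syn) connections."""
    def __init__(self):
        self.seen = defaultdict(deque)   # src -> timestamps (the 'tcp' recent list)

    def syn(self, ts, src, dport):
        stamps = self.seen[src]
        stamps.append(ts)                # --set: record this SYN
        if len(stamps) > LIST_DEPTH:
            stamps.popleft()             # oldest entry ages out of the list
        hits = sum(1 for s in stamps if ts - s <= WINDOW)
        if hits >= HITCOUNT:             # --update --seconds 30 --hitcount 15 -j DROP
            return "DROP"
        return "ACCEPT" if dport in OPEN_PORTS else "DROP"  # per-port ACCEPT, final DROP

def replay(log):
    """Return (ts, src, dport, verdict) for each SYN in time order."""
    chain = RecentChain()
    records = sorted((ln.split() for ln in log.splitlines()), key=lambda r: float(r[0]))
    return [(float(ts), src, int(dp), chain.syn(float(ts), src, int(dp)))
            for ts, src, _dst, dp in records]

if __name__ == "__main__":
    for ts, src, dport, verdict in replay(SAMPLE_LOG):
        print(f"{ts:6.1f} {src:15} :{dport:<4} {verdict}")
```

With these values the 15th SYN from one source inside 30 seconds is the first one dropped, and the source is accepted again once its older stamps fall out of the window.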
Hi Rob/all,
Well as long as it wasn't just me the packets were hitting, I'm happier
:). I guess your 'firewall' is a chain you created yourself? Either
that or my iptables/kernel is quite a bit older than yours.
That's a nice/handy ruleset actually, thanks for the reply.
Oh, apologies for my slowness in replying, birthday party (my own)
Saturday meant I was recovering yesterday.
Regards
John
EI7IG