44net-request@hamradio.ucsd.edu wrote:
Subject: [44net] incoming traffic.
From: John Ronan jpronans@gmail.com
Date: 02/09/2014 05:10 PM
To: AMPRNet working group 44net@hamradio.ucsd.edu
Hi All,
I've been seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu, from 5.135.135.42 to 44.155.6.1 port 80, over my tunnel. Anyone else seeing the same?
I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down.
Regards John EI7IG
It is not specifically from that address. It appears to be a distributed attack on http servers, at least to network 44. I see the same incoming stream of connects to several hosts in my subnet, all from a different source IP. Sometimes after several hours it stops and starts from another IP.
I have crafted iptables rules that block it effectively:
iptables -A firewall -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A firewall -p tcp --syn -m recent --name tcp --set
iptables -A firewall -p tcp --syn -m recent --name tcp --update --seconds 30 --hitcount 15 -j DROP
iptables -A firewall -p tcp --dport 80 --syn -j ACCEPT
iptables -A firewall -p tcp --dport 443 --syn -j ACCEPT
iptables -A firewall -p tcp -j DROP
It just drops any source IP that sends more than 15 connects in 30 seconds. Adjust for the port numbers that you want to accept (80 and 443 in this example).
There is also an internet-wide scan from source address 64.78.174.63 with traffic like this:
21:04:33.762663 64.78.174.63 -> 44.137.40.2 TCP 52 [TCP Port numbers reused] http > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
I see it on another server outside net-44 as well. It is blocked by the same rule but I have just firewalled the entire 64.78.160.0/20 net as this does not look like someone I want to deal with.
Rob
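The sliding-window check behind Rob's `recent` rules (record every SYN per source, drop once 15 hits fall inside the last 30 seconds) can be tried offline before deploying it. The Python below is an added example, not code from the list or from the iptables project: it emulates that window over constructed log lines in the format quoted above, using the address from the message as a constructed flood source and the documentation address 198.51.100.7 as a normal client.

```python
import re
from collections import defaultdict, deque

# Constructed sample (not real captures) in the tcpdump/tshark-style line format quoted above:
# 20 SYNs from one source at one per second, plus 3 ordinary connects from another client.
SAMPLE_LOG = "\n".join(
    [f"21:04:{33 + i:02d}.000000 64.78.174.63 -> 44.137.40.2 TCP 52 http > http [SYN] Seq=0 Win=8192 Len=0"
     for i in range(20)]
    + ["21:04:40.500000 198.51.100.7 -> 44.137.40.2 TCP 52 51234 > http [SYN] Seq=0 Win=65535 Len=0",
       "21:04:45.500000 198.51.100.7 -> 44.137.40.2 TCP 52 51235 > http [SYN] Seq=0 Win=65535 Len=0",
       "21:04:50.500000 198.51.100.7 -> 44.137.40.2 TCP 52 51236 > http [SYN] Seq=0 Win=65535 Len=0"]
)

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+)\s+(\S+) -> (\S+) TCP .*\[SYN\]")


def parse_syn(line):
    """Return (seconds_since_midnight, src, dst) for a SYN line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, dst = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, dst


def simulate_recent(log, seconds=30, hitcount=15):
    """Emulate '-m recent --set' followed by '--update --seconds N --hitcount M -j DROP'.

    Each source keeps a list of SYN timestamps (the kernel caps that list, by default at 20
    entries, so hitcount must stay at or below that cap). A SYN is dropped when, counting
    itself, at least `hitcount` SYNs from the same source fall inside the last `seconds`.
    """
    seen = defaultdict(deque)  # source -> timestamps of its recent SYNs
    verdicts = []
    for line in log.splitlines():
        pkt = parse_syn(line)
        if pkt is None:
            continue
        t, src, _dst = pkt
        hist = seen[src]
        hist.append(t)                       # --set: record this SYN
        while hist and t - hist[0] > seconds:
            hist.popleft()                   # only hits inside the window count
        verdicts.append((src, "DROP" if len(hist) >= hitcount else "ACCEPT"))
    return verdicts


def summarize(verdicts):
    """Per-source count of ACCEPT and DROP verdicts."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for src, verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)
```

With the sample above the flooding source has its first 14 SYNs accepted and the remaining 6 dropped, while the three spaced-out connects from 198.51.100.7 all pass.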
On 09/02/14 20:12, Rob Janssen wrote:
Hi Rob/all,
Well, as long as it wasn't just me the packets were hitting, I'm happier :). I guess your 'firewall' is a chain you created yourself? Either that or my iptables/kernel is quite a bit older than yours.
That's a nice/handy ruleset actually, thanks for the reply.
Oh, apologies for my slowness in replying; a birthday party (my own) on Saturday meant I was recovering yesterday.
Regards John EI7IG