PfSense trying shady connections?
-
That netblock is owned by a domain registrar, Afilias. I'll bet a nose full of nickels that it's being queried by pfBlocker for some reason. Turn off pfBlocker to verify.
-
How many nickels can you fit in your nose? Not very many I would gather ;)
I would be willing to bet 100x that amount it either pfblocker or something else.. behind pfsense, if your saying NOTHING behind pfsense was on then yeah pfblocker would be the only thing. pfsense without any packages would not make any such queries or attempts.. What were the ports that being blocked? if your running default resolver vs forwarder then you might see some odd ball queries to nameservers root, and such but those would be on 53..
-
Another guess:
ntp.
If pfsense is configured to use pool.ntp.org, there are some sites that resolve to some strange places. I spent a few hours once convinced that I had a raspberry pi installation hacked to be a bitcoin miner (because it kept trying to access an IP address related to bitcoin mining) – until I stopped and realized it was using the port for NTP. Changing the default NTP server to a "known" server instead of a DNS pool resolved the issue for me.
(I also reformatted the pi's sdcard just to be safe.)
-
Thank you everyone for the fast reply and friendliness :)
Unfortunately there's no port mentioned in the mails and I'm not finding the event in the router log, probably I'm logging too much stuff because 2712 lines span only the last 15 minutes :o I should probably install a centralized syslog.
NTP is configured with the default address: 0.pfsense.pool.ntp.org
The rate of connection attempts drastically reduced during the day, tonight I got 7 mails in just short of 1 hour, with multiple attempts each. Last mail was 1:11, then radio silence until 19:52 (it's 21:35 now), a single attempt to 199.19.56.1. I'm removing pfBlockerNG now.
DNS Forwarder is disabled, resolver is enabled. I don't remember changing anything here, just whitelisted a couple of countries from pfBlocker.
Anyway, being pfSense not the gateway nor dns server, nothing on the lan should ask it to resolve addresses, so why is it going out on its own, excluding NTP? Will report back tomorrow with news, either was pfBlocker (is it safe?) or something else…
If you have any idea on how to track the responsible process (connection doesn't seem to be logged in pfSense' own system log), I'm all ears :)
-
NTP can be ruled out by switching from the default pool to a specific address from the pool. pfBlocker can be disabled. I'll be really surprised if the hits keep happening after these changes.
-
Leaving NTP as is now, we'll see if attempts stop without pfBlocker
-
@campusantu:
The IPs resolve to a0.org.afilias-nst.info.
Can someone please explain what is going on?
Duh. I can't believe I overlooked this.
Isn't a0.org-afilias-nst.info a root server for the .org TLD? If so, ANYTHING trying to get a DNS resolution for a *.org name would be causing hits to that machine.
-
Yes but then why those IP seems to be THAT bad, source of spam and control center of call-home malware, just because they resolve to some random .org? Plus, I'm not getting errors from any other host
-
hehe … wow... Anyone who thinks the pfBlockerNG pkg is making requests on its own to any IP other than to MaxMind or Alexa is smoking something good… please share :) The pkg will only make request to URLs that the user adds as Lists/Feeds...
http://afilias.info/about-us
Afilias is the world’s second largest Internet domain name registry, with more than 20 million names under management. Afilias powers a wide variety of top-level domains, and will soon support hundreds of new TLDs (top level domains) now preparing for launch, including TLDs for cities, brands, communities and generic terms. Afilias’ specialized technology makes Internet addresses more accessible and useful through a wide range of applications, including Internet domain registry services, Managed DNS and Mobile & Web services like goMobi
and DeviceAtlas.
and the kicker:Afilias' DNS system provides for the resolution for billions of queries for over 20M domain names today on a globally diverse and secure platform.
And apart from what TrendMicro says, those IPs are not listed in any Blocklists or Threat Intel Sources that I can find…
-
Toss this in the bin of "My brand firewall says I'm getting DDOS'd by RST packets at a rate of one per minute."? Overly sensitive "feel good" "look I'm blocking stuff"?
-
Never used it, so unfortunately it's just plain ignorance, you don't want that shared, do you? ;)
While I'm still not sure why in the entire network only pfSense is being blocked for that, is the list you mentioned viewable/editable? I uninstalled pfBlocker and plan not to reinstall it for 24/48h just to confirm it's that, so I can't see myself. Sure enough I didn't add that url to any list, must be one of the defaults, just want to confirmToss this in the bin of "My brand firewall says I'm getting DDOS'd by RST packets at a rate of one per minute."? Overly sensitive "feel good" "look I'm blocking stuff"?
I'd gladly accept that, I was curious about why. Plus, it wouldn't be the first time a server gets hacked and a link/ISO replaced with another one…
Thanks :)
-
it's not pfblocker. It's DNS.
I'm assuming that you have pfsense configured as default, meaning that it'll be a DNS Resolver (and not a forwarder.) So, when pfsense (or any machine using pfsense for DNS) wants to resolve a FQDN that ends with ".org", this is what happens:
First, "unbound" (the name of the program that's doing DNS resolution) will query the "root servers" to find out the name of a machine that can resolve domain names that end with .org. Those root servers are configured within unbound (but not seen in the interface.) One of those root servers sees that you want to resolving something.org, so it points you to the authority for ".org" In somewhat readable format, that response looks like this:
;; AUTHORITY SECTION: org. 639 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2012137076 1800 900 604800 86400See that hostname? Look familiar?
That just tells unbound to ask a0.org.afilias-nst.info or noc.afilias-nst.info for more information (as they are authorities for all domain names that end with .org.)
There's nothing going wrong here. It's working fine. If unbound is blocked from contacting a0.org.afilias-nst.info, it'll just ask noc.afilias-nst.info instead.
BTW, in an extremely odd twist of being right for the wrong reasons: It really IS ntp causing that alert. ntp is trying to resolve "0.pfsense.ntp.org", which kicks off the sequence through DNS.
-
@campusantu:
I uninstalled pfBlocker and plan not to reinstall it for 24/48h just to confirm it's that, so I can't see myself.
Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code… and if there was some hidden malicious IP being requested by the package itself I would know. Any non-believers can goto gitHub and review all the open sourced package code and let me know so it can be removed :^)
As for Lists/Feeds... You can add additional IP and DNSBL Feeds to the package, and these are the only URLs that the package will pull, except for MaxMind (Used for the GeoIP database) and Alexa (Used for DNSBL Whitelisting)...
In looking at these IPs with tcpiputils.com [ 199.19.56.1 and 199.249.120.1 ]
http://www.tcpiputils.com/browse/ip-address/199.19.56.1
http://www.tcpiputils.com/browse/ip-address/199.249.120.1199.19.56.1 is listing 1 Mail server and 3 Name Servers at that IP.
199.249.120.1 is listing 2 Mail servers and 3 Name Servers at that IP.So something on your LAN is making requests to these IPs. I assume that since you installed pfSense, that your using the DNS Resolver. If its in "Resolver" mode, than DNS requests are going out to the 13 Root DNS servers for DNS Resolution which then goes down the tree to find the correct DNS Resolution for each request.
Your "ASUS" was probably set to your ISP DNS server, or Google DNS which uses their own DNS cache for lookups so it may be that it resolved differently and was not previously noticable.
If you can run a packet capture and review the those pcaps you will find out whats going on exactly in your network, as of right now, its all speculation.
I have sent TrendMicro and Afilias a tweet to see if they have listed those two IPs in err… Will post back once I hear something...
-
I'm assuming that you have pfsense configured as default, meaning that it'll be a DNS Resolver (and not a forwarder.)
Yes, as already said but probably was lost in the messages. I superficially assumed it would ask the router instead of trying itself, gave little weight to the dns section when skimming through settings. Seems like at 2am I'm not that awake anymore.. Can you guess what time is it here now? ;D
Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code… and if there was some hidden malicious IP being requested by the package itself I would know. Any non-believers can goto gitHub and review all the open sourced package code and let me know so it can be removed :^)
I thought more about a modified ISO, like what happened with linux mint months ago, I know pfSense and its packages are extensively used so someone would have found out already :)
So something on your LAN is making requests to these IPs. I assume that since you installed pfSense, that your using the DNS Resolver. If its in "Resolver" mode, than DNS requests are going out to the 13 Root DNS servers for DNS Resolution which then goes down the tree to find the correct DNS Resolution for each request.
Well then I guess it's pfSense itself since nothing relies on it. It's the new guy in the block :P
Your "ASUS" was probably set to your ISP DNS server, or Google DNS which uses their own DNS cache for lookups so it may be that it resolved differently and was not previously noticable.
If you can run a packet capture and review the those pcaps you will find out whats going on exactly in your network, as of right now, its all speculation.
Yep, Google DNS. Will run wireshark when I'll have time, maybe during the weekend.
I'll wait for your response about the tweet, and report back when I run wireshark.
Thank you all for the help :)
-
Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…
The iNerd, coming soon from Apple! ;D
-
So this feel good tool your running on your router that says it blocks stuff to bad places.. It doesn't even list what port it blocked??
-
So this feel good tool your running on your router that says it blocks stuff to bad places.. It doesn't even list what port it blocked??
Erm… Nope. I'd hope it says something more in the logs, but the record was already out of it. I'll get a request blocked when I'm home, to see if it gets there. Keep in mind it's not the standard router firewall
-
If it does not list the port the traffic is going to to its completely pointless to even log it as blocked.. And if they are blocking the netblocks that the root servers are on that is a huge problem.. I would open a ticket with them about that for sure.
-
Lets just say that I kinda have an understanding about the inerds of the pfBlockerNG package code…
Really? :)
-
If it does not list the port the traffic is going to to its completely pointless to even log it as blocked.. And if they are blocking the netblocks that the root servers are on that is a huge problem.. I would open a ticket with them about that for sure.
Ok so the connection doesn't get logged on syslog, seems like the AiProtection is just entirely separate. I'll look into opening the ticket or opening a pull request for the port to be added to the mailed details. Meanwhile I found the IP mentioned in other threads on this forum and on twitter and google, saying it's a botnet sinkhole, even if the posts are quite old. Still not convinced they're not bad , even if it's not pfSense fault :P
Edit: took a look at merlinwrt sources, seems like that part comes from a precompiled module, so pull request is a no-go
