Blocked IGMP packets flooding my logs -- IGMP snooping???

johnpoz

@spookymonkey said in Blocked IGMP packets flooding my logs -- IGMP snooping???:

constantly be bombarded by external IPs on various ports???

Yes the internet is a noisy place.. No different than when you had your soho router.. Your soho router wasn't just showing you it in a log..

random public IPs would be sending requests to my IP on port 53...

Prob looking for open dns resolver that they could use in a dns amplification attack.

johnpoz

BTW - I had set a sniff on my wan to look for the igmp.. And seeing it as well

10:06:37.270045 IP 10.205.128.1 > 224.0.0.1: igmp
10:08:42.277695 IP 10.205.128.1 > 224.0.0.1: igmp
10:10:47.288287 IP 10.205.128.1 > 224.0.0.1: igmp
10:12:52.297471 IP 10.205.128.1 > 224.0.0.1: igmp
10:14:57.307060 IP 10.205.128.1 > 224.0.0.1: igmp
10:17:02.317600 IP 10.205.128.1 > 224.0.0.1: igmp
10:19:07.327589 IP 10.205.128.1 > 224.0.0.1: igmp
10:21:12.336376 IP 10.205.128.1 > 224.0.0.1: igmp
10:23:17.346039 IP 10.205.128.1 > 224.0.0.1: igmp
10:25:22.356011 IP 10.205.128.1 > 224.0.0.1: igmp
10:27:27.366969 IP 10.205.128.1 > 224.0.0.1: igmp
10:29:32.376429 IP 10.205.128.1 > 224.0.0.1: igmp

That is on my WAN... but its a rfc1918 address.. But yeah coming from isp network.

mer

As @johnpoz says, the internet is noisy. A lot of people don't seem to understand that; especially your broadband connection. A cable is basically a shared segment with all of your neighbors :) Some things like FiOS I think are more point to point so you don't see your neighbors traffic.

224.0.0.1 or any other multicast address isn't really targeted at you, it's basically "routed/sent to anyone that has joined the multicast group".

If it hits your WAN interface and you don't have an active membership in that group, it gets dropped by the stack at some point, even without the firewall (just basic networking as long as the interface is not in promiscuous mode).

When I first got my broadband connection I just put a throwaway device and just packet captured for a bit to see what was out there.

pfSense is built on some good technology; starting with a "default deny" stance on WAN is a simple way to avoid a lot of nastiness.

johnpoz

Also to the 53 traffic - yup seeing that as well

But see more to ssh, telnet and 21 (ftp) and the always present sql 1433.. Lots of common ports that get scanned all the time.

mer

@johnpoz The only way that makes sense is ISP using that block of addresses on the "inside" of their network. It's not good sense, but a possibility.

Assuming your WAN is DHCP is it getting an address in the same space and gateway in that block too?

Looking at logs and periodic sniffing is a really good way for one to start banging heads over what should be common sense.

Edit:
antispoof on (interface) :)

johnpoz

@mer said in Blocked IGMP packets flooding my logs -- IGMP snooping???:

he only way that makes sense is ISP using that block of addresses on the "inside" of their network.

Yeah for sure - its just isp noise.. you should of seen the flood of dhcp traffic use to see before they cleaned that up..

Its noise - nothing more, nothing less. I sure don't log it. I only log common udp ports and SYN tcp traffic.

mer

@johnpoz Broadband to the home is teaching people not in the industry all kinds of new things. Easy to get too worked up over something that is the equivalent of "I'd like to talk about your car's extended warranty" phone call.
But it also useful to show someone "why" you lock things down. Took a while for my wife to understand, but it's fun listening to her call out others on "That's dumb, why would you do that".

johnpoz

@mer said in Blocked IGMP packets flooding my logs -- IGMP snooping???:

equivalent of "I'd like to talk about your car's extended warranty" phone call.

Hey I have gotten like 3 or 4 of those in a day sometimes - ticks me off. More so that they are getting ripped off with whatever data they are buying. I have not had to worry about a warranty or extended warranty in year and years. Since I only lease going on 10 years. They getting ripped off for data on who might be interested in a warranty that is for sure..

I hit a point in my life where I had my last car for 13 years.. And said F this, I want to drive new - and a lease kind of forces my hand to get a new one every 3 years. But those get annoying - more so then some noise on my wan ;) Lately they have switched to sexy time woman voice - heheh

The other noise on your wan sort of calls is the that your SS card has been used fraudulently..

Not sure why the phone companies don't crack down on those to be honest.. But hey they getting paid for the call for sure.. Even if only a fraction of penny per call, 100 million of those add up ;)

JKnott

@spookymonkey said in Blocked IGMP packets flooding my logs -- IGMP snooping???:

gateway is 99.241.10.1 so different from yours

I expected that. My point was to show it wasn't the gateway, which means it could be from another customer. If your subnet mask is /23, as mine is, then that address is not within your subnet, which is strange as multicasts are generally not passed through routers. Some traffic is normally visible on the WAN, but what you're describing doesn't sound normal. Perhaps you should call support and tell them what you see.

I can ping that address, but traceroute dies after 6 hops. The last hop I recognize is the Rogers office on Bloor at Jarvis and the last hop appears to be a Rogers management router, but nothing to indicate location. Rogers Etobicoke office is on Greensboro Dr., near Kipling & 401.

Do you see anything funny on IPv6? Also, Rogers has IPTV but that's usually carried on IPv6.

spookymonkey

@johnpoz okay good to know the IGMP stuff is likely just noise... but I don't think the other stuff that's being directed at my IP is just noise though, this is just in a space of a few minutes

mer

@spookymonkey /etc/services has mapping of port to service.
23 is telnet, 22 ssh, 5060 is a standard SIP port,
Potentially malicious, "script kiddies". It may not really be "directed" at you, more likely directed at "oh, there's an IP lets see what ports are open".

But that is the beauty of the default deny rule on WAN.

spookymonkey

@mer cool good to know about /etc/services .. I just setup a home lab recently to start studying for oscp so got lots of learning to do with linux :).. if these are botnets/script kiddies just running through tons of different scans/attacks on virtually all IPs (not just mine) at all minutes of the day then the internet is pretty [expletive] up lol...

mer

@spookymonkey said in Blocked IGMP packets flooding my logs -- IGMP snooping???:

then the internet is pretty [expletive] up lol...

Yes, Yes it is.
Biggest thing is ask questions. Lots of knowledge here, lots in different forums.
Lots of really good PF references around (OpenBSD mailing lists) that in general talk about good/proper network security.

For me, the biggest things are:
Start at default deny I personally like default deny on all interfaces (except lo), not just WAN, but others have different opinion which is fine.
Know what is on your network
Know what you want to allow

Network security, I believe "no dumb questions" so asking is never a bad thing.

Edit:
Oh, make sure you have some Windows machines on your home network and grab the traffic to see how chatty they are.

spookymonkey

@mer Thanks! I have a managed switch that I just setup with 802.1q VLANs and have each VLAN along with the physical LAN interface set to
block all IPV6
allow IPV4 http/https/ntp/dns
deny all IPV4*
with a couple exceptions for my wife's VPN for work so hopefully I didn't miss anything with this setup :S

I have a win10 machine I just got up and running in my proxmox box yesterday and have already noticed weird stuff getting blocked from pfBlockerNG and other random outbound traffic blocked in my firewall rules... I plan to eventually get a flip phone and ditch all the big tech garbage, but don't know how feasible that will be at this point!!!! Eventually when I learn about packet capturing/analysis, I'm sure I'll have much more to complain about...

mer

@spookymonkey It's been a while, but I started with default deny all-interfaces, skip lo0 then started adding allow rules. Suprisingly few are actually needed, less than a dozen. Windows Updates does some weird stuff to broadcast and port 0 but for normal operations the allowed list is pretty short.
You wind up seeing some "co-opting" of protocols (something that is normally TCP only Google decided to use it as UDP for something) so you need to adjust things.

Packet capture/analysis: google up Wireshark. Lots of good information. You can wind up banging your head, so pick one thing and trace it (NTP is a good one to start with I think). It's not just about the packets, it's about the contents of the packets and the protocols (TCP vs UDP) so get used to looking at specific bits in packets.
Can make your head hurt at times, but what you see on the wire is what you are working with.

pfSense and pretty much every other commercial solution has a "default deny in WAN, allow all out WAN". It's the best way to get things to work, but I think you need to keep an eye on the LAN side to make sure you don't leak things (my opinion figure out what is best for you).

Most important: have fun.