Firewall UDP ? Attack !! Or Normal ?
-
@steveits said in Firewall UDP ? Attack !! Or Normal ?:
Are you using a VPN to connect out from/on pfSense
In that case, the case is closed.
The IP you get from a VPN is never .... "not new, made for you, and has no usage history".
IP are recycled among users, have a history, and because it's from an VPN ISP, it has been used for horrible things, or worse.
If your IP was used just before you got it by you by some bad-ass 'let's go attack all 3 letter agencies" hacker-wannabee, then yeah, you will see a lot of activity on your IP. Some one want to know where you are, as they didn't figured out yet some one else is hiding behind the IP.If you want a clean(er) IP from a VPN ISP ? That's possible. I bet the more expensive ones proposes more proposes (read : less abused) IP's.
If you use a VPN IP, then follow this excellent advise :
@steveits said in Firewall UDP ? Attack !! Or Normal ?:
(and I definitely wouldn't log it)
Btw : I'm still curious about what the traffic actually is, what it contains. But if its TLS wrapped up, or, has no payload at all, again, ditch it. Live is already to short.
-
@gertjan said in Firewall UDP ? Attack !! Or Normal ?:
I'm still curious about what the traffic actually is
Yeah same here - he did post a pcap with the payload.. I posted what I saw in some of them.. It is odd traffic to be sure. And the TTLs on the packets are also odd.. From the TTLs you would think traceroute, but they don't seem to be changing correctly, and the port not changing - unless he was missing the parts of the traffic in his sniff.
-
Ok I will try to explain as best as possible, and sorry for my bad English (I really only speak Spanish)
Well I have a year running everything fine in pfsense using an internet provider.
but 1 month ago I decided to add a new internet provider for redundancy purposes.
Well, this is the situation, the fiber that I receive from this Internet provider is directly connected to Proxmox (I have several Pfsense here)
I created a new pfsense for this new internet provider, they offer me the ip 1.2.3.4/29, I configured everything and everything was fine, the service went up without problem... I created the firewall rule normally as I am used to...
I started noticing strange traffic to the same port 33434 but I ignored it.
when it came time to actually use this redundancy and my ISP 1 Failed.
I moved about 200 clients to My New Pfsense with the new wan/29 as they started telling me they felt a bit slow.
which was very strange because in the previous pfsense with the previous isp they had the exact same internet speed and it was never slow.
Well, in the end I moved all this client to the old pfsense with my old Wan and everything works great.
Now Monitoring the incoming traffic of my WAN interface (TO MY MAIN IP) a lot of packets arrive at port 33434 UDP As you could see in the previous photo abc exceeds 30mbps which is very high for normal internet traffic.
Well, I investigated, I used my other WAN to do an nslookup to my New IP And I discovered the following in name: it shows vpn2.med.com.do
so I did another nslookup to this name vpn2.med.com.do and it shows me the following IP 179.51.66.42
As you can see, something is not right, so I told my new isp about this, but I still haven't gotten a response.
the thing is that this service is impossible to use in this way.
That's why at the beginning of the publication I asked this, is it normal? or am I under a ddos attack?
In case you are wondering, where does this traffic come from because they come from everywhere, at the beginning I only saw a network 157.185.0.0/16 now I see any IP pointing to 33434 or 33224
By the way, here I leave my dashboard in case it is important.
@stephenw10 I would like to hear your opinion on this.
I did a nat just to capture this on my pc directly.
-
@silence said in Firewall UDP ? Attack !! Or Normal ?:
am I under a ddos attack?
A DoS attack is usually much higher volume and I would think be on other ports like 80/443. Normally a DoS attack's goal is to connect to some service (like a web server or DNS server) and make the service respond, to keep the server busy.
I think your ISP needs to answer the questions:
- can they block the traffic?
- was your IP being used by someone else, perhaps a VPN provider?
A similar example is that most phone companies won't immediately re-use a phone number. They wait a while so the new customer doesn't get calls for the old customer.
Random traffic probing any IP connected to the Internet is normal; they are scanning all IPs on the Internet looking for servers to exploit. A high volume of traffic coming to one specific port is not normal.
I would definitely not log each packet, that's just unnecessary CPU time and SSD write life wear.
-
@steveits said in Firewall UDP ? Attack !! Or Normal ?:
was your IP being used by someone else, perhaps a VPN provider?
Investigating myself, it seems to me that if the old owner of the IP offered vpn service and apparently all his clients try to connect.
-
@steveits said in Firewall UDP ? Attack !! Or Normal ?:
can they block the traffic?
I am more interested in the case of nslookup
I did the same process with the other ip of my service of /29 and there are only 2 ip of this that show this behavior when I do nslookup
I am sure that if you solve this... I should no longer receive this type of traffic and it is much better than canceling my rule, because I am really interested in registering all types of UDP in my wan
-
@silence The incorrect reverse DNS/PTR record isn't going to hurt you though, it is just incorrect. Unless you have a mail server on your LAN, in which case some/many mail servers on the Internet demand the forward and reverse DNS lookups match, in an effort to block spammers.
To log other UDP, you could make a rule above that rule:
block UDP on WAN:33224, do not log
block UDP on WAN, log -
@silence
Yupp
Something seems a bit fishy with the PTR's
$ host 1.2.3.4 4.3.2.1.in-addr.arpa domain name pointer vpn2.med.com.do. $ host 179.51.66.42 42.66.51.179.in-addr.arpa domain name pointer vpn2.med.com.do. $ host vpn2.med.com.do vpn2.med.com.do has address 179.51.66.42
Do you own (use) both of these ip's , i mean primary line vs secondary ?
-
@bingo600 said in Firewall UDP ? Attack !! Or Normal ?:
1.2.3.4
This is my real wan ip can you put 1.2.3.4 please? XD
-
@silence said in Firewall UDP ? Attack !! Or Normal ?:
@bingo600 said in Firewall UDP ? Attack !! Or Normal ?:
1.2.3.4
This is my real wan ip can you put 1.2.3.4 please? XD
Done ...
It wasn't me that posted a tonn of those "real" IP's in the pict here
https://forum.netgate.com/post/1028590 -
@bingo600 said in Firewall UDP ? Attack !! Or Normal ?:
It wasn't me that posted a tonn of those "real" IP's in the pict here
lol sorry, So what else can I do?
-
@silence
I would start by getting the DNS reverse pointer that is in error fixed.
Should your "real ip" reverse resolve to that : vpn2.med.com.do name ?
Else contact theALTICE orTRICOM ISP that controls the PA range you have been assigned , to get that fixed.
That might not stop the noise, as PTR's usually aren't used much But it's still an error, if it's not your domain.Edit: have them fix the .200 PTR too.
And see if the noise is gone.
My guess is that it probably isn't ...
The name it resolves to : vpn2.med.com.do
Might indicate that someone might be trying to connect to the IP address (hardcoded) for vpn usage.If that is what is happening , you should ask the ISP for another /29 range.
-
@bingo600 said in Firewall UDP ? Attack !! Or Normal ?:
Should your "real ip" reverse resolve to that : vpn2.med.com.do name ?
here it should show something like reserved-ipwan-200.tricom.net
-
@silence could you please PM me (send me a private message) Click my avatar and start conversation. With what you actual IP is - I would like to look up the ptr for it, and other info I can glean from this IP. Also are you saying this vpn2.med.com.do is suppose to point to your real IP, and its pointing to some other IP..
I did stop for a few beers tonight with buddy - so that might be my problem, but still confused about your traces and what is suppose to point to what from a fqdn or ptr point of view ;)
If your seeing 33Mbps to your IP no matter what the port is from just "noise" that seems excessive for sure. But as others have mentioned - when some ISP gives you an IP - it could come with baggage. You don't know what that IP was used for in the past, and you could have other users or companies still trying to hit it, etc. that other port 33224 is that udp or tcp - that is unassigned.. It's not a port actually assigned to anything specific.. So yeah that is odd traffic for sure. But that 200.88 IP is a do (CompañÃa Dominicana de TelÃfonos S. A) IP.. Which at least the region of the world I believe your in.
-
@johnpoz said in Firewall UDP ? Attack !! Or Normal ?:
@silence could you please PM me (send me a private message) Click my avatar and start conversation. With what you actual IP is - I would like to look up the ptr for it, and other info I can glean from this IP. Also are you saying this vpn2.med.com.do is suppose to point to your real IP, and its pointing to some other IP..
I did stop for a few beers tonight with buddy - so that might be my problem, but still confused about your traces and what is suppose to point to what from a fqdn or ptr point of view ;)
If your seeing 33Mbps to your IP no matter what the port is from just "noise" that seems excessive for sure. But as others have mentioned - when some ISP gives you an IP - it could come with baggage. You don't know what that IP was used for in the past, and you could have other users or companies still trying to hit it, etc. that other port 33224 is that udp or tcp - that is unassigned.. It's not a port actually assigned to anything specific.. So yeah that is odd traffic for sure. But that 200.88 IP is a do (CompañÃa Dominicana de TelÃfonos S. A) IP.. Which at least the region of the world I believe your in.
Done.
-
@silence I do not see how the PTR would be cause of the traffic. What seems likely is they use to have your old IP.. They changed it at some point, but never got the PTR removed..
But they still have something pointing to this old IP (now your IP) vs using the fqdn, if they used the fqdn they would point to what that forward points too
;; ANSWER SECTION:
vpn2.med.com.do. 3150 IN A 179.51.66.42Its prob a good thing that the PTR was not updated, because it gives you a clue to why the traffic is still being sent to your IP.
I would contact the domain owners for med.com.do - they might be able to help get their customers/clients/whoever might be pointing to that old IP (now your ip).
-
@johnpoz said in Firewall UDP ? Attack !! Or Normal ?:
I would contact the domain owners for med.com.do
Done.
-
@silence Or could be when the ISP was changing the PTRs on the IP they F'd it up and put it on yours vs where it was suppose to go..
And this med.com.do never had anything to ever with your IP..
But will be interesting if you hear from them.. Let us know..
-
@johnpoz said in Firewall UDP ? Attack !! Or Normal ?:
Or could be when the ISP was changing the PTRs on the IP they F'd it up and put it on yours vs where it was suppose to go..
And this med.com.do never had anything to ever with your IP..
But will be interesting if you hear from them.. Let us know..Yes, I am trying to get in contact with the owner of med.com.do and with my isp, I will keep this thread informed, because whatever this is it does cause a problem.
-
@silence I do show the current PTR for where that vpn2 fqdn points to be set..
;; QUESTION SECTION:
;42.66.51.179.in-addr.arpa. IN PTR;; ANSWER SECTION:
42.66.51.179.in-addr.arpa. 38400 IN PTR vpn2.med.com.do.