Conspiracy, Coincidence, Conundrum



  • I am not sure which sub-forum to post this in but since this is from the firewall log, I am choosing to post it under Firewalling.

    I have had pfSense up and running for about 3 months. Ever since then, 60% of my firewall log is filled with the following entry.
    Jun 9 19:47:21 WAN 64.132.38.206:4500 <redacted IP>:4500 UDP

    Initially, I just thought it was annoying to see this message every 4 seconds. Now, I am beginning to wonder if this is a sustained and malicious attempted attack on my system.

    I looked up the source IP address, 64.132.38.206, and it seems to be located in Austin, TX. Now, here’s a theory for you conspiracy theorists. pfSense, I believe, is also located in Austin, TX. At least Electric Sheep Fencing, the copyright owners of pfSense is. Is this a coincidence?

    Theories aside, I am trying to figure out if this is just a misconfigured host or a truly malicious one. How does one attempt to curtail its activity?

    Thanks!





  • Here's your source http://us.ncsoft.com/en/

    Do a WHOIS on the IP... ::)



  • Indeed that IP belongs to NCsoft Corp, not us. We never attempt to connect to anyone.

    It's likely the IP you have was used by them for a site-to-site VPN (UDP 4500 is ISAKMP NAT-T). The fact it keeps trying something that gets no response over and over and over suggests that's almost certainly the case. Something malicious wouldn't keep trying repeatedly when it gets no response.
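    To put numbers behind the two observations above (one source owning most of the block log, hitting UDP 4500 at a fixed interval and never getting an answer), here is an added example that is not from the thread or from pfSense: it parses lines in the shape of the log entry quoted in the first post and reports, per source, its share of the log and the spacing between hits. The log lines are constructed; 203.0.113.10 stands in for the redacted WAN address.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Shape of the GUI log line quoted in the thread: "Jun 9 19:47:21 WAN 64.132.38.206:4500 <redacted IP>:4500 UDP"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

# Constructed sample: one peer retrying UDP 4500 every 4 s, plus three unrelated hits.
SAMPLE_LOG = [
    f"Jun 9 19:47:{21 + 4 * i:02d} WAN 64.132.38.206:4500 203.0.113.10:4500 UDP"
    for i in range(6)
] + [
    "Jun 9 19:47:22 WAN 198.51.100.7:52011 203.0.113.10:23 TCP",
    "Jun 9 19:47:30 WAN 198.51.100.7:52012 203.0.113.10:22 TCP",
    "Jun 9 19:47:39 WAN 192.0.2.44:33001 203.0.113.10:445 TCP",
]

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def summarize(lines):
    """Group hits by (source IP, destination port, protocol); a group that owns most
    of the log and fires at a steady cadence looks like a peer retrying a handshake."""
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    groups = defaultdict(list)
    for p in parsed:
        groups[(p["src"], p["dport"], p["proto"])].append(p["ts"])
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "hits": len(stamps),
            "share": len(stamps) / len(parsed),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "steady_retry": len(gaps) >= 3 and max(gaps) - min(gaps) <= 1.0,
        }
    return report
```

Run `summarize(SAMPLE_LOG)` against a real export of the block log to see whether the UDP 4500 source behaves like the steady retrier described here or like the scattered, short-lived hits a scanner leaves.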



  • Thanks for the responses. My apologies if my attempt to generate curiosity in this issue came across as implying there was anything nefarious with pfSense.

    I will be contacting NCSoft Corp regarding this matter but here is something curious. I rebooted my modem to force it to acquire another IP address. I verified that the IP addressed did indeed change. I still see the same spew in my firewall log against my new IP.

    Argh!



  • Sure you don't have something on your network connecting out to them that's triggering that in response? Having it follow to a different IP would basically rule out a site to site VPN unless it was connecting to a dynamic DNS hostname you now have.



  • Those cellphone femtocells connect via port 4500 (but usually the IP is from a cell carrier's block of IPs).



  • I am sure but not positive that there isn't anything on my network trying to connect out. If there was, wouldn't the firewall allow the connection and not block it?

    Dynamic DNS hostname sounds very plausible. I will disable that, force an IP address renewal and reply back.

    Not sure what Femtocells are. I will look them up.



  • @pfSenseRocks:

    I am sure but not positive that there isn't anything on my network trying to connect out. If there was, wouldn't the firewall allow the connection and not block it?

    Dynamic DNS hostname sounds very plausible. I will disable that, force an IP address renewal and reply back.

    Not sure what Femtocells are. I will look them up.

    Yes the firewall would allow it if the connection was initiated from inside.

    Femtocells are great when you need them. Verizon Wireless calls it a network extender.

    My belief is that someone has a misconfigured device pointed at you.



  • If it were a reply to something initiated inside, yes it would be allowed. If it were a different connection triggered by a connection initiated inside, then no.

    Having a dynamic DNS hostname, it would definitely be interesting to see if it follows you without the hostname being updated.



  • How does one release and renew the WAN client IP lease in pfSense? I want to force a new IP address to be handed out by my ISP. If I use a commercially available home router and use the GUI to do this, I get a new IP address every time. With pfSense, dhclient <interface> gives me the same WAN IP. Even a reboot of my pfSense box and/or the cable modem doesn't help. The IP address seems very sticky. In fact, even switching between the commercially available home router and pfSense still always gives me the same WAN IP.

    Thanks!



  • Take a look at the lease time of your DHCP-assigned WAN IP address. You can try to power down your modem for a longer time and hope that you'll get a new IP address when you reconnect.

    In some cases, this might not work reliably. Some cable modem users have reported success with altering the MAC address of their modems... but this might lead to different issues.



  • Thanks for the reply, Klaws. Turns out that my ISP's DHCP servers remember MACs for a long time: 7 days. They weren't very helpful when I asked them to force an IP change. I tried to use MAC spoofing (pfSense 2.03) but I couldn't get internet connectivity. Changing hardware was my quickest alternative to get rid of the NCSoft connection attempts. I did so.

    While changing out my hardware, I decided to put pfSense 2.1 into production usage. Got rid of the NCSoft annoyance.

    2.1 works better in general as well.

