
Re: Help: network abuse
On Thu, 21 Dec 2023, Alain D D Williams wrote:

My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
unsolicited. I do not know what it is trying to achieve but suspect no good. It
is also eating my broadband allowance.

This does not show up in the Apache log files - the TCP connection does not succeed.

Sometimes my machine does send a packet in reply; there are 2 examples at the
foot of this email.

Questions:

- What is going on?

- What can I do about it?
  I do manually add some of the IPs to the f2b chain, which will stop replies,
  but that is about it.

My ISP refuses to do anything about it - I admit that I cannot see what they
could do, maybe filter packets with a source port of 80 or 443.

I also get attempts to break into ssh (port 22) - I am not worried about that.

I append a few lines of output of "tcpdump -n -i enp3s0" done today.
192.168.108.2 is the address of my desktop PC.

The connecting IPs below all belong to Amazon but this changes with time, China
is another common source of similar packets.

11:08:56.354303 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 19070976, win 51894, options [mss 1401,sackOK,TS val 1182532729 ecr 0,nop,wscale 7], length 0
11:08:56.354700 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 3665362944, win 51894, options [mss 1402,sackOK,TS val 4179952761 ecr 0,nop,wscale 7], length 0
11:08:56.360527 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 479395840, win 51894, options [mss 1412,sackOK,TS val 3391683448 ecr 0,nop,wscale 7], length 0
11:08:56.360696 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 1622147072, win 51894, options [mss 1410,sackOK,TS val 2887711608 ecr 0,nop,wscale 7], length 0
11:08:56.360950 IP 54.184.78.87.80 > 192.168.108.2.80: Flags [S], seq 3168796672, win 51894, options [mss 1404,sackOK,TS val 535364985 ecr 0,nop,wscale 7], length 0
11:08:56.364565 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 132317184, win 51894, options [mss 1407,sackOK,TS val 2350122105 ecr 0,nop,wscale 7], length 0
11:08:56.364708 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 1098776576, win 51894, options [mss 1405,sackOK,TS val 3426157689 ecr 0,nop,wscale 7], length 0
11:08:56.367975 IP 13.231.232.88.80 > 192.168.108.2.80: Flags [S], seq 3272540160, win 51894, options [mss 1413,sackOK,TS val 979961209 ecr 0,nop,wscale 7], length 0

A similar capture from 2 days ago. Note that the source port is 443, not 80:

09:47:31.416452 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2724200448, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0
09:47:31.417861 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 925237248, win 51894, options [mss 1407,sackOK,TS val 756418658 ecr 0,nop,wscale 7], length 0
09:47:31.440892 IP 27.124.10.197.443 > 192.168.108.2.80: Flags [S], seq 3474063360, win 51894, options [mss 1404,sackOK,TS val 3970828642 ecr 0,nop,wscale 7], length 0
09:47:31.449393 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 2844721152, win 51894, options [mss 1407,sackOK,TS val 1831471202 ecr 0,nop,wscale 7], length 0
09:47:31.451430 IP 154.39.104.67.443 > 192.168.108.2.80: Flags [S], seq 2336358400, win 51894, options [mss 1415,sackOK,TS val 395513698 ecr 0,nop,wscale 7], length 0
09:47:31.451610 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 808976384, win 51894, options [mss 1414,sackOK,TS val 1960250978 ecr 0,nop,wscale 7], length 0
09:47:31.453372 IP 143.92.60.30.443 > 192.168.108.2.80: Flags [S], seq 3177512960, win 51894, options [mss 1408,sackOK,TS val 4033677410 ecr 0,nop,wscale 7], length 0
09:47:31.456937 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 1042087936, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 7], length 0
09:47:31.461961 IP 27.124.10.226.443 > 192.168.108.2.80: Flags [S], seq 3200516096, win 51894, options [mss 1403,sackOK,TS val 2314013026 ecr 0,nop,wscale 7], length 0

Examples where my machine sends a reply:

09:47:31.658790 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 612564992, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 7], length 0
09:47:31.659442 IP 192.168.108.2.80 > 154.39.104.67.443: Flags [S.], seq 3770299450, ack 1858732033, win 65160, options [mss 1460,sackOK,TS val 164888251 ecr 395513698,nop,wscale 7], length 0

09:47:31.756220 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2992898048, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0
09:47:31.756272 IP 192.168.108.2.80 > 5.45.73.147.443: Flags [.], ack 1226309633, win 509, options [nop,nop,TS val 2085784149 ecr 994101358], length 0

You can try sending RST. That might make them give up.

There is not much else you can do.

I sometimes do a whois on a persistent offender and blacklist the entire
network. But I don't know if they stop as this happens before any
logging.

I'd suggest sending RST for at least a /24 rather than individual IPs.
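To make the pattern in the captures above and the /24 suggestion concrete, here is an added example (not from either poster): it parses lines in the `tcpdump -n` format shown, keeps only inbound bare SYNs whose source port is a service port (80 or 443, the thing a real client never does), counts them per /24, and builds the iptables REJECT rules that answer such SYNs with a TCP RST. The sample lines are copied from the capture in the post; the regex and the `min_hits` threshold are my assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches the "tcpdump -n" line shape seen in the post (assumed stable).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
    r'.*?win (?P<win>\d+)')

# Lines copied from the capture in the post: four inbound SYNs plus the
# two packets the desktop sent back (which must NOT be counted).
SAMPLE_LINES = [
    "09:47:31.416452 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2724200448, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0",
    "09:47:31.417861 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 925237248, win 51894, options [mss 1407,sackOK,TS val 756418658 ecr 0,nop,wscale 7], length 0",
    "09:47:31.440892 IP 27.124.10.197.443 > 192.168.108.2.80: Flags [S], seq 3474063360, win 51894, options [mss 1404,sackOK,TS val 3970828642 ecr 0,nop,wscale 7], length 0",
    "09:47:31.451610 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 808976384, win 51894, options [mss 1414,sackOK,TS val 1960250978 ecr 0,nop,wscale 7], length 0",
    "09:47:31.659442 IP 192.168.108.2.80 > 154.39.104.67.443: Flags [S.], seq 3770299450, ack 1858732033, win 65160, options [mss 1460,sackOK,TS val 164888251 ecr 395513698,nop,wscale 7], length 0",
    "09:47:31.756272 IP 192.168.108.2.80 > 5.45.73.147.443: Flags [.], ack 1226309633, win 509, options [nop,nop,TS val 2085784149 ecr 994101358], length 0",
]

def parse_line(line):
    """Return the fields of one tcpdump line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "win"):
        pkt[key] = int(pkt[key])
    return pkt

def is_unsolicited_syn(pkt, local_ip, service_ports=(80, 443)):
    """Inbound SYN-only segment whose *source* port is a service port; real
    clients use ephemeral source ports, so this is the pattern in the post."""
    return (pkt["dst"] == local_ip and pkt["flags"] == "S"
            and pkt["sport"] in service_ports)

def rank_offenders(lines, local_ip, prefix=24):
    """Count matching SYNs per source network (a /24 by default, as the reply suggests)."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt and is_unsolicited_syn(pkt, local_ip):
            counts[str(ip_network(f"{pkt['src']}/{prefix}", strict=False))] += 1
    return counts.most_common()

def reject_rules(ranked, min_hits=2):
    """iptables rules (returned as strings, not executed) that answer a SYN to
    port 80 from a ranked network with a TCP RST instead of a SYN-ACK."""
    return [f"iptables -I INPUT -s {net} -p tcp --dport 80 --syn -j REJECT --reject-with tcp-reset"
            for net, hits in ranked if hits >= min_hits]

if __name__ == "__main__":
    ranked = rank_offenders(SAMPLE_LINES, "192.168.108.2")
    print(ranked)                       # [('27.124.10.0/24', 3), ('5.45.73.0/24', 1)]
    print("\n".join(reject_rules(ranked)))
```

Feed it a longer capture (for example `tcpdump -n -i enp3s0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > syns.txt`) to see which networks dominate before deciding what to reject.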
