Re: Strange route entry from China
On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote:

> On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg jo...@securit.se wrote:
>> Yes, it's related to an SSH brute force attack. I have just never seen the client IP in the routing table before. My IP does not exist in the routing table when I SSH to the host.
>
> The IP shouldn't be there, at all. But, according to the route flags ('D' in this case), it's in there due to a redirect.
>
>> I have a hard time understanding the mechanism that added the IP to the table. Is this something that can be explained?
>
> My assumption is there was an ICMP redirect that added the IP to your table. Check to see if you're accepting redirects. By default, OpenBSD has them as off.

There are more reasons dynamic route entries are created. For example to record results of MTU path discovery.

-Otto
Re: Strange route entry from China
On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek o...@drijf.net wrote:

> On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote:
>
> There are more reasons dynamic route entries are created. For example to record results of MTU path discovery.

That implies a successful TCP connection to the router itself, doesn't it?
Re: Strange route entry from China
On 14 May 2014 08:20, Johan Beisser j...@caustic.org wrote:

> On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek o...@drijf.net wrote:
>> On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote:
>>
>> There are more reasons dynamic route entries are created. For example to record results of MTU path discovery.
>
> That implies a successful TCP connection to the router itself, doesn't it?

Sure. But connecting to port 22 in order to fail to auth is a successful TCP connection.

Kevin
Re: Strange route entry from China
On Wed, May 14, 2014 at 12:40 AM, Kevin Lyda ke...@ie.suberic.net wrote:

> On 14 May 2014 08:20, Johan Beisser j...@caustic.org wrote:
>> On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek o...@drijf.net wrote:
>>> On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote:
>>>
>>> There are more reasons dynamic route entries are created. For example to record results of MTU path discovery.
>>
>> That implies a successful TCP connection to the router itself, doesn't it?
>
> Sure. But connecting to port 22 in order to fail to auth is a successful TCP connection.

Yes. Path MTU implies the connection is held open for larger packets than just during the handshake and SSH negotiation. Or am I misunderstanding when MTU is negotiated?
Strange route entry from China
Hi,

Please forgive my ignorance. I have a small lab and I noticed this IP in the routing table: 61.174.51.232, resolves to 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.66.1       UGS        7    39270     -     8 em0
61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
192.168.66/24      link#1             UC         1        0     -     4 em0
192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
224/4              127.0.0.1          URS        0        0 33144     8 lo0

It came and disappeared quite fast. The box is a more or less stock OpenBSD 5.5.

Is it normal that entries like this come and go?

Best regards
Johan
Re: Strange route entry from China
On Tue, May 13, 2014 at 3:27 PM, Johan Ryberg jo...@securit.se wrote:

> Hi,
>
> Please forgive my ignorance. I have a small lab and I noticed this IP in the routing table: 61.174.51.232, resolves to 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn
>
> # route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            192.168.66.1       UGS        7    39270     -     8 em0
> 61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
> 127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
> 127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
> 192.168.66/24      link#1             UC         1        0     -     4 em0
> 192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
> 224/4              127.0.0.1          URS        0        0 33144     8 lo0
>
> It came and disappeared quite fast. The box is a more or less stock OpenBSD 5.5.
>
> Is it normal that entries like this come and go?

Labs are prime targets for scanning for vulnerable machines.
Re: Strange route entry from China
On Tuesday, May 13, 2014, Amit Kulkarni amitk...@gmail.com wrote:

> On Tue, May 13, 2014 at 3:27 PM, Johan Ryberg jo...@securit.se wrote:
>> Hi,
>>
>> Please forgive my ignorance. I have a small lab and I noticed this IP in the routing table: 61.174.51.232, resolves to 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn
>>
>> # route -n show
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
>> default            192.168.66.1       UGS        7    39270     -     8 em0
>> 61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
>> 127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
>> 127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
>> 192.168.66/24      link#1             UC         1        0     -     4 em0
>> 192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
>> 224/4              127.0.0.1          URS        0        0 33144     8 lo0
>>
>> It came and disappeared quite fast. The box is a more or less stock OpenBSD 5.5.
>>
>> Is it normal that entries like this come and go?
>
> Labs are prime targets for scanning for vulnerable machines.

And, 163data.com.cn is a large source of shady activity.

--
J. Stuart McMurray
Re: Strange route entry from China
On May 13, 2014, at 18:47, Stuart McMurray kd5...@gmail.com wrote:

> And, 163data.com.cn is a large source of shady activity.

I blocked the bulk of China and Asia outright at the router. Quick solution, if not clean.
Re: Strange route entry from China
Yes, it's related to an SSH brute force attack. I have just never seen the client IP in the routing table before. My IP does not exist in the routing table when I SSH to the host.

I have a hard time understanding the mechanism that added the IP to the table. Is this something that can be explained?

Best regards
Johan

On 14 May 2014 04:09, Johan Beisser j...@caustic.org wrote:

> On May 13, 2014, at 18:47, Stuart McMurray kd5...@gmail.com wrote:
>> And, 163data.com.cn is a large source of shady activity.
>
> I blocked the bulk of China and Asia outright at the router. Quick solution, if not clean.
Re: Strange route entry from China
On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg jo...@securit.se wrote:

> Yes, it's related to an SSH brute force attack. I have just never seen the client IP in the routing table before. My IP does not exist in the routing table when I SSH to the host.

The IP shouldn't be there, at all. But, according to the route flags ('D' in this case), it's in there due to a redirect.

> I have a hard time understanding the mechanism that added the IP to the table. Is this something that can be explained?

My assumption is there was an ICMP redirect that added the IP to your table. Check to see if you're accepting redirects. By default, OpenBSD has them as off.
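The two explanations offered in this thread (a 'D' route installed by an ICMP redirect, per Johan Beisser, or by path-MTU discovery, per Otto) both show up the same way in `route -n show`: a host route ('H') with the dynamic flag ('D') set. The script below is an added example written for this page, not code from the thread or from OpenBSD. It parses `route -n show` output, decodes the flag letters (a subset of those documented in netstat(1)), lists the dynamic host routes, and interprets the `net.inet.icmp.rediraccept` sysctl line that Beisser suggests checking. The embedded table is a constructed sample modelled on Johan's output; on a real box you would feed it `route -n show` and `sysctl net.inet.icmp.rediraccept` instead.

```python
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, laid out like Johan's `route -n show` output above.
SAMPLE_ROUTE_SHOW = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.66.1       UGS        7    39270     -     8 em0
61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
192.168.66/24      link#1             UC         1        0     -     4 em0
192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
224/4              127.0.0.1          URS        0        0 33144     8 lo0
"""

# Subset of the flag letters printed by OpenBSD route(8)/netstat(1).
FLAG_NAMES: Dict[str, str] = {
    "U": "up",
    "G": "gateway",
    "H": "host",
    "D": "dynamic (created by redirect or path-MTU discovery)",
    "M": "modified (changed by redirect)",
    "S": "static",
    "R": "reject",
    "L": "link-layer info",
    "C": "cloning",
    "c": "cloned",
    "B": "blackhole",
}


@dataclass
class Route:
    destination: str
    gateway: str
    flags: str
    refs: int
    use: int
    mtu: str          # "-" when no MTU is recorded on the route
    mtu_locked: bool  # the lone "L" after the Mtu column
    prio: int
    iface: str

    def flag_names(self) -> List[str]:
        return [FLAG_NAMES.get(f, "unknown:" + f) for f in self.flags]

    def is_dynamic_host(self) -> bool:
        # This is the shape of the 61.174.51.232 entry in the thread.
        return "H" in self.flags and "D" in self.flags


def parse_route_show(text: str) -> List[Route]:
    """Parse the Internet section of `route -n show` into Route records."""
    routes: List[Route] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        toks = line.split()
        # A row has 8 tokens, or 9 when the Mtu column is followed by "L".
        if len(toks) not in (8, 9):
            continue
        mtu_locked = len(toks) == 9 and toks[6] == "L"
        routes.append(Route(
            destination=toks[0], gateway=toks[1], flags=toks[2],
            refs=int(toks[3]), use=int(toks[4]), mtu=toks[5],
            mtu_locked=mtu_locked, prio=int(toks[-2]), iface=toks[-1]))
    return routes


def dynamic_host_routes(text: str) -> List[Route]:
    """Return only the routes that a redirect or PMTU discovery would create."""
    return [r for r in parse_route_show(text) if r.is_dynamic_host()]


def redirect_acceptance(sysctl_line: str) -> Optional[bool]:
    """Interpret `sysctl net.inet.icmp.rediraccept` output (key=value form)."""
    key, sep, value = sysctl_line.strip().partition("=")
    if not sep or key != "net.inet.icmp.rediraccept":
        return None
    return value.strip() != "0"


if __name__ == "__main__":
    # Read real output from stdin if piped in, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTE_SHOW
    for r in dynamic_host_routes(text):
        print(f"{r.destination} via {r.gateway} on {r.iface}: {', '.join(r.flag_names())}")
```

Typical use on the OpenBSD box: `route -n show | python3 routecheck.py`, then `sysctl net.inet.icmp.rediraccept` (hypothetical filename). A 'D' host route for a remote peer that appears while a connection is open and disappears afterwards is consistent with both explanations given in the thread; only if `rediraccept` is non-zero is the ICMP-redirect one possible at all, which is why Beisser's check comes first.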