Re: Strange route entry from China

2014-05-14 Thread Otto Moerbeek
On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote the following:

 On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg jo...@securit.se wrote:
 Yes, it's related to an SSH brute force attack.
 
 I have just never seen the client IP in the routing table before. My
 IP does not exist in the routing table when I SSH to the host.
 
 The IP shouldn't be there, at all. But, according to the route flags
 ('D' in this case), it's in there due to a redirect.
 
 I have a hard time understanding the mechanism that added the IP to the
 table.
 
 Is this something that can be explained?
 
 My assumption is there was an ICMP redirect that added the IP to your table.
 
 Check to see if you're accepting redirects. By default, OpenBSD has them as 
 off.

There are more reasons dynamic route entries are created. For example, to record
results of path MTU discovery.

 -Otto



Re: Strange route entry from China

2014-05-14 Thread Johan Beisser
On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek o...@drijf.net wrote:

 On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote the following:



 There are more reasons dynamic route entries are created. For example, to
 record results of path MTU discovery.

That implies a successful TCP connection to the router itself, doesn't it?



Re: Strange route entry from China

2014-05-14 Thread Kevin Lyda
On 14 May 2014 08:20, Johan Beisser j...@caustic.org wrote:

 On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek o...@drijf.net wrote:
 
  On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote the following:
 

 
  There are more reasons dynamic route entries are created. For example,
  to record results of path MTU discovery.

 That implies a successful TCP connection to the router itself, doesn't it?


Sure. But connecting to port 22 in order to fail to auth is a successful
TCP connection.

Kevin



Re: Strange route entry from China

2014-05-14 Thread Johan Beisser
On Wed, May 14, 2014 at 12:40 AM, Kevin Lyda ke...@ie.suberic.net wrote:

 On 14 May 2014 08:20, Johan Beisser j...@caustic.org wrote:

 On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek o...@drijf.net wrote:
 
  On 14 May 2014 at 07:48, Johan Beisser j...@caustic.org wrote the following:
 
  There are more reasons dynamic route entries are created. For example, to
  record results of path MTU discovery.

 That implies a successful TCP connection to the router itself, doesn't it?


 Sure. But connecting to port 22 in order to fail to auth is a successful TCP
 connection.

Yes.

Path MTU implies the connection is held open for larger packets than
just during the handshake and SSH negotiation. Or am I
misunderstanding when MTU is negotiated?



Strange route entry from China

2014-05-13 Thread Johan Ryberg
Hi,

Please forgive my ignorance.

I have a small lab and I noticed this IP in the routing table:
61.174.51.232, resolves to
232.51.174.61.dial.wz.zj.dynamic.163data.com.cn

# route -n show
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
default192.168.66.1   UGS739270 - 8 em0
61.174.51.232  192.168.66.1   UGHD   138722 - L  56 em0
127/8  127.0.0.1  UGRS   00 33144 8 lo0
127.0.0.1  127.0.0.1  UH 4 1244 33144 4 lo0
192.168.66/24  link#1 UC 10 - 4 em0
192.168.66.1   00:1b:17:bd:8d:11  UHLc   20 - 4 em0
224/4  127.0.0.1  URS00 33144 8 lo0



It came and disappeared quite fast.

The box is a more or less stock OpenBSD 5.5.

Is it normal that entries like this come and go?

Best regards Johan



Re: Strange route entry from China

2014-05-13 Thread Amit Kulkarni
On Tue, May 13, 2014 at 3:27 PM, Johan Ryberg jo...@securit.se wrote:

 Hi,

 Please forgive my ignorance.

 I have a small lab and I noticed this IP in the routing table:
 61.174.51.232, resolves to
 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn

 # route -n show
 Routing tables

 Internet:
 DestinationGatewayFlags   Refs  Use   Mtu  Prio
 Iface
 default192.168.66.1   UGS739270 - 8 em0
 61.174.51.232  192.168.66.1   UGHD   138722 - L  56 em0
 127/8  127.0.0.1  UGRS   00 33144 8 lo0
 127.0.0.1  127.0.0.1  UH 4 1244 33144 4 lo0
 192.168.66/24  link#1 UC 10 - 4 em0
 192.168.66.1   00:1b:17:bd:8d:11  UHLc   20 - 4 em0
 224/4  127.0.0.1  URS00 33144 8 lo0



 It came and disappeared quite fast.

 The box is a more or less stock OpenBSD 5.5.

 Is it normal that entries like this come and go?



Labs are prime targets for scanning for vulnerable machines.



Re: Strange route entry from China

2014-05-13 Thread Stuart McMurray
On Tuesday, May 13, 2014, Amit Kulkarni amitk...@gmail.com wrote:

 On Tue, May 13, 2014 at 3:27 PM, Johan Ryberg jo...@securit.se wrote:

  Hi,
 
  Please forgive my ignorance.
 
  I have a small lab and I noticed this IP in the routing table:
  61.174.51.232, resolves to
  232.51.174.61.dial.wz.zj.dynamic.163data.com.cn
 
  # route -n show
  Routing tables
 
  Internet:
  DestinationGatewayFlags   Refs  Use   Mtu  Prio
  Iface
  default192.168.66.1   UGS739270 - 8
 em0
  61.174.51.232  192.168.66.1   UGHD   138722 - L  56
 em0
  127/8  127.0.0.1  UGRS   00 33144 8
 lo0
  127.0.0.1  127.0.0.1  UH 4 1244 33144 4
 lo0
  192.168.66/24  link#1 UC 10 - 4
 em0
  192.168.66.1   00:1b:17:bd:8d:11  UHLc   20 - 4
 em0
  224/4  127.0.0.1  URS00 33144 8
 lo0
 
 
 
  It came and disappeared quite fast.
 
  The box is a more or less stock OpenBSD 5.5.
 
  Is it normal that entries like this come and go?
 
 
 
 Labs are prime targets for scanning for vulnerable machines.

 And, 163data.com.cn is a large source of shady activity.


-- 
J. Stuart McMurray



Re: Strange route entry from China

2014-05-13 Thread Johan Beisser
 On May 13, 2014, at 18:47, Stuart McMurray kd5...@gmail.com wrote:
 
 
 And, 163data.com.cn is a large source of shady activity.


I blocked the bulk of China and Asia outright at the router. 

Quick solution, if not clean. 



Re: Strange route entry from China

2014-05-13 Thread Johan Ryberg
Yes, it's related to an SSH brute force attack.

I have just never seen the client IP in the routing table before. My
IP does not exist in the routing table when I SSH to the host.

I have a hard time understanding the mechanism that added the IP to the
table.

Is this something that can be explained?

Best regards Johan

On 14 May 2014 04:09, Johan Beisser j...@caustic.org wrote:



  On May 13, 2014, at 18:47, Stuart McMurray kd5...@gmail.com wrote:
 
 
  And, 163data.com.cn is a large source of shady activity.


 I blocked the bulk of China and Asia outright at the router.

 Quick solution, if not clean.



Re: Strange route entry from China

2014-05-13 Thread Johan Beisser
On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg jo...@securit.se wrote:
 Yes, it's related to an SSH brute force attack.

 I have just never seen the client IP in the routing table before. My
 IP does not exist in the routing table when I SSH to the host.

The IP shouldn't be there, at all. But, according to the route flags
('D' in this case), it's in there due to a redirect.

 I have a hard time understanding the mechanism that added the IP to the
 table.

 Is this something that can be explained?

My assumption is there was an ICMP redirect that added the IP to your table.

Check to see if you're accepting redirects. By default, OpenBSD has them as off.
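A small check in the spirit of the advice above, added here and not part of the thread: it pulls the dynamically created host routes (the 'D' flag) out of `route -n show` output and reports the OpenBSD ICMP redirect sysctl. The route table embedded in the script is constructed sample data modelled on the one posted earlier; on a real box, pipe the live command into the function instead.

```shell
#!/bin/sh
# Added example, not from the thread. Finds host routes the kernel created
# dynamically (flag 'D' in `route -n show`) and reports the OpenBSD
# ICMP-redirect sysctl. Parsing runs on constructed sample output (offline).

# Constructed sample, modelled on the table posted earlier in the thread.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags   Refs     Use   Mtu  Prio Iface
default            192.168.66.1       UGS        7   39270     -     8 em0
61.174.51.232      192.168.66.1       UGHD       1   38722     -    56 em0
127/8              127.0.0.1          UGRS       0       0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         4    1244 33144     4 lo0
192.168.66/24      link#1             UC         1       0     -     4 em0
192.168.66.1       00:1b:17:bd:8d:11  UHLc       2       0     -     4 em0
224/4              127.0.0.1          URS        0       0 33144     8 lo0'

# Print "destination gateway flags" for each entry whose flags contain both
# H (host route) and D (created dynamically). Reads route output on stdin.
dynamic_host_routes() {
    awk '$1 == "Destination" { in_table = 1; next }
         in_table && NF >= 3 && $3 ~ /H/ && $3 ~ /D/ { print $1, $2, $3 }'
}

# Expand the route(8) flags relevant here into words.
interpret_flags() {
    words=""
    case $1 in *H*) words="$words host";;     esac
    case $1 in *G*) words="$words gateway";;  esac
    case $1 in *D*) words="$words dynamic";;  esac
    case $1 in *M*) words="$words modified";; esac
    echo "${words# }"
}

# 0 means the kernel ignores ICMP redirects (the OpenBSD default); the sysctl
# does not exist on other systems, so report "unknown" there.
redirect_policy() {
    sysctl -n net.inet.icmp.rediraccept 2>/dev/null || echo unknown
}

main() {
    echo "net.inet.icmp.rediraccept = $(redirect_policy)"
    echo "$SAMPLE_ROUTES" | dynamic_host_routes | while read -r dst gw fl; do
        echo "$dst via $gw [$fl]: $(interpret_flags "$fl")"
    done
}
main
```

If the sysctl reports 1, the host accepts redirects and a dynamic entry can be planted by anyone who can reach it on the local segment; leaving it at 0 and treating such entries as something to correlate with logs is the defensive reading of the thread.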