On 12/21/23 04:00, Alain D D Williams wrote:
My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
unsolicited. I do not know what it is trying to achieve but suspect no good. It
is also eating my broadband allowance.

This does not show up in the Apache log files - the TCP connection does not 
succeed.

Sometimes my machine does send a packet in reply, there are 2 examples at the
foot of this email.

Questions:

• What is going on?

• What can I do about it?
   I do manually add some of the IPs to the f2b chain which will stop replies
   but that is about it.

My ISP refuses to do anything about it - I admit that I cannot see what they
could do, maybe filter packets with a source port of 80 or 443.

I also get attempts to break into ssh (port 22) - I am not worried about that.

I append a few lines of output of "tcpdump -n -i enp3s0" done today.
192.168.108.2 is the address of my desktop PC.

The connecting IPs below all belong to Amazon but this changes with time, China
is another common source of similar packets.

11:08:56.354303 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 
19070976, win 51894, options [mss 1401,sackOK,TS val 1182532729 ecr 0,nop,wscale 
7], length 0
11:08:56.354700 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 
3665362944, win 51894, options [mss 1402,sackOK,TS val 4179952761 ecr 0,nop,wscale 
7], length 0
11:08:56.360527 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 
479395840, win 51894, options [mss 1412,sackOK,TS val 3391683448 ecr 0,nop,wscale 
7], length 0
11:08:56.360696 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 
1622147072, win 51894, options [mss 1410,sackOK,TS val 2887711608 ecr 0,nop,wscale 
7], length 0
11:08:56.360950 IP 54.184.78.87.80 > 192.168.108.2.80: Flags [S], seq 
3168796672, win 51894, options [mss 1404,sackOK,TS val 535364985 ecr 0,nop,wscale 
7], length 0
11:08:56.364565 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 
132317184, win 51894, options [mss 1407,sackOK,TS val 2350122105 ecr 0,nop,wscale 
7], length 0
11:08:56.364708 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 
1098776576, win 51894, options [mss 1405,sackOK,TS val 3426157689 ecr 0,nop,wscale 
7], length 0
11:08:56.367975 IP 13.231.232.88.80 > 192.168.108.2.80: Flags [S], seq 
3272540160, win 51894, options [mss 1413,sackOK,TS val 979961209 ecr 0,nop,wscale 
7], length 0

2 days ago a similar capture. Note that the source port is 443 not 80:

09:47:31.416452 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 
2724200448, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 
7], length 0
09:47:31.417861 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 
925237248, win 51894, options [mss 1407,sackOK,TS val 756418658 ecr 0,nop,wscale 
7], length 0
09:47:31.440892 IP 27.124.10.197.443 > 192.168.108.2.80: Flags [S], seq 
3474063360, win 51894, options [mss 1404,sackOK,TS val 3970828642 ecr 0,nop,wscale 
7], length 0
09:47:31.449393 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 
2844721152, win 51894, options [mss 1407,sackOK,TS val 1831471202 ecr 0,nop,wscale 
7], length 0
09:47:31.451430 IP 154.39.104.67.443 > 192.168.108.2.80: Flags [S], seq 
2336358400, win 51894, options [mss 1415,sackOK,TS val 395513698 ecr 0,nop,wscale 
7], length 0
09:47:31.451610 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 
808976384, win 51894, options [mss 1414,sackOK,TS val 1960250978 ecr 0,nop,wscale 
7], length 0
09:47:31.453372 IP 143.92.60.30.443 > 192.168.108.2.80: Flags [S], seq 
3177512960, win 51894, options [mss 1408,sackOK,TS val 4033677410 ecr 0,nop,wscale 
7], length 0
09:47:31.456937 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 
1042087936, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 
7], length 0
09:47:31.461961 IP 27.124.10.226.443 > 192.168.108.2.80: Flags [S], seq 
3200516096, win 51894, options [mss 1403,sackOK,TS val 2314013026 ecr 0,nop,wscale 
7], length 0

Examples where my machine sends a reply:

09:47:31.658790 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 
612564992, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 
7], length 0
09:47:31.659442 IP 192.168.108.2.80 > 154.39.104.67.443: Flags [S.], seq 
3770299450, ack 1858732033, win 65160, options [mss 1460,sackOK,TS val 164888251 
ecr 395513698,nop,wscale 7], length 0

09:47:31.756220 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 
2992898048, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 
7], length 0
09:47:31.756272 IP 192.168.108.2.80 > 5.45.73.147.443: Flags [.], ack 
1226309633, win 509, options [nop,nop,TS val 2085784149 ecr 994101358], length 0


On 12/21/23 05:10, Alain D D Williams wrote:
> ... I do run a web server at home, but there is only a little/personal
> stuff, it does not receive much real traffic, I do not want it to.
> Most of my web presence is hosted elsewhere.


On 12/21/23 06:58, Alain D D Williams wrote:
> I have been with my ISP for 14 years (moved to get IPv6), for various
> reasons I cannot change to a tariff that will give me [more bandwidth]
> (their support has also fallen through the floor) - I need to change
> (& the landline) and then I prolly would not care [about probe
> bandwidth consumption].


On 12/21/23 06:58, Alain D D Williams wrote:
> They might be trying to hijack an existing TCP connection or, even
> simpler, cause my machine problems by having many, many 1/2 set up TCP
> connections (which uses memory until they expire).


On 12/21/23 07:24, Alain D D Williams wrote:
> ... I have [a firewall].
>
> The issue is broadband usage - ie before it hits the firewall.


On 12/21/23 07:50, Alain D D Williams wrote:
> I am looking at incoming packets with tcpdump. This sees packets
> *before* they are filtered by iptables.

> [My firewall is] hand rolled. Reasonably complicated (over 300 rules)
> as it deals with: internet, VPN, DMZ, internal network for virtual
> machines.
>
> It is NOT a firewall issue.

> My firewall *cannot* deal with packets before they hit my machine.
> They only hit my machine after they have arrived over broadband.
>
> The only thing that I might be able to do is to somehow prevent
> discovery that my machine is listening on port 80 -- that would mean
> somehow distinguishing between a genuine visitor and one that is
> mapping the Internet to later pass that map somewhere else which
> generates the unwanted traffic that I see.

> How do I distinguish between wanted & unwanted connections? The only
> thing that I can think of is to DROP incoming packets if the source
> port is 80 or 443 - which would disrupt the mapping process.
>
> However: if the mapping process uses normal TCP (ie high/random port
> number) this would do little.


On 12/21/23 10:04, Alain D D Williams wrote:
> The words "web server" is ambiguous. It can mean my machine, ie can mean
> the Apache process. The packets are hitting the machine (evidence
> tcpdump) but not the process (as the TCP startup does not complete).


Some of the lines of tcpdump(8) output may indicate a SYN flood attack:

https://en.wikipedia.org/wiki/Syn_flood


It sounds like your Internet connection is VDSL over POTS? Do you have a residential gateway device with the modem, a few (4?) Ethernet LAN ports, Wi-Fi access point, a switch, DHCP server, NAT, router, firewall, etc.? If not, please describe the device that connects your home to the Internet and how it is connected to your Debian home PC.


Perhaps you could set up a DMZ, move services into the DMZ, and provide a VPN connection to the DMZ for your Internet users. Then you could close all of the incoming WAN ports except VPN.


It might be possible to put the VPN endpoint into a VPS, create an SSH tunnel out from the httpd server to the VPS, and close all of the WAN incoming ports.


David
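As an added illustration of the SYN-flood reading (not part of the thread), here is a small Python parser for tcpdump lines like the ones quoted above. It buckets inbound bare SYNs per second, flags a window when most of its SYNs carry a source port of 80 or 443 (the oddity Alain noticed, since a genuine browser uses an ephemeral source port), and counts the SYN-ACKs the host sent back, i.e. half-open connections that consumed kernel state. The threshold and window size are assumptions for the sample; tune them to the real capture.

```python
import re
from collections import defaultdict

# Sample tcpdump(8) lines: the first three are copied from the capture above
# (re-joined onto single lines); the fourth is constructed: a SYN from an
# ordinary ephemeral source port, as a real visitor's browser would send.
SAMPLE = """\
09:47:31.416452 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2724200448, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0
09:47:31.417861 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 925237248, win 51894, options [mss 1407,sackOK,TS val 756418658 ecr 0,nop,wscale 7], length 0
09:47:31.659442 IP 192.168.108.2.80 > 154.39.104.67.443: Flags [S.], seq 3770299450, ack 1858732033, win 65160, options [mss 1460,sackOK,TS val 164888251 ecr 395513698,nop,wscale 7], length 0
09:47:32.100000 IP 203.0.113.9.51234 > 192.168.108.2.80: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?win (?P<win>\d+)"
)

def parse(line):
    """Parse one tcpdump line into a dict, or None for lines of another shape."""
    m = LINE.match(line)
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "win"):
        p[k] = int(p[k])
    h, mi, s = p["ts"].split(":")
    p["t"] = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
    return p

def analyse(text, local_ip, window=1.0, syn_threshold=10):
    """Bucket inbound bare SYNs to local_ip per window; flag a window when it holds
    >= syn_threshold SYNs and most come from source port 80/443. Also count SYN-ACKs."""
    pkts = [p for p in map(parse, text.splitlines()) if p]
    syn_acks = sum(p["src"] == local_ip and p["flags"] == "S." for p in pkts)
    buckets = defaultdict(list)
    for p in pkts:
        if p["dst"] == local_ip and p["flags"] == "S":
            buckets[int(p["t"] // window)].append(p)
    windows = []
    for start in sorted(buckets):
        syns = buckets[start]
        from_srv = sum(p["sport"] in (80, 443) for p in syns)
        windows.append({
            "start": start * window, "syns": len(syns),
            "sources": len({p["src"] for p in syns}), "from_server_ports": from_srv,
            "flagged": len(syns) >= syn_threshold and from_srv * 2 > len(syns),
        })
    return {"windows": windows, "half_open_replies": syn_acks}
```

Feed it the output of `tcpdump -n -i enp3s0 'tcp[tcpflags] & tcp-syn != 0'` over a few minutes to see how many sources and how many half-open replies each second produces.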
