Re: Unknown process modifying routing table
On Feb 06 12:18:40, ja...@jmp-e.com wrote:
> I've disabled my VPN on the machine as well as dhclient, connecting via a
> fixed static IP address and DNS servers.

That would be a much easier environment to debug this. So please show your hostname.if, mygate and your routing table right after boot, and the log of

script -c 'route -n monitor' route.log

at least up to the first change.
Re: Unknown process modifying routing table
On Sat, Feb 06, 2021 at 02:16:20PM +0100, Otto Moerbeek wrote:
> On Sat, Feb 06, 2021 at 12:18:40PM +, James wrote:
> > I've disabled my VPN on the machine as well as dhclient, connecting via a
> > fixed static IP address and DNS servers. My routing table is still being
> > modified by PID 0 (which I assume to be the kernel) every 30 minutes or so.
> > Ntpd is also disabled.
> >
> > I have also caught my machine communicating to one of the IPs via TCP
> > and have a pcap dump from wireshark. No actual data was sent other than a
> > TCP timestamp.
> >
> > > If your default route is a VPN,
> > > please show how you establish the VPN to be your default route.
> >
> > The default route is established manually in a script that is run after the
> > VPN starts. Essentially it does the following:
> >
> > route add $VPN_HOST $DEFAULT_GW
> > route change default $VPN_HOST
> >
> > I do not believe the VPN to be the cause of this problem.
> >
> > Any tips on debugging the kernel to track the cause of these route changes
> > would be greatly appreciated.
> >
> > Thanks,
>
> The kernel uses the routing table to store things like PMTU discovery
> data and ARP entries,

Also showing the route -n monitor output will help to identify what is going on.

-- 
:wq Claudio
Re: Unknown process modifying routing table
I've disabled my VPN on the machine as well as dhclient, connecting via a fixed static IP address and DNS servers. My routing table is still being modified by PID 0 (which I assume to be the kernel) every 30 minutes or so. Ntpd is also disabled.

I have also caught my machine communicating to one of the IPs via TCP and have a pcap dump from wireshark. No actual data was sent other than a TCP timestamp.

> If your default route is a VPN,
> please show how you establish the VPN to be your default route.

The default route is established manually in a script that is run after the VPN starts. Essentially it does the following:

route add $VPN_HOST $DEFAULT_GW
route change default $VPN_HOST

I do not believe the VPN to be the cause of this problem.

Any tips on debugging the kernel to track the cause of these route changes would be greatly appreciated.

Thanks,
Re: Unknown process modifying routing table
On Sat, Feb 06, 2021 at 12:18:40PM +, James wrote:
> I've disabled my VPN on the machine as well as dhclient, connecting via a
> fixed static IP address and DNS servers. My routing table is still being
> modified by PID 0 (which I assume to be the kernel) every 30 minutes or so.
> Ntpd is also disabled.
>
> I have also caught my machine communicating to one of the IPs via TCP
> and have a pcap dump from wireshark. No actual data was sent other than a
> TCP timestamp.
>
> > If your default route is a VPN,
> > please show how you establish the VPN to be your default route.
>
> The default route is established manually in a script that is run after the
> VPN starts. Essentially it does the following:
>
> route add $VPN_HOST $DEFAULT_GW
> route change default $VPN_HOST
>
> I do not believe the VPN to be the cause of this problem.
>
> Any tips on debugging the kernel to track the cause of these route changes
> would be greatly appreciated.
>
> Thanks,

The kernel uses the routing table to store things like PMTU discovery data and ARP entries,

-Otto
Re: Unknown process modifying routing table
On Jan 26 15:10:03, ja...@jmp-e.com wrote:
> Hi all,
>
> My routing table is being modified by an unknown process.
>
> I have system accounting enabled and I'm monitoring route changes
> but the PID of the process reported by `route monitor` is always 0
> for these unknown changes.
>
> I've seen my default route (VPN) being deleted and new routes being
> added for specific IPs. I'm out of ideas how to find out what process
> is modifying my routing table.

If your default route is a VPN, please show how you establish the VPN to be your default route.

> Here are the logs:
>
> bash-5.0# route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.0.0.1           UGS       15      635     -     8 pair1
> 224/4              127.0.0.1          URS        0        0 32768     8 lo0
> 10.0.0/24          10.0.0.2           UCn        1        0     -     4 pair1
> 10.0.0.1           xx:xx:xx:xx:xx:xx  UHLch     20       76     -     3 pair1
> 10.0.0.2           xx:xx:xx:xx:xx:xx  UHLl       0      251     -     1 pair1
> 10.0.0.255         10.0.0.2           UHb        0        0     -     1 pair1
> 10.2.0.1           10.0.0.1           UGHD       1      599     - L   8 pair1
> 13.35.193.117      10.0.0.1           UGHD       1      616     - L   8 pair1
> 13.224.227.64      10.0.0.1           UGHD       1      611     - L   8 pair1
> 52.48.109.111      10.0.0.1           UGHD       1      614     - L   8 pair1
> 52.84.91.7         10.0.0.1           UGHD       1      574     - L   8 pair1
> 99.84.5.230        10.0.0.1           UGHD       1      620     - L   8 pair1
> 104.16.9.251       10.0.0.1           UGHD       0      289  1350     8 pair1
> 104.16.241.18      10.0.0.1           UGHD       1      610     - L   8 pair1
> 104.18.26.20       10.0.0.1           UGHD       1      609     - L   8 pair1
> 104.21.22.28       10.0.0.1           UGHD       1      617     - L   8 pair1
> 108.177.120.136    10.0.0.1           UGHD       1      625     - L   8 pair1
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       8     7322 32768     1 lo0
> 140.82.121.3       10.0.0.1           UGHD       1      636     - L   8 pair1
> 142.250.186.129    10.0.0.1           UGHD       1      604     - L   8 pair1
> 157.230.120.63     10.0.0.1           UGHD       1      596     - L   8 pair1
> 172.67.203.118     10.0.0.1           UGHD       1      607     - L   8 pair1
> 172.217.169.86     10.0.0.1           UGHD       1      632     - L   8 pair1
> 185.199.111.154    10.0.0.1           UGHD       2      633     - L   8 pair1
> 216.58.206.132     10.0.0.1           UGHD       1      624     - L   8 pair1
> 216.58.212.227     10.0.0.1           UGHD       1      629     - L   8 pair1
>
> The routes for 216.58.212.227, 216.58.206.132, 185.199.111.154,
> 172.217.169.86, 172.67.203.118, 157.230.120.63, 142.250.186.129,
> 140.82.121.3, 108.177.120.136, 104.21.22.28, 104.18.26.20,
> 104.16.241.18, 104.16.9.251, 99.84.5.230, 52.48.109.111, 52.84.5.230,
> 13.224.227.64, 13.35.193.117 are completely unknown and not added by
> myself.

These are probably added by your VPN setup.

Jan
Unknown process modifying routing table
Hi all,

My routing table is being modified by an unknown process.

I have system accounting enabled and I'm monitoring route changes but the PID of the process reported by `route monitor` is always 0 for these unknown changes.

I've seen my default route (VPN) being deleted and new routes being added for specific IPs. I'm out of ideas how to find out what process is modifying my routing table.

Here are the logs:

bash-5.0# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS       15      635     -     8 pair1
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.0.0/24          10.0.0.2           UCn        1        0     -     4 pair1
10.0.0.1           xx:xx:xx:xx:xx:xx  UHLch     20       76     -     3 pair1
10.0.0.2           xx:xx:xx:xx:xx:xx  UHLl       0      251     -     1 pair1
10.0.0.255         10.0.0.2           UHb        0        0     -     1 pair1
10.2.0.1           10.0.0.1           UGHD       1      599     - L   8 pair1
13.35.193.117      10.0.0.1           UGHD       1      616     - L   8 pair1
13.224.227.64      10.0.0.1           UGHD       1      611     - L   8 pair1
52.48.109.111      10.0.0.1           UGHD       1      614     - L   8 pair1
52.84.91.7         10.0.0.1           UGHD       1      574     - L   8 pair1
99.84.5.230        10.0.0.1           UGHD       1      620     - L   8 pair1
104.16.9.251       10.0.0.1           UGHD       0      289  1350     8 pair1
104.16.241.18      10.0.0.1           UGHD       1      610     - L   8 pair1
104.18.26.20       10.0.0.1           UGHD       1      609     - L   8 pair1
104.21.22.28       10.0.0.1           UGHD       1      617     - L   8 pair1
108.177.120.136    10.0.0.1           UGHD       1      625     - L   8 pair1
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       8     7322 32768     1 lo0
140.82.121.3       10.0.0.1           UGHD       1      636     - L   8 pair1
142.250.186.129    10.0.0.1           UGHD       1      604     - L   8 pair1
157.230.120.63     10.0.0.1           UGHD       1      596     - L   8 pair1
172.67.203.118     10.0.0.1           UGHD       1      607     - L   8 pair1
172.217.169.86     10.0.0.1           UGHD       1      632     - L   8 pair1
185.199.111.154    10.0.0.1           UGHD       2      633     - L   8 pair1
216.58.206.132     10.0.0.1           UGHD       1      624     - L   8 pair1
216.58.212.227     10.0.0.1           UGHD       1      629     - L   8 pair1

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::/96              ::1                UGRS       0        0 32768     8 lo0
::1                ::1                UHhl      10       32 32768     1 lo0
:::0.0.0.0/96      ::1                UGRS       0        0 32768     8 lo0
2002::/24          ::1                UGRS       0        0 32768     8 lo0
2002:7f00::/24     ::1                UGRS       0        0 32768     8 lo0
2002:e000::/20     ::1                UGRS       0        0 32768     8 lo0
2002:ff00::/24     ::1                UGRS       0        0 32768     8 lo0
fe80::/10          ::1                UGRS       0        0 32768     8 lo0
fec0::/10          ::1                UGRS       0        0 32768     8 lo0
fe80::1%lo0        fe80::1%lo0        UHl        0        0 32768     1 lo0
ff01::/16          ::1                UGRS       5        5 32768     8 lo0
ff01::%lo0/32      fe80::1%lo0        Um         0        1 32768     4 lo0
ff02::/16          ::1                UGRS       5        5 32768     8 lo0
ff02::%lo0/32      fe80::1%lo0        Um         0        1 32768     4 lo0

The routes for 216.58.212.227, 216.58.206.132, 185.199.111.154, 172.217.169.86, 172.67.203.118, 157.230.120.63, 142.250.186.129, 140.82.121.3, 108.177.120.136, 104.21.22.28, 104.18.26.20, 104.16.241.18, 104.16.9.251, 99.84.5.230, 52.48.109.111, 52.84.5.230, 13.224.227.64, 13.35.193.117 are completely unknown and not added by myself.

bash-5.0# route monitor
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
flags:
fmask:
use:0   mtu:0   expire:0
locks:  inits:
sockaddrs:
 172.67.203.118 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
got message of size 176 on Tue Jan 26 13:13:16 2021
RTM_DELETE:
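A triage helper for the two outputs this thread asks for, `route -n show` and a `route monitor` log; this is an added example, not code from the thread or from OpenBSD. It parses a constructed sample modelled on the posted listing and, following Claudio's point that the kernel itself stores PMTU discovery and ARP state in the routing table, separates pid-0 changes to D-flagged (kernel-created) host routes from changes that deserve a closer look. The RTM_ADD event with pid 4242 and 198.51.100.7 is invented for contrast.

```python
import re
# Constructed sample modelled on the thread's `route -n show` listing; `L` after Mtu = locked MTU
ROUTE_SHOW = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS       15      635     -     8 pair1
172.67.203.118     10.0.0.1           UGHD       1      607     - L   8 pair1
104.16.9.251       10.0.0.1           UGHD       0      289  1350     8 pair1
"""
# Constructed `route monitor` sample: RTM_DELETE as in the original post; RTM_ADD (pid 4242) invented
ROUTE_MONITOR = """\
RTM_DELETE: Delete Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 0, seq 0, errno 0
sockaddrs:
 172.67.203.118 10.0.0.1 xx:xx:xx:xx:xx:xx 10.0.0.2
RTM_ADD: Add Route: len 176, priority 8, table 0, if# 8, name pair1, pid: 4242, seq 1, errno 0
sockaddrs:
 198.51.100.7 10.0.0.1
"""

def parse_route_show(text):
    # destination -> (flags, mtu, mtu_locked); a row has 9 tokens when the `L` marker is present
    table = {}
    for p in (line.split() for line in text.splitlines()):
        if len(p) in (8, 9) and p[0] != "Destination":
            table[p[0]] = (p[2], p[5], p[6] == "L")
    return table

def owner(flags):
    # D = kernel-created dynamic route (e.g. PMTU discovery host route, changed with pid 0); S = route(8)/daemon
    return "kernel" if "D" in flags else "static" if "S" in flags else "local"

def parse_route_monitor(text):
    events, want_addrs = [], False   # -> [(msg_type, pid, destination), ...]
    for line in text.splitlines():
        m = re.match(r"(RTM_\w+):.*\bpid:\s*(\d+)", line)
        if m:
            events.append([m.group(1), int(m.group(2)), None])
        elif line.startswith("sockaddrs:"):
            want_addrs = True
        elif want_addrs and line.strip() and events:
            events[-1][2], want_addrs = line.split()[0], False   # DST is the first sockaddr
    return [tuple(e) for e in events]

def triage(show_text, monitor_text):
    # label each monitor event as expected kernel housekeeping or something to chase
    table, out = parse_route_show(show_text), []
    for kind, pid, dest in parse_route_monitor(monitor_text):
        if pid != 0:
            why = "userland pid %d: match it against ps/lastcomm" % pid
        elif dest in table and owner(table[dest][0]) == "kernel":
            why = "kernel-created host route expiring: expected"
        else:
            why = "pid 0 change to a non-dynamic route: investigate"
        out.append((kind, dest, why))
    return out
```

Feed it the real `route -n show` output taken right after boot and the `script`-captured `route -n monitor` log; a pid-0 delete of a route that was never D-flagged is the case worth chasing.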