[Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

2019-01-12 Thread Shengjing Zhu
Hi,

While bringing my key server back up tonight, I found unusual
traffic for keys 0x69D2EAD9 and 0xB33B4659. It caused load on my server
when it tried to sync up with the network.

Request counted in 2h:

178 0xB33B4659
186 0x69D2EAD9
290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
336 0x1013D73FECAC918A0A25823986CE877469D2EAD9

Requests come from pool.sks-keyservers.net. Compared to the number of
servers behind the pool, I think these requests are quite unusual.
Does anyone know what is happening with these two keys?

-- 
Regards,
Shengjing Zhu

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
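As an added example (not code from the thread or from the SKS project): a small Python script that does the per-key counting Shengjing describes, over a time window of HKP lookup log lines. It folds short key IDs, long key IDs and full fingerprints onto the same 8-hex suffix, so 0xB33B4659 and 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659 are counted as one key rather than two separate rows, reports each key's share of all requests in the window plus the number of distinct client addresses (the "same IP or allocation block?" question), and flags keys above a share threshold. The line format and the sample lines are constructed for the example and are not SKS's real log format; the field order is an assumption a reader would adapt to their own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, one request per line: "<ISO timestamp> <client ip> <request path>".
# This is NOT the real SKS log format; adapt parse_line() to whatever your server writes.
SAMPLE_LOG = """\
2019-01-12T10:01:02 203.0.113.5 /pks/lookup?op=get&search=0xB33B4659
2019-01-12T10:01:09 198.51.100.7 /pks/lookup?op=get&search=0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
2019-01-12T10:02:30 203.0.113.9 /pks/lookup?op=get&search=0x69D2EAD9
2019-01-12T10:03:11 192.0.2.44 /pks/lookup?op=get&search=0x1013D73FECAC918A0A25823986CE877469D2EAD9
2019-01-12T10:05:00 192.0.2.45 /pks/lookup?op=get&search=0x1013D73FECAC918A0A25823986CE877469D2EAD9
2019-01-12T10:07:19 203.0.113.77 /pks/lookup?op=index&search=alice%40example.org
2019-01-12T10:09:41 198.51.100.8 /pks/lookup?op=get&search=0xB33B4659
2019-01-12T13:00:00 203.0.113.5 /pks/lookup?op=get&search=0xB33B4659
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
# Short key ID (8 hex), long key ID (16 hex) or full v4 fingerprint (40 hex), optional 0x prefix.
HEX_ID_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")


def normalise_key(search):
    """Map a hex search term to its 8-hex short key ID (the low 32 bits of the
    fingerprint, uppercase). Non-hex searches (user IDs, e-mail addresses) give None."""
    m = HEX_ID_RE.match(search)
    if not m:
        return None
    return m.group(1)[-8:].upper()


def parse_line(line):
    """Return (timestamp, client_ip, normalised_key) for a lookup line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, path = m.groups()
    search = parse_qs(urlsplit(path).query).get("search", [None])[0]
    if search is None:
        return None
    return datetime.fromisoformat(ts), ip, normalise_key(search)


def key_traffic(log_text, window=timedelta(hours=2), start=None):
    """Count lookups per key inside [start, start + window). Returns
    ({key: {"requests", "share", "distinct_ips"}}, total_requests_in_window)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    if not records:
        return {}, 0
    start = start or min(r[0] for r in records)
    end = start + window
    counts, ips, total = defaultdict(int), defaultdict(set), 0
    for ts, ip, key in records:
        if not (start <= ts < end):
            continue
        total += 1                      # every lookup counts toward the share denominator
        if key is None:
            continue                    # non-hex searches are not attributed to a key
        counts[key] += 1
        ips[key].add(ip)
    stats = {
        k: {"requests": counts[k], "share": counts[k] / total, "distinct_ips": len(ips[k])}
        for k in counts
    }
    return stats, total


def flag_hot_keys(stats, min_share=0.10):
    """Keys whose share of window traffic is at or above min_share, busiest first."""
    hot = [k for k, s in stats.items() if s["share"] >= min_share]
    return sorted(hot, key=lambda k: -stats[k]["requests"])


if __name__ == "__main__":
    stats, total = key_traffic(SAMPLE_LOG)
    print(f"{total} lookups in window")
    for key in flag_hot_keys(stats):
        s = stats[key]
        print(f"0x{key}: {s['requests']} requests, {s['share']:.0%} of traffic, "
              f"{s['distinct_ips']} distinct client IPs")
```

Because the share is computed against all lookups in the window, a key that reaches Gabor's 15% figure shows up regardless of absolute volume, and the distinct-IP count separates a broad client population (many installs fetching the same key) from a single noisy source, which is the distinction brent asks about.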


Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

2019-01-12 Thread brent s.
On 1/12/19 2:15 PM, Shengjing Zhu wrote:
> Hi,
> 
> While bringing my key server back up tonight, I found unusual
> traffic for keys 0x69D2EAD9 and 0xB33B4659. It caused load on my server
> when it tried to sync up with the network.
> 
> Request counted in 2h:
> 
> 178 0xB33B4659
> 186 0x69D2EAD9
> 290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
> 336 0x1013D73FECAC918A0A25823986CE877469D2EAD9
> 
> Requests come from pool.sks-keyservers.net. Compared to the number of
> servers behind the pool, I think these requests are quite unusual.
> Does anyone know what is happening with these two keys?
> 

they're for FreePBX and have caused at least one other issue:

https://lists.gnu.org/archive/html/sks-devel/2018-07/msg00077.html

based on this:

https://www.dslreports.com/forum/r30661088-PBX-FreePBX-for-the-Raspberry-Pi~start=810

it would SEEM they're part of the FreePBX installation process, but it's
possible that something from normal operation even fetches the key
operationally and frequently.

i see three possible situations:

0.) a recent update was made to FreePBX that fetches the key, even if it
exists in the keyring or a key refresh is called (very likely)
1.) a random attack targeting you specifically is occurring and they just
randomly picked that key ID (a little likely, but not very)
2.) the key has been compromised and is being used as part of a botnet
for some purpose (extremely unlikely)

i'll see if i can find out from the freepbx source/the project devs.

will reply when i have further info.


meanwhile, can you let us know if those requests are all coming from the
same IP or allocation block?

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info





Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

2019-01-12 Thread Shengjing Zhu
Sorry for top replying. I'm using mobile phone.

Requests are coming from different networks, at least hundreds of IPs.

And it seems my server (pgp.ustc.edu.cn) is down again... I'll check it when
I get home. If it's caused by the two keys... I may blacklist them...

brent s. wrote on Sun, 13 Jan 2019 at 04:45:

> On 1/12/19 2:15 PM, Shengjing Zhu wrote:
> > Hi,
> >
> > While bringing my key server back up tonight, I found unusual
> > traffic for keys 0x69D2EAD9 and 0xB33B4659. It caused load on my server
> > when it tried to sync up with the network.
> >
> > Request counted in 2h:
> >
> > 178 0xB33B4659
> > 186 0x69D2EAD9
> > 290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
> > 336 0x1013D73FECAC918A0A25823986CE877469D2EAD9
> >
> > Requests come from pool.sks-keyservers.net. Compared to the number of
> > servers behind the pool, I think these requests are quite unusual.
> > Does anyone know what is happening with these two keys?
> >
>
> they're for FreePBX and have caused at least one other issue:
>
> https://lists.gnu.org/archive/html/sks-devel/2018-07/msg00077.html
>
> based on this:
>
>
> https://www.dslreports.com/forum/r30661088-PBX-FreePBX-for-the-Raspberry-Pi~start=810
>
> it would SEEM they're part of the FreePBX installation process, but it's
> possible that something from normal operation even fetches the key
> operationally and frequently.
>
> i see three possible situations:
>
> 0.) a recent update was made to FreePBX that fetches the key, even if it
> exists in the keyring or a key refresh is called (very likely)
> 1.) a random attack targeting you specifically is occurring and they just
> randomly picked that key ID (a little likely, but not very)
> 2.) the key has been compromised and is being used as part of a botnet
> for some purpose (extremely unlikely)
>
> i'll see if i can find out from the freepbx source/the project devs.
>
> will reply when i have further info.
>
>
> meanwhile, can you let us know if those requests are all coming from the
> same IP or allocation block?
>
> --
> brent saner
> https://square-r00t.net/
> GPG info: https://square-r00t.net/gpg-info
>


Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

2019-01-12 Thread brent s.
On 1/13/19 12:15 AM, Shengjing Zhu wrote:
> Sorry for top replying. I'm using mobile phone.
> 
> Requests are coming from different networks, at least hundreds of IPs.
> 
> And it seems my server (pgp.ustc.edu.cn) is down
> again... I'll check it when I get home. If it's caused by the two keys...
> I may blacklist them...
> 

i've asked on FreePBX's channel and emailed the organization directly
(via their key's UID info) but have not yet gotten a response from
either. it IS the weekend, so it may be a bit...

meanwhile you may want to firewall off your HKP port(s) (recon port
should still be fine to keep open, but someone correct me if not) and
disable the forwarding for HKPS (if you have it).


-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info





Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

2019-01-12 Thread Gabor Kiss
> Request counted in 2h:
> 
> 178 0xB33B4659
> 186 0x69D2EAD9
> 290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
> 336 0x1013D73FECAC918A0A25823986CE877469D2EAD9

I checked my logs. 15% of the recent 18k requests were related to these keys.
They belong to:

FreePBX Module Signing (This is the master key to sign FreePBX Modules) 

FreePBX Mirror 1 (Module Signing - 2014/2015) 

I guess there was some software upgrade on tens of thousands of Asterisk nodes.
Looks normal.

Gabor



Re: [Sks-devel] Unusual traffic for key 0x69D2EAD9 and 0xB33B4659

2019-01-12 Thread brent s.
On 1/13/19 1:49 AM, Gabor Kiss wrote:
>> Request counted in 2h:
>>
>> 178 0xB33B4659
>> 186 0x69D2EAD9
>> 290 0x2016349F5BC6F49340FCCAF99F9169F4B33B4659
>> 336 0x1013D73FECAC918A0A25823986CE877469D2EAD9
> 
> I checked my logs. 15% of the recent 18k requests were related to these keys.
> They belong to:
> 
> FreePBX Module Signing (This is the master key to sign FreePBX Modules) 
> 
> FreePBX Mirror 1 (Module Signing - 2014/2015) 
> 
> I guess there was some software upgrade on tens of thousands of Asterisk nodes.
> Looks normal.
> 
> Gabor

last stable release was may 2018, so i'm not sure on that personally.
i'd expect a lot MORE if that were the case.[0] it's... a really popular
piece of software. i even used it when i managed some VoIP systems.

it's just at the amount where it's inordinately high, but low enough to
make me not think it was something like a new release.



[0] "With over 1 MILLION production systems worldwide and 20,000 new
systems installed monthly, ..."
https://www.freepbx.org/

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info


