Strange route entry from China


Strange route entry from China

Johan Ryberg
Hi,

Please forgive my ignorance.

I have a small lab and I noticed this IP in the routing table:
61.174.51.232, resolves to
232.51.174.61.dial.wz.zj.dynamic.163data.com.cn

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.66.1       UGS        7    39270     -     8 em0
61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
192.168.66/24      link#1             UC         1        0     -     4 em0
192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
224/4              127.0.0.1          URS        0        0 33144     8 lo0



It came and disappeared quite fast.

The box is a more or less stock OpenBSD 5.5.

Is it normal that entries like this come and go?

Best regards Johan


Re: Strange route entry from China

Amit Kulkarni-5
On Tue, May 13, 2014 at 3:27 PM, Johan Ryberg <[hidden email]> wrote:

> Hi,
>
> Please forgive my ignorance.
>
> I have a small lab and I noticed this IP in the routing table:
> 61.174.51.232, resolves to
> 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn
>
> # route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            192.168.66.1       UGS        7    39270     -     8 em0
> 61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
> 127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
> 127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
> 192.168.66/24      link#1             UC         1        0     -     4 em0
> 192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
> 224/4              127.0.0.1          URS        0        0 33144     8 lo0
>
>
>
> It came and disappeared quite fast.
>
> The box is a more or less stock OpenBSD 5.5.
>
> Is it normal that entries like this come and go?
>
>
>
Labs are prime targets for scanning for vulnerable machines.


Re: Strange route entry from China

Stuart McMurray
On Tuesday, May 13, 2014, Amit Kulkarni <[hidden email]> wrote:

> On Tue, May 13, 2014 at 3:27 PM, Johan Ryberg <[hidden email]> wrote:
>
> > Hi,
> >
> > Please forgive my ignorance.
> >
> > I have a small lab and I noticed this IP in the routing table:
> > 61.174.51.232, resolves to
> > 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn
> >
> > # route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > default            192.168.66.1       UGS        7    39270     -     8 em0
> > 61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
> > 127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
> > 127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
> > 192.168.66/24      link#1             UC         1        0     -     4 em0
> > 192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
> > 224/4              127.0.0.1          URS        0        0 33144     8 lo0
> >
> >
> >
> > It came and disappeared quite fast.
> >
> > The box is a more or less stock OpenBSD 5.5.
> >
> > Is it normal that entries like this come and go?
> >
> >
> >
> Labs are prime targets for scanning for vulnerable machines.
>
> And, 163data.com.cn is a large source of shady activity.


--
J. Stuart McMurray


Re: Strange route entry from China

Johan Beisser
>> On May 13, 2014, at 18:47, Stuart McMurray <[hidden email]> wrote:
>>
>>
>> And, 163data.com.cn is a large source of shady activity.


I blocked the bulk of China and Asia outright at the router.

Quick solution, if not clean.


Re: Strange route entry from China

Johan Ryberg
Yes, it's related to a SSH brute force attack.

I have just never seen the "client" IP in the routing table before. My
IP does not exist in the routing table when I SSH to the host.

I have a hard time to understand the mechanism that added the IP to the
table.

Is this something that can be explained?

Best regards Johan

On 14 May 2014 at 04:09, "Johan Beisser" <[hidden email]> wrote:

>
>
> >> On May 13, 2014, at 18:47, Stuart McMurray <[hidden email]> wrote:
> >>
> >>
> >> And, 163data.com.cn is a large source of shady activity.
>
>
> I blocked the bulk of China and Asia outright at the router.
>
> Quick solution, if not clean.


Re: Strange route entry from China

Johan Beisser
On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg <[hidden email]> wrote:
> Yes, it's related to a SSH brute force attack.
>
> I have just never seen the "client" IP in the routing table before. My
> IP does not exist in the routing table when I SSH to the host.

The IP shouldn't be there, at all. But, according to the route flags
('D' in this case), it's in there due to a redirect.

> I have a hard time to understand the mechanism that added the IP to the
> table.
>
> Is this something that can be explained?

My assumption is there was an ICMP redirect that added the IP to your table.

Check to see if you're accepting redirects. By default, OpenBSD has them turned off.


Re: Strange route entry from China

Otto Moerbeek
On 14 May 2014 at 07:48, Johan Beisser <[hidden email]> wrote:

> On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg <[hidden email]> wrote:
>> Yes, it's related to a SSH brute force attack.
>>
>> I have just never seen the "client" IP in the routing table before. My
>> IP does not exist in the routing table when I SSH to the host.
>
> The IP shouldn't be there, at all. But, according to the route flags
> ('D' in this case), it's in there due to a redirect.
>
>> I have a hard time to understand the mechanism that added the IP to the
>> table.
>>
>> Is this something that can be explained?
>
> My assumption is there was an ICMP redirect that added the IP to your table.
>
> Check to see if you're accepting redirects. By default, OpenBSD has them turned off.

There are more reasons dynamic route entries are created. For example, to record the results of path MTU discovery.

 -Otto
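
The two replies above explain the entry through its flags: the D in UGHD marks a route the kernel installed on its own (an ICMP redirect or, as Otto notes, a path MTU discovery result), and the L that route(8) prints beside the Mtu column marks a locked MTU. As an added example that is not part of the thread and not any poster's code, here is a small Python parser for `route -n show` output that decodes the flag letters per OpenBSD's netstat(1) legend and pulls out exactly those kernel-installed host routes, so they can be reviewed instead of spotted by luck. The routing table embedded in it is a constructed copy of the one posted at the top; the flag legend is OpenBSD's, and the only assumption beyond the page is the reading of the L marker as "MTU locked". For reference, the sysctls involved on OpenBSD are net.inet.icmp.rediraccept (redirect acceptance, 0 by default) and net.inet.ip.mtudisctimeout (how long a PMTU host route lives, 600 seconds by default), which is consistent with an entry that appears and vanishes on its own.

```python
#!/usr/bin/env python3
"""Decode OpenBSD `route -n show` output and pull out dynamic host routes.

Added example for this thread, not code from any of the posters. Flag
letters follow the legend in OpenBSD's netstat(1)/route(8). SAMPLE is a
constructed copy of the routing table posted at the top of the thread.
"""
import sys

# Flag letters as printed by OpenBSD netstat/route. Unknown letters are
# passed through unchanged so a different kernel does not break the parser.
FLAG_NAMES = {
    "U": "up",
    "G": "gateway",
    "H": "host",
    "R": "reject",
    "D": "dynamic (kernel-installed: ICMP redirect or PMTU discovery)",
    "M": "modified (by redirect)",
    "S": "static",
    "C": "cloning",
    "c": "cloned",
    "L": "link-layer (address resolution)",
    "l": "local",
    "B": "blackhole",
}

SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.66.1       UGS        7    39270     -     8 em0
61.174.51.232      192.168.66.1       UGHD       1    38722     - L  56 em0
127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         4     1244 33144     4 lo0
192.168.66/24      link#1             UC         1        0     -     4 em0
192.168.66.1       00:1b:17:bd:8d:11  UHLc       2        0     -     4 em0
224/4              127.0.0.1          URS        0        0 33144     8 lo0
"""


def parse_routes(text):
    """Parse the 'Internet:' section into a list of dicts, one per route."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            in_inet = False
            continue
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        tok = line.split()
        # Columns: Destination Gateway Flags Refs Use Mtu [L] Prio Iface.
        # route(8) prints an extra "L" after the Mtu field when the MTU is
        # locked (assumed reading of the marker), so a row has 8 or 9 tokens.
        if len(tok) == 9 and tok[6] == "L":
            mtu_locked = True
        elif len(tok) == 8:
            mtu_locked = False
        else:
            continue  # not a route row, or a layout this parser does not know
        dest, gw, flags, refs, use, mtu = tok[:6]
        routes.append({
            "dest": dest, "gateway": gw, "flags": flags,
            "flag_names": [FLAG_NAMES.get(f, f) for f in flags],
            "refs": int(refs), "use": int(use),
            "mtu": None if mtu == "-" else int(mtu), "mtu_locked": mtu_locked,
            "prio": int(tok[-2]), "iface": tok[-1],
        })
    return routes


def dynamic_host_routes(text):
    """Routes nobody configured: flag D (kernel-installed) on a host route.

    This is the kind of entry the thread is about: a single remote address
    that shows up by itself, pointing at the default gateway.
    """
    return [r for r in parse_routes(text)
            if "D" in r["flags"] and "H" in r["flags"]]


def describe(route):
    """One-line, human-readable summary of a parsed route."""
    mtu = "-" if route["mtu"] is None else str(route["mtu"])
    if route["mtu_locked"]:
        mtu += " (locked)"
    return "%s via %s on %s: %s; mtu %s; use %d" % (
        route["dest"], route["gateway"], route["iface"],
        ", ".join(route["flag_names"]), mtu, route["use"])


if __name__ == "__main__":
    # Read a saved `route -n show` dump from stdin, else use the sample.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    for r in dynamic_host_routes(text if text.strip() else SAMPLE):
        print(describe(r))
```

Run it as `route -n show | python3 routes.py` on the box while the entry is present; for more than one host, keep the dumps and diff the dynamic set over time, which is a cheaper way to notice kernel-installed routes than reading whole tables.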


Re: Strange route entry from China

Johan Beisser
On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek <[hidden email]> wrote:
>
> On 14 May 2014 at 07:48, Johan Beisser <[hidden email]> wrote:
>
> There are more reasons dynamic route entries are created. For example, to record the results of path MTU discovery.

That implies a successful TCP connection to the router itself, doesn't it?


Re: Strange route entry from China

Kevin Lyda
On 14 May 2014 08:20, "Johan Beisser" <[hidden email]> wrote:
>
> On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek <[hidden email]> wrote:
> >
> > On 14 May 2014 at 07:48, Johan Beisser <[hidden email]> wrote:
> >
> > There are more reasons dynamic route entries are created. For example,
> > to record the results of path MTU discovery.
>
> That implies a successful TCP connection to the router itself, doesn't it?
>

Sure. But connecting to port 22 in order to fail to auth is a successful
TCP connection.

Kevin


Re: Strange route entry from China

Johan Beisser
On Wed, May 14, 2014 at 12:40 AM, Kevin Lyda <[hidden email]> wrote:

>
> On 14 May 2014 08:20, "Johan Beisser" <[hidden email]> wrote:
>>
>> On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek <[hidden email]> wrote:
>> >
>> > On 14 May 2014 at 07:48, Johan Beisser <[hidden email]> wrote:
>> >
>> > There are more reasons dynamic route entries are created. For example, to
>> > record the results of path MTU discovery.
>>
>> That implies a successful TCP connection to the router itself, doesn't it?
>>
>
> Sure. But connecting to port 22 in order to fail to auth is a successful TCP
> connection.

Yes.

Path MTU implies the connection is held open for larger packets than
just during the handshake and SSH negotiation. Or am I
misunderstanding when MTU is negotiated?