Page 1 of 2
Results 1 to 10 of 20

Thread: What kind of an attack is this ?

  1. #1
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    What kind of an attack is this ?

    My ISP provides Internet connection using Ethernet. It's simply a LAN connection, so using a router is not mandatory from a connectivity point of view.

    I took this connection 3 months back. Before this I was using DSL which as you know requires router.

    While using this broadband connection, just out of curiosity, I every now and then typed dmesg | tail and saw ufw blocking a lot of UDP stuff coming from different sources.

    The day before yesterday I installed this router. Now when I do dmesg | tail I still see incoming UDP packets, although much fewer in number.

    Code:
    [ 1222.623582] [UFW BLOCK] IN=enp0s7 OUT= MAC=40:61:86:tu:3c:a2:d0:c5:54:de:56:16:08:00 SRC=95.211.213.46 DST=192.168.0.100 LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=29763 PROTO=UDP SPT=56828 DPT=7881 LEN=111
    Please explain ^^ that. The above output is from my Manjaro installation. I am dual booting Lubuntu and Manjaro. It doesn't matter because I am seeing the same thing on both distros.
    Lubuntu 20.04

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What kind of an attack is this ?

    Is the public IP yours or not? Appears to be in Amsterdam at a cloud server provider.

    Usually UDP packets getting through a firewall should be
    * DNS
    * VPN
    * SIP
    * NTP

    How is it getting through the dlink? Did your system initiate the connection?

  3. #3
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: What kind of an attack is this ?

    Quote Originally Posted by TheFu
    Is the public IP yours or not? Appears to be in Amsterdam at a cloud server provider.
    Are you asking about 95.211.213.46? No, it's not my IP.


    Quote Originally Posted by TheFu

    Usually UDP packets getting through a firewall should be
    * DNS
    * VPN
    * SIP
    * NTP

    How is it getting through the dlink? Did your system initiate the connection?
    I have set these 2 DNS addresses on my router 128.199.248.105, 106.186.17.181 (OpenNIC).

    I have no idea if the connection was initiated from my system.
    Lubuntu 20.04

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What kind of an attack is this ?

    Are there any outbound packets sent to 95.211.213.46?
    After all, if you don't allow UDP inbound through the dlink (and most people shouldn't), then the firewall there should block all inbound traffic, unless it is a response from an outbound request from the system on your LAN. Right? Am I missing something?

    I've seen ad tracking networks initiate outbound traffic (thank you javascript) to get the firewall open, but didn't know they could use UDP. That would be my guess at this point, lacking any other proof.

    I have heard of firewalls failing (allowing a few packets through) when really busy - but those were under heavy attack and for DoD contractors. Doubtful you are under that sort of attack.
    Last edited by TheFu; August 2nd, 2014 at 12:28 PM.

  5. #5
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: What kind of an attack is this ?

    Quote Originally Posted by TheFu
    Are there any outbound packets sent to 95.211.213.46?
    Sorry, I never had to find that out, so I don't know the command. What will print that?

    Quote Originally Posted by TheFu
    After all, if you don't allow UDP inbound through the dlink (and most people shouldn't), then the firewall there should block all inbound traffic, unless it is a response from an outbound request from the system on your LAN. Right? Am I missing something?

    However, I have heard of firewalls failing (allowing a few packets through) when really busy - but those were under heavy attack and for DoD contractors.
    I used DSL for like 8 years and I noticed this same thing. I don't know if routers can be trusted from a security point of view. I don't understand why people keep saying don't connect to the Internet directly. IMHO iptables is far superior to a router firewall.
    Last edited by linuxyogi; August 2nd, 2014 at 12:36 PM.
    Lubuntu 20.04

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What kind of an attack is this ?

    Linux-based routers run iptables ... uh ... just like your Linux desktop. Same code. ufw is just a CLI interface into iptables.
    BSD-based routers run pf ... and are generally considered better since BSD gets slow, but doesn't crash under load.

    We all need a router to protect our networks. Security is layered, right? Belts AND suspenders.

    The same firewall that logs the blocked inbound connections can log outbound requests. There is a setting to make that happen - you can do it either on the firewall OR on your system. I'd google "log all traffic ufw" - if that doesn't return anything - s/ufw/iptables/ and google again.

  7. #7
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: What kind of an attack is this ?

    Quote Originally Posted by TheFu
    Linux-based routers run iptables ... uh ... just like your Linux desktop. Same code. ufw is just a CLI interface into iptables.
    BSD-based routers run pf ... and are generally considered better since BSD gets slow, but doesn't crash under load.

    We all need a router to protect our networks. Security is layered, right? Belts AND suspenders.

    The same firewall that logs the blocked inbound connections can log outbound requests. There is a setting to make that happen - you can do it either on the firewall OR on your system. I'd google "log all traffic ufw" - if that doesn't return anything - s/ufw/iptables/ and google again.
    Found the command in the ufw man page.

    Code:
    $ sudo ufw logging HIGH

    Code:
    $ sudo ufw status verbose
    Status: active
    Logging: on (high) << this was low before

    Yes, the router runs Linux too, but we hardly update the firmware. On the other hand, we get kernel updates regularly. Maybe this is a stupid question, but don't you think it matters? Totally agreed about the two-layered security approach.

    Since everything is getting logged now I will keep checking and write back.
    Lubuntu 20.04

  8. #8
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: What kind of an attack is this ?

    If you ran something like dd-wrt or tomato on your router you could update your firmware as needed.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.


  9. #9
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: What kind of an attack is this ?

    Quote Originally Posted by SeijiSensei
    If you ran something like dd-wrt or tomato on your router you could update your firmware as needed.
    It seems like dd-wrt has no support for my router, a Dlink DIR-600L.


    Lubuntu 20.04

  10. #10
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: What kind of an attack is this ?

    @TheFU

    Changing ufw's logging mode to high didn't work. The idea was to find out if there was any outbound request sent to 95.211.213.46 from my LAN, but ufw is set to "default deny incoming", so it doesn't log outbound connections on my configuration.

    I guess each of us is facing the same situation. I mean few packets will penetrate the router.

    I have never used pfSense; I will have to try it someday to see how it performs.

    If you read my first post, I was not really hoping to stop these packets from coming.

    I wanted to know what it means when I see ufw blocking a UDP packet.

    What kind of an attack is that?

    I guess it's not that easy. Maybe one needs to be a hacker to know that.
    Lubuntu 20.04
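A small analyser for the kind of [UFW BLOCK] line quoted in post #1, answering the question that runs through posts #2 to #10: was the blocked inbound UDP packet a reply to something this host sent, an expected service, or plain unsolicited noise. This is an added example, not code from the thread; the "[UFW AUDIT]" outbound line, the late DNS reply and the 203.0.113.9 probe in the sample are constructed, and the well-known UDP port numbers are conventional assignments, not taken from the thread.

```python
import re
# A ufw kernel log line is a "[UFW <ACTION>]" tag followed by key=value fields (post #1).
# A non-empty IN= means the packet arrived on that interface; non-empty OUT= means it left.
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)")

# UDP services a home firewall usually has to pass (post #2's list, conventional ports).
WELL_KNOWN_UDP = {53: "DNS", 123: "NTP", 5060: "SIP", 1194: "OpenVPN",
                  500: "IKE (VPN)", 4500: "IPsec NAT-T (VPN)"}
def parse_ufw_line(line):
    """Return the fields we care about, or None for lines that are not from ufw."""
    m = UFW_RE.search(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return {"action": m.group("action"), "direction": "in" if kv.get("IN") else "out",
            "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
            "spt": int(kv["SPT"]) if "SPT" in kv else None,
            "dpt": int(kv["DPT"]) if "DPT" in kv else None}

def classify_blocked_udp(events):
    """For each blocked inbound UDP packet, decide whether an earlier outbound packet
    from this host could have solicited it (the question raised in posts #2 to #5)."""
    seen_out = set()   # (local src, remote dst, local sport, remote dport)
    verdicts = []
    for ev in events:
        if ev is None or ev["proto"] != "UDP":
            continue
        if ev["direction"] == "out":
            seen_out.add((ev["src"], ev["dst"], ev["spt"], ev["dpt"]))
        elif ev["action"] == "BLOCK":
            # A reply mirrors the outbound 4-tuple: src<->dst and sport<->dport swap.
            if (ev["dst"], ev["src"], ev["dpt"], ev["spt"]) in seen_out:
                reason = "reply to an earlier outbound request (passed while the conntrack entry lives; a late reply is logged as a block)"
            elif ev["dpt"] in WELL_KNOWN_UDP:
                reason = f"unsolicited {WELL_KNOWN_UDP[ev['dpt']]} probe"
            else:
                reason = "unsolicited packet to an unassigned port (internet background noise from scanners; the block is the firewall doing its job)"
            verdicts.append((ev["src"], ev["dpt"], reason))
    return verdicts

def analyze(log_text):
    return classify_blocked_udp([parse_ufw_line(l) for l in log_text.splitlines()])
# Constructed sample: the line from post #1, an invented outbound DNS query to the OpenNIC
# resolver from post #3 (tagged "[UFW AUDIT]", an assumption), its late reply, an NTP probe.
SAMPLE_LOG = """\
[ 1222.623582] [UFW BLOCK] IN=enp0s7 OUT= MAC=40:61:86:tu:3c:a2:d0:c5:54:de:56:16:08:00 SRC=95.211.213.46 DST=192.168.0.100 LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=29763 PROTO=UDP SPT=56828 DPT=7881 LEN=111
[ 1230.000001] [UFW AUDIT] IN= OUT=enp0s7 SRC=192.168.0.100 DST=128.199.248.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
[ 1261.000002] [UFW BLOCK] IN=enp0s7 OUT= SRC=128.199.248.105 DST=192.168.0.100 LEN=120 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=53 DPT=40000 LEN=100
[ 1262.000003] [UFW BLOCK] IN=enp0s7 OUT= SRC=203.0.113.9 DST=192.168.0.100 LEN=76 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=UDP SPT=123 DPT=123 LEN=56
"""
```

Run `analyze` over the output of `dmesg` or `/var/log/ufw.log` after `ufw logging high`; a source that keeps turning up as "unsolicited" across many ports is a scanner, and a "reply" verdict means the packet was your own traffic returning late.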
