[Freedombox-discuss] Large amount of traffic apparently related to ntp.
A. F. Cano
afc54 at comcast.net
Fri Oct 4 03:46:45 BST 2024
On Thu, Oct 03, 2024 at 01:44:26PM -0700, Sunil Mohan Adapa wrote:
> Hi,
>
> The address seems to belong to a customer of Verizon in New Jersey. I doubt
> if this is related to NTP (pool- is the way Verizon gives names to each of the
> IPs they own).
You're correct.
> To understand what the traffic is about, it would help to know the endpoint
> of the connection on the FreedomBox side. You can get this by running 'ss -n
> | grep <ip_address>'. Also check 'journalctl -f' to see if these are attempts
$ ss -n | grep 108.50.237.254 (the IP address that shows up in iftop)
tcp ESTAB 0 415 [::ffff:73.29.228.182]:443 [::ffff:108.50.237.254]:52119
> for a brute-force login (which are common on internet facing servers, for
> which we have protections).
More interestingly, I see plenty of these:
Oct 03 22:28:25 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:0d:b9:3f:92:a8:38:38:a6:47:66:97:08:00 SRC=23.88.44.223 DST=<my external IP> LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=3797 PROTO=TCP SPT=80 DPT=27437 WINDOW=16384 RES=0x00 ACK SYN URGP=0
The SRC IP is different for every entry. Probably faked, or if real
maybe part of a DDoS. Sometimes the SRC and DST addresses are in IPv6.
I suppose nothing can be done about this.
> --
> Sunil
Thanks for taking the time to clarify.
Augustine
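
Added example (not part of the original message): one way to tally STATE_INVALID_DROP kernel log lines like the one quoted above, counting distinct sources and the SYN+ACK packets that conntrack dropped because no tracked connection matched them. The function names and the sample lines are constructed for illustration; the addresses come from documentation ranges.

```python
from collections import Counter

PREFIX = "STATE_INVALID_DROP:"
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample journal lines in the netfilter LOG format shown in the post.
SAMPLE = """\
Oct 03 22:28:25 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=3797 PROTO=TCP SPT=80 DPT=27437 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Oct 03 22:28:27 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=80 DPT=40112 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Oct 03 22:28:30 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=64 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=443 DPT=51234 WINDOW=28800 RES=0x00 ACK SYN URGP=0
Oct 03 22:28:31 fbx systemd[1]: Started a constructed unrelated unit.
Oct 03 22:28:33 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.99 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=TCP SPT=51000 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

def parse_line(line):
    """Return the fields of one STATE_INVALID_DROP line, or None for other lines."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None
    fields, flags = {}, set()
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val      # KEY=value pairs, e.g. SRC, SPT, DPT
        elif tok in TCP_FLAGS:
            flags.add(tok)         # bare tokens such as ACK, SYN are TCP flags
    fields["FLAGS"] = frozenset(flags)
    return fields

def summarize(text):
    """Count dropped packets, distinct sources, and SYN+ACK drops per source port."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    syn_ack = [p for p in pkts if p["FLAGS"] == {"SYN", "ACK"}]
    return {
        "dropped": len(pkts),
        "distinct_sources": len({p["SRC"] for p in pkts}),
        "syn_ack": len(syn_ack),
        "syn_ack_src_ports": Counter(p.get("SPT") for p in syn_ack),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On a live system the same functions can be fed the text of 'journalctl -k' instead of SAMPLE.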