VPNFilter attack?

[bbunge]

Found the following in my log today:

Jun 20 05:06:47 vpnserver1[25324]: 185.200.118.77:52854 TLS: Initial packet from [AF_INET]185.200.118.77:52854 (via [AF_INET]71.50.195.135%eth0), sid=12121212 12121212
Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS handshake failed
Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 SIGUSR1[soft,tls-error] received, client-instance restarting

Was this a failed VPNFilter attack? No corrresponding event in network protection.

bb

 

[kfp]

No. That IP (block) is regularly doing port scanning.

If you find it annoying try using a non-standard port for OpenVPN (change from default 1194). One step further would be using an IP block list and use something like Skynet to block those ranges.

 

[RMerlin]

Switching to UDP might also help reducing noise, port scanners tend to focus on TCP in general.

 

[ColinTaylor]

Switching to UDP might also help reducing noise, port scanners tend to focus on TCP in general.

Indeed. But the probes from this particular subnet are unusual in that they are probing UDP ports 443 and 1194 (and other TCP ports). Which probably explains why there's been multiple posts about this subnet in recent days.

 

[sfx2000]

Indeed. But the probes from this particular subnet are unusual in that they are probing UDP ports 443 and 1194 (and other TCP ports). Which probably explains why there's been multiple posts about this subnet in recent days.

Somebody must be really, really patient to be scanning UDP

That being said - everything points to a certain netblock, so adding a rule to drop 185.200.118.0/24 should stop the chatter in the logs.

You could always call their NOC - http://www.as9009.net

which is M247...

 

[ColinTaylor]

That being said - everything points to a certain netblock, so adding a rule to drop 185.200.118.0/24 should stop the chatter in the logs.

Indeed. I posted the code to do that here.

 

[bbunge]

For now I turned off OpenVPN server. Other attacks as logged by Trendmicro continue. Eight today which is higher than normal.
Not a friendly place the internet is...

Sent from my P01M using Tapatalk

 

[xtropodx]

I had a read of this too: https://www.snbforums.com/threads/router-log-am-i-under-attack.27453/

Probably not an active attack, just port scanning...

How can you tell if it's not just port scanning...

And following looks similar, but if someone could chime in & confirm that'd be great, as it looks suspicious.

EDIT: forum isn't allowing me to post the stuff from the log, I'm getting a
"Sorry, you have been blocked" 44bea073e9bb520f" error message

EDIT: I've uploaded some of the log into file instead.
EDIT: nope, even that doesn't want to work . Selecting 20kb *.txt file just won't uploaded.

Let's try this instead:
https://www.dropbox.com/s/8z7luuy4e0s0prv/partiallog.txt?dl=0

 

[ColinTaylor]

How can you tell if it's not just port scanning...

And following looks similar, but if someone could chime in & confirm that'd be great, as it looks suspicious.

What are we meant to be looking at? There's nothing of interest in your log.

EDIT: I think I see the confusion. The messages in post #1 relate to attempts to connect to the router's VPN server. The messages in your log are from your router's VPN client. It is deliberately restarting itself because there has been no traffic through the tunnel for the prescribed period of time.

 

[coxhaus]

I would block all of 185.0.0.0/8. I do. It takes me under a minute to block all of 185.0.0.0 with my router.

A Class A IP address is only 16,000,000 IP addresses.

 

[HowIFix]

I have an Illuminati conspiracy theory, that the creator of the VPNFilter is a router company and the company is the one with the most affected router or the one with fewer affected routers (there are 2) and they blamed X country, because they are enemies of the world and if you ask why they did that, I hope you know the answer.

 

[xtropodx]

What are we meant to be looking at?

Well I guess that's just it, I'm not savy with this stuff & from what it looks like to me,

Aug 17 08:44:11 ovpn-client1[2703]: TCP/UDP: Preserving recently used remote address: [AF_INET]168.1.75.38:1197

Is accessing my router? And then, changing stuff??

Aug 17 08:44:14 ovpn-client1[2703]: OPTIONS IMPORT: --ifconfig/up options modified

I have no idea. These codes/abbreviations etc in logs aren't most user friendly thing in the world .

 

[ColinTaylor]

I have no idea. These codes/abbreviations etc in logs aren't most user friendly thing in the world .

Did you see the information I added to my post #9? Those messages are from your VPN client connecting to PIA's VPN server.

 

[xtropodx]

Yeah. So basically nothing to worry about then

 

[sfx2000]

I have an Illuminati conspiracy theory, that the creator of the VPNFilter is a router company and the company is the one with the most affected router or the one with fewer affected routers (there are 2) and they blamed X country, because they are enemies of the world and if you ask why they did that, I hope you know the answer.

I think the biggest frustration with VPNFilter is there is no clear discussion behind the specific mechanisms - most of the vendors have been obtuse about exactly how it works.

The OEM's might have some information under non-disclosure, but for independent free and open source projects, it's really about just battening down hatches and praying for the best.

 

[sfx2000]

How can you tell if it's not just port scanning...

It's all context - there's a lot of door knocking out there, mostly these days it's cloud based, and they scan all the time looking for opportunities.

Common sense dictates certain actions - limit open services exposed to the WAN, use good passwords, and don't use default passwords.

 

[sfx2000]

Other attacks as logged by Trendmicro continue

TrendMicro cries wolf far to often... not everything is an "attack".

It's good software, and a great company, but they classifies routine things as "danger Will Robinson" and this can be a problem...