VPNFilter attack?

Discussion in 'ASUSWRT - Official' started by bbunge, Jun 20, 2018.

  1. bbunge

    bbunge Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    484
    Found the following in my log today:

    Jun 20 05:06:47 vpnserver1[25324]: 185.200.118.77:52854 TLS: Initial packet from [AF_INET]185.200.118.77:52854 (via [AF_INET]71.50.195.135%eth0), sid=12121212 12121212
    Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS handshake failed
    Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 SIGUSR1[soft,tls-error] received, client-instance restarting

    Was this a failed VPNFilter attack? No corresponding event in network protection.

    bb
     
  3. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    641
    No. That IP (block) is regularly doing port scanning.

    If you find it annoying try using a non-standard port for OpenVPN (change from default 1194). One step further would be using an IP block list and use something like Skynet to block those ranges.
     
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,225
    Location:
    Canada
    Switching to UDP might also help reduce noise; port scanners tend to focus on TCP in general.
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,715
    Location:
    UK
    Indeed. But the probes from this particular subnet are unusual in that they are probing UDP ports 443 and 1194 (and other TCP ports). Which probably explains why there have been multiple posts about this subnet in recent days.
     
  6. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    12,676
    Location:
    San Diego, CA
    Somebody must be really, really patient to be scanning UDP :D

    That being said - everything points to a certain netblock, so adding a rule to drop 185.200.118.0/24 should stop the chatter in the logs.

    You could always call their NOC - http://www.as9009.net

    which is M247...
     
    Last edited: Jun 20, 2018
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,715
    Location:
    UK
    Indeed. I posted the code to do that here. ;)
     
  8. bbunge

    bbunge Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    484
    For now I turned off OpenVPN server. Other attacks as logged by Trendmicro continue. Eight today which is higher than normal.
    Not a friendly place the internet is...

    Sent from my P01M using Tapatalk
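
Added example, not part of any post in this thread and not the code ColinTaylor linked: a way to triage the log as the replies suggest, grouping OpenVPN peers that failed the TLS handshake and never completed a connection into /24 netblocks such as the 185.200.118.0/24 mentioned above. The first two sample lines come from the first post; the remaining lines, the function names and the INPUT chain in the generated rule are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Lines 1-2 are from the first post; the rest are constructed for this example
# (RFC 5737 documentation addresses, hypothetical client name "laptop").
SAMPLE_LOG = """\
Jun 20 05:06:47 vpnserver1[25324]: 185.200.118.77:52854 TLS: Initial packet from [AF_INET]185.200.118.77:52854 (via [AF_INET]71.50.195.135%eth0), sid=12121212 12121212
Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS handshake failed
Jun 20 06:10:01 vpnserver1[25324]: 198.51.100.23:40112 TLS Error: TLS handshake failed
Jun 20 06:11:30 vpnserver1[25324]: 198.51.100.23:40113 [laptop] Peer Connection Initiated with [AF_INET]198.51.100.23:40113
Jun 20 07:00:05 vpnserver1[25324]: 203.0.113.5:1025 TLS Error: TLS handshake failed
Jun 20 07:00:09 vpnserver1[25324]: 203.0.113.77:1026 TLS Error: TLS handshake failed
"""

# Matches "<daemon>[pid]: <peer ip>:<port> <event text>"
PEER_LINE = re.compile(r"vpnserver\d+\[\d+\]: (\d+\.\d+\.\d+\.\d+):\d+ (.*)")

def probing_netblocks(log_text, prefix=24):
    """Map each netblock to the peers that failed the TLS handshake and never connected."""
    failed, connected = set(), set()
    for line in log_text.splitlines():
        m = PEER_LINE.search(line)
        if not m:
            continue
        ip, event = m.groups()
        if "TLS handshake failed" in event:
            failed.add(ip)
        elif "Peer Connection Initiated" in event:
            connected.add(ip)  # a real client that had one bad attempt
    blocks = defaultdict(list)
    for ip in sorted(failed - connected, key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].append(ip)
    return dict(blocks)

def drop_rules(blocks):
    """Generic iptables drop rule per netblock (assumed chain: INPUT)."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in sorted(blocks)]

if __name__ == "__main__":
    found = probing_netblocks(SAMPLE_LOG)
    for net, peers in found.items():
        print(net, peers)
    print("\n".join(drop_rules(found)))
```

The peer at 198.51.100.23 is excluded because it later completes a connection, which keeps a legitimate client with one timed-out attempt out of the block list.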
     