hairpin attempts

Michael Butler imb at protected-networks.net
Fri Oct 4 23:05:45 UTC 2019


On 10/4/19 5:53 PM, Randy Bush wrote:
> for some months, our border routers log attempts to connect from the
> outside using a source address that is internal to my network.  e.g.
> 
> Oct  3 06:48:12 r0 7833: Oct  3 06:48:11.267: %FMANFP-6-IPACCESSLOGP:  SIP0: fman_fp_image:  list serial-in4 denied udp 147.28.0.223(3465) -> 147.28.0.222(53), 1 packet
> 
> some days, we see a *lot* of this.  anyone else seeing similar?

I also see them. The pattern is the same with a source IP one higher
than destination, destination port is always DNS/UDP. Over the last few
hours, for example:

ipfw: 500 Deny UDP 202.12.127.73:62057 202.12.127.72:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.186:28518 202.12.127.185:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.145:22501 202.12.127.144:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.195:65470 202.12.127.194:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.240:64810 202.12.127.239:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.246:33497 202.12.127.245:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.140:11008 202.12.127.139:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.178:3616 202.12.127.177:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.189:3316 202.12.127.188:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.157:23692 202.12.127.156:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.254:31943 202.12.127.253:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.173:18489 202.12.127.172:53 in via fxp0
ipfw: 500 Deny UDP 202.12.127.242:36058 202.12.127.241:53 in via fxp0

My anti-spoofing rules throw them on the floor since they can't possibly
originate on this interface so I haven't investigated further,

	imb
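The pattern reported in this thread (a denied inbound UDP packet to port 53 whose source address is inside the local network and exactly one higher than the destination) can be counted from ipfw deny logs. The following is an added example, not part of the original message; the function name `find_adjacent_spoofs` and the sample lines, built from the 192.0.2.0/24 documentation range, are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches ipfw deny lines in the format quoted in the message above.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) in via (?P<iface>\S+)"
)

def find_adjacent_spoofs(lines, internal_net, port=53):
    """Return (hits, per-destination counts) for denied inbound UDP packets
    whose source is inside internal_net and equals destination + 1."""
    net = ipaddress.ip_network(internal_net)
    hits, per_dst = [], Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dport"]) != port:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # An internal source seen inbound on the outside interface is spoofed.
        if src in net and dst in net and int(src) - int(dst) == 1:
            hits.append((str(src), str(dst), m["iface"]))
            per_dst[str(dst)] += 1
    return hits, per_dst

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "ipfw: 500 Deny UDP 192.0.2.73:62057 192.0.2.72:53 in via fxp0",
    "ipfw: 500 Deny UDP 192.0.2.186:28518 192.0.2.185:53 in via fxp0",
    "ipfw: 500 Deny UDP 192.0.2.73:40111 192.0.2.72:53 in via fxp0",
    "ipfw: 500 Deny UDP 192.0.2.10:5000 192.0.2.20:53 in via fxp0",   # not adjacent
    "ipfw: 500 Deny UDP 198.51.100.9:4000 192.0.2.8:53 in via fxp0",  # external source
    "ipfw: 500 Deny TCP 192.0.2.31:4000 192.0.2.30:53 in via fxp0",   # not UDP
    "ipfw: 500 Deny UDP 192.0.2.41:4000 192.0.2.40:123 in via fxp0",  # not DNS
]

if __name__ == "__main__":
    hits, per_dst = find_adjacent_spoofs(SAMPLE, "192.0.2.0/24")
    for src, dst, iface in hits:
        print(f"spoofed-adjacent {src} -> {dst} via {iface}")
    print(per_dst.most_common())
```

The per-destination counts show which internal addresses are being targeted most often, which helps when comparing notes across networks seeing the same traffic.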




More information about the NANOG mailing list