
Weird incoming connections (Fenrir)

Freewheeling spot to chew the fat on anything cryptostorm-related that doesn't fit elsewhere (i.e. support, howto, &c.). Criticism & praise & brainstorming & requests for explanation... this is where it goes when it's hot & ready for action! :-)

Topic Author
Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Weird incoming connections (Fenrir)

Postby Operandi » Thu Oct 09, 2014 11:27 pm

Today I noticed an unusual amount of blocked connection attempts logged by Comodo Firewall. The connections in question seem to originate from an IP address in Denmark, and all have equal 30-second-long intervals between them. What bothers me is that this happens only when I'm connected to the darknet. Namely, Iceland:fenrir:windows node.

Any ideas what this could be?
Attachments: 1.png



Topic Author
Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: Weird incoming connections (Fenrir)

Postby Operandi » Thu Oct 09, 2014 11:49 pm

parityboy wrote: Were you running a torrent client at the time?

Hi, parityboy.

Nope, neither a BitTorrent client nor even eMule. And, as I said, these connections appear to be node-specific.


parityboy
Site Admin
Posts: 1266
Joined: Wed Feb 05, 2014 3:47 am

Re: Weird incoming connections (Fenrir)

Postby parityboy » Fri Oct 10, 2014 5:05 am

@OP

Ok, so the regular intervals say that it's some kind of ping/heartbeat service trying to find out if a port is open or not. It might be a hit and hope; on paper, trying to connect to the exit node on any port other than 443 UDP should fail BUT the exit node still has to permit replies from the Internet pertaining to connections originating from within the darknet, including UDP connections (like BitTorrent traffic) which are harder to track than TCP connections. So it could be that those UDP packets are somehow finding their way to your machine.

However, there is another possibility. That IP address could be spoofed; in reality the only reliable way to hit a machine connected to the darknet is to be on the darknet yourself. It could well be that the originating machine actually belongs to a network member, and whatever software they are running is trying to get your machine to reply to that spoofed address, which likely is also controlled by said network member.
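The fixed interval parityboy reads as a heartbeat is something you can test for mechanically rather than by eye. The script below is an added example (it is not from this thread or from cryptostorm): it parses a block log, groups blocked inbound packets by source address, and flags sources whose inter-arrival times are nearly constant, also reporting whether they keep hitting one destination port (a retry or keepalive aimed at a former peer) or many (a sweep). The log line format and every address, port and timestamp in it are constructed for the example; adapt parse_line() to the real firewall export.

```python
"""Flag periodic inbound connection attempts in a firewall block log.

Added example, not code from the forum thread or from cryptostorm.
The log format below is an assumption: one blocked packet per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import re

# Constructed sample: one source knocking every 30 s on the same port,
# one source touching three different ports at irregular times.
SAMPLE_LOG = """\
2014-10-09 22:10:00 BLOCK UDP 203.0.113.45:6881 -> 10.66.0.23:51413
2014-10-09 22:10:30 BLOCK UDP 203.0.113.45:6881 -> 10.66.0.23:51413
2014-10-09 22:11:00 BLOCK UDP 203.0.113.45:6881 -> 10.66.0.23:51413
2014-10-09 22:11:30 BLOCK UDP 203.0.113.45:6881 -> 10.66.0.23:51413
2014-10-09 22:12:00 BLOCK UDP 203.0.113.45:6881 -> 10.66.0.23:51413
2014-10-09 22:10:07 BLOCK TCP 198.51.100.9:40211 -> 10.66.0.23:22
2014-10-09 22:10:08 BLOCK TCP 198.51.100.9:40212 -> 10.66.0.23:23
2014-10-09 22:10:31 BLOCK TCP 198.51.100.9:40213 -> 10.66.0.23:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) BLOCK (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def group_by_source(lines):
    """Bucket parsed records by source address; unparsable lines are skipped."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    return by_src


def periodic_sources(lines, min_events=4, max_jitter=0.1):
    """Return {src: {"period": seconds, "dports": [...]}} for sources whose
    inter-arrival times are nearly constant (stdev / mean <= max_jitter).

    One destination port with a steady period looks like a keepalive or
    retry aimed at a former peer; many ports with a steady period looks
    like a scheduled sweep.  Sources with fewer than min_events blocked
    packets are ignored because a period cannot be judged from them.
    """
    out = {}
    for src, recs in group_by_source(lines).items():
        if len(recs) < min_events:
            continue
        stamps = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out[src] = {"period": avg,
                        "dports": sorted({r["dport"] for r in recs})}
    return out


if __name__ == "__main__":
    for src, info in periodic_sources(SAMPLE_LOG.splitlines()).items():
        kind = "single-port retry" if len(info["dports"]) == 1 else "multi-port sweep"
        print(f"{src}: every {info['period']:.0f} s, ports {info['dports']} ({kind})")
```

Run it over a real export and the periodic entries are the ones worth catching in a packet capture, since the period and the destination port together are what distinguish a peer still retrying an old session from a generic Internet scan.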


Topic Author
Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: Weird incoming connections (Fenrir)

Postby Operandi » Fri Oct 10, 2014 10:30 pm

parityboy wrote: It could well be that the originating machine actually belongs to a network member

That's what I thought too. And, needless to say, that's quite unsettling.

I tried to connect to the Iceland node a few minutes ago, and the saga seems to continue. The ports and the source IP are different this time, but the destination IP is in the private "10.66.0.*" range again. Weird.


Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Weird incoming connections (Fenrir)

Postby Tealc » Sat Oct 11, 2014 1:43 am

Operandi wrote:
parityboy wrote: It could well be that the originating machine actually belongs to a network member

That's what I thought too. And, needless to say, that's quite unsettling.

I tried to connect to the Iceland node a few minutes ago, and the saga seems to continue. The ports and the source IP are different this time, but the destination IP is in the private "10.66.0.*" range again. Weird.


Have you reported this to support@cryptostorm.is ?


cryptostorm_admin
ForumHelper
Posts: 74
Joined: Tue Jan 01, 2013 5:43 pm

Re: Weird incoming connections (Fenrir)

Postby cryptostorm_admin » Sat Oct 11, 2014 1:58 am

Ok, our support folks flagged this for me to take a look at. I've also asked DF to see if he has any feedback.

My very fast, quick review leads me to believe it's part of the standard background noise of scans one sees out in the unfiltered internet nowadays. Some of those scans will target static/dedicated IPs and blocks assigned to datacenters, and will avoid hitting DHCP blocks... or there are scan parameters based on geolocation, AS membership... really just about any criteria we can imagine, and some we can't.

I've not yet done a deeper check with researchers to see if these scans fit some pattern that's already recognised out there; I'll make it a priority to do so this evening or over the weekend. They do such things full-time and know more about it than a lowly network admin such as myself can match.

I can already guess what DF is going to say: "get me .pcaps from the machine in question, so I can look at the packets themselves to see what's up" - or something to that effect. So, yes, if you can catch one of these connection attempts in a packet dump, that's really ideal - and likely could help the researchers I'm going to ask, in terms of analysing the scan and comparing to known vectors out there.

I'm sorry I cannot look more closely at this right now, but perhaps DF is between tasks and will have a more substantive reply. In any event, I'll check back in later to see what's transpired.

Thank you,

~ cryptostorm_admin


Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

swarm traffic?

Postby Pattern_Juggled » Sat Oct 11, 2014 2:13 am

This looks to me like a torrent client on a DHCP'd IP address, coming out of Denmark, that was likely talking with someone logged in thru Fenrir and now it's trying to find out if that peer is still around. Because this is UDP traffic, it's stateless - and the only hard identifier for the session (or "session" as there's really no such thing as UDP sessions - they're just streams of packets in a series) is a combination of source IP, destination IP, source port, and destination port. That's what the SNAT (or masquerade) system function uses, in Linux, to keep track of mux'd IPs at a hardware (or virtual) NIC.

Mostly that process goes well, but sometimes if someone drops on and off a machine it can result in the NIC forwarding packets along to its "best-guess" recipient within the routing table.

But this is all hypothetical, really - call it a hunch as much as anything. I'd also want to wireshark (or manually inspect) these packets before saying for sure what my conclusion is. I'd put a (small) bet on it simply being torrent traffic... but I'll reserve further judgement until more hard data is available.

Cheers,

~ pj
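pj's point about the 4-tuple is the crux of this thread, so here is a toy model of it. This is an added example, not code from the thread, from cryptostorm or from the Linux kernel: a UDP masquerade table keyed on (public IP, public port, peer IP, peer port), with the timer refreshed by packets in either direction as Linux conntrack does. The timeout value, the public address and the 10.66.0.x client addresses are constructed for illustration. The scenario shows why a peer that keeps retrying can still have its packets mapped to a private address after the member who owned that address has gone: UDP has no teardown, so the exit node is never told the conversation ended, and each retry keeps the stale mapping alive until whoever next holds that private address sees the traffic.

```python
"""Toy UDP NAT (masquerade) table keyed on the 4-tuple.

Added example, not the thread's or cryptostorm's code.  Assumptions:
timeout of 120 s, any packet in either direction refreshes it, and a
private address freed by one client can be handed to the next.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    inside: tuple   # (private address, port) of the darknet client
    expires: float  # absolute time at which the mapping lapses


class UdpNat:
    def __init__(self, public_ip, timeout=120.0):
        self.public_ip = public_ip
        self.timeout = timeout
        # key: (public_ip, public_port, peer_ip, peer_port) -> Entry
        self.table = {}
        self.next_port = 40000  # constructed port range for masqueraded flows

    def outbound(self, now, inside, peer):
        """Client packet leaving the exit node: allocate or refresh a mapping."""
        for key, entry in self.table.items():
            if entry.inside == inside and key[2:] == peer:
                entry.expires = now + self.timeout
                return key
        key = (self.public_ip, self.next_port, peer[0], peer[1])
        self.next_port += 1
        self.table[key] = Entry(inside, now + self.timeout)
        return key

    def inbound(self, now, public_port, peer):
        """Packet from the Internet: forward only if the 4-tuple is known and fresh.

        Returns the private (address, port) it would be delivered to, or None
        if the exit node would drop it.  A matching packet refreshes the timer.
        """
        key = (self.public_ip, public_port, peer[0], peer[1])
        entry = self.table.get(key)
        if entry is None:
            return None
        if entry.expires <= now:
            del self.table[key]
            return None
        entry.expires = now + self.timeout
        return entry.inside


def scenario():
    """Member A talks to a UDP peer, leaves, and the peer keeps retrying.

    Returns a list of (time, delivered_to) for each retry.  Every entry
    still names A's old private address, which a later member B may now hold.
    """
    nat = UdpNat("198.51.100.1", timeout=120.0)        # constructed exit address
    peer = ("203.0.113.45", 6881)                       # constructed Internet peer
    member_a = ("10.66.0.23", 51413)                    # constructed darknet client
    log = []
    # t=0: A sends to the peer; t=10: the peer answers and is forwarded to A.
    _, pub_port, _, _ = nat.outbound(0.0, member_a, peer)
    log.append((10.0, nat.inbound(10.0, pub_port, peer)))
    # t=20: A disconnects.  UDP carries no FIN, so the table is not told.
    # The peer retries every 30 s; each retry refreshes the stale mapping.
    for t in (40.0, 70.0, 100.0, 130.0):
        log.append((t, nat.inbound(t, pub_port, peer)))
    return log


if __name__ == "__main__":
    for t, dst in scenario():
        print(f"t={t:5.0f}s  peer packet mapped to {dst}")
```

The defensive reading is the one the thread converges on: the packets reaching a member's 10.66.0.x address are replies the exit node is obliged to let through for some earlier flow, which is why a per-client firewall that drops unsolicited inbound (as Comodo did here) is the right place to stop them, and a capture of a few of them settles what the peer actually is.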


marzametal
Posts: 520
Joined: Mon Aug 05, 2013 11:39 am

Re: Weird incoming connections (Fenrir)

Postby marzametal » Sat Oct 11, 2014 7:50 am

I blocked the whole ISP as a just in case... lol


Topic Author
Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: Weird incoming connections (Fenrir)

Postby Operandi » Sun Oct 12, 2014 12:18 am

Tealc wrote: Have you reported this to support@cryptostorm.is ?

I haven't, but it seems that there's no need for that anymore.

cryptostorm_admin wrote: Ok, our support folks flagged this for me to take a look at. I've also asked DF to see if he has any feedback also. [...]

Thanks for looking into this. I'll try to do a Wireshark capture in case similar connections appear, then.

Pattern_Juggled wrote: This looks to me like a torrent client on a DHCP'd IP address, coming out of Denmark, that was likely talking with someone logged in thru Fenrir and now it's trying to find out if that peer is still around. [...]

Hmm... That could be the case. Thanks for the insight, pj.

marzametal wrote: I blocked the whole ISP as a just in case... lol

Which OS do you use, if I may ask?


parityboy
Site Admin
Posts: 1266
Joined: Wed Feb 05, 2014 3:47 am

Re: Weird incoming connections (Fenrir)

Postby parityboy » Sun Oct 12, 2014 1:23 am

@thread

Well, trust me to pick the worst-level possibility, lol. :D Having thought about it, there's a very good chance that PJ is right and the activity is 100% innocent. I've been watching KTorrent logs to see if the behaviour is similar, but it doesn't seem to be. Different software is different. :)


marzametal
Posts: 520
Joined: Mon Aug 05, 2013 11:39 am

Re: Weird incoming connections (Fenrir)

Postby marzametal » Sun Oct 12, 2014 2:18 pm

@Operandi
Windows 7 Home Premium 64bit (ISO file from Microsoft, I ditched the pre-installed version due to bloatware)
Windows 7 Firewall with Advanced Security
Windows Firewall Control (purely for the connection logs... otherwise, I'd have to rely solely on Event Viewer, ugh!)


Topic Author
Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: Weird incoming connections (Fenrir)

Postby Operandi » Thu Jan 29, 2015 3:43 am

Since this is a (possibly) related issue, I decided to post about it here, instead of starting a whole new topic.

I haven't seen any more odd connections since then, but my network adapter started acting up recently: every so often the connection drops down completely, and all attempts to disable the adapter freeze half the system (even Wireshark stops responding if I try to start a capture). Ultimately, the machine can't even restart - the "Shutting down..." message just hangs there forever; the only way is to do a reset... And that's very similar to what happened just before those connections started popping out for the first time.

Now I think about finally getting a router, and I figured that this forum might be a good place to ask for advice.

So, is there any brand you guys would recommend? How about ASUS? Are their routers any good?


parityboy
Site Admin
Posts: 1266
Joined: Wed Feb 05, 2014 3:47 am

Re: Weird incoming connections (Fenrir)

Postby parityboy » Thu Jan 29, 2015 4:04 am

@Operandi

What's your budget? Could you go for something like an EdgeRouter Lite? Or maybe one of the Draytek small business routers? I've heard good things about the ASUS routers, but I'd imagine the performance would pale compared to the other two.


Topic Author
Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: Weird incoming connections (Fenrir)

Postby Operandi » Thu Jan 29, 2015 5:56 pm

parityboy wrote: What's your budget?

About $200.

parityboy wrote: Could you go for something like an EdgeRouter Lite?

It seems to be pretty good (especially price-wise), but I'd like to get a router with Wi-Fi capabilities (sorry, forgot to mention this right away).

parityboy wrote: Or maybe one of the Draytek small business routers?

Hmm... I doubt that the local shops carry any products by this company, but I'll look into this.

parityboy wrote: I've heard good things about the ASUS routers, but I'd imagine the performance would pale compared to the other two.

One of the reasons I consider ASUS is that they officially support DD-WRT firmware - and, I presume, painless flashing in general. Or is it a common thing for any router? </n00b>
