Hurricane Electric's IPv6 Tunnel Broker Forums

Unusual security problem: am I being used in an ipv6 botnet/DDoS?

Started by zebrax0r, March 17, 2013, 04:04:20 AM


zebrax0r

Hi all.

First time poster. Please be kind.

I recently signed up for a HE tunnel for IPv6 for something fun to do/something interesting. In my own country, we have a provider known as AARNET who provide an IPv6 tunnel broker, but it goes down fairly often, so I thought I'd try HE out, despite it being quite a distance away/higher in latency.

Anyway - even before I was using HE, around 3 or 4 weeks ago, I started noticing some odd behaviour on my internet connection. I have a 120Mbit/sec downlink + 2.5Mbit/sec uplink DOCSIS 3.0 cable connection. On top of which I use an ipv6 tunnel inside a UNIX-based host (Solaris 11.1 at the moment, but have used Ubuntu 12.10 in the past) to talk to IPv6-only USENET hosts for file/binary news post transfers.

Anyway - I began to notice extremely high upload utilisation a few weeks ago, so much so that it was hurting the amount of internet quota I had available to me (they charge/count uploads AND downloads here against monthly quota!).

So, I set forth to find out what was going on. Basic setup is:

DOCSIS 3.0 Router in "dumb modem/bridged" mode --> Cisco Linksys E3000 in full router mode with SPI Firewall "on" + NAT --> Hosts behind this [IPv6 tunnel nailed up on one of them]

Nothing special or uncommon.

So, when I have the tunnel nailed up, I find piles and piles of unusual IP addresses, lots of traffic flowing through the tunnel and heaps of foreign IP blocks (china, RU, UK etc), even if I am not transferring any data.

I got to thinking "Is this a botnet sitting atop my tunnel? If so, how?", also started to wonder if I was participating in a DDoS somehow.

Anyway - for the life of me, I cannot find evidence that the hosts (running on VMs and zones, not bare metal!) are compromised, but, every time I bring them up, all this traffic makes me wonder! I'm using tools like iftop and Wireshark to look at it all, and maybe NetFlow soon if I get really unhappy.

I'm quite aware that, by definition of an IPv6 address space, the concept of NAT disappears - so my host might be "out there naked".

Does anyone else have a similar IPv6/tunnel story? I'd love to know if what I am seeing is something anyone else has seen before!

Thanks, all.

z

kasperd

Quote from: zebrax0r on March 17, 2013, 04:04:20 AM
NAT --> Hosts behind this [IPv6 tunnel nailed up on one of them]

Depending on the NAT this can be unreliable. If possible, it is usually better to run the tunnel endpoint on the same device that does the NAT. I know this is unrelated to your question, and I am not recommending you change it unless it becomes a problem for you. However, if it does become a problem, keep it in mind.

Quote from: zebrax0r on March 17, 2013, 04:04:20 AM
Nothing special or uncommon.

Right, your setup sounds quite ordinary.

Quote from: zebrax0r on March 17, 2013, 04:04:20 AM
So, when I have the tunnel nailed up, I find piles and piles of unusual IP addresses, lots of traffic flowing through the tunnel and heaps of foreign IP blocks (china, RU, UK etc), even if I am not transferring any data.

In my experience 90% of the time this turns out to be due to a bittorrent client on the LAN.

Quote from: zebrax0r on March 17, 2013, 04:04:20 AM
every time I bring them up, all this traffic makes me wonder!

What does the traffic look like? Is it TCP, UDP, ICMPv6, or something else? What port numbers are being used? Is it initiated from inside or outside your network?

If the traffic is initiated from outside your network, there must be some packets arriving even when the receiving VM is down.

Quote from: zebrax0r on March 17, 2013, 04:04:20 AM
I'm quite aware that, by definition of an IPv6 address space, the concept of NAT disappears - so my host might be "out there naked".

Right, but you can still have a firewall. The firewall can be stateful or stateless. The major difference is that with IPv6 the firewall doesn't modify the packets; it just inspects the packets and decides which go through and which receive an ICMPv6 error message.

zebrax0r

Quote from: kasperd on March 17, 2013, 06:18:31 AM
In my experience 90% of the time this turns out to be due to a bittorrent client on the LAN.

...and you were right. The LHT/PEX type tracker options were floating wads and wads of "junk data" across my WAN as a distributed BT-tracker, despite not having any active torrents!

Thank you for your input. Most appreciated.

z
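The triage kasperd asks for above (which protocol, which ports, and whether each conversation was started from inside or outside the tunnel), followed by a check for the pattern zebrax0r eventually found (a BitTorrent DHT/PEX node talking to a crowd of peers over UDP with no torrent active), as an added example that is not part of the thread and not anyone's posted code. It works on a hand-constructed packet list rather than a real capture; the local prefix 2001:db8:1234::/48, the sample addresses and the thresholds in `dht_suspects` are all assumptions. With a real tunnel you would feed it the 5-tuple fields exported by tshark or a NetFlow collector instead.

```python
"""Triage of traffic seen on an IPv6 tunnel endpoint (added example).

Answers three questions for every conversation: protocol, port numbers,
and who initiated it.  Then flags local UDP ports that exchange small
datagrams with many distinct remote hosts, which is what a BitTorrent
DHT node looks like even when nothing is being downloaded.
All addresses, lengths and thresholds below are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("2001:db8:1234::/48")   # assumption: the routed /48 on the tunnel
LOCAL_HOST = "2001:db8:1234::10"               # assumption: the VM that holds the tunnel


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str      # "tcp", "udp" or "icmpv6"
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def is_local(addr: str) -> bool:
    return ip_address(addr) in LOCAL_NET


def flow_key(p: Packet):
    """Direction-independent 5-tuple so both halves of a conversation match."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def initiators(packets):
    """Map each flow to 'inside', 'outside' or 'unknown'.
    TCP: a bare SYN (no ACK) identifies the initiator; a TCP flow whose SYN
    was not captured stays 'unknown'.  UDP/ICMPv6: first packet seen wins."""
    started = {}
    for p in sorted(packets, key=lambda q: q.ts):
        k = flow_key(p)
        if p.proto == "tcp":
            if p.syn and not p.ack:
                started[k] = "inside" if is_local(p.src) else "outside"
            else:
                started.setdefault(k, "unknown")
        elif k not in started:
            started[k] = "inside" if is_local(p.src) else "outside"
    return started


def summarize(packets):
    """Bytes per protocol, bytes per (protocol, local port), flows per initiator."""
    by_proto, by_local_port = Counter(), Counter()
    for p in packets:
        by_proto[p.proto] += p.length
        local_port = p.sport if is_local(p.src) else p.dport
        by_local_port[(p.proto, local_port)] += p.length
    by_dir = Counter(initiators(packets).values())
    return {"bytes_by_proto": dict(by_proto),
            "bytes_by_local_port": dict(by_local_port),
            "flows_by_initiator": dict(by_dir)}


def dht_suspects(packets, min_peers=8, max_avg_len=400):
    """Local UDP ports talking to >= min_peers distinct remote hosts in small
    datagrams.  Thresholds are assumptions; tune them against your own LAN."""
    peers, total_bytes, count = defaultdict(set), Counter(), Counter()
    for p in packets:
        if p.proto != "udp":
            continue
        if is_local(p.src):
            lport, remote = p.sport, p.dst
        elif is_local(p.dst):
            lport, remote = p.dport, p.src
        else:
            continue
        peers[lport].add(remote)
        total_bytes[lport] += p.length
        count[lport] += 1
    return sorted(lp for lp in peers
                  if len(peers[lp]) >= min_peers
                  and total_bytes[lp] / count[lp] <= max_avg_len)


# Constructed sample "capture": an outbound NNTP-over-TLS session (we send the
# SYN), an unsolicited inbound SYN to ssh, some neighbour-discovery noise, and
# a DHT-style swarm of small UDP datagrams on local port 6881.
SAMPLE = [
    Packet(1.0, "tcp", LOCAL_HOST, 51000, "2001:db8:ffff:a::119", 563, 80, syn=True),
    Packet(1.1, "tcp", "2001:db8:ffff:a::119", 563, LOCAL_HOST, 51000, 80, syn=True, ack=True),
    Packet(1.2, "tcp", "2001:db8:ffff:a::119", 563, LOCAL_HOST, 51000, 1400, ack=True),
    Packet(2.0, "tcp", "2001:db8:ffff:b::7", 40000, LOCAL_HOST, 22, 80, syn=True),
    Packet(2.5, "icmpv6", LOCAL_HOST, 0, "ff02::2", 0, 70),
]
for i in range(12):
    peer = f"2001:db8:ffff:{0x100 + i:x}::1"
    ours = Packet(3.0 + i + (0.05 if i % 2 else 0.0), "udp", LOCAL_HOST, 6881, peer, 6881 + i, 300)
    theirs = Packet(3.0 + i + (0.0 if i % 2 else 0.05), "udp", peer, 6881 + i, LOCAL_HOST, 6881, 120)
    SAMPLE += [ours, theirs]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(k, v)
    print("DHT-like local UDP ports:", dht_suspects(SAMPLE))
```

The initiator split is the key signal: a host that only fetches news should show nearly all TCP flows started from inside and nothing much on UDP, so a pile of UDP conversations, half of them started by remote hosts and all pinned to one local port, points at a peer-to-peer daemon rather than at a compromised VM.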