koldfront

Hosts sending 2 or 6 NULL bytes #net

Recently, like the last month or so, my server has been receiving packets from various, seemingly arbitrary, hosts, containing either 2 or 6 NULL bytes.

They hit mostly port 22 (ssh), 53 (dns), 80 (http), 443 (https) and imaps (993). I only have a very limited number of ports open in the router, so they might be hitting more ports.

Looking at them with ngrep(8), it looks like this:

$ sudo ngrep -x -q '^\x00\x00*$'
interface: enp4s0 (192.168.1.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^\x00\x00*$
 
T 88.208.41.159:42560 -> 192.168.1.101:22 [S] #32
  00 00                                                 ..
 
T 78.140.142.55:44230 -> 192.168.1.101:80 [S] #41
  00 00                                                 ..
 
T 78.140.141.247:47152 -> 192.168.1.101:53 [S] #46
  00 00                                                 ..
 
T 5.11.81.197:48256 -> 192.168.1.101:443 [S] #62
  00 00                                                 ..
 
T 54.36.150.116:41070 -> 192.168.1.101:443 [R] #404
  00 00 00 00 00 00                                     ......

I'm not quite sure to make of it. The sources seem to change, sometimes they're mostly from Japan, sometimes from China, sometimes from AWS, other times from various hosting companies.

Anyone know what this is?

Add comment?

Title:

Name:

Email (won't be displayed online):

Text:

0.0124 s
webcustodian@koldfront.dk