Hosts sending 2 or 6 NULL bytes #net
Recently, like the last month or so, my server has been receiving packets from various, seemingly arbitrary, hosts, containing either 2 or 6 NULL bytes.
They hit mostly port 22 (ssh), 53 (dns), 80 (http), 443 (https) and 993 (imaps). I only have a very limited number of ports open in the router, so they might be hitting more ports than I can see.
Looking at them with ngrep(8), it looks like this:
$ sudo ngrep -x -q '^\x00\x00*$'
interface: enp4s0 (192.168.1.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^\x00\x00*$

T 88.208.41.159:42560 -> 192.168.1.101:22 [S] #32
  00 00                                                 ..

T 78.140.142.55:44230 -> 192.168.1.101:80 [S] #41
  00 00                                                 ..

T 78.140.141.247:47152 -> 192.168.1.101:53 [S] #46
  00 00                                                 ..

T 5.11.81.197:48256 -> 192.168.1.101:443 [S] #62
  00 00                                                 ..

T 54.36.150.116:41070 -> 192.168.1.101:443 [R] #404
  00 00 00 00 00 00                                     ......
I'm not quite sure what to make of it. The sources seem to change: sometimes they're mostly from Japan, sometimes from China, sometimes from AWS, other times from various hosting companies.
Anyone know what this is?
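An added example (not part of the post) for sorting out captures like the one above: it parses the text that `ngrep -x -q` prints, tallies the hits by destination port and by TCP flags plus payload length, and then checks one benign explanation for exactly this 2-byte/6-byte all-zero pattern. The hypothesis it tests, which the post itself does not confirm, is that the bytes are Ethernet minimum-frame padding rather than data the remote host sent: a frame shorter than 60 bytes (64 on the wire minus the FCS, which libpcap normally does not deliver) is padded with zeros, and a capture tool that prints everything after the TCP header shows that padding as payload. The assumptions, also marked in the code, are IPv4 without options, a bare RST with no TCP options, and a scanner-style SYN carrying only the 4-byte MSS option; the sample input is constructed from the packets in the post.

```python
import re
from collections import Counter

# Constructed sample in the layout ngrep -x -q uses: a header line per packet
# followed by an indented hex dump. Values copied from the capture in the post.
SAMPLE = """\
T 88.208.41.159:42560 -> 192.168.1.101:22 [S] #32
  00 00                                                 ..

T 78.140.142.55:44230 -> 192.168.1.101:80 [S] #41
  00 00                                                 ..

T 78.140.141.247:47152 -> 192.168.1.101:53 [S] #46
  00 00                                                 ..

T 5.11.81.197:48256 -> 192.168.1.101:443 [S] #62
  00 00                                                 ..

T 54.36.150.116:41070 -> 192.168.1.101:443 [R] #404
  00 00 00 00 00 00                                     ......
"""

HEADER_RE = re.compile(
    r"^(?P<proto>[TU]) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z]*)\] #(?P<n>\d+)$"
)
# Hex dump line: leading whitespace, then "xx " pairs; the ASCII column is ignored.
HEX_RE = re.compile(r"^\s+((?:[0-9a-f]{2}\s+)+)")


def parse_ngrep(text):
    """Turn ngrep -x output into a list of dicts with a raw bytes payload."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"],
                "payload": b"",
            }
            packets.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            current["payload"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return packets


ETH_HEADER = 14
ETH_MIN_FRAME = 60  # 64-byte Ethernet minimum minus the 4-byte FCS libpcap drops


def ethernet_padding(ip_header_len=20, tcp_header_len=20, tcp_options_len=0, payload_len=0):
    """Zero bytes the sender's NIC must append to reach the Ethernet minimum frame size."""
    frame = ETH_HEADER + ip_header_len + tcp_header_len + tcp_options_len + payload_len
    return max(0, ETH_MIN_FRAME - frame)


# Assumed minimal packet shapes (hypothesis, not taken from the post):
# a scanner SYN with only the MSS option (4 bytes) and an RST with no options.
MINIMAL_TCP_OPTIONS = {"S": 4, "R": 0}


def explained_by_padding(pkt):
    """True if the 'payload' is all zeros and exactly the padding such a minimal packet gets."""
    if pkt["proto"] != "T" or any(pkt["payload"]):
        return False
    opts = MINIMAL_TCP_OPTIONS.get(pkt["flags"])
    if opts is None:
        return False
    return len(pkt["payload"]) == ethernet_padding(tcp_options_len=opts)


def summarize(packets):
    """Counts per destination port, per (flags, payload length), and how many fit the padding hypothesis."""
    return {
        "total": len(packets),
        "by_port": Counter(p["dport"] for p in packets),
        "by_shape": Counter((p["flags"], len(p["payload"])) for p in packets),
        "explained_by_padding": sum(explained_by_padding(p) for p in packets),
    }


if __name__ == "__main__":
    s = summarize(parse_ngrep(SAMPLE))
    print(f"{s['total']} packets, {s['explained_by_padding']} consistent with Ethernet padding")
    print("by port:", dict(s["by_port"]))
    print("by (flags, payload length):", dict(s["by_shape"]))
```

If every packet comes out as consistent with padding, the next thing to check is the IP total-length field against the captured frame length (for example with `tcpdump -v`, which prints `length`): when the IP length is smaller than the frame, the trailing zeros were never part of the IP packet and the "payload" is an artifact of the capture, leaving only the port scan itself to worry about.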