koldfront

Hosts sending 2 or 6 NULL bytes #net

🕣︎ - 2019-08-16

Recently, like the last month or so, my server has been receiving packets from various, seemingly arbitrary, hosts, containing either 2 or 6 NULL bytes.

They mostly hit ports 22 (ssh), 53 (dns), 80 (http), 443 (https) and 993 (imaps). I only have a very limited number of ports open in the router, so they might be hitting more ports.

Looking at them with ngrep(8), it looks like this:

$ sudo ngrep -x -q '^\x00\x00*$'
interface: enp4s0 (192.168.1.0/255.255.255.0)
filter: ((ip || ip6) || (vlan && (ip || ip6)))
match: ^\x00\x00*$
 
T 88.208.41.159:42560 -> 192.168.1.101:22 [S] #32
  00 00                                                 ..
 
T 78.140.142.55:44230 -> 192.168.1.101:80 [S] #41
  00 00                                                 ..
 
T 78.140.141.247:47152 -> 192.168.1.101:53 [S] #46
  00 00                                                 ..
 
T 5.11.81.197:48256 -> 192.168.1.101:443 [S] #62
  00 00                                                 ..
 
T 54.36.150.116:41070 -> 192.168.1.101:443 [R] #404
  00 00 00 00 00 00                                     ......

I'm not quite sure what to make of it. The sources seem to change: sometimes they're mostly from Japan, sometimes from China, sometimes from AWS, other times from various hosting companies.

Anyone know what this is?
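A check added here by the editor, not part of the original post: before reading anything into those bytes it is worth confirming that they are TCP payload at all. Ethernet requires a frame of at least 60 bytes (before the 4-byte FCS), and a sender pads anything shorter, usually with zero bytes. A SYN carrying only a 4-byte MSS option is 14 + 20 + 24 = 58 bytes on the wire and so picks up 2 bytes of padding; a bare RST with a 20-byte TCP header is 14 + 20 + 20 = 54 bytes and picks up 6. A capture tool that takes the payload as "everything after the TCP header to the end of the frame" rather than "to the end of the IP packet" prints that padding as if it were data. The script below parses the ngrep output quoted above (copied in as the sample input), tallies it by destination port, flags and apparent payload length, and then constructs such frames with struct to show that the IPv4 total-length field yields an empty payload plus exactly 2 or 6 trailing zero bytes. The MAC and IP addresses in the constructed frames are placeholders.

```python
"""Two checks on the ngrep output above: parse and tally the matches, then
show how Ethernet minimum-frame padding can masquerade as a 2- or 6-byte
TCP payload.  Added example; the sample text is copied from the post and
the addresses in the constructed frames are placeholders."""
import re
import struct
from collections import Counter

# Minimum Ethernet frame on the wire (header + payload, excluding the 4-byte
# FCS).  Anything shorter is padded by the sender, usually with zero bytes.
ETH_MIN_FRAME = 60
ETH_HDR = 14

# The ngrep -x matches quoted in the post, used here as constructed sample input.
NGREP_SAMPLE = """\
T 88.208.41.159:42560 -> 192.168.1.101:22 [S] #32
  00 00                                                 ..

T 78.140.142.55:44230 -> 192.168.1.101:80 [S] #41
  00 00                                                 ..

T 78.140.141.247:47152 -> 192.168.1.101:53 [S] #46
  00 00                                                 ..

T 5.11.81.197:48256 -> 192.168.1.101:443 [S] #62
  00 00                                                 ..

T 54.36.150.116:41070 -> 192.168.1.101:443 [R] #404
  00 00 00 00 00 00                                     ......
"""

# "T 1.2.3.4:42560 -> 5.6.7.8:22 [S] #32"
HEADER_RE = re.compile(r'^([TU]) (\S+):(\d+) -> (\S+):(\d+) \[(\w*)\] #(\d+)')
# Hex column of a -x dump line: two leading spaces, then "xx " groups.  The
# ASCII column is separated from it by a run of spaces, which ends the match.
HEX_RE = re.compile(r'^  ((?:[0-9a-fA-F]{2} ?)+)')


def parse_ngrep(text):
    """Turn ngrep -x output into a list of dicts with the payload as bytes."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                'proto': m.group(1), 'src': m.group(2), 'sport': int(m.group(3)),
                'dst': m.group(4), 'dport': int(m.group(5)),
                'flags': m.group(6), 'num': int(m.group(7)), 'payload': b'',
            }
            records.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            current['payload'] += bytes.fromhex(m.group(1).strip())
    return records


def summarize(records):
    """Count matches by (destination port, TCP flags, apparent payload length)."""
    return Counter((r['dport'], r['flags'], len(r['payload'])) for r in records)


TCP_SYN, TCP_RST = 0x02, 0x04
MSS_1460 = b'\x02\x04\x05\xb4'   # TCP option: kind 2, length 4, MSS 1460


def build_frame(flags, options=b'', payload=b'', pad=b'\x00'):
    """Build Ethernet/IPv4/TCP and pad it to ETH_MIN_FRAME the way a sending
    NIC/driver does.  Checksums are left zero: only the length fields matter
    here.  MACs and IPs are placeholders."""
    tcp_hdr_len = 20 + len(options)
    assert tcp_hdr_len % 4 == 0, 'TCP options must pad to a 4-byte boundary'
    ip_total = 20 + tcp_hdr_len + len(payload)
    eth = b'\x00' * 6 + b'\x00' * 6 + b'\x08\x00'        # dst MAC, src MAC, IPv4
    ip = struct.pack('!BBHHHBBH4s4s',
                     0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes([203, 0, 113, 9]), bytes([192, 168, 1, 101]))
    tcp = struct.pack('!HHIIBBHHH',
                      42560, 22, 0, 0, (tcp_hdr_len // 4) << 4, flags, 65535, 0, 0)
    frame = eth + ip + tcp + options + payload
    return frame + pad * max(0, ETH_MIN_FRAME - len(frame))


def split_tcp_payload(frame):
    """Return (real TCP payload, bytes beyond the IP packet) by trusting the
    IPv4 total-length field instead of the captured frame length."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    (ip_total,) = struct.unpack('!H', frame[ETH_HDR + 2:ETH_HDR + 4])
    tcp_start = ETH_HDR + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    ip_end = ETH_HDR + ip_total
    return frame[tcp_start + data_off:ip_end], frame[ip_end:]


def naive_payload(frame):
    """What a tool gets if it takes 'everything after the TCP header'."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    tcp_start = ETH_HDR + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off:]


if __name__ == '__main__':
    for key, n in sorted(summarize(parse_ngrep(NGREP_SAMPLE)).items()):
        print('port %d flags [%s] payload %d bytes: %d match(es)' % (key + (n,)))
    for name, frame in [('SYN+MSS', build_frame(TCP_SYN, MSS_1460)),
                        ('bare RST', build_frame(TCP_RST))]:
        real, trailer = split_tcp_payload(frame)
        print('%-8s frame=%d naive=%r real=%r trailer=%r'
              % (name, len(frame), naive_payload(frame), real, trailer))
```

If the tally lines up with the size classes (SYN with a single MSS option, bare RST), the 2 versus 6 is explained by frame padding and what is left is plain SYN probes against the listening ports. Looking at the same packets in a tool that honours the IP total length, such as Wireshark, which shows bytes past the end of the IP packet as an Ethernet trailer rather than as TCP data, confirms it either way.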
