OPNsense Forum » English Forums » Intrusion Detection and Prevention
Topic: I thought I might ask here (Read 3300 times)
meyergru (Hero Member, IT Aficionado)
« on: November 09, 2021, 01:53:21 pm »
I wondered what those blocked entries in my firewall log are (see attachment):
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2100::xxxxxx port yyyy tcpflags PA
All come from IPs within 2603:10b0::/32 (owned by Microsoft, apparently MS Azure), source port 443 and they have PSH and ACK flags set (which makes it hard to even create a rule to let those packets pass, because you have to use advanced options).
I would not bother about this, if it were not for the fact that the destination IPs are only Windows PCs in my network - and those are correct SLAAC temporary addresses only (not a random scan) which would be hard to guess.
Digging a little into the matter, I found that the sender IPs apparently do not react to anything and I can see no outgoing packets to those IP addresses originating from my PC (on any port). The incoming TCP payload is gibberish...
I wonder how my temporary IPv6 addresses leak to whatever machines send these packets - is this a residue of a legitimate Microsoft service (like Windows Update) or an indication of some malware that is already on my Windows machines, phoning home to some Azure-based command-and-control servers, but not getting answered because my firewall blocks it?
Does somebody know what this is?
« Last Edit: November 09, 2021, 05:17:55 pm by meyergru »
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
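One way to triage log entries of the kind quoted above, as an added example that is not from the thread or from OPNsense itself: the script parses lines in the shape of the excerpt in the post, keeps inbound TCP hits from the 2603:10b0::/32 prefix with source port 443, and groups them by local destination while counting how many arrived without a SYN. A packet carrying only PSH/ACK (or FIN/ACK) belongs to a connection the firewall never saw open, so the default stateful pass rule (pf matches TCP with flags S/SA) cannot pass it; that is also why the author would need the advanced TCP-flags option to let it through. The sample log lines are constructed for this example, and the destination addresses use the 2001:db8::/32 documentation prefix rather than anything from the post.

```python
"""Triage inbound mid-stream TCP hits in OPNsense-style filter log lines.

Added example for this thread, not code from the post or from OPNsense.
Assumptions: the line format follows the excerpt in the post; the prefix of
interest is 2603:10b0::/32 with source port 443; all sample lines below are
constructed and use 2001:db8::/32 documentation addresses as destinations.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from the poster's real log).
SAMPLE_LOG = """\
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2001:db8:0:1:1c7a:9f1e:4b3d:2e01 port 52110 tcpflags PA
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2001:db8:0:1:1c7a:9f1e:4b3d:2e01 port 52110 tcpflags PA
WAN in TCP from 2603:10b0:2a1:5:0:1:ab:3 port 443 to 2001:db8:0:1:8a21:77f0:1d2c:a19 port 60233 tcpflags PA
WAN in TCP from 2603:10b0:2a1:5:0:1:ab:3 port 443 to 2001:db8:0:1:8a21:77f0:1d2c:a19 port 60233 tcpflags FA
WAN in TCP from 2a00:1450:4001:80b::200e port 443 to 2001:db8:0:1:1c7a:9f1e:4b3d:2e01 port 49876 tcpflags S
WAN in UDP from 2606:4700::6810:84e5 port 53 to 2001:db8:0:1:1c7a:9f1e:4b3d:2e01 port 33333
WAN in TCP from 2603:10b0:9:9::1 port 443 to 2001:db8:0:1::10 port 40000 tcpflags S
"""

# "<iface> <in|out> <proto> from <src> port <n> to <dst> port <n> [tcpflags <F>]"
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<proto>TCP|UDP)\s+"
    r"from\s+(?P<src>[0-9A-Fa-f:.]+)\s+port\s+(?P<sport>\d+)\s+"
    r"to\s+(?P<dst>[0-9A-Fa-f:.]+)\s+port\s+(?P<dport>\d+)"
    r"(?:\s+tcpflags\s+(?P<flags>[A-Z]+))?\s*$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format
    (redacted lines such as 'to 2100::xxxxxx port yyyy' fall into None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_mid_stream(flags):
    """True when the TCP flags cannot open a connection (no SYN present).

    pf's default TCP match is 'flags S/SA': only a bare SYN creates state, so a
    PA or FA segment for a connection the firewall never saw is always blocked.
    """
    return flags is not None and "S" not in flags


def triage(log_text, prefix="2603:10b0::/32", sport=443):
    """Group inbound TCP hits from prefix/sport by local destination address.

    Returns {dst: {"hits", "mid_stream", "sources", "dports"}}. A temporary
    SLAAC address that shows up here was not guessed by a scanner; something
    on that host disclosed it to the sender.
    """
    net = ipaddress.ip_network(prefix)
    report = defaultdict(
        lambda: {"hits": 0, "mid_stream": 0, "sources": set(), "dports": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dir"] != "in":
            continue
        if rec["src"] not in net or rec["sport"] != sport:
            continue
        entry = report[str(rec["dst"])]
        entry["hits"] += 1
        entry["sources"].add(str(rec["src"]))
        entry["dports"].add(rec["dport"])
        if is_mid_stream(rec["flags"]):
            entry["mid_stream"] += 1
    return dict(report)


def suspicious_destinations(report):
    """Destinations where every hit lacked SYN: the clearest 'leaked address'
    signal, because no connection attempt from that prefix ever preceded them."""
    return sorted(
        dst for dst, e in report.items() if e["hits"] and e["hits"] == e["mid_stream"]
    )


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for dst, e in sorted(rep.items()):
        print(f"{dst}: {e['hits']} hits, {e['mid_stream']} without SYN, "
              f"{len(e['sources'])} source(s), dports {sorted(e['dports'])}")
    print("all-mid-stream destinations:", suspicious_destinations(rep))
```

Feed it the real filter log (for example the lines exported from Firewall: Log Files: Live View) instead of SAMPLE_LOG; a destination that appears in suspicious_destinations() but whose host shows no outgoing traffic to the same prefix in a capture is exactly the pattern the post describes.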
Fright (Hero Member)
« Reply #1 on: November 12, 2021, 06:23:53 am »
Maybe something interesting will be in the client's DNS cache after loading?
You can also try to sniff outgoing traffic at the time the client is loaded - maybe something will be seen in the SNI header?
meyergru (Hero Member, IT Aficionado)
« Reply #2 on: November 12, 2021, 08:50:07 am »
I sniffed the traffic and there was no outgoing connection to those IPs. I then tried to disable the network interface of the affected PCs and afterward re-enabled them. This has the effect of changing the temporary IPv6. Afterwards, the new IPv6 got contacted.
Then, I disabled the Windows Update service (net stop wuauserv) and repeated the same routine - afterwards, not a single contact in 5 minutes. So I assume that this is an artifact of the Background Intelligent Transfer Service (BITS). For now, I am content that OPNsense blocks such traffic, because I have found no way of completely disabling my PCs (and bandwidth) being used to help Microsoft deliver their updates to other customers.