I thought I might ask here

Started by meyergru, November 09, 2021, 01:53:21 PM

November 09, 2021, 01:53:21 PM Last Edit: November 09, 2021, 05:17:55 PM by meyergru
I wondered what those blocked entries in my firewall log are (see attachment):

WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2100::xxxxxx port yyyy tcpflags PA

All come from IPs within 2603:10b0::/32 (owned by Microsoft, apparently MS Azure), source port 443, and they have the PSH and ACK flags set (which makes it hard to even create a rule to let those packets pass, because you have to use advanced options).

I would not bother about this, if it were not for the fact that the destination IPs are only Windows PCs in my network - and those are correct SLAAC temporary addresses only (not a random scan) which would be hard to guess.

Digging a little into the matter, I found that the sender IPs apparently do not react to anything and I can see no outgoing packets to those IP addresses originating from my PC (on any port). The incoming TCP payload is gibberish...

I wonder how my temporary IPv6 addresses leak to whatever machines send these packets - is this a residue of a legitimate Microsoft service (like Windows Update) or an indication of some malware that is already on my Windows machines, phoning home to some Azure-based command-and-control servers, but not getting answered because my firewall blocks it?

Does somebody know what this is?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
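As an added example (not from the thread or from OPNsense itself), the following Python script triages log lines of the shape quoted above: it keeps only inbound TCP packets from 2603:10b0::/32 with source port 443 and PSH+ACK but no SYN (i.e. packets that claim to belong to an already established connection, which is why a plain port-based pass rule never matches them), restricts them to a local prefix you supply, and reports per destination whether the interface identifier is a temporary one (no ff:fe marker of a MAC-derived EUI-64 address). The log lines, the local prefix 2100::/64 and all addresses below are constructed for the example, and the line format is assumed to be exactly the one pasted in the post.

```python
"""Triage firewall drops matching the post's pattern: source in
2603:10b0::/32, source port 443, PSH+ACK without SYN, destination a
locally assigned SLAAC address. Added example, not project code."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in the shape quoted in the post; all
# addresses and ports are made up for this example.
SAMPLE_LOG = """\
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2100::1234:5678:9abc:def0 port 51234 tcpflags PA
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2100::1234:5678:9abc:def0 port 51234 tcpflags PA
WAN in TCP from 2603:10b0:3e1:12::1 port 443 to 2100::2aa:bbff:fecc:ddee port 51235 tcpflags PA
WAN in TCP from 2001:db8::1 port 22 to 2100::1234:5678:9abc:def0 port 22 tcpflags S
WAN in TCP from 2603:10b0:5:6::7 port 443 to 2100::1 port 40000 tcpflags S
"""

# Assumed line layout: "<iface> in TCP from <src> port <n> to <dst> port <n> tcpflags <FLAGS>"
LINE_RE = re.compile(
    r"^(?P<iface>\S+) in TCP from (?P<src>[0-9a-fA-F:]+) port (?P<sport>\d+) "
    r"to (?P<dst>[0-9a-fA-F:]+) port (?P<dport>\d+) tcpflags (?P<flags>[A-Z]+)$"
)
AZURE_PREFIX = ipaddress.ip_network("2603:10b0::/32")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "iface": m["iface"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "flags": set(m["flags"]),
    }


def is_eui64(addr):
    """True if the 64-bit interface identifier carries the ff:fe marker of a
    modified EUI-64 (MAC-derived) address. RFC 4941 temporary addresses use
    a random identifier and normally lack it."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return addr.packed[11:13] == b"\xff\xfe"


def is_midstream_push(flags):
    """PSH+ACK with no SYN: not a connection attempt but a data segment for
    a connection the firewall has no state for."""
    return {"P", "A"} <= flags and "S" not in flags


def matches_pattern(rec, local_net):
    return (
        rec["src"] in AZURE_PREFIX
        and rec["sport"] == 443
        and is_midstream_push(rec["flags"])
        and rec["dst"] in local_net
    )


def summarize(log_text, local_prefix):
    """Count matching packets per destination host and flag whether that
    host's address uses a temporary (non-EUI-64) identifier."""
    local_net = ipaddress.ip_network(local_prefix)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_pattern(rec, local_net):
            counts[str(rec["dst"])] += 1
    return {
        dst: {"packets": n, "temporary_iid": not is_eui64(dst)}
        for dst, n in counts.items()
    }


if __name__ == "__main__":
    for dst, info in summarize(SAMPLE_LOG, "2100::/64").items():
        kind = "temporary" if info["temporary_iid"] else "EUI-64"
        print(f"{dst}: {info['packets']} packet(s), {kind} address")
```

Run it against a real export by replacing SAMPLE_LOG with the contents of the filter log and the local prefix with your own delegated /64. A destination that shows up with a temporary identifier and several packets is the case the post describes; a scan would instead hit EUI-64 or arbitrary addresses and carry a SYN.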

Maybe something interesting will be in the client's DNS cache after loading?
You can also try to sniff outgoing traffic at the time the client is loaded - maybe something will be seen in the SNI header?

I sniffed the traffic and there was no outgoing connection to those IPs. I then tried to disable the network interface of the affected PCs and afterward re-enabled them. This has the effect of changing the temporary IPv6. Afterwards, the new IPv6 got contacted.

Then, I disabled the Windows Update service (net wuauservice stop) and repeated the same routine - afterwards, not a single contact in 5 minutes. So I assume that this is an artifact of the Background Intelligent Transfer Service (BITS). For now, I am content that OPNsense blocks such traffic, because I have found no way of completely disabling my PCs (and bandwidth) being used to help Microsoft deliver their updates to other customers.