Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
I thought I might ask here
« previous
next »
Print
Pages: [
1
]
Author
Topic: I thought I might ask here (Read 3305 times)
meyergru
Hero Member
Posts: 1700
Karma: 167
IT Aficionado
I thought I might ask here
«
on:
November 09, 2021, 01:53:21 pm »
I wondered what those blocked entries in my firewall log are (see attachment):
WAN in TCP from 2603:10b0:b14:89d8:0:1:4b:73f3 port 443 to 2100::xxxxxx port yyyy tcpflags PA
All come from IPs within 2603:10b0::/32 (owned my Microsoft, apparently MS Azure), source port 443 and they have PSH and ACK flags set (which makes it hard to even create a rule to let those packets pass, because you have to use advanced options).
I would not bother about this, if it were not for the fact that the destination IPs are only Windows PCs in my network - and those are correct SLAAC temporary addresses only (not a random scan) which would be hard to guess.
Digging a little into the matter, I found that the sender IPs apparently do not react to anything and I can see no outgoing packets to those IP addresses originating from my PC (on any port). The incoming TCP payload is gibberish...
I wonder how my temporary IPv6 leak to whatever machines send these packets - is this a residue of a legit Microsoft service (like Windows update) or an indication of some malware that is already on my Windows machines, phoning home to some Azure-based command-and-control servers, but not getting answered because my firewall blocks it?
Does somebody know what this is?
«
Last Edit: November 09, 2021, 05:17:55 pm by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
Fright
Hero Member
Posts: 1777
Karma: 164
Re: I thought I might ask here
«
Reply #1 on:
November 12, 2021, 06:23:53 am »
maybe something interesting will be in the client's dns cache after loading?
You can also try to sniff outgoing traffic at the time the client is loaded - maybe something will be seen in the SNI header?
Logged
meyergru
Hero Member
Posts: 1700
Karma: 167
IT Aficionado
Re: I thought I might ask here
«
Reply #2 on:
November 12, 2021, 08:50:07 am »
I sniffed the traffic and there was no outgoing connection to those IPs. I then tried to disable the network interface of the affected PCs and afterward re-enabled them. This has the effect of changing the temporary IPv6. Afterwards, the new IPv6 got contacted.
Then, I disabled the Windows update service (net wuauservice stop) and repeated the same routine - afterwards, not a single contact in 5 minutes. So I assume that this is an artifact of the background intellgent transfer service (BITS). For now, I am content that OpnSense blocks such traffic, because I have found no way of completely disabling my PCs (and bandwidth) being used to help Microsoft deliver their updates to other customers.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
I thought I might ask here