dndx / phantun

Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs.
Apache License 2.0

Client log: Unknown TCP packages #28

Closed Handsome1080P closed 2 years ago

Handsome1080P commented 2 years ago

The client got a lot of these logs; I don't know if it's normal or not.

INFO fake_tcp > Unknown TCP packet from 10.221.0.1:30289, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:29569, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:52463, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:35476, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:60392, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:63529, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:34216, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:58855, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:26415, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:51151, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:36858, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:19034, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST

dndx commented 2 years ago

Is this the client or server? It seems that there is something attempting to connect to Phantun; you can use tcpdump to figure out what it is.

It shouldn't affect the performance of Phantun, but it is certainly annoying.

Handsome1080P commented 2 years ago

It's the client log. I used tcpdump to capture on the Phantun interface but did not see any unusual logs. Only server IP to the client peer IP and client peer IP to server IP.

Handsome1080P commented 2 years ago

> It's the client log. I used tcpdump to capture on the Phantun interface but did not see any unusual logs. Only server IP to the client peer IP and client peer IP to server IP.

I only got this log from tcpdump. I have not set an IPv6 address on this tunnel, but there are some IPv6 connection logs. But the other one, which uses IPv6, gets the same unknown TCP packages logs too. Of the two Phantun instances, one uses an IPv4 endpoint and one uses an IPv6 endpoint, on different ports. So it's so weird.

11:35:03.208074 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 45) server_ip.25565 > 10.221.0.2.55350: Flags [.], cksum 0x4700 (correct), seq 543164463:543164468, ack 1856256, win 65535, length 5
11:35:04.753562 IP6 (flowlabel 0x361bf, hlim 1, next-header UDP (17) payload length: 345) fe80::898d:d31a:959f:b940.65116 > ff12::8384.21027: [udp sum ok] UDP, length 337

dndx commented 2 years ago

IPv6 packets are auto ignored so they should not be a problem. Your log says the unknown TCP packets are from 10.221.0.1:37892 but the dump does not seem to be from that address. Maybe something else is connecting to Phantun from the machine that is running it (10.221.0.1 in this case)?

How often do those Unknown TCP packet logs appear? Do they appear consistently or just sometimes? It will be helpful if you can capture one of these actual packets that's causing RST and the RST with it.

Handsome1080P commented 2 years ago

> IPv6 packets are auto ignored so they should not be a problem. Your log says the unknown TCP packets are from 10.221.0.1:37892 but the dump does not seem to be from that address. Maybe something else is connecting to Phantun from the machine that is running it (10.221.0.1 in this case)?
>
> How often do those Unknown TCP packet logs appear? Do they appear consistently or just sometimes? It will be helpful if you can capture one of these actual packets that's causing RST and the RST with it.

I have set a tcpdump with an RST filter running in the background; I will show you if there is a result. The unknown TCP packages logs appear irregularly.

dndx commented 2 years ago

If that is the case then it is probably no cause for alarm. Occasional RSTs shouldn't cause any performance issue anyway.

I suspect it is something trying to connect to Phantun on the local machine, but only a capture can tell what it actually is.

Handsome1080P commented 2 years ago

> If that is the case then it is probably no cause for alarm. Occasional RSTs shouldn't cause any performance issue anyway.
>
> I suspect it is something trying to connect to Phantun on the local machine, but only a capture can tell what it actually is.

It's true, there are some spam IPs trying to connect to my client, == . It seems to be IGMP; I will try to use iptables to reject them.

root@cisco:~# tcpdump -i phan2 -vv tcp[tcpflags] == 'tcp-rst'
tcpdump: listening on phan2, link-type RAW (Raw IP), capture size 262144 bytes
12:13:35.376710 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 239.255.255.250.1900 > 10.221.0.1.20759: Flags [R], cksum 0xbc12 (correct), seq 1294816069, win 65535, length 0
12:13:35.379287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 239.255.255.250.1900 > 10.221.0.1.34939: Flags [R], cksum 0x84ae (correct), seq 1294816069, win 65535, length 0
12:13:35.385842 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) igmp.mcast.net.0 > 10.221.0.1.37892: Flags [R], cksum 0x30e7 (correct), seq 1, win 65535, length 0
12:13:36.377919 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) igmp.mcast.net.0 > 10.221.0.1.37892: Flags [R], cksum 0x30e7 (correct), seq 1, win 65535, length 0
12:13:45.398074 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) igmp.mcast.net.0 > 10.221.0.1.37892: Flags [R], cksum 0x30e7 (correct), seq 1, win 65535, length 0
12:13:45.721922 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) igmp.mcast.net.0 > 10.221.0.1.37892: Flags [R], cksum 0x30e7 (correct), seq 1, win 65535, length 0

dndx commented 2 years ago

Looks like https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol. It shouldn't cause any harm.

If you are really annoyed you can drop all multicast IP addresses on iptables when forwarding to Phantun.

Handsome1080P commented 2 years ago

> Looks like https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol. It shouldn't cause any harm.
>
> If you are really annoyed you can drop all multicast IP addresses on iptables when forwarding to Phantun.

thx a lot
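
The diagnosis worked out in this thread, as an added example that is not part of the original discussion or of Phantun: it pairs each "Unknown TCP packet" log line with the RST captured for the same address and port, then reports where the offending packet was headed and whether that destination is multicast. The sample input is constructed from the lines quoted above; the numeric `tcpdump -n` form and 224.0.0.22 standing in for the name printed as igmp.mcast.net are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input, modelled on the lines quoted in the thread.
# The capture is in `tcpdump -n` form so addresses stay numeric (assumption).
PHANTUN_LOG = """\
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:37892, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:20759, sending RST
INFO fake_tcp > Unknown TCP packet from 10.221.0.1:30289, sending RST
"""
RST_CAPTURE = """\
12:13:35.376710 IP 239.255.255.250.1900 > 10.221.0.1.20759: Flags [R], seq 1294816069, win 65535, length 0
12:13:35.385842 IP 224.0.0.22.0 > 10.221.0.1.37892: Flags [R], seq 1, win 65535, length 0
"""

LOG_RE = re.compile(r"Unknown TCP packet from (\d+(?:\.\d+){3}):(\d+), sending RST")
RST_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[R")


def rst_targets(capture_text):
    """Map each (addr, port) an RST was sent to onto the RST's own source.

    In the capture in this thread the RST goes back to the logged sender, so
    the RST's source is the destination of the packet that triggered it.
    """
    targets = {}
    for m in RST_RE.finditer(capture_text):
        targets[(m[3], int(m[4]))] = (m[1], int(m[2]))
    return targets


def triage(log_text, capture_text):
    """Count logged senders and attach the destination each one was sending to."""
    hits = Counter((m[1], int(m[2])) for m in LOG_RE.finditer(log_text))
    targets = rst_targets(capture_text)
    report = []
    for sender, count in hits.most_common():
        dst = targets.get(sender)
        report.append({
            "sender": sender,
            "count": count,
            "original_dst": dst,  # None: no RST for this sender in the capture
            "multicast": dst is not None and ipaddress.ip_address(dst[0]).is_multicast,
        })
    return report


if __name__ == "__main__":
    for row in triage(PHANTUN_LOG, RST_CAPTURE):
        print(row)
```

Rows whose `original_dst` is `None` are the ones still worth capturing, since nothing in the RST dump explains them yet.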