gsliepen / tinc

a VPN daemon
http://tinc-vpn.org/

Received UDP packet from unknown source 127.0.0.1 port 655 #415

Open ptorrent opened 2 years ago

ptorrent commented 2 years ago

Hello there,

I've a flood on port 655 from 127.0.0.1 on tinc. Do you know where it could come from?

2022-09-02 10:25:10 tinc[2857]: Received UDP packet from unknown source 127.0.0.1 port 655
2022-09-02 10:25:10 tinc[2857]: Received UDP packet from unknown source 127.0.0.1 port 655
2022-09-02 10:25:10 tinc[2857]: Received UDP packet from unknown source 127.0.0.1 port 655

If I add this iptables rule:

iptables -I INPUT -i lo -p udp --dport 655 -j DROP

I don't have this log anymore. Can I have a problem if I block UDP from localhost?

My config:

TCPOnly=yes

Version 1.1pre16

gsliepen commented 2 years ago

If you are using TCPOnly=yes anyway, then blocking UDP should not be an issue. Is there only one tinc daemon running on that host or are there multiple?

ptorrent commented 2 years ago

There are 2 daemons running on it on different ports. Is that a problem?

The second daemon has TCPOnly set to yes

gsliepen commented 2 years ago

Is the first or the second daemon running on port 655?

ptorrent commented 2 years ago

No, the first one is on 655 and the second one on port 21245

This is the config of the second one:

Name = x10
AddressFamily = ipv4
Interface = rdbinterface
StrictSubnets = yes
TCPOnly = yes
Broadcast = no
Port = 21245
ConnectTo = x1
ConnectTo = x2
ConnectTo = x3
ConnectTo = x4
ConnectTo = x5
ConnectTo = x6
ConnectTo = x7

gsliepen commented 2 years ago

Could you check in the logs of the first one if it's sending packets to the second? You might need to increase the debug level.

ptorrent commented 2 years ago

I will add this log in the second tinc daemon and let you know (actually we don't have logs on this daemon).

By looking into the log of the first tinc daemon I saw this:

UDP address of NODEXXXX set to 127.0.0.1 port 655

We're using an HTTPS tunnel (that's why you see 127.0.0.1 as the source address). If a second node uses the HTTPS tunnel, you will have 2 nodes from the same address, right? Can it be a problem?

2022-09-02 19:03:58 tinc[2857]: UDP address of NODEX17 set to [remoteip] port 655
2022-09-02 19:04:05 tinc[2857]: UDP address of NODEX8 set to [remoteip] port 655
2022-09-02 19:04:30 tinc[2857]: UDP address of NODEX10 set to [remoteip] port 655
2022-09-02 19:04:48 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:05:23 tinc[2857]: UDP address of NODEX1 set to 127.0.0.1 port 655
2022-09-02 19:06:02 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:07:18 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:07:33 tinc[2857]: UDP address of NODEX1 set to 1[remoteip] port 655
2022-09-02 19:08:32 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:08:33 tinc[2857]: UDP address of NODEX3 set to [remoteip] port 655
2022-09-02 19:08:34 tinc[2857]: UDP address of NODEX11 set to [remoteip] port 655
2022-09-02 19:09:05 tinc[2857]: UDP address of NODEX4 set to [remoteip] port 655
2022-09-02 19:09:43 tinc[2857]: UDP address of NODEX1 set to [remoteip] port 655
2022-09-02 19:09:45 tinc[2857]: UDP address of NODEX13 set to [remoteip] port 655
2022-09-02 19:09:47 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:09:54 tinc[2857]: UDP address of NODEX9 set to [remoteip] port 655
2022-09-02 19:09:58 tinc[2857]: UDP address of NODEX12 set to [remoteip] port 655
2022-09-02 19:10:03 tinc[2857]: UDP address of NODEX5 set to [remoteip] port 655
2022-09-02 19:10:25 tinc[2857]: UDP address of NODEX6 set to [remoteip] port 655
2022-09-02 19:10:52 tinc[2857]: UDP address of NODEX2 set to [remoteip] port 655
2022-09-02 19:10:59 tinc[2857]: UDP address of NODEX10 set to [remoteip] port 655
2022-09-02 19:11:07 tinc[2857]: UDP address of NODEX11 set to [remoteip] port 655
2022-09-02 19:11:55 tinc[2857]: UDP address of NODEX2 set to [remoteip] port 655
2022-09-02 19:12:26 tinc[2857]: UDP address of NODEX10 set to [remoteip] port 655
2022-09-02 19:12:52 tinc[2857]: UDP address of NODEX1 set to [remoteip] port 655
2022-09-02 19:13:09 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:13:16 tinc[2857]: UDP address of NODEX8 set to [remoteip] port 655
2022-09-02 19:13:16 tinc[2857]: UDP address of NODEX7 set to [remoteip] port 655
2022-09-02 19:13:20 tinc[2857]: UDP address of NODEX8 set to [remoteip] port 655
2022-09-02 19:14:08 tinc[2857]: UDP address of NODEX9 set to [remoteip] port 655
2022-09-02 19:14:25 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:14:27 tinc[2857]: UDP address of NODEX10 set to [remoteip] port 655
2022-09-02 19:14:46 tinc[2857]: UDP address of NODEX3 set to [remoteip] port 655
2022-09-02 19:14:59 tinc[2857]: UDP address of NODEX8 set to [remoteip] port 655
2022-09-02 19:15:06 tinc[2857]: UDP address of NODEX1 set to 127.0.0.1 port 655
2022-09-02 19:15:22 tinc[2857]: UDP address of NODEX14 set to [remoteip] port 655
2022-09-02 19:15:39 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:15:47 tinc[2857]: UDP address of NODEX1 set to 127.0.0.1 port 655
2022-09-02 19:16:53 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:17:15 tinc[2857]: UDP address of NODEX8 set to [remoteip] port 655
2022-09-02 19:17:48 tinc[2857]: UDP address of NODEX5 set to [remoteip] port 655
2022-09-02 19:18:07 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:19:21 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:20:30 tinc[2857]: UDP address of NODEX8 set to [remoteip] port 655
2022-09-02 19:20:35 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:21:42 tinc[2857]: UDP address of NODEX15 set to [remoteip] port 655
2022-09-02 19:21:49 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:22:01 tinc[2857]: UDP address of NODEX1 set to 127.0.0.1 port 655
2022-09-02 19:23:05 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:23:24 tinc[2857]: UDP address of NODEX8 set to [remoteip] port 655
2022-09-02 19:24:10 tinc[2857]: UDP address of NODEX16 set to [remoteip] port 655
2022-09-02 19:24:19 tinc[2857]: UDP address of NODEX2 set to 127.0.0.1 port 655
2022-09-02 19:24:36 tinc[2857]: UDP address of NODEX7 set to [remoteip] port 655
2022-09-02 19:24:57 tinc[2857]: UDP address of NODEX10 set to [remoteip] port 655
2022-09-02 19:25:14 tinc[2857]: UDP address of NODEX7 set to [remoteip] port 655

By the way, is it normal to have this log with TCPOnly=yes?

Thanks for your answer and support!
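
A triage helper for the two log formats quoted in this thread, added here as an example (it is not from the issue's participants or the tinc project): it groups the "UDP address of ... set to ..." lines by node, lists loopback endpoints that were assigned to more than one node, and counts "unknown source" packets per endpoint. The sample log lines, node names and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Line formats taken from the log excerpts in this thread.
SET_RE = re.compile(r"UDP address of (\S+) set to (\S+) port (\d+)")
UNKNOWN_RE = re.compile(r"Received UDP packet from unknown source (\S+) port (\d+)")

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # redacted value such as "[remoteip]", or a hostname

def summarize(lines):
    """Return (per_node, shared_loopback, unknown_sources) for a tinc log."""
    per_node = defaultdict(lambda: {"loopback": 0, "changes": 0, "last": None})
    loopback_nodes = defaultdict(set)   # (addr, port) -> nodes seen there
    unknown = Counter()                 # (addr, port) -> unknown-source packets
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[(m[1], int(m[2]))] += 1
            continue
        m = SET_RE.search(line)
        if not m:
            continue
        node, ep = m[1], (m[2], int(m[3]))
        stats = per_node[node]
        if stats["last"] not in (None, ep):
            stats["changes"] += 1       # endpoint differs from the previous one
        stats["last"] = ep
        if is_loopback(ep[0]):
            stats["loopback"] += 1
            loopback_nodes[ep].add(node)
    shared = {ep: sorted(n) for ep, n in loopback_nodes.items() if len(n) > 1}
    return dict(per_node), shared, dict(unknown)

# Constructed sample (node names and addresses are made up for the example).
SAMPLE = """\
2022-09-02 19:04:30 tinc[1]: UDP address of NODEA set to 198.51.100.7 port 655
2022-09-02 19:04:48 tinc[1]: UDP address of NODEB set to 127.0.0.1 port 655
2022-09-02 19:05:23 tinc[1]: UDP address of NODEC set to 127.0.0.1 port 655
2022-09-02 19:06:02 tinc[1]: UDP address of NODEB set to 127.0.0.1 port 655
2022-09-02 19:07:33 tinc[1]: UDP address of NODEC set to 198.51.100.9 port 655
2022-09-02 19:08:00 tinc[1]: Received UDP packet from unknown source 127.0.0.1 port 655
2022-09-02 19:08:00 tinc[1]: Received UDP packet from unknown source 127.0.0.1 port 655
""".splitlines()

if __name__ == "__main__":
    nodes, shared, unknown = summarize(SAMPLE)
    print(shared, unknown)
```

An endpoint that appears both in the shared-loopback result and in the unknown-source counts is the place to start looking when several peers arrive through the same local tunnel.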