17-Oct-2014

Router on tilt?
It was about 10 o’clock in the evening, while I was looking up data on the internet on both my mobile phone and a tablet, that all of a sudden the connections dropped for no apparent reason; my Android phone complained that the WiFi connection was unstable. A slowdown normally means there is an attempt running to break into some service at my site, but that would not cause the WiFi to become unstable: traffic just slows down tremendously and sites cannot be found because name resolution slows down too much. So something else was going on.
Going up to the attic it became immediately clear that something was indeed going on: every two seconds a beep of the Alpha system signalled a mail coming in – from the SYSLOG daemon, triggered by the router.
It turned out that a number of name servers were trying to reach the router (given its address) in a stream of UDP messages, which caused the router (by its configuration) to block them as DoS attacks, with messages similar to:
Charon2: [DOS][Block][udp_RP_flood, timeout=10][(address):53->82.161.236.244:(port)][UDP][HLen=(header length), TLen=(transport length)]
Since the originating port (53) indicates the requests were sent by name servers (port 53 is the default port for DNS), I checked the addresses, and all were indeed name services: from my ISP, a few others, and Google. The way to get this stopped was shutting down the WAN interface (the ‘dirty side’ of the router); closing port 53 would have been useless, since the router already blocked the access: the requests didn’t make it into the LAN. After re-enabling the WAN interface, all was back to normal.
Since SYSLOGD has been set up to log this type of request not just to the log file but to OPCOM as well, it’s an easy trip to track it all down. And I found that the whole sequence was started by a flood of UDP packets – twice – from a secured port (443):
%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:23.80 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:23 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=65]

%%%%%%%%%%% OPCOM 17-OCT-2014 19:49:25.33 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@charon.intra.grootersnet.nl at Oct 17 19:49:24 ...
Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=1378]

This address is the Google cache at my ISP.
The very next moment a mail message comes in, and from that moment on the trouble starts and name services start firing their requests. In the beginning the Google cache service hops in a few times, but that doesn’t show up later on; the same goes for incoming mail messages (but operator.log doesn’t show the originating address – I’ll have to dig through the PMAS or SYSLOGD logs for them). Then it stops after I disabled the WAN interface, about 30 minutes after it all started.
The log shows that the router spewed out a message every 2 seconds, but the instability started when the number of available channels dropped too far, so that new connections could not be established.
This may have caused the instability of the WiFi connection as signalled by my phone. But as it turned out, it was not the interface that was unstable, but a far too busy router.
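Digging through the SYSLOGD or OPCOM output by hand works for a 30-minute burst, but a small parser makes the pattern obvious at once. The following Python is an added example (not part of the original post and not the router’s or the SYSLOG daemon’s own code): it parses the [DOS][Block] lines in the format quoted above, counts events per source address, lists the sources that sent from port 53, and estimates how many blocked flows the router had to track at once, given the timeout=10 in each line. The sample log is constructed: it reuses the two Google-cache lines from the post, adds made-up name-server lines using RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x), and assumes a plain syslog timestamp prefix; the real router log may carry a different prefix.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the router's DoS-block line as quoted in the post, e.g.
# Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=65]
BLOCK_RE = re.compile(
    r"\[DOS\]\[(?P<action>\w+)\]\[(?P<rule>[^,\]]+)(?:,\s*timeout=(?P<timeout>\d+))?\]"
    r"\[(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\]"
    r"\[(?P<proto>[A-Z]+)\]\[HLen=(?P<hlen>\d+),\s*TLen=(?P<tlen>\d+)\]"
)
# Assumed syslog-style prefix ("Oct 17 19:49:23 ...") on each line of the constructed sample.
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\b")

# Constructed sample: the two lines from the post plus made-up name-server lines
# (documentation addresses) and one unrelated router line the parser must skip.
SAMPLE_LOG = """\
Oct 17 19:49:23 charon Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=65]
Oct 17 19:49:24 charon Charon2: [DOS][Block][udp_RP_flood, timeout=10][82.94.234.15:443->82.161.236.244:39146][UDP][HLen=20, TLen=1378]
Oct 17 19:49:27 charon Charon2: [DOS][Block][udp_RP_flood, timeout=10][192.0.2.53:53->82.161.236.244:52010][UDP][HLen=20, TLen=128]
Oct 17 19:49:29 charon Charon2: [DOS][Block][udp_RP_flood, timeout=10][198.51.100.2:53->82.161.236.244:52011][UDP][HLen=20, TLen=256]
Oct 17 19:49:31 charon Charon2: [DOS][Block][udp_RP_flood, timeout=10][192.0.2.53:53->82.161.236.244:52012][UDP][HLen=20, TLen=128]
Oct 17 19:49:33 charon Charon2: WAN link status changed (constructed non-matching line)
Oct 17 19:49:33 charon Charon2: [DOS][Block][udp_RP_flood, timeout=10][203.0.113.9:53->82.161.236.244:52013][UDP][HLen=20, TLen=512]
"""


def parse_block_line(line, year=2014):
    """Return a dict for one [DOS][Block] line, or None if the line is not one."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "tlen"):
        rec[key] = int(rec[key])
    rec["timeout"] = int(rec["timeout"]) if rec["timeout"] else None
    ts = TS_RE.match(line)
    # The syslog prefix has no year; the caller supplies it.
    rec["ts"] = (datetime.strptime(f"{year} {ts['mon']} {ts['day']} {ts['time']}", "%Y %b %d %H:%M:%S")
                 if ts else None)
    return rec


def summarize(lines):
    """Aggregate block events: per-source counts, DNS sources, and peak tracked flows."""
    recs = [r for r in (parse_block_line(line) for line in lines) if r]
    by_src = Counter(r["src"] for r in recs)
    # Source port 53 means the packet came from a name server (or claims to), as the post observes.
    dns_sources = sorted({r["src"] for r in recs if r["sport"] == 53})
    # Each blocked flow stays in the router's table for `timeout` seconds. Counting, at every
    # event, how many earlier events are still within their timeout gives the peak table load,
    # which is what exhausts the "available channels" when events keep arriving every 2 s.
    times = sorted((r["ts"], r["timeout"] or 0) for r in recs if r["ts"])
    peak = 0
    for i, (t, _) in enumerate(times):
        live = sum(1 for t2, to in times[: i + 1] if (t - t2).total_seconds() < to)
        peak = max(peak, live)
    return {"total": len(recs), "by_src": by_src, "dns_sources": dns_sources, "peak_tracked": peak}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"{summary['total']} block events, peak {summary['peak_tracked']} flows tracked at once")
    for src, n in summary["by_src"].most_common():
        tag = " (DNS source)" if src in summary["dns_sources"] else ""
        print(f"  {src:<15} {n:>3}{tag}")
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; any lines without the [DOS][Block] marker, including the OPCOM header lines, are ignored. A steady rise in peak_tracked with no corresponding rise in legitimate traffic is the signature of the table filling up that the post describes.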
This is one of those cases that is hard – if not impossible – to reproduce, but even so, I’ll mention it to the manufacturer.