I just found this in my spam folder.
The probes come in on many ports, so they are just looking for something open I suppose.
I'll look into that INVALID tag, it's something I'm not familiar with (yet).
On Fri, Feb 28, 2020 at 3:29 PM Trevor Cordes trevor@tecnopolis.ca wrote:
On 2020-02-27 Scott Toderash wrote:
[10192947.300008] UDP: bad checksum. From 1.2.3.4:10398 to 3.4.5.6:5060 ulen 237
I started getting some of this yesterday on one host.
I think that there is a way to use regex and fail2ban to block flood attacks like this. Does anyone have the recipe?
It comes in on various ports. This example is port 5060 but the host does not have anything listening there.
I think just simple iptables -j DROP for those would be more efficient than fail2ban. The only thing fail2ban would buy you is if the hitters are also hitting valid ports with valid packets and you want to preemptively block them. I wouldn't think it was worth it.
iptables -A earlychain -p all -m conntrack --ctstate INVALID -j DROP
iptables -A earlychain -p all -m state --state INVALID -j DROP
Not sure if those catch invalid checksum... but they should? If the traffic is confined to certain ports, just -p udp --dport xxxx -j DROP them.
In any event, besides the kernel log (which is probably settable), even letting the kernel drop them post-iptables isn't really taking up many resources.
You should capture some of the packets to see what the content is! Might be interesting.
And 5060 is sip... you sure you aren't running some voip that is getting handled in a wonky way? Is the source IP somewhere in CN or from legit IPs you might have business with?
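As an added illustration (not code from anyone in the thread): a small Python parser for the kernel line Scott quoted, with fail2ban-style maxretry/findtime counting per source address and the equivalent failregex. The sample log lines, the thresholds and the failregex string are constructed assumptions, not a stock fail2ban filter.

```python
import re
from collections import defaultdict

# Kernel log line as quoted in the thread. The bracketed number is the
# kernel uptime in seconds and serves as the timestamp for windowing.
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+UDP: bad checksum\. "
    r"From (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) ulen (?P<ulen>\d+)$"
)

# Assumed fail2ban failregex for the same line; fail2ban substitutes its own
# address pattern for <HOST>. Not taken from a stock fail2ban filter.
FAIL2BAN_FAILREGEX = r"UDP: bad checksum\. From <HOST>:\d+ to \S+:\d+ ulen \d+"

# Constructed sample: one source hitting several different ports (as Scott
# describes), one source below the threshold, and an unrelated kernel line.
SAMPLE_LOG = [
    "[10192947.300008] UDP: bad checksum. From 1.2.3.4:10398 to 3.4.5.6:5060 ulen 237",
    "[10192950.100000] UDP: bad checksum. From 1.2.3.4:10399 to 3.4.5.6:5061 ulen 240",
    "[10192951.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "[10192955.000000] UDP: bad checksum. From 5.6.7.8:40000 to 3.4.5.6:5060 ulen 200",
    "[10192960.200000] UDP: bad checksum. From 1.2.3.4:10400 to 3.4.5.6:1194 ulen 237",
    "[10192970.300000] UDP: bad checksum. From 1.2.3.4:10401 to 3.4.5.6:161 ulen 237",
    "[10192980.400000] UDP: bad checksum. From 1.2.3.4:10402 to 3.4.5.6:123 ulen 237",
    "[10192990.500000] UDP: bad checksum. From 1.2.3.4:10403 to 3.4.5.6:5060 ulen 237",
]

def parse(line):
    """Return the fields of one bad-checksum line, or None for other kernel messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "dport": int(d["dport"]), "ulen": int(d["ulen"])}

def flooders(lines, maxretry=5, findtime=60.0):
    """Sources with at least maxretry hits inside a sliding findtime-second window
    (fail2ban's maxretry/findtime idea). Returns {src: total hits seen}."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            stamps[rec["src"]].append(rec["ts"])
    banned = {}
    for src, ts in stamps.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[src] = len(ts)
                break
    return banned

def drop_rule(src):
    # Same shape as Trevor's rule, narrowed to one offending source address.
    return f"iptables -A earlychain -s {src} -p udp -j DROP"
```

Whether the conntrack INVALID rules above already catch these packets depends on the kernel's nf_conntrack_checksum setting; this script only shows the log-driven per-source approach Scott asked about.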