Gentoo Forums
[solved] who hammers at my ipv6 if ?
toralf
Posted: Sat May 28, 2016 3:51 pm    Post subject: [solved] who hammers at my ipv6 if ?

At my server I do observe peaks like the following:
Code:
12:00:01 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s   %ifutil
02:03:01 AM    enp3s0   2652.77   1738.83   2804.44   1861.37      0.00      0.00      0.00      2.30
04:07:01 AM    enp3s0   4937.92   1504.53   6254.33   1423.79      0.00      0.00      0.00      5.12
04:08:01 AM    enp3s0  11637.23   2592.90  15777.55   2581.52      0.00      0.00      0.00     12.92
04:09:01 AM    enp3s0   8845.03   2587.22  11699.57   2714.80      0.00      0.00      0.00      9.58
which correlates to a high rx input at my ipv6 address (statistics from my provider). That traffic is usually blocked by my firewall (straight ip(6)tables script).

Now I was wondering whether it makes sense at all to try to get the originating ip address(es) and independent from that, how could that be achieved w/ an ip6tables rule set ?


Last edited by toralf on Thu Jun 02, 2016 7:02 pm; edited 1 time in total
dataking
Posted: Wed Jun 01, 2016 10:52 pm

toralf wrote:
Now I was wondering whether it makes sense at all to try to get the originating ip address(es) and independent from that, how could that be achieved w/ an ip6tables rule set ?

IMHO, "most people" will gain little value in collecting IPs (v6 OR v4) that are banging at their (firewall) door. I personally find it mildly interesting to capture those IPs, then pull "interesting" metrics about those IPs: what country they're reporting as, what org they might belong to, etc... basically anything DNS, GeoIP, WhoIs or anything else might tell me about them. YMMV.

But, as long as they aren't getting past your firewall/perimeter, it probably doesn't matter a whole lot after that.

It just so happens, the FW product I use silently drops IPv6, so I don't even bother tracking who might happen past. Again, YMMV.

As far as how that could be achieved, you'd have to create a LOG'ging ip6tables (or nftables(???)) rule to log the traffic. Then you could whip up some scripts to do "interesting" things with that data.
_________________
-= the D@7@k|n& =-
toralf
Posted: Thu Jun 02, 2016 12:35 pm

Well, yes, I'd need the LOG target, but I do wonder how to get the traffic amount. Maybe this isn't achievable at all for me?
szatox
Posted: Thu Jun 02, 2016 4:16 pm

You can check firewall's statistics with
iptables -nvL

It can be any rule. You can create a rule with the same target as your policy, so it will be matched and counted separately, without doing anything fancy.
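The two suggestions in this thread combined, a LOG rule for source addresses and a counted rule with the policy's target for traffic volume, as an added example that is not part of any post here. The chain name LOGDROP6, the IP6DROP prefix, the rate limit and the sample log lines are assumptions, and it assumes the INPUT chain's policy is DROP.

```shell
#!/bin/sh
# Added example: chain name, log prefix and rate limit are assumptions.

# Print the rules instead of applying them; review, then pipe to `sh` as root.
# The last rule is appended to INPUT, so it only sees what the policy would drop.
# The DROP rule's packet/byte counters are exact even though LOG is rate-limited:
#   ip6tables -nvxL LOGDROP6
emit_rules() {
    cat <<'EOF'
ip6tables -N LOGDROP6
ip6tables -A LOGDROP6 -m limit --limit 20/second --limit-burst 50 -j LOG --log-prefix "IP6DROP: "
ip6tables -A LOGDROP6 -j DROP
ip6tables -A INPUT -j LOGDROP6
EOF
}

# Sum packets and bytes per source from kernel log lines on stdin.
# Output: "<bytes> <packets> <source>", largest first.
# Because of the rate limit this is a sample of senders, not a full account.
# UDP lines carry a second LEN= (the UDP length); only the first one,
# the IPv6 packet length, is counted.
top_sources() {
    awk '/IP6DROP: / {
        src = ""; len = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^LEN=/ && len == 0) len = substr($i, 5) + 0
        }
        if (src != "") { pkts[src]++; bytes[src] += len }
    }
    END { for (s in pkts) printf "%d %d %s\n", bytes[s], pkts[s], s }' | sort -rn
}

# Constructed sample lines (documentation prefix 2001:db8::/32), not real traffic.
sample_log() {
    cat <<'EOF'
Jun  2 04:08:01 host kernel: IP6DROP: IN=enp3s0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:00ff LEN=1460 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40000 LEN=1420
Jun  2 04:08:01 host kernel: IP6DROP: IN=enp3s0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:00ff LEN=1460 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40001 LEN=1420
Jun  2 04:08:02 host kernel: IP6DROP: IN=enp3s0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:00ff LEN=80 TC=0 HOPLIMIT=50 FLOWLBL=0 PROTO=TCP SPT=44321 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0
Jun  2 04:08:02 host kernel: enp3s0: link is up
EOF
}

# On a live system: dmesg | top_sources | head
```

The byte totals from `top_sources` only cover logged packets; for the actual volume dropped, read the counters on the DROP rule in the chain.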
toralf
Posted: Thu Jun 02, 2016 7:01 pm

indeed - thx.
All times are GMT