router under attack on L2TP tunnel?

never seen this before.

feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: rcvd control message from 146.88.240.4:1701 to xxx.xxx.138.202:1701
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: tunnel-id=0, session-id=0, ns=0, nr=0
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Message-Type=SCCRQ
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Protocol-Version=0x01:00
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Host-Name=“2.am”
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Framing-Capabilities=0x1
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Assigned-Tunnel-ID=35
feb/27 20:47:03 l2tp,info first L2TP UDP packet received from 146.88.240.4
feb/27 20:47:03 l2tp,info L2TPDBG===>: first L2TP UDP packet received from 146.88.240.4
feb/27 20:47:03 l2tp,debug L2TPDBG===>: tunnel 35 entering state: wait-ctl-conn
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: sent control message to 146.88.240.4:1701 from xxx.xxx.138.202:1701
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: tunnel-id=35, session-id=0, ns=0, nr=1
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Message-Type=SCCRP
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Protocol-Version=0x01:00
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Framing-Capabilities=0x1
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Bearer-Capabilities=0x0
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: Firmware-Revision=0x1
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Host-Name=“IND cable”
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: Vendor-Name=“MikroTik”
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Assigned-Tunnel-ID=35
feb/27 20:47:03 l2tp,debug,packet L2TPDBG===>: (M) Receive-Window-Size=4
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: sent control message to 146.88.240.4:1701 from xxx.xxx.138.202:1701
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: tunnel-id=35, session-id=0, ns=0, nr=1
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: (M) Message-Type=SCCRP
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: (M) Protocol-Version=0x01:00
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: (M) Framing-Capabilities=0x1
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: (M) Bearer-Capabilities=0x0
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: Firmware-Revision=0x1
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: (M) Host-Name=“IND cable”
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: Vendor-Name=“MikroTik”
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: (M) Assigned-Tunnel-ID=35
feb/27 20:47:04 l2tp,debug,packet L2TPDBG===>: (M) Receive-Window-Size=4
feb/27 20:47:27 l2tp,debug L2TPDBG===>: tunnel 35 received no replies, disconnecting
feb/27 20:47:27 l2tp,debug L2TPDBG===>: tunnel 35 entering state: dead

The source IP resolves to https://www.arbor-observatory.com/, which declares itself as a security research organization.

So it is a warning for you, highlighting that your L2TP server is open to the whole internet without IPsec encryption, intentionally or unintentionally, and the only barrier between you and a real attacker is the username and password at the L2TP level and the robustness of the RouterOS L2TP stack itself. I.e. if there eventually is a vulnerability in the L2TP stack which allows establishing a connection without knowledge of the username and password, the attacker can make use of it.

Depending on settings (in RouterOS case, the ones in /ppp profile), L2TP itself either doesn’t encrypt the payload at all or uses MPPE which is not very strong, so a man in the middle can read your VPN communication if you intentionally run L2TP connections without IPsec encryption.

If you do use IPsec encryption of L2TP, it means it is not configured properly and thus incoming L2TP connection requests are accepted even if they arrive outside an IPsec SA.
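Added example, not part of the original posts: a Python check over RouterOS L2TP debug logs in the format posted above. It lists peers outside an allowlist whose SCCRQ the router answered with SCCRP, which shows the L2TP server is reachable from those sources. The sample log, its documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the log format shown in the thread; the addresses are
# documentation-range placeholders, not values from the page.
SAMPLE_LOG = """\
feb/27 20:47:03 l2tp,debug,packet rcvd control message from 198.51.100.7:1701 to 192.0.2.10:1701
feb/27 20:47:03 l2tp,debug,packet     (M) Message-Type=SCCRQ
feb/27 20:47:03 l2tp,debug,packet sent control message to 198.51.100.7:1701 from 192.0.2.10:1701
feb/27 20:47:03 l2tp,debug,packet     (M) Message-Type=SCCRP
feb/27 20:47:04 l2tp,debug,packet sent control message to 198.51.100.7:1701 from 192.0.2.10:1701
feb/27 20:47:04 l2tp,debug,packet     (M) Message-Type=SCCRP
feb/27 20:47:27 l2tp,debug tunnel 35 received no replies, disconnecting
feb/27 21:02:10 l2tp,debug,packet rcvd control message from 203.0.113.20:1701 to 192.0.2.10:1701
feb/27 21:02:10 l2tp,debug,packet     (M) Message-Type=SCCRQ
feb/27 21:02:10 l2tp,debug,packet sent control message to 203.0.113.20:1701 from 192.0.2.10:1701
feb/27 21:02:10 l2tp,debug,packet     (M) Message-Type=SCCRP
feb/27 21:02:10 l2tp,debug,packet rcvd control message from 203.0.113.20:1701 to 192.0.2.10:1701
feb/27 21:02:10 l2tp,debug,packet     (M) Message-Type=SCCCN
"""

HDR = re.compile(r"(rcvd) control message from ([\d.]+):|(sent) control message to ([\d.]+):")
MSG = re.compile(r"Message-Type=(\w+)")

def handshake_counts(log_text):
    """Map peer IP -> Counter of (direction, message type) control messages."""
    counts, current = defaultdict(Counter), None
    for line in log_text.splitlines():
        h = HDR.search(line)
        if h:  # header line: remember direction and peer for the AVP dump that follows
            current = (h.group(1) or h.group(3), h.group(2) or h.group(4))
        elif current and (m := MSG.search(line)):
            counts[current[1]][(current[0], m.group(1))] += 1
            current = None
    return counts

def answered_strangers(log_text, known_peers):
    """Peers outside known_peers whose SCCRQ the router answered with SCCRP.

    Returns sorted (peer, SCCRP replies sent, handshake completed with SCCCN).
    """
    hits = []
    for peer, c in handshake_counts(log_text).items():
        if peer not in known_peers and c[("rcvd", "SCCRQ")] and c[("sent", "SCCRP")]:
            hits.append((peer, c[("sent", "SCCRP")], c[("rcvd", "SCCCN")] > 0))
    return sorted(hits)

if __name__ == "__main__":
    print(answered_strangers(SAMPLE_LOG, known_peers={"203.0.113.20"}))
```

A peer reported with `False` matches the pattern in the posted log: the router answered, retransmitted SCCRP, and the tunnel went dead without the peer continuing the handshake.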

I had a tunnel between 2 MTs but it failed after a version upgrade so I thought I had deleted it but obviously left this interface on.
I turned off the L2TP server as soon as I saw the log entries and did the same IP trace you did (findip-address.com).

Thanks for the reply, do you have a blog or vimeo / youtube channel where you give examples of programming?
Your posts are among the most informative here.