Routerboard pinging random addresses

I’ve got an RB600 that is pinging random IP addresses.

It has persisted through a wipe and reload. Unit has been in service since April of 2008. Getting ready to replace it, but something odd is going on. I’d like to get to the bottom of it.

Netinstall is not an option at the moment, maybe not at all. Ether1 is broken.

I’m less concerned about fixing this particular unit and more concerned with getting to the bottom of the problem.

I’ve cleared the unit; the instant a default route is added to the unit, it starts pinging random addresses. Complete wipe, no default config, mac-telnet into the unit, add any address on that subnet, add a gateway, and it starts pinging.

[Screenshot: Ping.jpg]

It is not the router pinging; the “outside world” is pinging your router, and IMHO you are passing this traffic to the 10.1.22.2 device with a firewall dst rule … if 10.1.22.2 is a LAN address, not WAN.

I don’t agree with BartoszP; you have TX with no RX. Do a sniffer capture on the packets. The bps is large; what’s inside?

It’s your opinion, but the source address is a public one and the destination is a local one. It seems obvious, IMHO, that the traffic comes from the world to the LAN, or to the WAN interface if 10.x.x.x is the address of the WAN interface.

EDIT

Tx means that the router transmits packets from “outside” to the 10.x.x.x address. The router does not receive them, as it is not their destination … we do not know the DST-NAT rules.

I get confused by src/dst in Torch myself from time to time. But if you try it yourself, this really is how it looks for outgoing traffic from the router.

My thinking tends to be in line with the above.

From screenshot, ether2 IP seems to be 10.1.22.1, packets are coming in on ether2 from outside world destined for 10.1.22.2 and being forwarded to 10.1.22.2, the TX part.
Replies from 10.1.22.2 are not for ether2 / 10.1.22.1, but for the outside world, i.e. passing through ether2, hence no RX on that interface.
Can also be being dropped by 10.1.22.2.

You didn’t tell us if you have any PC connected to the RouterBoard. From what I see, it seems like a virus-infected PC pinging an IP with a random src address. If it wasn’t for the TX traffic it would probably be from outside, but now it is from inside your network. First, disconnect every machine from the network and torch again. Second, if you must have PCs connected, you could try enabling tcp cookies and the rp check filter so every packet with a spoofed src address would be discarded.

As I understand it, the router is currently not routing, it’s just connected to network, and there’s barely any config except address (10.1.22.2) and gateway (10.1.22.1). And if that’s the case, some process on router pinging random addresses would look exactly like this.