Weird 129.0.0.x IPs?

Hello everyone,

Sniffing the traffic with the sniffer on my CCR1009-8G-1S-1S+, I can see some weird IPs:

  • 129.0.0.10
  • 129.0.0.20
  • 129.0.0.30
  • 129.0.0.40

Why weird? Because of the end numbers (too perfect to be real IPs) and because the device (CCR1009-8G-1S-1S+) is behind a strict gateway which does not allow incoming traffic from these.
This traffic only appears if the filter-interface is empty. Sniffing the traffic on every single interface (ether1, ether2, sfp1) does not show any 129.0.0.x.
Analyzing the capture file in Wireshark highlights bad layer-2 frames:

Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)

Do you have an idea?
Regards.

Up? :slight_smile:

Why don’t you post the entire captured frame?

Privacy issue :confused: Not my decision, unfortunately.

Now that we have more traffic on the router, the problem seems obviously related to bad UDP frames:

This is SIP traffic generated by SBC appliances (Session Border Controller).
I will check this.

Apparently broken equipment that sends garbage ethernet frames (with non-random garbage).
Not something related to your router, I think.

Of course this shows how useful it is to sometimes do a capture and look what is going on.

I’m seeing this too. And it’s hard to figure out where the traffic is coming from, because the RouterOS sniffer either doesn’t work right or it’s lying to me: it shows the traffic on bond1 when the interface is any:

1 0.035 bond1 129.0.0.71:49320 172.28.0.15:1891 tcp 188 1 no

But if I sniff on bond1 it doesn’t show up.

Also this doesn’t match anything either:
/ip firewall mangle
add action=log chain=postrouting log-prefix=TEST src-address=129.0.0.0/16
add action=log chain=prerouting log-prefix=TEST src-address=129.0.0.0/16
add action=log chain=input log-prefix=TEST src-address=129.0.0.0/16
add action=log chain=output log-prefix=TEST src-address=129.0.0.0/16
add action=log chain=forward log-prefix=TEST src-address=129.0.0.0/16
add action=log chain=postrouting dst-address=129.0.0.0/16 log-prefix=TEST
add action=log chain=prerouting dst-address=129.0.0.0/16 log-prefix=TEST
add action=log chain=input dst-address=129.0.0.0/16 log-prefix=TEST
add action=log chain=output dst-address=129.0.0.0/16 log-prefix=TEST
add action=log chain=forward dst-address=129.0.0.0/16 log-prefix=TEST

Something isn’t right…

Same here - running on x86.

ether1 has no IP address assigned, with VLAN interfaces attached to it - maybe this is the issue?
[attachment: Capture.PNG]
[attachment: Capture1.PNG]

Those are valid IPs… My honeypots have seen traffic from them many times.

NetRange: 129.0.0.0 - 129.0.255.255
CIDR: 129.0.0.0/16
NetName: AFRINIC-ERX-129-0-0-0
NetHandle: NET-129-0-0-0-1
Parent: NET129 (NET-129-0-0-0-0)
NetType: Transferred to AfriNIC
Organization: African Network Information Center (AFRINIC)
Ref: https://whois.arin.net/rest/net/NET-129-0-0-0-1
OrgId: AFRINIC
Address: Level 11ABC
Address: Raffles Tower
Address: Lot 19, Cybercity
City: Ebene
Country: MU

A valid IP address range would not explain why those packets do not get picked up by any firewall filter, nor why I cannot see those packets within Wireshark.
[attachment: Capture.PNG]

I suspect that someone has two concurrent connections to the Internet: one via your LAN and the second via e.g. LTE, and part of the LTE traffic is “leaking” to the LAN interface.

The byte counters are incredible - 4 GB - and I run the sniffer for only approx. 5 seconds each time (I am using PtP to connect to the VLAN, around 40 Mbit/s).

When I change the VLAN ID, the src addresses 129.0.x.x change in the captured connections, as long as existing connections exist prior to switching to a non-existing vlanXXX – ?

[attachment: Capture.PNG]
[attachment: Capture1.PNG]
[attachment: Capture3.PNG]

What is the 10.10.219.2 device?

It is the local IP address assigned to vlan219.


/snip

sep/24/2016 11:32:46 by RouterOS 6.37

/interface bridge
add mtu=1500 name=BridgeLOCAL
add name=bridgeVLAN219

/interface vlan
add arp=enabled interface=ether2 mac-address=00:0C:42:D3:D3:97 name=vlan219 vlan-id=219

/interface bridge port
add bridge=BridgeLOCAL interface=ether3
add bridge=BridgeLOCAL interface=ether4
add bridge=bridgeVLAN219 interface=vlan219

/ip address
add address=172.17.3.1/24 interface=BridgeLOCAL network=172.17.3.0
add address=10.10.219.2/24 interface=bridgeVLAN219 network=10.10.219.0


/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/8 out-interface=bridgeVLAN219

/ip route
add distance=1 dst-address=10.0.0.0/8 gateway=10.10.219.1

Anyone @ Mikrotik?

Hi,

I was debugging my configuration with the “Packet Sniffer” tool on 2 routers (“RB2011UiAS-2HnD-IN”, OS 6.37.1) and I found myself seeing similar traffic. In my case the source IP is always 129.0.0.3. The weird part:

  • The direction is always TX.
  • I can’t see the traffic on the destination addresses (sniffing with tcpdump on the destination host).
  • I can’t see it entering the routers.
  • In one router the traffic is always TCP on the other is always UDP.
  • It happens on interfaces that are used as trunks, but the packet is on the parent interface and not in any of the VLANs.

I included the raw data of one of the packets. I see similar raw data in valid traffic between a PC and an IP camera.
I hope this helps to solve this problem.
[attachment: cap2.png]
[attachment: cap1.png]

I’m getting the 129 addresses in captures too. It looks like the packets are being damaged, or the record of the packet is damaged. I have 172.16.*.* devices talking, and Wireshark will show the source address as 129.0.0.*.

This happens on the CCR with ROS 6.36.3, but not on a 450G with the same version.

Hello,

I’m in exactly the same case.
I have weird 129.0.0.vlanid packets broadcasting inside the VLAN. Sometimes, when users need more network resources, the flow grows with the consumed bandwidth. Sometimes I had above 10 Mbit/s or 20 Mbit/s of weird traffic.
It doesn’t get caught by the firewall and is not visible in Wireshark.
It’s not Internet flow, because we disabled the Internet interface while rebooting the router and switch.

If someone has new info or tips…


regards.

To illustrate these packets & connections:

To detail a bit more:

  • At the top of the network I have 2 DSL links with mangle in LB mode (ECMP) on an RB2011
  • 1 trunk port with 5 VLANs on the RB2011 going to a CRS with access ports & a trunk port corresponding to these VLANs.

All 129.0.0.X IPs talk to clients in all VLANs and to network devices on the same port.
I believe it’s some broadcast by the MikroTik device in routing, or hidden things.
When traffic goes up a bit more, the “broadcast” is done on access ports with equal TX bandwidth.
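A check worth running on such a capture, added here as an example and not taken from any post in this thread: the bytes 0x81 0x00 are the 802.1Q TPID, and 0x81 0x00 read as the first two octets of an IPv4 address is 129.0. For a VLAN ID below 256 with priority 0 the following TCI bytes are 0x00 &lt;vid&gt;, so the whole 4-byte tag read as a dotted quad is 129.0.0.&lt;vid&gt;; for larger IDs it becomes 129.0.x.x. That matches the "129.0.0.vlanid" and "changes with the VLAN ID" observations above, and it is one hypothesis (not a confirmed cause) that the sniffer's decoder is displaying the VLAN tag in the place where it expects the source address. The script below builds a constructed sample tagged frame (hypothetical MACs, checksum left zero), decodes it correctly, shows what the tag looks like as an address, and searches a raw frame for the bytes of a reported "address": a hit at Ethernet offset 12 is the 802.1Q tag, not an IP source field.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_tag_bytes(vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return the 4-byte 802.1Q tag (TPID + TCI) for a VLAN ID."""
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return struct.pack("!HH", ETHERTYPE_VLAN, tci)


def tag_as_dotted_quad(vlan_id: int, pcp: int = 0, dei: int = 0) -> str:
    """The VLAN tag misread as an IPv4 address, e.g. VID 219 -> 129.0.0.219."""
    return str(IPv4Address(vlan_tag_bytes(vlan_id, pcp, dei)))


def build_tagged_ipv4_frame(vlan_id: int, src_ip: str, dst_ip: str,
                            proto: int = 6, payload: bytes = b"") -> bytes:
    """Constructed sample: Ethernet II + 802.1Q tag + minimal IPv4 header.
    MAC addresses are hypothetical; the IP checksum is left at zero."""
    dst_mac = bytes.fromhex("000c42000001")
    src_mac = bytes.fromhex("000c42000002")
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                         proto, 0, IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed)
    return (dst_mac + src_mac + vlan_tag_bytes(vlan_id)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload)


def parse_ipv4_header(buf: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header at the start of buf."""
    (ver_ihl, _tos, _tlen, _ident, _flags, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}


def decode_frame(frame: bytes) -> dict:
    """Correct decode: skip the 802.1Q tag before locating the IPv4 header."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    result = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
              "vlan_id": vlan_id, "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4:
        result.update(parse_ipv4_header(frame[offset:]))
    return result


def find_address_bytes(frame: bytes, dotted: str) -> list:
    """Offsets in the raw frame where the 4 bytes of a reported 'address' occur.
    Offset 12 in an Ethernet frame is where the 802.1Q tag sits."""
    needle = IPv4Address(dotted).packed
    return [i for i in range(len(frame) - 3) if frame[i:i + 4] == needle]


if __name__ == "__main__":
    frame = build_tagged_ipv4_frame(219, "10.10.219.2", "10.10.10.1")
    print(decode_frame(frame))
    print(tag_as_dotted_quad(219))                    # 129.0.0.219
    print(find_address_bytes(frame, "129.0.0.219"))   # [12]
```

To apply this to a real capture, export the bytes of one of the suspect frames from Wireshark (Copy as Hex Stream), pass `bytes.fromhex(...)` to `find_address_bytes` together with the 129.0.x.x address the sniffer reported, and compare the offset it returns with where the IPv4 source field should be (offset 26 for an untagged frame, 30 for a tagged one).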