Malicious VPN connection attempts?

NovaProspekt · Thu Feb 11, 2021 3:29 pm

Hi all. I am relatively new to Mikrotik routers. I have a hAP ac2, and just recently set up IPsec connectivity so that I can VPN from my phone and use RouterOS's built in Wake on LAN feature while I am away from home. Everything seems to be working.

I glanced at my logs in Winbox this morning and noticed that over the past 24 hours my router has received several IPsec key exchange / phase 1 negotiation requests that did not originate from any of my devices. It looks like they were all unsuccessful at establishing connection, but should I be concerned about this?

Thank you in advance.

memelchenkov · Thu Feb 11, 2021 3:36 pm

I’d better investigate it, is it targeted attack or not.
I.e. I spent several months trying to make DigitalOcean to stop botnet attacks from their network, still not resolved, next step will be report to FBI.

kalamaja · Thu Feb 11, 2021 3:47 pm

It’s a known “feature” that some German guys scan public IPSec every night, at least in Europe. Haven’t seen any serious action yet.

NovaProspekt · Thu Feb 11, 2021 4:00 pm

Here are the entries from my log. I know for a fact I was not attempting any VPN connections at these times.

feb/09 21:09:47 ipsec,info respond new phase 1 (Identity Protection): ***MyPublicIPAddress***[500]<=>216.218.206.74[51722]
feb/09 21:09:47 ipsec SPI size isn't zero, but IKE proposal.
feb/09 21:09:47 ipsec invalid encryption algorithm=6.
feb/09 21:09:47 ipsec no Proposal found.
feb/09 21:09:47 ipsec,error 216.218.206.74 failed to get valid proposal.
feb/09 21:09:47 ipsec,error 216.218.206.74 failed to pre-process ph1 packet (side: 1, status 1).
feb/09 21:09:47 ipsec,error 216.218.206.74 phase1 negotiation failed.
feb/10 02:36:23 ipsec 146.88.240.4 packet shorter than isakmp header size (46, 0, 28)
feb/10 17:49:32 ipsec -> ike2 request, exchange: SA_INIT:0 167.71.110.14[47510] 071804b39ac2cf70:0000000000000000
feb/10 17:49:32 ipsec no IKEv2 peer config for 167.71.110.14
feb/10 20:58:12 ipsec,info respond new phase 1 (Identity Protection): ***MyPublicIPAddress***[500]<=>216.218.206.102[34389]
feb/10 20:58:12 ipsec SPI size isn't zero, but IKE proposal.
feb/10 20:58:12 ipsec invalid encryption algorithm=6.
feb/10 20:58:12 ipsec no Proposal found.
feb/10 20:58:12 ipsec,error 216.218.206.102 failed to get valid proposal.
feb/10 20:58:12 ipsec,error 216.218.206.102 failed to pre-process ph1 packet (side: 1, status 1).
feb/10 20:58:12 ipsec,error 216.218.206.102 phase1 negotiation failed.
feb/10 21:18:29 ipsec the length in the isakmp header is too big.
02:42:37 ipsec 146.88.240.4 packet shorter than isakmp header size (46, 0, 28)

Pasting the above unknown IP addresses into Google reveals they all have a history of being reported for abuse. I have my IPsec settings configured with the Xauth road warrior policy based method. Is there any way these connection attempts could "sniff out" any way to connect to my network?

mozerd · Thu Feb 11, 2021 4:30 pm

My suggestion to trap and then drop any unsolicited VPN traffic is as follows:

Create the following address list named rogue_vpn_hosts
Create the following Firewall Filter Rules [this assumes ipsec ... if you are using L2TP/ipse you will need to add more dst-ports ports]:

/ip firewall filter add action=drop chain=input comment="INPUT DROP Rogue VPN Hosts" dst-port=500,4500 in-interface-list=WAN log=yes log-prefix=rogue_vpn protocol=udp src-address-list=rogue_vpn_hosts src-port=0-65535
/ip firewall filter add action=accept chain=input dst-port=500 in-interface-list=WAN log=yes log-prefix="who is this" protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface-list=WAN log=yes log-prefix=who_is_this protocol=udp

Now when you check your logs and see unsolicited VPN traffic copy the IP Address and add that to your address list like the following:
/ip firewall address-list add address=148.75.242.158 list=rogue_vpn_hosts

NovaProspekt · Thu Feb 11, 2021 4:46 pm

My suggestion to trap and then drop any unsolicited VPN traffic is as follows:

Create the following address list named rogue_vpn_hosts
Create the following Firewall Filter Rules [this assumes ipsec ... if you are using L2TP/ipse you will need to add more dst-ports ports]:
Code: Select all
/ip firewall filter add action=drop chain=input comment="INPUT DROP Rogue VPN Hosts" dst-port=500,4500 in-interface-list=WAN log=yes log-prefix=rogue_vpn protocol=udp src-address-list=rogue_vpn_hosts src-port=0-65535
/ip firewall filter add action=accept chain=input dst-port=500 in-interface-list=WAN log=yes log-prefix="who is this" protocol=udp
/ip firewall filter add action=accept chain=input dst-port=4500 in-interface-list=WAN log=yes log-prefix=who_is_this protocol=udp
Now when you check your logs and see unsolicited VPN traffic copy the IP Address and add that to your address list like the following:
/ip firewall address-list add address=148.75.242.158 list=rogue_vpn_hosts

Thanks, I will give this a try. I already have the second two rules, minus the logging, to allow establishment of the VPN connections. Can I just add the logging to the existing rules, or do they need to be separate? Or should I just create two mangle rules where the action is "log"?

Thanks!

mozerd · Thu Feb 11, 2021 4:53 pm

@NovaProspekt
Just add the logging to you existing rules ... no need to mangle ...

I get hit by rouge vpn attempts on a frequent bases and my trap and drop method has worked very effectively in stopping that .... should work well for you as well ..

Get yourself a Tool like ipnetinfo from Nirsoft and that will give you a lot of info about the rouge vpn addresses.

NovaProspekt · Thu Feb 11, 2021 9:27 pm

Thank you!

NovaProspekt · Mon Feb 15, 2021 2:57 pm

So, I have been adding at least 1 rogue VPN connection attempt to my block list nearly every day. I can see this list growing to hundreds or thousands of IP addresses over time. Would it be more efficient to just white-list the MAC addresses of my devices that would be VPN connecting to the router by putting them in the SRC-MAC address field of the IPsec allow filter rules? Then all rogue connection attempts would be blocked automatically without me having to manually maintain the block list.

jvanhambelgium · Mon Feb 15, 2021 3:32 pm

MAC is not relevant here (they only have significance on the local LAN), but public IP's are in this case.
Sure it would be a better way to whitelist and ONLY allows these IP's on the Internet to initiate IPSEC towards you, but this is not always possible unless all endpoint you know have fixed static public IP's ?

mozerd · Mon Feb 15, 2021 4:01 pm

I agree with @jvanhambelgium

I have been trapping rogue VPN host over the past 2 years and so far I have 45 entries in my address list. following is my list that you may find helpful ... note that many of the rogue host are placed in networks [CIDR] because many of these rouge host operated in groups within the same network ...this has proven to be effective for me ... perhaps for you too:

/ip firewall address-list add address=66.240.192.0/18 list=rogue_vpn_hosts
/ip firewall address-list add address=71.6.165.200 list=rogue_vpn_hosts
/ip firewall address-list add address=80.82.77.139 list=rogue_vpn_hosts
/ip firewall address-list add address=195.37.190.88 list=rogue_vpn_hosts
/ip firewall address-list add address=93.174.95.106 list=rogue_vpn_hosts
/ip firewall address-list add address=71.6.158.128/26 list=rogue_vpn_hosts
/ip firewall address-list add address=71.6.146.128/26 list=rogue_vpn_hosts
/ip firewall address-list add address=185.195.201.148 list=rogue_vpn_hosts
/ip firewall address-list add address=216.195.192.0/19 list=rogue_vpn_hosts
/ip firewall address-list add address=71.6.135.0/24 list=rogue_vpn_hosts
/ip firewall address-list add address=154.85.56.0/24 list=rogue_vpn_hosts
/ip firewall address-list add address=71.6.167.142 list=rogue_vpn_hosts
/ip firewall address-list add address=144.217.181.56 list=rogue_vpn_hosts
/ip firewall address-list add address=77.243.148.0/22 list=rogue_vpn_hosts
/ip firewall address-list add address=83.169.211.0/24 list=rogue_vpn_hosts
/ip firewall address-list add address=46.148.174.31 list=rogue_vpn_hosts
/ip firewall address-list add address=76.190.234.39 list=rogue_vpn_hosts
/ip firewall address-list add address=198.20.64.0/18 list=rogue_vpn_hosts
/ip firewall address-list add address=203.91.118.0/24 list=rogue_vpn_hosts
/ip firewall address-list add address=148.75.242.158 list=rogue_vpn_hosts
/ip firewall address-list add address=115.236.61.204 list=rogue_vpn_hosts
/ip firewall address-list add address=50.108.197.207 list=rogue_vpn_hosts
/ip firewall address-list add address=183.129.174.252 list=rogue_vpn_hosts
/ip firewall address-list add address=79.133.47.2 list=rogue_vpn_hosts
/ip firewall address-list add address=210.4.99.146 list=rogue_vpn_hosts
/ip firewall address-list add address=50.84.194.194 list=rogue_vpn_hosts
/ip firewall address-list add address=164.52.24.173 list=rogue_vpn_hosts
/ip firewall address-list add address=203.91.119.0/24 list=rogue_vpn_hosts
/ip firewall address-list add address=51.159.55.44 list=rogue_vpn_hosts
/ip firewall address-list add address=104.152.52.0/22 list=rogue_vpn_hosts
/ip firewall address-list add address=122.228.19.64/27 list=rogue_vpn_hosts
/ip firewall address-list add address=164.90.128.0/17 list=rogue_vpn_hosts
/ip firewall address-list add address=146.59.228.0/22 list=rogue_vpn_hosts
/ip firewall address-list add address=45.56.64.0/18 list=rogue_vpn_hosts
/ip firewall address-list add address=109.201.142.0/25 list=rogue_vpn_hosts
/ip firewall address-list add address=151.115.0.0/18 list=rogue_vpn_hosts
/ip firewall address-list add address=172.104.208.47 list=rogue_vpn_hosts
/ip firewall address-list add address=64.225.27.43 list=rogue_vpn_hosts
/ip firewall address-list add address=37.49.230.0/24 list=rogue_vpn_hosts
/ip firewall address-list add address=193.42.137.0/24 list=rogue_vpn_hosts
/ip firewall address-list add address=46.166.176.138 list=rogue_vpn_hosts
/ip firewall address-list add address=104.244.78.139 list=rogue_vpn_hosts
/ip firewall address-list add address=146.88.240.4 list=rogue_vpn_hosts
/ip firewall address-list add address=216.218.128.0/17 list=rogue_vpn_hosts

karlisi · Mon Feb 15, 2021 4:17 pm

Also many of them are used only once and never appears again.

mozerd · Mon Feb 15, 2021 6:39 pm

As @karlisi states many only try once and do not come back

You can add a timeout value to hosts and see what happens after a period of time ... the timeout means that the IP address will be removed from the list when it hits the time out value.
Example:

/ip firewall address-list add address=185.195.201.148 list=rogue_vpn_hosts timeout=48:00:00

the timeout value stated above is 2 days in length .... I like using 5 days and in that case the timeout value would be 120:00:00

Malicious VPN connection attempts?

Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Re: Malicious VPN connection attempts?

Who is online