DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Logging unusual VPN Entries.

06 Nov 2015 10:59 #1 by sheltons
Hi,
My knowledge is limited in this area, but I managed to set up some Remote Dial-in users which normally show in the log as PPTP connecting entries. This morning, however, I noticed these entries in the logs:

141 | 2015-11-05 20:33:48 | Nov 5 20:33:47 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-05 20:33:48 | Nov 5 20:33:47 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-05 20:33:48 | Nov 5 20:33:47 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-06 00:38:15 | Nov 6 00:38:14 | Gateway | Destroy pptp connection ifno: 10, socket: 16
141 | 2015-11-06 00:38:15 | Nov 6 00:38:14 | Gateway | Destroy pptp connection ifno: 11, socket: 17
141 | 2015-11-06 00:38:15 | Nov 6 00:38:15 | Gateway | Destroy pptp connection ifno: 12, socket: 18
141 | 2015-11-06 00:38:16 | Nov 6 00:38:15 | Gateway | Destroy pptp connection ifno: 13, socket: 19
141 | 2015-11-06 00:38:16 | Nov 6 00:38:15 | Gateway | Destroy pptp connection ifno: 14, socket: 20
141 | 2015-11-06 00:38:16 | Nov 6 00:38:15 | Gateway | Destroy pptp connection ifno: 15, socket: 21
141 | 2015-11-06 05:52:27 | Nov 6 05:52:26 | Gateway | Destroy pptp connection ifno: 10, socket: 16
141 | 2015-11-06 05:52:27 | Nov 6 05:52:26 | Gateway | Destroy pptp connection ifno: 11, socket: 17
141 | 2015-11-06 05:52:28 | Nov 6 05:52:26 | Gateway | Destroy pptp connection ifno: 12, socket: 18
141 | 2015-11-06 05:52:28 | Nov 6 05:52:26 | Gateway | Destroy pptp connection ifno: 13, socket: 19
141 | 2015-11-06 07:02:03 | Nov 6 07:02:02 | Gateway | L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141 | 2015-11-06 07:02:03 | Nov 6 07:02:02 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-06 07:02:03 | Nov 6 07:02:02 | Gateway | L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141 | 2015-11-06 07:02:03 | Nov 6 07:02:02 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1

What makes these more suspicious is the time that's logged against the entries, so is this someone trying to gain access via VPN? If anyone can shed some light on what these entries mean, it would be appreciated.

Just in case it helps, I have been dealing with a DoS this morning - coincidence or linked?

Thanks
John.

08 Nov 2015 20:45 #2 by chrisw
I have an L2TP/IPsec VPN setup for remote access. Typically there are multiple syslog entries per day for what I assume must be random IP scan attempts to find 'interesting' VPNs to hack into.

My L2TP log entries look just like yours, but without the word 'Gateway', though I don't know the significance of this! I don't have PPTP enabled, so no idea about this part.

Unfortunately the log doesn't show the IP of the attacking party. It would be good to know what these entries really mean!

11 Nov 2015 09:41 #3 by sheltons

ChrisW wrote: I have an L2TP/IPsec VPN setup for remote access. Typically there are multiple syslog entries per day for what I assume must be random IP scan attempts to find 'interesting' VPNs to hack into.

My L2TP log entries look just like yours, but without the word 'Gateway', though I don't know the significance of this! I don't have PPTP enabled, so no idea about this part.

Unfortunately the log doesn't show the IP of the attacking party. It would be good to know what these entries really mean!

Hi Chris,
thanks for that. For security I took my router's name out of the posting and replaced it with "Gateway".

It looks like you are maybe right. We have had a number of addresses trying to probe our VoIP server which are being blocked by the firewall. We also get a lot of traceroutes which are triggering [DOS][Block][trace_route]....... in the firewall log, so no surprise they may also be targeting the VPN.

Thanks.

11 Nov 2015 09:55 #4 by chrisw
VPN 'probing' attacks from my Phone (but with invalid credentials) create similar sorts of syslog entries, so for now at least I am not too worried...

17 Nov 2015 15:18 #5 by chrisw
Just a final word on this subject...

I've been running Wireshark on the WAN side to see what is really happening; interestingly, it seems to be the same Chinese IP address triggering these VPN log entries approx. once every 24 hours.

The sequence is that there is one incoming L2TP SCCRQ [Start Control Connection Request] packet [syslog: L2TP <== Control(0xC802)], which in turn triggers 4 identical SCCRP [Start Control Connection Reply] packets in response from the DrayTek at 0, 1, 3 & 7 seconds after the original probe [syslog: L2TP ==> Control(0xC802)]. The SCCRP packets contain flags, the assigned tunnel ID and Vendor ID 'DrayTek, l2tp'.

There does not seem to be any further exchange going on, just these L2TP control packets.

Chris

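The request/reply pattern Chris describes above, turned into a small log triage script. This is an added example, not code from the thread or from DrayTek. It assumes the syslog export has the five columns visible in the first post (PRI value, time received, device time, host, message) separated by " | " (FIELD_SEP, an assumption; adjust it to your own export), treats an inbound L2TP control line with Tunnel ID 0 as the unsolicited start-of-connection request, groups the outbound control lines that follow within a short window as the router's replies, reports outbound lines with no preceding inbound request as orphans (the shape of the first post's 20:33 entries), and clusters the "Destroy pptp connection" lines into teardown bursts. The sample log lines are constructed to mirror the ones quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the column layout of the syslog export quoted in this
# thread: PRI | time received | device time | host | message.
# The " | " delimiter is an assumption; set FIELD_SEP to match your export.
FIELD_SEP = " | "
SAMPLE_LOG = """\
141 | 2015-11-06 00:38:15 | Nov 6 00:38:14 | Gateway | Destroy pptp connection ifno: 10, socket: 16
141 | 2015-11-06 00:38:15 | Nov 6 00:38:14 | Gateway | Destroy pptp connection ifno: 11, socket: 17
141 | 2015-11-06 00:38:16 | Nov 6 00:38:15 | Gateway | Destroy pptp connection ifno: 12, socket: 18
141 | 2015-11-06 07:02:03 | Nov 6 07:02:02 | Gateway | L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141 | 2015-11-06 07:02:03 | Nov 6 07:02:02 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-06 07:02:04 | Nov 6 07:02:03 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-06 07:02:06 | Nov 6 07:02:05 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-06 07:02:10 | Nov 6 07:02:09 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141 | 2015-11-06 20:33:48 | Nov 6 20:33:47 | Gateway | L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
"""

# "<==" is traffic received by the router, "==>" is traffic it sent.
L2TP_RE = re.compile(
    r"L2TP (?P<dir><==|==>) Control\(0x(?P<flags>[0-9A-Fa-f]+)\).*?"
    r"Len:(?P<len>\d+), Tunnel ID:(?P<tid>\d+), Session ID:(?P<sid>\d+), "
    r"Ns:(?P<ns>\d+), Nr:(?P<nr>\d+)"
)
PPTP_DESTROY_RE = re.compile(r"Destroy pptp connection ifno: (?P<ifno>\d+), socket: (?P<sock>\d+)")


def parse_line(line):
    """Split one export line into its five columns; return None if it does not fit."""
    parts = line.rstrip("\n").split(FIELD_SEP)
    if len(parts) != 5:
        return None
    pri, received, dev_time, host, msg = parts
    return {
        "pri": int(pri),
        "ts": datetime.strptime(received, "%Y-%m-%d %H:%M:%S"),
        "dev_time": dev_time,
        "host": host,
        "msg": msg,
    }


def parse_log(text):
    """Parse every usable line and return the entries in time order (stable sort)."""
    entries = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return sorted(entries, key=lambda e: e["ts"])


def l2tp_control_events(entries):
    """Yield (timestamp, direction, tunnel_id) for each L2TP control-message line."""
    for e in entries:
        m = L2TP_RE.search(e["msg"])
        if m:
            yield e["ts"], m.group("dir"), int(m.group("tid"))


def find_l2tp_probes(entries, window=timedelta(seconds=15)):
    """Group L2TP control lines into probe events.

    An inbound control message with Tunnel ID 0 is an unsolicited
    start-of-connection request; outbound lines that follow within `window`
    are counted as the router's replies, with their offsets in seconds.
    Outbound lines with no inbound request in front are reported as orphans.
    """
    events = list(l2tp_control_events(entries))
    probes, i = [], 0
    while i < len(events):
        start_ts, direction, tid = events[i]
        is_request = direction == "<==" and tid == 0
        if not is_request and direction != "==>":
            i += 1  # inbound control traffic on an established tunnel; not a probe
            continue
        replies, j = [], i + 1
        while j < len(events) and events[j][1] == "==>" and events[j][0] - start_ts <= window:
            replies.append(int((events[j][0] - start_ts).total_seconds()))
            j += 1
        if is_request:
            probes.append({"start": start_ts, "reply_offsets": replies, "orphan": False})
        else:
            probes.append({"start": start_ts, "reply_offsets": [0] + replies, "orphan": True})
        i = j
    return probes


def pptp_teardown_bursts(entries, window=timedelta(seconds=5)):
    """Cluster 'Destroy pptp connection' lines that fire within `window` of each other."""
    bursts = []
    for e in entries:
        m = PPTP_DESTROY_RE.search(e["msg"])
        if not m:
            continue
        if bursts and e["ts"] - bursts[-1]["last"] <= window:
            bursts[-1]["last"] = e["ts"]
            bursts[-1]["ifnos"].append(int(m.group("ifno")))
        else:
            bursts.append({"first": e["ts"], "last": e["ts"], "ifnos": [int(m.group("ifno"))]})
    return bursts


def summarize(text):
    """Return the probe events and PPTP teardown bursts found in an export."""
    entries = parse_log(text)
    return {"probes": find_l2tp_probes(entries), "pptp_bursts": pptp_teardown_bursts(entries)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for p in report["probes"]:
        kind = "orphan replies" if p["orphan"] else "inbound request"
        print(f"{p['start']} {kind}: {len(p['reply_offsets'])} reply line(s) at +{p['reply_offsets']}s")
    for b in report["pptp_bursts"]:
        print(f"{b['first']} PPTP teardown burst: {len(b['ifnos'])} interface(s) {b['ifnos']}")
```

On the constructed sample the inbound request at 07:02:03 is followed by four replies at +0, +1, +3 and +7 seconds, the same retransmission spacing Chris saw in Wireshark, while the lone 20:33:48 line is reported as an orphan. Because the router's syslog does not record the remote address, the timestamps of these events are what you correlate against a WAN-side capture or the firewall log to attribute a source.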
17 Nov 2015 15:39 #6 by sheltons
Hi Chris,
they seem to have dropped off trying on mine, but the attempts to access the VoIP server directly seem to be on the increase. I think your knowledge is greater than mine, as I wouldn't know how to use Wireshark on the WAN side.

John.
