DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Logging unusual VPN Entries.
- sheltons
- Topic Author
- Junior Member
- Posts: 49
- Thank you received: 0
06 Nov 2015 10:59 #84691
by sheltons
Logging unusual VPN Entries. was created by sheltons
Hi,
My knowledge is limited in this area, but I managed to set up some Remote Dial-in users, which normally show in the log as PPTP connecting entries; this morning, however, I noticed these entries in the logs:
141  2015-11-05 20:33:48  Nov 5 20:33:47  Gateway  L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141  2015-11-05 20:33:48  Nov 5 20:33:47  Gateway  L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141  2015-11-05 20:33:48  Nov 5 20:33:47  Gateway  L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141  2015-11-06 00:38:15  Nov 6 00:38:14  Gateway  Destroy pptp connection ifno: 10, socket: 16
141  2015-11-06 00:38:15  Nov 6 00:38:14  Gateway  Destroy pptp connection ifno: 11, socket: 17
141  2015-11-06 00:38:15  Nov 6 00:38:15  Gateway  Destroy pptp connection ifno: 12, socket: 18
141  2015-11-06 00:38:16  Nov 6 00:38:15  Gateway  Destroy pptp connection ifno: 13, socket: 19
141  2015-11-06 00:38:16  Nov 6 00:38:15  Gateway  Destroy pptp connection ifno: 14, socket: 20
141  2015-11-06 00:38:16  Nov 6 00:38:15  Gateway  Destroy pptp connection ifno: 15, socket: 21
141  2015-11-06 05:52:27  Nov 6 05:52:26  Gateway  Destroy pptp connection ifno: 10, socket: 16
141  2015-11-06 05:52:27  Nov 6 05:52:26  Gateway  Destroy pptp connection ifno: 11, socket: 17
141  2015-11-06 05:52:28  Nov 6 05:52:26  Gateway  Destroy pptp connection ifno: 12, socket: 18
141  2015-11-06 05:52:28  Nov 6 05:52:26  Gateway  Destroy pptp connection ifno: 13, socket: 19
141  2015-11-06 07:02:03  Nov 6 07:02:02  Gateway  L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141  2015-11-06 07:02:03  Nov 6 07:02:02  Gateway  L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
141  2015-11-06 07:02:03  Nov 6 07:02:02  Gateway  L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141  2015-11-06 07:02:03  Nov 6 07:02:02  Gateway  L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
What makes these more suspicious is the time that's logged against the entries, so is this someone trying to gain access via VPN? If anyone can shed some light on what these entries mean, it would be appreciated.
Just in case it helps, I have been dealing with a DoS this morning - coincidence or linked?
Thanks
John.
- chrisw
- Junior Member
- Posts: 75
- Thank you received: 0
08 Nov 2015 20:45 #84701
by chrisw
Replied by chrisw on topic Re: Logging unusual VPN Entries.
I have an L2TP/IPsec VPN setup for remote access. Typically there are multiple syslog entries per day for what I assume must be random IP scan attempts to find 'interesting' VPNs to hack into.
My L2TP log entries look just like yours, but without the word 'Gateway'; I don't know the significance of this, though! I don't have pptp enabled, so no idea about this part.
Unfortunately the log doesn't show the IP of the attacking party. It would be good to know what these entries really mean!
- sheltons
- Topic Author
- Junior Member
- Posts: 49
- Thank you received: 0
11 Nov 2015 09:41 #84719
by sheltons
Replied by sheltons on topic Re: Logging unusual VPN Entries.
ChrisW wrote:
I have an L2TP/IPsec VPN setup for remote access. Typically there are multiple syslog entries per day for what I assume must be random IP scan attempts to find 'interesting' VPNs to hack into.
My L2TP log entries look just like yours, but without the word 'Gateway'; I don't know the significance of this, though! I don't have pptp enabled, so no idea about this part.
Unfortunately the log doesn't show the IP of the attacking party. It would be good to know what these entries really mean!
Hi Chris,
Thanks for that. For security I took my router's name out of the posting and replaced it with "Gateway".
It looks like you are maybe right. We have had a number of addresses trying to probe our VoIP server, which are being blocked by the firewall. We also get a lot of traceroutes which are triggering [DOS][Block][trace_route]....... in the firewall log, so no surprise they may be also targeting VPN.
Thanks.
- chrisw
- Junior Member
- Posts: 75
- Thank you received: 0
11 Nov 2015 09:55 #84721
by chrisw
Replied by chrisw on topic Re: Logging unusual VPN Entries.
VPN 'probing' attacks from my phone (but with invalid credentials) create similar sorts of syslog entries, so for now at least I am not too worried...
- chrisw
- Junior Member
- Posts: 75
- Thank you received: 0
17 Nov 2015 15:18 #84761
by chrisw
Replied by chrisw on topic Re: Logging unusual VPN Entries.
Just a final word on this subject...
I've been running Wireshark on the WAN side to see what is really happening; interestingly, it seems to be the same Chinese IP address triggering these VPN log entries approx. once every 24 hours.
The sequence is that there is one incoming L2TP SCCRQ [Start Control Connection Request] packet [syslog: L2TP <== Control(0xC802)], which in turn triggers 4 identical SCCRP [Start Control Connection Reply] packets in response from the DrayTek at 0, 1, 3 & 7 seconds after the original probe [syslog: L2TP ==> Control(0xC802)]. The SCCRP packets contain flags, assigned tunnel ID and Vendor ID 'DrayTek, l2tp'.
There does not seem to be any further exchange going on, just these L2TP control packets.
Chris
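The entries John quoted and the SCCRQ/SCCRP sequence Chris captured can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from DrayTek: it parses syslog lines in the shape quoted above (with "Gateway" standing in for the router name), decodes the 0xC802 control-header flag word according to RFC 2661 (T, L and S bits set, version 2, which is what the "-L-S Ver:2" in the log spells out), and groups the messages into tunnel-setup attempts so that a lone inbound SCCRQ that only drew retransmitted SCCRPs stands out from a handshake the peer went on to complete. The sample lines are constructed: the first exchange mirrors Chris's capture, the second is invented to show what a continued handshake looks like. The year (syslog omits it) and the assumption that the Tunnel ID the router logs on its reply is the one it logs on later inbound messages for the same tunnel are both assumptions, not something the thread states.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the DrayTek syslog lines quoted in this thread
# ("Gateway" is the poster's placeholder for the router name). Exchange 1 mirrors
# Chris's capture: one inbound SCCRQ, four SCCRP replies at 0/1/3/7 s, then silence.
# Exchange 2 is constructed to show a handshake the peer actually continues.
SAMPLE_LOG = """\
Nov 6 07:02:02 Gateway L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
Nov 6 07:02:02 Gateway L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
Nov 6 07:02:03 Gateway L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
Nov 6 07:02:05 Gateway L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
Nov 6 07:02:09 Gateway L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:5, Session ID:0, Ns:0, Nr:1
Nov 6 08:15:00 Gateway Destroy pptp connection ifno: 10, socket: 16
Nov 6 08:15:00 Gateway L2TP <== Control(0xC802)-L-S Ver:2 Len:107, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
Nov 6 08:15:00 Gateway L2TP ==> Control(0xC802)-L-S Ver:2 Len:113, Tunnel ID:6, Session ID:0, Ns:0, Nr:1
Nov 6 08:15:00 Gateway L2TP <== Control(0xC802)-L-S Ver:2 Len:20, Tunnel ID:6, Session ID:0, Ns:1, Nr:1
"""

# Matches only the L2TP control entries; the "-L-S" suffix after the flag word is
# swallowed by \S* so the regex does not depend on which flag letters are printed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) L2TP (?P<dir><==|==>) "
    r"Control\(0x(?P<flags>[0-9A-Fa-f]{4})\)\S* Ver:(?P<ver>\d+) Len:(?P<len>\d+), "
    r"Tunnel ID:(?P<tid>\d+), Session ID:(?P<sid>\d+), Ns:(?P<ns>\d+), Nr:(?P<nr>\d+)$"
)


def decode_flags(hex_flags):
    """Decode the L2TP control-header flag word (RFC 2661 section 3.1)."""
    word = int(hex_flags, 16)
    return {
        "T": bool((word >> 15) & 1),  # 1 = control message, 0 = data
        "L": bool((word >> 14) & 1),  # Length field present (the "-L" in the log)
        "S": bool((word >> 11) & 1),  # Ns/Nr fields present (the "-S" in the log)
        "O": bool((word >> 9) & 1),   # Offset field present
        "P": bool((word >> 8) & 1),   # priority bit
        "ver": word & 0xF,            # protocol version, 2 for L2TP
    }


def parse_log(text, year=2015):
    """Return the L2TP control entries as dicts. Syslog omits the year, so one is
    supplied; 2015 (the year of this thread) is an assumption for the sample."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # PPTP teardown, firewall and other lines are not L2TP control entries
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S"),
            "dir": d["dir"],
            "flags": decode_flags(d["flags"]),
            "len": int(d["len"]),
            "tid": int(d["tid"]),
            "sid": int(d["sid"]),
            "ns": int(d["ns"]),
            "nr": int(d["nr"]),
        })
    return records


def analyze_handshakes(records):
    """Group control entries into tunnel-setup attempts.

    An inbound control message with Tunnel ID 0 is the peer's SCCRQ: no tunnel has
    been assigned yet. The router's outbound session-0 replies are its SCCRPs, and
    repeats with the same tunnel ID are retransmissions because nothing came back.
    Assumption: the tunnel ID the router logs on its reply is the one it logs on any
    later inbound message for that tunnel, so such a message means the peer continued.
    """
    attempts = []
    current = None
    for r in records:
        if r["dir"] == "<==" and r["tid"] == 0:
            current = {"started": r["ts"], "tunnel_id": None, "replies": 0,
                       "reply_offsets": [], "completed": False}
            attempts.append(current)
        elif current is None:
            continue
        elif r["dir"] == "==>" and r["sid"] == 0:
            if current["tunnel_id"] is None:
                current["tunnel_id"] = r["tid"]
            if r["tid"] == current["tunnel_id"]:
                current["replies"] += 1
                current["reply_offsets"].append(
                    int((r["ts"] - current["started"]).total_seconds()))
        elif r["dir"] == "<==" and r["tid"] == current["tunnel_id"]:
            current["completed"] = True
    return attempts


def find_probes(text, year=2015):
    """SCCRQs that drew only (retransmitted) replies and were never followed up."""
    return [a for a in analyze_handshakes(parse_log(text, year)) if not a["completed"]]


if __name__ == "__main__":
    for a in analyze_handshakes(parse_log(SAMPLE_LOG)):
        state = "completed" if a["completed"] else "PROBE: no follow-up from peer"
        print(f"{a['started']:%b %d %H:%M:%S} tunnel {a['tunnel_id']}: "
              f"{a['replies']} reply(ies) at +{a['reply_offsets']}s, {state}")
```

Run against a real DrayTek syslog export (after cutting the columns down to the plain syslog text), a high count of uncompleted attempts with reply offsets of 0, 1, 3, 7 seconds is exactly the pattern Chris describes: the router answers the SCCRQ and then re-sends the SCCRP with the doubling back-off that the L2TP specification calls for when no acknowledgement arrives. The log line itself does not carry the peer address, which is why Chris needed a WAN-side capture to attribute it.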
- sheltons
- Topic Author
- Junior Member
- Posts: 49
- Thank you received: 0
17 Nov 2015 15:39 #84762
by sheltons
Replied by sheltons on topic Re: Logging unusual VPN Entries.
Hi Chris,
They seem to have dropped off trying on mine, but the attempts to access the VoIP server directly seem to be on the increase. I think your knowledge is greater than mine, as I would know how to use Wireshark on the WAN side.
John.
Copyright © 2024 DrayTek