
gn.gov.ie on my firewall

  • 22-12-2016 12:33am
    #1
    Registered Users, Registered Users 2 Posts: 1,908 ✭✭✭


    I have a Zywall firewall installed recently and I just managed to record and analyse its logs. It is a low traffic small business connection working office hours with a small AD environment. I found in the logs quite intensive communication between the firewall and one of the gn.gov.ie IPs and it seems like it is trying unsuccessfully to establish a VPN IPSec connection every few minutes. I don't have any IPSec VPN connection set in settings. I really don't know what it is and if I should start to worry about it?


Comments

  • Registered Users, Registered Users 2 Posts: 246 ✭✭Alcoheda


    post the logs


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    zom wrote: »
    I have a Zywall firewall installed recently and I just managed to record and analyse its logs. It is a low traffic small business connection working office hours with a small AD environment. I found in the logs quite intensive communication between the firewall and one of the gn.gov.ie IPs and it seems like it is trying unsuccessfully to establish a VPN IPSec connection every few minutes. I don't have any IPSec VPN connection set in settings. I really don't know what it is and if I should start to worry about it?

    Small chance that your Zywall has been violated

    If it has dodgy firmware uploaded to it, it will write anything they want in its logs

    - (something).gov.ie was a reasonable guess by them, looks a bit less suspect than candycrush.com

    Don't unplug it and reflash it - you'll never know what it was - get a passive tap and put it between the Zywall and its source of internets.


  • Registered Users, Registered Users 2 Posts: 1,908 ✭✭✭zom


    I'm not sure how much I can share but it is more or less:

    From gn.gov.ie:
    - Recv Main Mode request from [...ip...]
    - The cookie pair is : .........
    - Recv:[SA][VID][VID]


    then from my Ip (Zywall):
    - The cookie pair is : ..........
    - [SA] : Tunnel [IPSEC_VPN_CONNECTION] Phase 1 proposal mismatch
    - The cookie pair is : ..........
    - [SA] : No proposal chosen
    - The cookie pair is : ..........
    - Send:[NOTIFY:NO_PROPOSAL_CHOSEN]

    and so on every minute. I have logs from like a week back, and it seems to be there all the time. Wonder what gn.gov.ie addresses are - any idea?
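
As an added example (not part of the thread and not ZyWALL code): a short Python script that groups the IKE messages quoted in the post above by remote peer and checks whether the rejected Main Mode requests arrive at a regular interval. The `peer=` line layout, the timestamps and the documentation-range IP addresses are constructed assumptions; the regex would need adapting to the real log export.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed line layout (not ZyWALL's export format): "<date> <time> peer=<ip> <message>"
LINE = re.compile(r"^(\S+ \S+) peer=(\S+) (.*)$")

# Constructed sample: one peer retrying every minute, one isolated attempt.
_ATTEMPTS = [("09:00:02", "203.0.113.10"), ("09:01:02", "203.0.113.10"),
             ("09:01:40", "192.0.2.55"), ("09:02:03", "203.0.113.10"),
             ("09:03:02", "203.0.113.10")]
SAMPLE_LOG = "\n".join(
    f"2016-12-21 {t} peer={p} {msg}"
    for t, p in _ATTEMPTS
    for msg in (f"Recv Main Mode request from [{p}]",
                "[SA] : No proposal chosen",
                "Send:[NOTIFY:NO_PROPOSAL_CHOSEN]"))

def summarize(log_text, min_attempts=3, jitter=5):
    """Group inbound Main Mode requests by peer and classify the retry pattern."""
    requests, rejects = defaultdict(list), defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed layout
        ts, peer, msg = m.groups()
        if msg.startswith("Recv Main Mode request"):
            requests[peer].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        elif "NO_PROPOSAL_CHOSEN" in msg:
            rejects[peer] += 1
    report = {}
    for peer, times in requests.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Periodic: enough attempts and near-constant spacing between them.
        periodic = (len(times) >= min_attempts
                    and max(gaps) - min(gaps) <= jitter)
        report[peer] = {
            "attempts": len(times),
            "rejected": rejects[peer],
            "median_gap_s": median(gaps) if gaps else None,
            "pattern": "periodic" if periodic else "sporadic",
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A peer reported as `periodic` with every attempt rejected matches the behaviour described in the post: something on the remote side retrying on a timer rather than a one-off probe.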


  • Closed Accounts Posts: 710 ✭✭✭GreenFolder2


    If that traffic is genuinely originating from the Government Network a likely source is a PC or other device that's infected with malware.

    If it's originating from your router it's possible you've malware trying to partake in a DDoS attack too.

    Is it running the original firmware? You didn't flash it with anything from any unofficial source?

    Is the connection being fired up from your router? Or is it the gov.ie address attempting to initiate a connection to you?

    There's nothing configured on your router to do remote access or send log dumps that might be set to an IP address owned by gov.ie accidentally?

    If you're clear it's coming from the state system, it might be worth alerting their IT unit that they've got a potential malware issue!


  • Registered Users, Registered Users 2 Posts: 1,908 ✭✭✭zom


    This is Virgin / UPC fiber broadband on some old CISCO router. I have no access to it and can't tell anything about it.
    There is not much more in the Zywall logs but the category is: ike (IKE_LOG).
    I think I will try to block external connections from that IP (only one) so presumably it should indicate if that's really external or just a firewall bug. It is damn hard to figure out the new Zywall interface but I'll try.

    Sorry for bothering you here, just thought maybe someone got the same issue and recognises the problem.


  • Closed Accounts Posts: 710 ✭✭✭GreenFolder2


    I'd say it's just a PC with an infection on their side. AFAIK that's just the general state communications network - it would have a very large number of users in umpteen departments.

    The state isn't very likely to be hacking your cable router tbh. It's not exactly known for its investment in cyber warfare... More likely a wonky PC in some random office.

    Maybe Google a help desk contact and report the traffic so they can fix the issue.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Maybe your IP address used to belong to the other end of a legit VPN connection.


  • Closed Accounts Posts: 710 ✭✭✭GreenFolder2


    Graham wrote: »
    Maybe your IP address used to belong to the other end of a legit VPN connection.

    Not very likely if it's a consumer ISP as they're assigned dynamically and could even be shared behind a NAT.


  • Registered Users, Registered Users 2 Posts: 1,908 ✭✭✭zom


    I added a rule to the firewall and let it log for a moment to see how it's doing.
    All IPSec nagging is gone, now it is only ACCESS BLOCK for "from WAN to ZyWALL, UDP, service others, DROP" on government IP.
    Not sure if I will bother to explore it anymore, but I am still interested what you think about it?


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Not very likely if it's a consumer ISP as they're assigned dynamically and could even be shared behind a NAT.

    OP mentioned a business connection, firewall is usually at the border before NAT.


  • Closed Accounts Posts: 1,198 ✭✭✭testicles


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 175 ✭✭amovingstatue


    testicles wrote: »
    This post has been deleted.

    Indeed. Maybe, just maybe the last person who had the dynamic IP allocated to their home internet connection now allocated to the OP's, was an employee in some gov department who had set up VPN negotiation to their home for some data transfer reason requiring a secure connection......


  • Closed Accounts Posts: 710 ✭✭✭GreenFolder2


    testicles wrote: »
    IP ranges change purpose and hands you know?

    Yes, of course I know ... !?!

    However, UPC and Virgin have had those ranges for years. It would just seem a bit odd to have a state computer attempting to make VPN connections to a range of addresses that's normally used for consumer grade and small business cable modems and where they're usually dynamic.

    It's likely either malware or some irregular use like someone using a state machine to access their home security cameras or something like that. Maybe connecting to their home PC as a remote desktop.

    I can't think of many normal circumstances where you'd be connecting FROM a big corporate system TO a remote PC on a home network and residential style ISP.

    Usually it's the other way around where someone is dialling in from home.

    If it's an ongoing issue, report it to the owner of the network. It could be a security issue on their end.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    I'd be inclined to think that it's not malware.
    Realistically, what malware is going to try to establish an IPSec VPN?

    The most likely explanation is that this is an old, and possibly forgotten or perhaps a current but poorly configured VPN.

    I'd report it to the network owner. Regardless of the reason behind this traffic, I imagine the SysAdmin(s) would be interested to hear about it.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    Not very likely if it's a consumer ISP as they're assigned dynamically and could even be shared behind a NAT.
    Yes, of course I know ... !?!

    However, UPC and Virgin have had those ranges for years. It would just seem a bit odd to have a state computer attempting to make VPN connections to a range of addresses that's normally used for consumer grade and small business cable modems and where they're usually dynamic.

    It's likely either malware or some irregular use like someone using a state machine to access their home security cameras or something like that. Maybe connecting to their home PC as a remote desktop.

    I can't think of many normal circumstances where you'd be connecting FROM a big corporate system TO a remote PC on a home network and residential style ISP.

    Usually it's the other way around where someone is dialling in from home.

    If it's an ongoing issue, report it to the owner of the network. It could be a security issue on their end.


    Liberty have had to expand their Irish blocks several times in the last 24 months. It's totally feasible that in the moves a static block got moved into the SME/Consumer pools.

