Daily 30k plus connection requests since Aug 15th on 80 and 443

Hi there,

I see 30k+ dropped connection requests per day to ports 80 and 443 from AWS cloud IPs in Bahrain.

As you may guess, I have enabled location block for that country.

Amazon helped a bit and their customer explained that these connections would belong to normal activities regarding Epic Games.

The problem is: I’ve no Epic Games installation anywhere in my network.

However, I tried to monitor the outgoing connections on ipfire and found, e.g., this when using iftop -i red0:

my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:51606
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:44360
my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:38102
my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:15927
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:4614
my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:14415
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:57658
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:54856

Is there any tool available on ipfire to constantly track and filter those connections, so that I can find out which process/app/IP is causing that?

Thank you for hints.

Maybe try tcpdump or tshark to look at the traffic packets and tell it to only record those that contain ec2-15-185-242-57

I would expect that the output of either of those programs should include the IP of the source of those packets in your network.

I don’t use either of those programs very often so I can’t help on syntax of the commands.

2 Likes
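A worked version of the tcpdump suggestion above, added here as an example and not part of either post. It assumes the RED interface is red0, uses the AWS address 15.185.242.57 from the iftop output, and uses 203.0.113.10 as a placeholder for my.host.name; the capture lines it parses are constructed to look like tcpdump -nn output, not a capture from this network. The parser tallies, per initiating address, how many SYNs it sent and how many of those handshakes it completed, so the direction of the traffic and the host that initiates it fall out of the counts:

```shell
#!/bin/sh
# Added example: attribute TCP connection attempts seen on RED to the host that
# initiated them, from tcpdump output. Interface and addresses are placeholders.

IFACE=red0                 # assumption: RED interface name
PEER=15.185.242.57         # the AWS address from the iftop output in the thread
LOCAL=203.0.113.10         # assumption: placeholder for my.host.name

# Print the capture command. -nn keeps addresses and ports numeric so the
# parser below sees "a.b.c.d.port"; -l line-buffers so it can be piped.
# tshark takes the same BPF expression after -f.
syn_capture_cmd() {
    printf 'tcpdump -nni %s -l host %s and tcp\n' "$1" "$2"
}

# Read tcpdump -nn lines on stdin and print, per initiating address:
#   <client> <SYNs sent> <handshakes completed>
# A flow counts as completed once the client sends any non-SYN segment on it
# (its third-handshake ACK or later data). SYN-ACKs ("S.") need no bookkeeping.
summarize_syns() {
    awk '
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/[^A-Za-z.]/, "", flags)        # "[S]," -> "S", "[P.]," -> "P."
        n = split(src, a, "."); shost = a[1] "." a[2] "." a[3] "." a[4]; sport = a[n]
        m = split(dst, b, "."); dhost = b[1] "." b[2] "." b[3] "." b[4]; dport = b[m]
        key = shost ":" sport ">" dhost ":" dport
        if (index(flags, "S") && !index(flags, ".")) {   # SYN without ACK: a new attempt
            syn[shost]++; flow[key] = 1
        } else if (!index(flags, "S")) {                 # ACK/data from the initiator
            if ((key in flow) && !(key in done)) { done[key] = 1; completed[shost]++ }
        }
    }
    END { for (h in syn) printf "%s %d %d\n", h, syn[h], completed[h] + 0 }
    ' | LC_ALL=C sort
}

# Constructed sample in tcpdump -nn format (not a capture from the thread):
# two half-open attempts from the AWS host, one completed handshake from a LAN client.
SAMPLE='10:00:01.000100 IP 15.185.242.57.51606 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000300 IP 203.0.113.10.80 > 15.185.242.57.51606: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:04.000300 IP 203.0.113.10.80 > 15.185.242.57.51606: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:05.000100 IP 15.185.242.57.44360 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0
10:00:05.000300 IP 203.0.113.10.443 > 15.185.242.57.44360: Flags [S.], seq 4, ack 4, win 65160, length 0
10:00:06.000100 IP 192.168.1.5.40000 > 198.51.100.7.443: Flags [S], seq 5, win 64240, length 0
10:00:06.000300 IP 198.51.100.7.443 > 192.168.1.5.40000: Flags [S.], seq 6, ack 6, win 65160, length 0
10:00:06.000400 IP 192.168.1.5.40000 > 198.51.100.7.443: Flags [.], ack 7, win 502, length 0
10:00:06.000900 IP 192.168.1.5.40000 > 198.51.100.7.443: Flags [P.], seq 6:200, ack 7, win 502, length 194'

syn_capture_cmd "$IFACE" "$PEER"
printf '%s\n' "$SAMPLE" | summarize_syns
# Live use on the firewall (needs root):
#   eval "$(syn_capture_cmd red0 15.185.242.57)" | summarize_syns
# or save with tcpdump -w and replay later with tcpdump -nnr <file> | summarize_syns
```

On the sample this prints `15.185.242.57 2 0` and `192.168.1.5 1 1`. If the first column of the live output is the AWS address and the completed count stays at 0, the attempts are inbound and nothing inside the network is initiating them; that matches the iftop lines in the first post, where the local host's port 80/443 is the sending side (iftop shows the SYN-ACK replies going back out).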

Thank you, that helped. Please allow a short off-topic question here. I tried to track those incoming connections on my web server on orange as shown below:

netstat -atulpn | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1404/nginx: master
tcp        0      0 internal.ip:80        15.185.243.219:17536    SYN_RECV    -

or

netstat -atulpn | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1404/nginx: master
tcp        0      0 internal.ip:443       15.185.243.219:16978    SYN_RECV    -

show a lot of SYN_RECV but no established connections to the AWS Bahrain subnets. It seems that just a lot of connections (60+ per port) are opened and then closed again.

I mean, that isn’t normal, is it?

Even calling lsof -i in a loop, I was not able to identify a process causing those “bursts” of connection attempts. Stopping services on the involved machine didn’t help either.

So I created some location-based inbound rules for RED, adjusted Location Block on the corresponding ipFire page, and the traffic disappeared immediately (for now).

2 Likes
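The netstat output in the last post shows the pattern a SYN flood or SYN scan leaves behind: a SYN_RECV socket lives in the kernel's SYN backlog and has not been accepted by nginx yet, which is why the PID column reads "-" and lsof never sees a process for it, and why stopping local services changes nothing about what arrives. The following is an added example, not code from the thread: it reads a `netstat -atn` snapshot and reports, per remote /24, how many sockets are half-open versus established, then flags networks that only ever get as far as SYN_RECV. The snapshot it parses is constructed; 192.168.3.10 is a placeholder for the web server on orange, and 198.51.100.7 stands for an ordinary visitor.

```shell
#!/bin/sh
# Added example: spot remote networks that only produce half-open sockets in a
# netstat snapshot. Not code from the thread; addresses are placeholders.

# Constructed sample in the layout of `netstat -atn` (numeric, all TCP sockets).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.3.10:80         15.185.243.219:17536    SYN_RECV
tcp        0      0 192.168.3.10:443        15.185.243.219:16978    SYN_RECV
tcp        0      0 192.168.3.10:80         15.185.243.219:17601    SYN_RECV
tcp        0      0 192.168.3.10:80         15.185.242.57:38102     SYN_RECV
tcp        0      0 192.168.3.10:443        15.185.242.57:4614      SYN_RECV
tcp        0      0 192.168.3.10:443        198.51.100.7:52210      ESTABLISHED
tcp        0      0 192.168.3.10:443        198.51.100.7:52214      TIME_WAIT'

# Read netstat -atn output on stdin; print per remote IPv4 /24:
#   <network> <SYN_RECV sockets> <ESTABLISHED sockets>
# Works with or without -p: the state is field 6 either way. IPv6 lines
# (proto tcp6) are skipped.
halfopen_report() {
    awk '
    $1 == "tcp" && ($6 == "SYN_RECV" || $6 == "ESTABLISHED") {
        split($5, f, ":"); split(f[1], o, ".")      # foreign addr:port -> octets
        net = o[1] "." o[2] "." o[3] ".0/24"
        seen[net] = 1
        if ($6 == "SYN_RECV") syn[net]++; else est[net]++
    }
    END { for (n in seen) printf "%s %d %d\n", n, syn[n] + 0, est[n] + 0 }
    ' | LC_ALL=C sort
}

# Networks with at least $1 half-open sockets and nothing established:
# peers that keep sending SYNs but never finish the handshake.
suspect_sources() {
    halfopen_report | awk -v thr="$1" '$3 == 0 && $2 >= thr { print $1 }'
}

printf '%s\n' "$NETSTAT_SAMPLE" | halfopen_report
printf '%s\n' "$NETSTAT_SAMPLE" | suspect_sources 2
# On the web server itself, against a live snapshot:  netstat -atn | suspect_sources 20
```

With the sample, `suspect_sources 2` lists 15.185.242.0/24 and 15.185.243.0/24 and leaves 198.51.100.0/24 alone because it has an established connection. A threshold of 2 only makes sense for the tiny sample; against a live server pick something like the 60-per-port figure from the post, and run it a few times in a row, since a burst of SYN_RECV entries that never turns into ESTABLISHED is the signal. If a narrower block than a whole country is wanted, an iptables hashlimit rule in /etc/sysconfig/firewall.local (for example `-p tcp --syn -m multiport --dports 80,443 -m hashlimit --hashlimit-above 10/sec --hashlimit-mode srcip --hashlimit-name websyn -j DROP`) caps new connections per source address; the traffic to a server on orange is forwarded rather than delivered locally, so the rule belongs on the forward path, and the exact chain name to use depends on the IPFire version, so check the comments in that file. Also confirm `sysctl net.ipv4.tcp_syncookies` is 1 on the web server so the listen queue cannot be exhausted by half-open entries.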