Add signature for bird/ unwanted peerings

Issue #118 open
Nico Schottelius created an issue

Running bird with BGP peering, invalid peers try to connect:

May 21 22:11:18 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 51798)
May 21 22:11:20 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 38278)
May 21 22:11:22 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 41872)
May 21 22:11:24 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 44464)
May 21 22:11:26 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 46784)

This should be blocked, because the requests are unwanted.

Comments (4)

  2. Kevin Zheng

    You can contribute a patch to sshg-parser (source in src/parser). Most of the interesting logic is in attack_scanner.l and attacker_parser.y. I’ve been busy so I haven’t been able to put this in, but your attack signature seems relatively straightforward.
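
A prototype of the requested signature, run over the log lines from the issue. This is an added example, not sshguard's parser code and not part of the original thread; the names `parse_line`, `offenders` and the threshold are assumptions, and the lines marked as constructed are not from the issue.

```python
import ipaddress
import re
from collections import Counter

# Syslog timestamp and host, program "bird" with optional [pid], then the
# exact message text from the issue. Anchored so the text cannot match when
# it appears inside another program's message.
BIRD_UNEXPECTED = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ bird(?:\[\d+\])?: "
    r"BGP: Unexpected connect from unknown address (\S+) \(port (\d{1,5})\)$"
)

def parse_line(line):
    """Return (address, port) for a matching bird line, otherwise None."""
    m = BIRD_UNEXPECTED.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))  # accepts IPv4 and IPv6
    except ValueError:
        return None  # address field is not a valid IP, do not block on it
    port = int(m.group(2))
    return (str(addr), port) if 0 < port <= 65535 else None

def offenders(lines, threshold=3):
    """Map each address seen at least `threshold` times to its hit count."""
    counts = Counter(hit[0] for hit in map(parse_line, lines) if hit)
    return {addr: n for addr, n in counts.items() if n >= threshold}

SAMPLE = [
    # The first three lines are from the issue; the rest are constructed.
    "May 21 22:11:18 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 51798)",
    "May 21 22:11:20 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 38278)",
    "May 21 22:11:22 router1 bird: BGP: Unexpected connect from unknown address 107.6.171.130 (port 41872)",
    "May 21 22:11:30 router1 bird[812]: BGP: Unexpected connect from unknown address 2001:db8::1 (port 40000)",
    "May 21 22:11:31 router1 sshd[999]: Invalid user bird: BGP: Unexpected connect from unknown address 192.0.2.7 (port 22)",
    "May 21 22:11:32 router1 bird: BGP: Unexpected connect from unknown address 999.6.171.130 (port 51798)",
]

if __name__ == "__main__":
    for addr, n in offenders(SAMPLE).items():
        print(f"{addr}: {n} unexpected BGP connects")
```

The constructed sshd line embeds the bird message in a username field and is rejected because the program name is checked; a signature that matched the message text anywhere in the line would let a remote user get an arbitrary address blocked.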
