
Thread: LFD blocked 0.0.128.0?

  1. #1
    Join Date
    Apr 2015
    Posts
    141

    LFD blocked 0.0.128.0?

    I just got a "blocked" message from LFD:

    Code:
    lfd on server.myserver.com: 0.0.128.0 (-/-/-) blocked with too many connections
    
    Time:        Tue Nov 28 10:01:43 2017 +0100
    IP:          0.0.128.0 (-/-/-)
    Connections: 258
    Blocked:     Temporary Block
    
    Connections:
    tcp6: 0.0.128.0:62418 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:36766 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:19060 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:22294 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:13338 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:60074 -> xxx.11.36.110:80 (TIME_WAIT)
    tcp6: 0.0.128.0:53082 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:13118 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:18740 -> xxx.11.36.110:443 (TIME_WAIT)
    tcp6: 0.0.128.0:49148 -> xxx.11.36.110:443 (TIME_WAIT)
    I haven't seen this before. 0.0.128.0 doesn't ring any bell, but the target IP address also doesn't. What can this be? Does this look suspicious to anyone?

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,400
    Hello,

    Strange to see it. Whois shows:

    Code:
    # whois 0.0.128.0
    [Querying whois.iana.org]
    [whois.iana.org]
    % IANA WHOIS server
    % for more information on IANA, visit http://www.iana.org
    % This query returned 1 object
    
    
    inetnum:      0.0.0.0 - 0.255.255.255
    organisation: IANA - Local Identification
    status:       RESERVED
    
    
    remarks:      0.0.0.0/8 reserved for self-identification [RFC1122],
    remarks:      section 3.2.1.3. Reserved by protocol. For authoritative
    remarks:      registration, see iana-ipv4-special-registry.
    
    
    changed:      1981-09
    source:       IANA

    but the IP is having tcp6 connections. Check and see whether or not you have this IP on your network interface, and find it in apache logs.

  3. #3
    Join Date
    Apr 2015
    Posts
    141
    Quote: Originally Posted by zEitEr
    Check and see whether or not you have this IP on your network interface, and find it in apache logs.
    Thanks Alex. It's not in the webserver logs (NGINX in my case), which doesn't surprise me, because I don't think this was a webserver request. The strange thing is that the address it wanted to connect to was also listed as "SPECIAL-IPV4-FUTURE-USE-IANA-RESERVED". I inspected the network interfaces, but there's nothing extraordinary in there.

    It seems it happened earlier, on October 23rd. I suspect it's a daemon service trying to make this connection, but unless it's logged somewhere, I think it's going to be quite hard to find out which and why. I'll scan through all the logs to see if something comes up.
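
Added example, not part of the thread and not LFD's own code: a Python triage of the "Connections:" lines in an LFD alert that flags source addresses falling in the two special blocks the posts mention (0.0.0.0/8 from the whois output, 240.0.0.0/4 from the last post). The line format is taken from the alert above; the function names and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re

# Blocks named in the thread: 0.0.0.0/8 (RFC 1122 "this network", per the
# whois output) and 240.0.0.0/4 (IANA future use, per the last post).
SPECIAL = {
    "this-network (0.0.0.0/8)": ipaddress.ip_network("0.0.0.0/8"),
    "future-use (240.0.0.0/4)": ipaddress.ip_network("240.0.0.0/4"),
}
LINE = re.compile(r"^\s*(tcp6?|udp6?):\s+(\S+)\s+->\s+(\S+)\s+\((\w+)\)")

def classify(endpoint):
    """Split 'addr:port' on the last colon and label the address."""
    host, _, _port = endpoint.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, "unparseable (masked or truncated)"
    # An IPv4-mapped IPv6 address is judged by its embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        for label, net in SPECIAL.items():
            if ip in net:
                return str(ip), label
    return str(ip), "ordinary"

def triage(alert_text):
    """Return {(source, label): count} for sources that are not 'ordinary'."""
    odd = {}
    for m in map(LINE.match, alert_text.splitlines()):
        if m and (key := classify(m.group(2)))[1] != "ordinary":
            odd[key] = odd.get(key, 0) + 1
    return odd

# Constructed sample: the first line is copied from the alert in the thread,
# the others are made up (documentation addresses) to exercise each branch.
SAMPLE = """\
tcp6: 0.0.128.0:62418 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:36766 -> 203.0.113.10:443 (TIME_WAIT)
tcp6: ::ffff:198.51.100.7:51234 -> 203.0.113.10:443 (ESTABLISHED)
tcp: 240.0.0.9:40000 -> 203.0.113.10:80 (SYN_RECV)
"""

if __name__ == "__main__":
    for (src, label), n in triage(SAMPLE).items():
        print(f"{n:4d}  {src:15s}  {label}")
```

A source that lands in either block cannot be a routable client address, so a hit points at how the connection table was read or reported rather than at a remote host to investigate.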
