LFD blocked 0.0.128.0?

zmippie

I just got a "blocked" message from LFD:

Code:
lfd on server.myserver.com: 0.0.128.0 (-/-/-) blocked with too many connections

Time:        Tue Nov 28 10:01:43 2017 +0100
IP:          0.0.128.0 (-/-/-)
Connections: 258
Blocked:     Temporary Block

Connections:
tcp6: 0.0.128.0:62418 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:36766 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:19060 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:22294 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:13338 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:60074 -> xxx.11.36.110:80 (TIME_WAIT)
tcp6: 0.0.128.0:53082 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:13118 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:18740 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:49148 -> xxx.11.36.110:443 (TIME_WAIT)

I haven't seen this before. 0.0.128.0 doesn't ring any bell, but the target IP address also doesn't. What can this be? Does this look suspicious to anyone?
 
Hello,

Strange to see it. Whois shows:

Code:
# whois 0.0.128.0
[Querying whois.iana.org]
[whois.iana.org]
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object


inetnum:      0.0.0.0 - 0.255.255.255
organisation: IANA - Local Identification
status:       RESERVED


remarks:      0.0.0.0/8 reserved for self-identification [RFC1122],
remarks:      section 3.2.1.3. Reserved by protocol. For authoritative
remarks:      registration, see iana-ipv4-special-registry.


changed:      1981-09
source:       IANA


but the IP is having tcp6 connections. Check and see whether or not you have this IP on your network interface, and find it in apache logs.
 
Check and see whether or not you have this IP on your network interface, and find it in apache logs.

Thanks Alex. It's not in the webserver logs (NGINX in my case), which doesn't surprise me, because I don't think this was a webserver request. The strange thing is that the address it wanted to connect to was also listed as "SPECIAL-IPV4-FUTURE-USE-IANA-RESERVED". I inspected the network interfaces, but there's nothing extraordinary in there.

It seems it happened earlier, on October 23rd. I suspect it's a daemon service trying to make this connection, but unless it's logged somewhere, I think it's going to be quite hard to find out which and why. I'll scan through all the logs to see if something comes up.
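
An added example, not part of the original posts or of LFD itself: a small Python triage of the alert format shown in the first post, tallying destination ports, states and protocol, and flagging addresses that fall in the reserved blocks discussed in the thread. The sample is constructed from the post's alert (trimmed to four lines), and the names `SPECIAL`, `classify` and `triage` are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Subset of the IANA IPv4 special-purpose registry relevant to this thread.
SPECIAL = {
    ipaddress.ip_network("0.0.0.0/8"): "0.0.0.0/8 'this network' (RFC 1122)",
    ipaddress.ip_network("240.0.0.0/4"): "240.0.0.0/4 reserved for future use (RFC 1112)",
}
CONN = re.compile(r"^(tcp6?|udp6?): (\S+):(\d+) -> (\S+):(\d+) \((\w+)\)$")

# Constructed sample: the alert from the post, trimmed to four connection lines.
SAMPLE = """\
Time:        Tue Nov 28 10:01:43 2017 +0100
IP:          0.0.128.0 (-/-/-)
Connections: 258
Blocked:     Temporary Block

Connections:
tcp6: 0.0.128.0:62418 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:36766 -> xxx.11.36.110:443 (TIME_WAIT)
tcp6: 0.0.128.0:60074 -> xxx.11.36.110:80 (TIME_WAIT)
tcp6: 0.0.128.0:53082 -> xxx.11.36.110:443 (TIME_WAIT)
"""

def classify(addr):
    """Return the special-purpose block addr falls in, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # redacted or malformed, e.g. xxx.11.36.110
    return next((note for net, note in SPECIAL.items() if ip in net), None)

def triage(report):
    """Summarise an LFD connection-tracking alert for a first look."""
    out = {"reported": None, "ports": Counter(), "states": Counter(),
           "protos": Counter(), "special": {}}
    for line in report.splitlines():
        line = line.strip()
        if m := re.match(r"Connections:\s+(\d+)$", line):
            out["reported"] = int(m.group(1))  # total LFD counted, not lines shown
        elif m := CONN.match(line):
            proto, src, _, dst, dport, state = m.groups()
            out["protos"][proto] += 1
            out["ports"][int(dport)] += 1
            out["states"][state] += 1
            for addr in (src, dst):
                if note := classify(addr):
                    out["special"][addr] = note
    return out
```

A source address that lands in `special` cannot be a routable remote client, so the next place to look is the local side: the interfaces and the socket table, as suggested in the reply.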
 