Anyone having recent OpenVPN problems?

Attacks began Aug 7th

literally hundreds per second, no doubt routed from elsewhere

Aug 7 19:26:28 openvpn[3973]: 185.49.126.9:1848 TLS: Initial packet from [AF_INET]185.49.126.9:1848 (via [AF_INET]108.xxx.xxx.xxx%eth0), sid=xxxxxxxxxxxx

Then this IP
Aug 7 19:27:16 openvpn[3973]: 45.88.230.205:34650 TLS: Initial packet from [AF_INET]45.88.230.205:34650 (via [AF_INET]108.xxx.xxx.xxx%eth0), sid=xxxxxxxxxx

Then this one
Aug 7 19:28:08 openvpn[3973]: 51.79.98.58:33239 TLS: Initial packet from [AF_INET]51.79.98.58:33239 (via [AF_INET]108.xxx.xxx.xxx%eth0), sid=xxxxxxxxxxxxx


Then they start over each taking a turn for a minute or two at 100+ requests per second.
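The pattern described in this post (bursts of `TLS: Initial packet` lines from one source, then the next source takes its turn) is easy to pull out of the log with a script. The following is an added example, not code from anyone in the thread: it parses syslog lines in the exact shape quoted above, counts initial packets per source per second, lists the sources that exceed a rate a real client never reaches, shows the order in which they rotate, and emits iptables DROP rules for them. The sample log lines are constructed (RFC 5737 test addresses, not the addresses from the post), and the 20/s threshold and UDP port 1194 are assumptions, not values the thread gives.

```python
"""Flag OpenVPN sources flooding the server with TLS 'Initial packet' lines.

Added example for this thread. The log format mirrors the lines quoted above;
the sample entries are constructed (RFC 5737 test addresses), and the per-second
threshold and UDP port 1194 are assumptions, not values from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog shape seen in the thread:
#   "Aug 7 19:26:28 openvpn[3973]: 1.2.3.4:1848 TLS: Initial packet from [AF_INET]1.2.3.4:1848 (via ...), sid=..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) openvpn\[\d+\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ TLS: Initial packet from "
)


def parse_initial_packets(lines):
    """Yield (timestamp, source_ip) for every 'TLS: Initial packet' line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Syslog carries no year; bucketing only needs second granularity within one log.
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def per_source_stats(lines):
    """Return {ip: (peak_initial_packets_in_one_second, total_initial_packets)}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip in parse_initial_packets(lines):
        buckets[ip][ts] += 1
    return {ip: (max(secs.values()), sum(secs.values())) for ip, secs in buckets.items()}


def flood_sources(lines, threshold_per_second=20):
    """Sorted IPs whose peak one-second rate reaches the threshold (assumed 20/s; a real client sends one)."""
    return sorted(ip for ip, (peak, _) in per_source_stats(lines).items()
                  if peak >= threshold_per_second)


def rotation_order(lines, threshold_per_second=20):
    """Flooding IPs in order of first appearance, which exposes the 'taking turns' pattern."""
    flooders = set(flood_sources(lines, threshold_per_second))
    seen = []
    for _, ip in parse_initial_packets(lines):
        if ip in flooders and ip not in seen:
            seen.append(ip)
    return seen


def drop_rules(lines, port=1194, threshold_per_second=20):
    """iptables DROP rules for the flooders (1194/udp is the OpenVPN default, assumed here)."""
    return [f"iptables -I INPUT -p udp --dport {port} -s {ip} -j DROP"
            for ip in flood_sources(lines, threshold_per_second)]


def _mk(ts, ip, port):
    """Build one constructed log line in the quoted format."""
    return (f"{ts} openvpn[3973]: {ip}:{port} TLS: Initial packet from "
            f"[AF_INET]{ip}:{port} (via [AF_INET]192.0.2.10%eth0), sid=0123456789ab")


# Constructed sample: two sources taking turns at 30 packets/s, one real client, one unrelated line.
SAMPLE_LOG = (
    [_mk("Aug 7 19:26:28", "198.51.100.7", 1848 + i) for i in range(30)]
    + [_mk("Aug 7 19:26:29", "198.51.100.7", 2000 + i) for i in range(30)]
    + [_mk("Aug 7 19:27:16", "203.0.113.5", 34650 + i) for i in range(30)]
    + [_mk("Aug 7 19:30:01", "192.0.2.50", 51000)]
    + ["Aug 7 19:30:02 openvpn[3973]: 192.0.2.50:51000 VERIFY OK: depth=0, CN=laptop"]
)

if __name__ == "__main__":
    for ip, (peak, total) in sorted(per_source_stats(SAMPLE_LOG).items()):
        print(f"{ip:15} peak {peak:3d}/s total {total}")
    print("flooders in order:", rotation_order(SAMPLE_LOG))
    for rule in drop_rules(SAMPLE_LOG):
        print(rule)
```

Blocking by source address only helps while the set of sources stays small; as the post notes, they rotate, so a per-IP list is a stopgap. Rate-limiting the VPN port at the firewall, or restricting it to known client addresses where that is possible, holds up better, and OpenVPN's own `tls-auth`/`tls-crypt` options exist precisely so the server can discard control-channel packets that lack a valid HMAC before spending TLS state on them; whether the router firmware in question exposes those options is not something this thread establishes.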

Yeah, saw that. These are EOL, the FW is the latest, and it's a very strong pass.

It doesn't appear they're getting in; they aren't even trying to handshake at all (those entries are all they send, just hundreds per second). Just pounding the service with requests and not answering with the expected reply. It appears to be brute force... but then I'm no network engineer either...
Unplug the modem and router for a while and see if it will assign a different IP address.

Also change the port number. It may not stop it, but hitting that fast, they may only be looking for the default port, and having a different port may stop or slow it down.
 
So both of the Asus routers are under direct attack. I was in both this morning and they're dead again (the VPN service).

Pored through the logs and both show being hit on the VPN service massively until the service runs out of memory and dies. The router stays up and working, but the VPN service needs to be manually restarted.

Same European IPs on both.

I'll have to see what I can do to get the router to refuse the requests altogether?
Could be bots trying to mass-exploit the vulnerability mentioned at "9,000 Asus routers compromised by botnet attack and persistent SSH backdoor that even firmware updates can't fix". Sometimes the exploit does not work but causes stability issues.
 
Will change the default port number tomorrow when I drive down there to connect to it.

Having read up on that "famous" Asus exploit, I don't think that's what it is. They are hammering the VPN service specifically, which by itself wouldn't allow them to execute the vulnerability. It's a type of DoS targeting the VPN service, I think, sending a "hello" packet which the router is rightfully not responding to.
 