A briefly amusing story about conntracct

Recently I’ve migrated from an EdgeRouter Lite-3 home router to a Debian Stretch LXD container running on a server. There are a number of reasons I did this, and I’ll go over them some other time. For now, I just want to share with you an amusing story about using a tool a friend of mine made called conntracct.

Conntracct is a program that takes conntrack accounting events and pushes them to some kind of sink; in my case, I am sending conntrack data to an InfluxDB instance over UDP. I’ll explain more about this program and how it works in a follow-up post. The important thing to note here is that this allows me to query a time series database and show all the connections, past and present, on my router.

As I started aimlessly writing queries and seeing what I could do, I noticed there were flows with a destination address of my external IP. So I crafted a query to see how many connections were being created, where they came from and what service they were targeting.

SELECT "src_addr", "dst_port", top(connections, 5) AS connections FROM (
  SELECT count("packets_ret") AS connections FROM "ct_acct" WHERE (
    "dst_addr" = '92.x.x.77' AND "dst_port" != '0'
  ) GROUP BY "src_addr", "dst_port"
)

The results I got were rather interesting: the most connections originated from an IP I didn’t recognise, aimed at a destination port I didn’t recognise either.

time src_addr        dst_port connections
---- --------        -------- -----------
0    213.x.x.220     500      1284
0    85.x.x.60       443      60
0    185.x.x.35      443      31
0    95.x.x.116      443      30
0    122.x.x.183     5555     18

First I decided to figure out what this port was for; a quick googling told me it was for IKE (Internet Key Exchange). IKE sounded familiar to me: it was what the IPSec implementation on the EdgeRouter I used to run relied on. At this point I decided to don my detective hat and figure out why I was receiving these packets. It had been a while since I had run an IPSec VPN, so I really wanted to know if this was an intrusion attempt or a long neglected dangling VPN configuration somewhere.

The first step I took was finding the owner of the IP address with a simple WHOIS; this yielded an ISP in a country where I had previously had an established VPN connection. There was only one person I had connected to in that country. This gave me a suspect, but I wasn’t going to shame this person for neglecting their configuration without definite proof. I decided to resolve some of the suspect’s domains to see if the IP matched the one I had from my query. No dice. At this point I remembered that the suspect would frequent a TeamSpeak server that I happen to have administrative access on. So I decided to hop into the database and search for this mystery IP and… voila! A match!

I subsequently contacted the person and informed them of the pesky packets and what was causing them, and now they’re gone. Not that I see any real harm done by having these packets arrive at my firewall anyway. This turned out to be an unexpected use for the conntracct tool, and I assume there are a lot of interesting reasons to see what flows through your home gateway, even if it is just to see some bots try their luck.

This was mildly entertaining, as it’s not often I get to do any cyber sleuthing, and it got me to brush up on my Influx querying skills and find a good use for this tool.

If you thought that this was just an exaggerated account of “connecting the dots”, you’re right. I also saw a completely unrelated connection attempt on the same port from a Hurricane Electric IP, which has no relation to me whatsoever. But who doesn’t like a good story? :)