PSYKO_nz
Posted October 1, 2022

Hey all, hope you are well. I've had a bit of an interesting day today...

So I thought I'd do some router maintenance today. Taking a look at my connections, some strange IP addresses were showing as connecting to the internal IP address of my computer that's running the small dedicated server I run for me and my mates, through port 2303. The PC wasn't on at this stage, so I thought I would do some checking..

udp 51.15.237.45:49557 x.x.x.x:2303
udp 142.44.175.123:64599 x.x.x.x:2303
udp 51.15.202.209:56650 x.x.x.x:2303
udp 51.222.127.205:56477 x.x.x.x:2303

I tried to search the IPs of a few of them and couldn't find anything, but I accidentally connected to one of them (wasn't looking where I typed it and hit enter). It came back saying "if you see this page nginx has been successfully installed", then links to nginx.com and nginx.org.

Then I freaked out. I have no idea what it is, who it is or anything.

After freaking out I went back to work. I stopped searching these IPs and just went to VirusTotal and scanned them; nothing came back as malicious.

WHY AM I POSTING THIS HERE?

Because I decided to turn on my router packet reporting and then closed all my ports but 2302 (the main port). Did some testing with friends; turns out I can run it like that and they can just directly connect to the server when we play.

When checking my ports I was getting slammed by connections trying to connect to 2303, which made sense as this was what was already happening. These connection attempts were coming through every couple of seconds.

So then I decided to see if I could run Arma through another port, so I picked a port near but not in Arma's range. Booted the server; as expected the main port came up, and the Steam query port (usually 2303) came up as the port +1. All happened as expected and people could connect.

HOWEVER

Immediately upon the server working, I started getting slammed by those same IP addresses on both 2303 AND THE NEW PORT.

kernel: DROP IN=ppp0 OUT= MAC= SRC=51.15.237.45 DST=x.x.x.x LEN=53 TOS=0x00 PREC=0x00 TTL=48 ID=4673 DF PROTO=UDP SPT=44846 DPT=2303 LEN=33 MARK=0x8000000

That's what the router tracking looked like. (DST was my external IP address, redacted for obvious reasons.)

So I shut it all down, server PC off etc etc etc.

After getting back from a coffee I checked the router traffic, and again, every few seconds I would get a hit from the IP addresses, the main one being the one posted above, alternating between port 2303, and then the next attempt would be to the new port I had assigned it. It hasn't stopped and it's been an hour.

TLDR

MY QUESTION?

What the heck is happening? The new port is not used by anything else anywhere on my network, and it started getting hit immediately after the Arma server assigned it as the query port.

I'm so confused and a bit worried. Can someone please help me understand what is going on? Is my network compromised? Is the Arma 3 server compromised? Is this normal?
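For triaging router logs like the DROP line quoted in the post, here is an added example (not part of the original post) that parses lines in that layout and tallies hits per source address and destination port. The sample lines are constructed: the addresses come from documentation ranges and port 2403 stands in for the unnamed new port.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the layout of the log line quoted in the post.
TEMPLATE = ("kernel: DROP IN=ppp0 OUT= MAC= SRC={src} DST=203.0.113.5 LEN=53 "
            "TOS=0x00 PREC=0x00 TTL=48 ID=4673 DF PROTO=UDP SPT={spt} "
            "DPT={dpt} LEN=33 MARK=0x8000000")
SAMPLE_LOG = "\n".join([
    TEMPLATE.format(src="192.0.2.10", spt=44846, dpt=2303),
    TEMPLATE.format(src="192.0.2.10", spt=44847, dpt=2403),
    TEMPLATE.format(src="198.51.100.7", spt=51000, dpt=2303),
    TEMPLATE.format(src="192.0.2.10", spt=44848, dpt=2303),
    "kernel: device ppp0 entered promiscuous mode",  # unrelated line, skipped
])

FIELD = re.compile(r"(\w+)=(\S*)")  # values may be empty, e.g. "OUT=" and "MAC="

def parse_drop_line(line):
    """Return the fields of one DROP log line as a dict, or None if not one."""
    if "DROP" not in line or "SRC=" not in line:
        return None
    rec = {}
    for key, value in FIELD.findall(line):
        # LEN occurs twice: first the IP packet length, then the UDP length.
        if key == "LEN" and "LEN" in rec:
            key = "UDP_LEN"
        rec[key] = value
    for key in ("LEN", "UDP_LEN", "TTL", "SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    rec["DF"] = " DF " in line  # bare flag with no "=" in the log format
    return rec

def summarize(log_text):
    """Count dropped UDP packets per (source, port); list sources on >1 port."""
    hits, ports_by_src = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec is None or rec.get("PROTO") != "UDP":
            continue
        hits[(rec["SRC"], rec["DPT"])] += 1
        ports_by_src[rec["SRC"]].add(rec["DPT"])
    multi = {s: sorted(p) for s, p in ports_by_src.items() if len(p) > 1}
    return hits, multi

if __name__ == "__main__":
    hits, multi = summarize(SAMPLE_LOG)
    for (src, dpt), n in hits.most_common():
        print(f"{src:15} -> port {dpt}: {n} dropped")
    print("sources seen on more than one port:", multi)
```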