31 Jan
2012
31 Jan
'12
10:01 p.m.
After making sure that my VPS is receiving packets on the right address,
I'm now getting warnings that it's sending on the old address. To my
knowledge I don't have any software installed for which I needed to specify
the VPS' IP, so my guess is that this will end when I remove the old
address from network/interfaces. Is that right? Is there a way to test
before deleting the old IP?
Thanks,
Mike
On Sat, Jan 28, 2012 at 7:14 AM, <andy(a)bitfolk.com> wrote:
Dear customer,
You're receiving this email because our monitoring has detected that, in
the last 24 hours, your VPS "science" is still sending packets from the
address 212.13.195.254, which is part of our deprecated range of IP
addresses, 212.13.194.0/23.
Back at the start of November 2011 we announced that a renumbering would
be necessary, and we set a deadline of Monday 6th February 2012 for this
to be completed:
* Announcement:
http://lists.bitfolk.com/lurker/message/20111104.221826.7f38e097.en.html
* Full instructions:
https://tools.bitfolk.com/wiki/Renumbering_for_customers
There's now just over a week before the IP addresses that you are still
making use of are taken out of service. If you don't act to stop using
these addresses then YOU WILL EXPERIENCE A LOSS OF SERVICE once
212.13.194.0/23 is decommissioned.
Therefore if you have any questions about the renumbering process or
need help to complete it, it is important that you get in touch with us
as soon as possible.
Questions regarding how to renumber would be best asked on the users
mailing list:
http://lists.bitfolk.com/lurker/list/users.en.html
BitFolk will only be able to carry out the work on your behalf as a
chargeable consultancy service. Please contact support if you would like
us to do this.
It is possible that you have received this email purely because you
still have one or more of the deprecated IP addresses active on your
VPS. Internet hosts receive a constant "background noise" of random
traffic. It is recommended to remove the deprecated IP addresses once
you think you don't need them any longer, both to avoid this and to
reassure yourself that they are really not in use by other systems.
Best regards,
Andy Smith
BitFolk Ltd
31 Jan
31 Jan
10:10 p.m.
Hi Michael,
I think Andy mentioned using tcpdump in an earlier post to the mailing list:
I still have the command in a text file: tcpdump -vpni eth0 'host
212.13.19x.y'
That should show you what is still using the old IP. If you're confident
that there isn't anything there of importance you can try removing the IP
now and see if anything fails, that way you can easily re-add it until you
fix the problem.
Daniel
10:17 p.m.
Hi Michael,
On Tue, Jan 31, 2012 at 04:01:08PM -0600, Michael Corliss wrote:
After making sure that my VPS is receiving packets on
the right address,
I'm now getting warnings that it's sending on the old address.
I had a look at what was caught for you and it was just 9 packets,
split between source port 443 and source port 53. Probably just
scans.
So I wouldn't be too concerned.
To my knowledge I don't have any software
installed for which I
needed to specify the VPS' IP, so my guess is that this will end
when I remove the old address from network/interfaces. Is that
right?
You will definitely not be able to send packets from an IP address
you have removed¹. ;)
Is there a way to test before deleting the old IP?
# tcpdump -vpni eth0 'src net 212.13.194.0/23 and not arp'
will show you any traffic going in or out of your eth0 that has a
source address inside 212.13.194.0/23 and is not ARP traffic.
Cheers,
Andy
¹ OK yeah barring some crafty thing you do to generate such traffic.
1 Feb
1 Feb
9:31 p.m.
Ok, ran tcpdump with the following result:
$ sudo tcpdump -vpni eth0 'src net 212.13.194.0/23 and not arp'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
21:14:44.610567 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 52)
212.13.195.254.80 > 180.76.5.52.34209: Flags [S.], cksum 0x2eb3
(correct), seq 1882408364, ack 2442136209, win 5840, options [mss
1460,nop,nop,sackOK,nop,wscale 6], length 0
21:14:44.916894 IP (tos 0x0, ttl 64, id 18695, offset 0, flags [DF], proto
TCP (6), length 40)
212.13.195.254.80 > 180.76.5.52.34209: Flags [.], cksum 0x84f9
(correct), ack 240, win 108, length 0
[...]
21:14:47.691019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 60)
212.13.195.254.80 > 66.249.72.20.49028: Flags [S.], cksum 0x3588
(correct), seq 4123153607, ack 62604846, win 5792, options [mss
1460,sackOK,TS val 918884192 ecr 696390848,nop,wscale 6], length 0
I see the same few IPs in the destination, and I looked them up: Baidu and
Google. I take it these are "scans"? It seems like a lot of communication
going on. But if that's the only traffic, am I'm only facing a drop in
search ranking if I delete that IP?
On Tue, Jan 31, 2012 at 4:17 PM, Andy Smith <andy(a)bitfolk.com> wrote:
Hi Michael,
On Tue, Jan 31, 2012 at 04:01:08PM -0600, Michael Corliss wrote:
After making sure that my VPS is receiving
packets on the right address,
I'm now getting warnings that it's sending on the old address.
I had a look at what was caught for you and it was just 9 packets,
split between source port 443 and source port 53. Probably just
scans.
So I wouldn't be too concerned.
To my knowledge I don't have any software
installed for which I
needed to specify the VPS' IP, so my guess is that this will end
when I remove the old address from network/interfaces. Is that
right?
You will definitely not be able to send packets from an IP address
you have removed¹. ;)
Is there a way to test before deleting the old
IP?
# tcpdump -vpni eth0 'src net 212.13.194.0/23 and not arp'
will show you any traffic going in or out of your eth0 that has a
source address inside 212.13.194.0/23 and is not ARP traffic.
Cheers,
Andy
¹ OK yeah barring some crafty thing you do to generate such traffic.
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
2 Feb
2 Feb
1:59 p.m.
Hi Michael,
On Wed, Feb 01, 2012 at 03:31:58PM -0600, Michael Corliss wrote:
Ok, ran tcpdump with the following result:
$ sudo tcpdump -vpni eth0 'src net 212.13.194.0/23 and not arp'
212.13.195.254.80 > 180.76.5.52.34209: Flags [S.], cksum 0x2eb3
212.13.195.254.80 > 180.76.5.52.34209: Flags [.], cksum 0x84f9
212.13.195.254.80 > 66.249.72.20.49028: Flags [S.], cksum 0x3588
I see the same few IPs in the destination, and I looked them up: Baidu and
Google.
Ah, perhaps they have been slow to pick up the new IPs.
I take it these are "scans"?
Maybe.. If you used the -A option to tcpdump you can see what web
stuff they are requesting as well. It may be that they are just
scanning every IP for port 80 to see if there is a web site on it.
But if that's the only traffic, am I'm only
facing a drop in
search ranking if I delete that IP?
I would be surprised if search ranking dropped, given that you've
had the same site on the new IPs for a week or more.. but I don't
know for sure!
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
4706
days inactive
4708
days old
4 comments
3 participants
participants (3)
-
Andy Smith -
Daniel Case -
Michael Corliss