Hi all,
I just saw some entries for HA in my Proxmox firewall log which I couldn’t really explain to myself.
SRC is the IP of the HAOS VM
DST are some random IPs in my local network
Rest looks like this: LEN=28 TOS=0x00 PREC=0x00 DF PROTO=UDP DPT=80 LEN=8
Now I’m wondering: what’s happening here?
Given the tiny length of the packets, I would think it’s like a discovery service. But I couldn’t find anything in the docs that uses port 80 UDP.
Do you have any info about what the target IPs are? (All a certain device type, etc.?)
I don’t know of anything that DEFAULTS to UDP 80. (Remember you can actually send any protocol over any port; well-known service ports are just well known.)
It could technically be anything (without a packet capture we’re likely guessing). That said, usually when I see 80 UDP it is something related to penetration testing (someone seeing if they can get away with something - did you leave UDP 80 open instead of TCP 80) or some developer somewhere used UDP 80 for a boutique protocol when they don’t need to maintain a TCP session.
Just looking at what devices are being touched might help ID what it is.
Sure.
It seems to be pretty random devices. Some Alexas, Chromecast, Vacuum Robot, Work laptop,… Some of those devices are in the guest network (I have a UniFi network, so devices in the guest network can also be seen by default).
It mostly seems to send out those packets after a reboot. Sometimes to one device. Sometimes to more than one device. Sometimes to none. Edit: It seems to send to devices which it has not seen before the last reboot.
I also did a tcpdump. But the result was as expected: the 8-byte size is just the header (source, destination, length, checksum). No payload.
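
Added example, not part of any post in this thread: a small Python filter that reads netfilter-style log lines like the one quoted above and lists, per source, every destination that received a UDP datagram with no payload (UDP `LEN=8`, i.e. header only). The sample lines, addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

UDP_HEADER_LEN = 8  # source port + destination port + length + checksum

# Constructed sample lines in netfilter LOG key=value style (documentation addresses).
SAMPLE_LOG = """\
policy DROP: IN=fwbr100i0 SRC=192.0.2.10 DST=192.0.2.41 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=4101 DF PROTO=UDP SPT=40112 DPT=80 LEN=8
policy DROP: IN=fwbr100i0 SRC=192.0.2.10 DST=192.0.2.57 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=4102 DF PROTO=UDP SPT=40113 DPT=80 LEN=8
policy DROP: IN=fwbr100i0 SRC=192.0.2.10 DST=192.0.2.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=4103 DF PROTO=UDP SPT=51000 DPT=53 LEN=53
policy DROP: IN=fwbr100i0 SRC=192.0.2.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=900 DF PROTO=TCP SPT=50222 DPT=80 WINDOW=64240 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one log line into fields; LEN before PROTO= is the IP total
    length, LEN after it (UDP only) is the UDP header+payload length."""
    head, sep, tail = line.partition("PROTO=")
    if not sep:
        return None
    rec = dict(FIELD.findall(head))
    l4 = dict(FIELD.findall("PROTO=" + tail))
    rec["IP_LEN"] = int(rec.pop("LEN", 0))
    rec["L4_LEN"] = int(l4.pop("LEN")) if "LEN" in l4 else None
    rec.update(l4)
    return rec

def header_only_udp(log_text):
    """Map each source IP to the sorted (destination, port) pairs that got
    a UDP datagram carrying zero payload bytes."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "UDP" or rec["L4_LEN"] is None:
            continue
        if rec["L4_LEN"] - UDP_HEADER_LEN == 0:
            hits[rec["SRC"]].add((rec["DST"], int(rec["DPT"])))
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, dsts in header_only_udp(SAMPLE_LOG).items():
        print(src, "->", dsts)
```

Grouping the destinations this way makes it easier to compare them against the device inventory, as suggested earlier in the thread.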