
Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large number of ThunderVPN hits on our network, and I'm at a bit of a loss as to what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



  • As I am still not able to find any reliable source of this ThunderVPN traffic:

    I need a pcap of this traffic and a matching conntrack of this traffic:

    tcpdump -ni any port 123 -b -w /tmp/thundervpn.pcap 

    conntrack -L | grep 123 

    __________________________________________________________________________________________________________________
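The conntrack grep above only lists matching flows; to attribute them to hosts, here is an added Python example (not from the thread or from Sophos) that parses `conntrack -L` output, drops the NTP servers you already trust, and reports the internal hosts fanning out to several unexpected port-123 peers. The sample lines and the trusted-server address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `conntrack -L` output; these addresses are documentation
# ranges, not captured from a real firewall.
SAMPLE_CONNTRACK = """\
udp      17 29 src=192.168.10.21 dst=203.0.113.10 sport=51234 dport=123 src=203.0.113.10 dst=192.168.10.21 sport=123 dport=51234 mark=0 use=1
udp      17 12 src=192.168.10.21 dst=198.51.100.7 sport=51235 dport=123 src=198.51.100.7 dst=192.168.10.21 sport=123 dport=51235 mark=0 use=1
udp      17 5 src=192.168.10.21 dst=192.0.2.44 sport=51236 dport=123 src=192.0.2.44 dst=192.168.10.21 sport=123 dport=51236 mark=0 use=1
udp      17 27 src=192.168.10.40 dst=203.0.113.10 sport=40001 dport=123 src=203.0.113.10 dst=192.168.10.40 sport=123 dport=40001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.10.21 dst=198.51.100.7 sport=52000 dport=443 src=198.51.100.7 dst=192.168.10.21 sport=443 dport=52000 [ASSURED] mark=0 use=1
"""

# The first src=/dst=/sport=/dport= group on a conntrack line is the original
# (client-to-server) direction, which is the one that attributes the flow.
FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+.*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=\d+\s+dport=(?P<dport>\d+)"
)


def port123_by_source(conntrack_text, known_ntp=frozenset(), port=123):
    """Map each internal source to the sorted list of distinct port-123
    destinations it talked to, ignoring the NTP servers you expect to see."""
    seen = defaultdict(set)
    for line in conntrack_text.splitlines():
        m = FLOW_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        if m["dst"] in known_ntp:
            continue
        seen[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in seen.items()}


def suspicious_sources(conntrack_text, known_ntp=frozenset(), min_dsts=2):
    """Sources fanning out to several unexpected port-123 peers are the ones to
    capture with tcpdump next; a normal NTP client talks to a fixed pool."""
    fanout = port123_by_source(conntrack_text, known_ntp)
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= min_dsts)


if __name__ == "__main__":
    trusted = {"203.0.113.10"}  # constructed: your own NTP server(s)
    for src in suspicious_sources(SAMPLE_CONNTRACK, trusted):
        print(src, "->", port123_by_source(SAMPLE_CONNTRACK, trusted)[src])
```

Run it against a real `conntrack -L` dump piped into a file, with your actual NTP servers in the trusted set, and take the pcap from the hosts it lists.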

  • OK, I have been watching this thread for a while as we have also been getting these blocked Thunder VPN connections on our XG fw. These began on the 24th Sept 21 and previous to this we had been getting blocked Tunnelbear (VPN) reports.


    On our system, honing in on the culprit seems to have been a bit easier than for some others here, as these connections have been predictable over the last weeks: once a day at specific times, to only 2x servers, both web servers running very few non-standard extra packages.


    My immediate thought was to check the LetsEncrypt "CertifyTheWeb" app, so I disabled it in services and sure enough, last night there was no blocked Thunder VPN connection.

    The question remains, why is a supposedly legit app (we use it to update our site certs) using some iffy Android VPN service and connecting behind port 123 to a bunch of IP addresses worldwide (most have no entry on AbuseIP, although one did route direct to an embedded player with no content)! Highly suspicious, and it suggests to me something is awry.

    If you need any more info, pcap or whatever, I will do my best to provide it (and will be disabling CertifyTheWeb on our systems for now!)
