
Hetzner netscan abuse warning. #10327

Open
3 tasks done
FallingHazard opened this issue Jan 30, 2024 · 2 comments
Assignees
Labels
kind/bug A bug in existing code (including security flaws) P1 High: Likely tackled by core team if no one steps up

Comments

@FallingHazard

FallingHazard commented Jan 30, 2024

Checklist

Installation method

ipfs-desktop

Version

Kubo version: 0.26.0
Repo version: 15
System version: amd64/linux
Golang version: go1.21.6

Config

{
  "API": {
    "HTTPHeaders": {}
  },
  "Addresses": {
    "API": "/ip4/127.0.0.1/tcp/5001",
    "Announce": [],
    "AppendAnnounce": [],
    "Gateway": "/ip4/127.0.0.1/tcp/8080",
    "NoAnnounce": [
      "/ip4/10.0.0.0/ipcidr/8",
      "/ip4/100.64.0.0/ipcidr/10",
      "/ip4/169.254.0.0/ipcidr/16",
      "/ip4/172.16.0.0/ipcidr/12",
      "/ip4/192.0.0.0/ipcidr/24",
      "/ip4/192.0.2.0/ipcidr/24",
      "/ip4/192.168.0.0/ipcidr/16",
      "/ip4/198.18.0.0/ipcidr/15",
      "/ip4/198.51.100.0/ipcidr/24",
      "/ip4/203.0.113.0/ipcidr/24",
      "/ip4/240.0.0.0/ipcidr/4",
      "/ip6/100::/ipcidr/64",
      "/ip6/2001:2::/ipcidr/48",
      "/ip6/2001:db8::/ipcidr/32",
      "/ip6/fc00::/ipcidr/7",
      "/ip6/fe80::/ipcidr/10"
    ],
    "Swarm": [
      "/ip4/0.0.0.0/tcp/4001",
      "/ip6/::/tcp/4001",
      "/ip4/0.0.0.0/udp/4001/quic-v1",
      "/ip4/0.0.0.0/udp/4001/quic-v1/webtransport",
      "/ip6/::/udp/4001/quic-v1",
      "/ip6/::/udp/4001/quic-v1/webtransport"
    ]
  },
  "AutoNAT": {},
  "Bootstrap": [
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt",
    "/ip4/104.131.131.82/tcp/4001/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ",
    "/ip4/104.131.131.82/udp/4001/quic-v1/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ"
  ],
  "DNS": {
    "Resolvers": {}
  },
  "Datastore": {
    "BloomFilterSize": 0,
    "GCPeriod": "1h",
    "HashOnRead": false,
    "Spec": {
      "mounts": [
        {
          "child": {
            "path": "blocks",
            "shardFunc": "/repo/flatfs/shard/v1/next-to-last/2",
            "sync": true,
            "type": "flatfs"
          },
          "mountpoint": "/blocks",
          "prefix": "flatfs.datastore",
          "type": "measure"
        },
        {
          "child": {
            "compression": "none",
            "path": "datastore",
            "type": "levelds"
          },
          "mountpoint": "/",
          "prefix": "leveldb.datastore",
          "type": "measure"
        }
      ],
      "type": "mount"
    },
    "StorageGCWatermark": 90,
    "StorageMax": "10GB"
  },
  "Discovery": {
    "MDNS": {
      "Enabled": false
    }
  },
  "Experimental": {
    "FilestoreEnabled": false,
    "GraphsyncEnabled": false,
    "Libp2pStreamMounting": false,
    "OptimisticProvide": false,
    "OptimisticProvideJobsPoolSize": 0,
    "P2pHttpProxy": false,
    "StrategicProviding": false,
    "UrlstoreEnabled": false
  },
  "Gateway": {
    "APICommands": [],
    "DeserializedResponses": null,
    "DisableHTMLErrors": null,
    "ExposeRoutingAPI": null,
    "HTTPHeaders": {},
    "NoDNSLink": false,
    "NoFetch": false,
    "PathPrefixes": [],
    "PublicGateways": null,
    "RootRedirect": ""
  },
  "Identity": {
    "PeerID": ""
  },
  "Internal": {},
  "Ipns": {
    "RecordLifetime": "",
    "RepublishPeriod": "",
    "ResolveCacheSize": 128
  },
  "Migration": {
    "DownloadSources": [],
    "Keep": ""
  },
  "Mounts": {
    "FuseAllowOther": false,
    "IPFS": "/ipfs",
    "IPNS": "/ipns"
  },
  "Peering": {
    "Peers": null
  },
  "Pinning": {
    "RemoteServices": {}
  },
  "Plugins": {
    "Plugins": null
  },
  "Provider": {
    "Strategy": ""
  },
  "Pubsub": {
    "DisableSigning": false,
    "Router": ""
  },
  "Reprovider": {},
  "Routing": {
    "AcceleratedDHTClient": true,
    "Methods": null,
    "Routers": null
  },
  "Swarm": {
    "AddrFilters": [
      "/ip4/10.0.0.0/ipcidr/8",
      "/ip4/100.64.0.0/ipcidr/10",
      "/ip4/169.254.0.0/ipcidr/16",
      "/ip4/172.16.0.0/ipcidr/12",
      "/ip4/192.0.0.0/ipcidr/24",
      "/ip4/192.0.2.0/ipcidr/24",
      "/ip4/192.168.0.0/ipcidr/16",
      "/ip4/198.18.0.0/ipcidr/15",
      "/ip4/198.51.100.0/ipcidr/24",
      "/ip4/203.0.113.0/ipcidr/24",
      "/ip4/240.0.0.0/ipcidr/4",
      "/ip6/100::/ipcidr/64",
      "/ip6/2001:2::/ipcidr/48",
      "/ip6/2001:db8::/ipcidr/32",
      "/ip6/fc00::/ipcidr/7",
      "/ip6/fe80::/ipcidr/10"
    ],
    "ConnMgr": {},
    "DisableBandwidthMetrics": false,
    "DisableNatPortMap": true,
    "RelayClient": {},
    "RelayService": {},
    "ResourceMgr": {},
    "Transports": {
      "Multiplexers": {},
      "Network": {},
      "Security": {}
    }
  },
  "apply": "server"
}

Description

I keep getting abuse warnings for netscans. I am in server profile.
They have locked my server and now won't unlock.

#############################################################################

Netscan detected from host xxxxxxxxxxxxxxxx

#############################################################################

TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT

2024-01-29 07:33:46 xxxxxxxxxxxxxxxx 4001 -> ::5054:ff:fe92:8bc9 4001 98 TCP
2024-01-29 07:33:33 xxxxxxxxxxxxxxxx 4001 -> ::9036:1c17:f6e3:4a35 44005 1298 UDP
2024-01-29 07:33:00 xxxxxxxxxxxxxxxx 4001 -> ::3:0:5bd:802:1aae 4001 1298 UDP
2024-01-29 07:33:00 xxxxxxxxxxxxxxxx 4001 -> 1e::3:0:2:bd0b 4001 1298 UDP
2024-01-29 07:33:00 xxxxxxxxxxxxxxxx 4001 -> 1e::ea3:0:2:bd0b 4001 1298 UDP
2024-01-29 07:33:29 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::175:1005 4001 1298 UDP
2024-01-29 07:33:43 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::300:debc 4001 98 TCP
2024-01-29 07:33:04 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::311:39b8 4001 98 TCP
2024-01-29 07:33:35 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::315:f409 4001 98 TCP
2024-01-29 07:33:32 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::322:124e 4001 98 TCP
2024-01-29 07:33:27 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::347:2aaa 4001 98 TCP
2024-01-29 07:33:33 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::350:b405 4001 98 TCP
2024-01-29 07:33:29 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::355:56bb 4001 98 TCP
2024-01-29 07:33:35 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::355:e7c2 4001 1298 UDP
2024-01-29 07:33:35 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::372:fa7f 4001 98 TCP
2024-01-29 07:33:25 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::378:ca60 4001 1298 UDP
2024-01-29 07:33:37 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::386:4d5d 4001 98 TCP
2024-01-29 07:32:55 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::386:9798 4001 98 TCP
2024-01-29 07:33:08 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::38a:8610

@FallingHazard FallingHazard added kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization labels Jan 30, 2024
@hsanjuan
Contributor

It seems 64:ff9b:1::/48 is used for ipv4 translation... essentially you need to update your AddrFilters to exclude whatever Hetzner is using for LAN addresses. The server profile includes some well-known ranges but it seems to be missing this one. I guess it should be included...

Of course, let's not forget that Hetzner sucks, that they don't implement any network isolation and instead they put this shitty netscan detector and make ipfs-users life hard without giving any warning. You may well ask their support what private IP ranges to avoid because they may belong to other customers, but instead of dealing with Hetzner support, it is better that you buy yourself an icecream and spend the remaining time migrating off to a sane cloud provider that doesn't make you deal with this BS, if possible (in my humble and personal opinion).

@aschmahmann
Contributor

aschmahmann commented Feb 6, 2024

Mostly agree with @hsanjuan, but poking into this more it looks like there are a few things going on here (although lmk if I'm wrong).

  • ::/8 was reserved by IETF and has carved out some uses https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
    • For some reason there are machines out there with what seem to be invalid addresses like ::5054:ff:fe92:8bc9 (i.e. they don't fall under one of the approved uses in a space reserved by IETF)
    • Hetzner yells at you for dialing these addresses... which they could just drop because they're invalid, but it also seems like fair game for go-libp2p to block dialing these addresses too
  • 64:ff9b:1::/48 should be added to the server profile filters in kubo because it's a private IP range
  • 64:ff9b::/96 is a valid public IP space per https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
    • 64:ff9b::175:1005 falls into this range rather than the one above which should be filtered in kubo. If I'm doing the conversion correctly this is 1.117.16.5 (apparently a Tencent datacenter in China). This means Hetzner is blaming you for dialing what should be valid IP addresses... they might just have a filter for ::/8 and yell at you for dialing anything in that range (since the loopback addresses shouldn't touch the network anyway).

If so this would mean the actions here are:

  1. Add filters (likely in go-libp2p, although they could be hardcoded in kubo if necessary) that block the subset of ::/8 that's undefined
  2. Add 64:ff9b:1::/48 to the server profile filters in kubo
  3. Hetzner users should tell them that 64:ff9b::/96 is fair game
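As an added example (not code from this issue, from Kubo, or from go-libp2p), the following Go program applies the server profile's AddrFilters from the config above, plus the 64:ff9b:1::/48 addition proposed in this thread, to the destination column of a netscan report in the format Hetzner sent. For destinations under the well-known NAT64 prefix 64:ff9b::/96 it decodes the embedded IPv4 address the way the comment above does (64:ff9b::175:1005 becomes 1.117.16.5), and it treats any other IPv6 address whose leading byte is zero as undefined ::/8 space. The filter list, the proposed prefix and the sample report lines are constructed from the thread; the ::/8 rule is a deliberately coarse stand-in for the "undefined subset" named in step 1, not go-libp2p's actual dial policy.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Kubo "server" profile AddrFilters as listed in the issue's config, as plain CIDRs.
var serverProfileFilters = []string{
	"10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "172.16.0.0/12",
	"192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
	"198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
	"100::/64", "2001:2::/48", "2001:db8::/32", "fc00::/7", "fe80::/10",
}

// Addition proposed in the thread (assumed here, not yet in the profile on the
// page): the local-use NAT64 prefix, which is private.
var proposedFilters = []string{"64:ff9b:1::/48"}

// Well-known NAT64 prefix: public; its low 32 bits embed an IPv4 address.
var nat64WellKnown = netip.MustParsePrefix("64:ff9b::/96")

type Verdict struct {
	Addr       netip.Addr
	Dialable   bool
	Reason     string
	EmbeddedV4 netip.Addr // set only for 64:ff9b::/96 destinations
}

func parsePrefixes(cidrs []string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// Classify decides whether a destination should be dialed under the issue's
// filter list plus the proposed change, and explains why.
func Classify(s string) (Verdict, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return Verdict{}, err
	}
	// IPv4-mapped IPv6 (::ffff:a.b.c.d) is really IPv4; compare it as such,
	// otherwise netip.Prefix.Contains would never match the IPv4 filters.
	addr = addr.Unmap()
	v := Verdict{Addr: addr, Dialable: true, Reason: "public"}
	for _, p := range parsePrefixes(serverProfileFilters) {
		if p.Contains(addr) {
			v.Dialable, v.Reason = false, "server profile filter "+p.String()
			return v, nil
		}
	}
	for _, p := range parsePrefixes(proposedFilters) {
		if p.Contains(addr) {
			v.Dialable, v.Reason = false, "proposed filter "+p.String()
			return v, nil
		}
	}
	if nat64WellKnown.Contains(addr) {
		b := addr.As16()
		v.EmbeddedV4 = netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]})
		v.Reason = "NAT64 well-known prefix (public), embeds " + v.EmbeddedV4.String()
		return v, nil
	}
	if addr.IsLoopback() || addr.IsUnspecified() {
		v.Dialable, v.Reason = false, "loopback/unspecified, never dialed"
		return v, nil
	}
	// Anything else with a zero leading byte sits in ::/8, where nothing
	// beyond the cases handled above is defined (coarse stand-in rule).
	if addr.Is6() && addr.As16()[0] == 0 {
		v.Dialable, v.Reason = false, "undefined address inside ::/8"
	}
	return v, nil
}

// TriageReport parses lines in the report format quoted in the issue
// ("DATE TIME SRC SRC-PORT -> DST DST-PORT SIZE PROT") into one verdict per destination.
func TriageReport(report string) (map[string]Verdict, error) {
	out := map[string]Verdict{}
	for _, line := range strings.Split(report, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || f[4] != "->" {
			continue // header, separator or blank line
		}
		v, err := Classify(f[5])
		if err != nil {
			return nil, err
		}
		out[f[5]] = v
	}
	return out, nil
}

// Constructed sample in the report's format (source redacted as on the page).
const sampleReport = `
2024-01-29 07:33:46 xxxxxxxxxxxxxxxx 4001 -> ::5054:ff:fe92:8bc9 4001 98 TCP
2024-01-29 07:33:00 xxxxxxxxxxxxxxxx 4001 -> 1e::3:0:2:bd0b 4001 1298 UDP
2024-01-29 07:33:29 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b::175:1005 4001 1298 UDP
2024-01-29 07:33:30 xxxxxxxxxxxxxxxx 4001 -> 64:ff9b:1::a 4001 98 TCP
2024-01-29 07:33:31 xxxxxxxxxxxxxxxx 4001 -> ::ffff:10.1.2.3 4001 98 TCP
`

func main() {
	verdicts, err := TriageReport(sampleReport)
	if err != nil {
		panic(err)
	}
	for dst, v := range verdicts {
		fmt.Printf("%-24s dial=%-5v %s\n", dst, v.Dialable, v.Reason)
	}
}
```

Run against the real report, only the 64:ff9b::/96 destinations come out as dialable public addresses, which is the set a Hetzner user would cite back to their support per step 3; everything the first two steps would filter is reported with the prefix that caught it.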

@aschmahmann aschmahmann added P1 High: Likely tackled by core team if no one steps up and removed need/triage Needs initial labeling and prioritization labels Feb 6, 2024
@hacdias hacdias mentioned this issue Feb 7, 2024
8 tasks