Our Server was taken offline after abuse notification

I don’t know if it is a bug or if I could do something against it: ZeroTier One seems to use the “real” network adapters to scan for IPs that look like its VPN IPs.

Our hoster wrote: “The IP address(es) were used to run scans on other servers.
This consumed significant network resources and consequently severely impacted part of our network.”

ZeroTier One tried to connect all 192.168.196.xxx on port 80, 443, 5432, 22, 1433, 6379, 445, 135 by TCP and a few other by UDP.

The protocol says that the “attack” lasted (at least) several minutes.

For the moment I have no other solution than to not use ZeroTier One. :(

Thanks for writing. That sounds a little aggressive of your host…

You can limit some of that by creating a local.conf file

You could blacklist 192.168.196.0/24 as a physical path, for example.
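As an added illustration of the local.conf suggestion above (example code, not ZeroTier’s own, and not part of the original reply): the script below generates a local.conf that blacklists one or more CIDRs as physical paths, installs it in ZeroTier’s default Linux home directory, and then watches the physical adapter to confirm nothing is still sent to that range. The “physical” / “blacklist” layout is ZeroTier’s documented local.conf format; the ZT_HOME default, the interface name eth0, the 60-second capture window and the systemd unit name zerotier-one are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not ZeroTier project code.
# Blacklisting a subnet under "physical" tells the ZeroTier One daemon never
# to try reaching a peer through an address in that range on the real
# adapter. Traffic inside the virtual network (the zt* interface) is not
# affected, so peers still talk to each other over their ZeroTier addresses.

ZT_HOME=${ZT_HOME:-/var/lib/zerotier-one}   # default Linux location (assumed)

# Print a local.conf body that blacklists every CIDR given as an argument.
zt_local_conf() {
    printf '{\n  "physical": {\n'
    i=0
    for cidr in "$@"; do
        [ "$i" -gt 0 ] && printf ',\n'
        printf '    "%s": { "blacklist": true }' "$cidr"
        i=$((i + 1))
    done
    printf '\n  }\n}\n'
}

# Write the file where the daemon reads it at startup and restart the daemon.
# Needs root; "zerotier-one" is the assumed systemd unit name.
zt_install_local_conf() {
    zt_local_conf "$@" > "$ZT_HOME/local.conf"
    systemctl restart zerotier-one
}

# Capture on the physical adapter for a while: after the blacklist is active
# there should be no packets from this host to the blacklisted range here.
# Interface name and duration are assumptions; needs root and tcpdump.
zt_watch_physical() {
    iface=${1:-eth0}
    cidr=${2:-192.168.196.0/24}
    timeout 60 tcpdump -ni "$iface" "net $cidr"
}

# Typical use (as root):
#   zt_install_local_conf 192.168.196.0/24
#   zt_watch_physical eth0 192.168.196.0/24
```

Keep in mind that the blacklist only stops ZeroTier One from using those addresses as physical paths; if the probes to 22, 445, 135 and the other ports are coming from something else on the host, the capture will still show them and the culprit has to be found separately.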

The question remains whether ZeroTier One should only use its own adapter. I was firmly convinced that it would. What would be the point of “searching” the public network for VPN participants (no idea what this scan is actually supposed to achieve - the existing nodes are actually known, after all)?

It tries to find the shortest path to any peer to optimise the routing. This part makes sense to me.
What does not make sense is probing 22, 445, 135, etc. I am not surprised at all that this looks to be malicious. Surely it should only be 9993?

It connects to other nodes on the addresses and ports they advertise themselves on. It could be any udp port.

ZeroTier One tried to connect all 192.168.196.xxx on port 80, 443, 5432, 22, 1433, 6379, 445, 135 by TCP and a few other by UDP.

Reading this again, it looks like the host is monitoring your zerotier interfaces/addresses? 192.168.196.xxx is common for zerotier networks.

The host claims that ZeroTier One uses the real network hardware adapters, too, and not only its own virtual adapter. What is the problem in understanding that this can’t be right? The requests have to stay in the VPN if they are necessary.

All VPNs/SDWANs use the real network. That’s the only way to move packets across the internet. ZeroTier packets are encrypted and sent along via the real internet.

The ZeroTier network under your account uses 192.168.196.xxx.

The best we can guess with the information we have is that something is using 80, 443, 5432, 22, 1433, 6379, 445, 135 on your ZeroTier network.

That’s quite clear.
But ZeroTier installs its own network adapter and only that should be used to do its requests. Our hoster claims ZT directly uses the “real” adapter. The “real” adapter shouldn’t know anything about the VPN-internal traffic. At what point am I unclear?
