I don’t know if it is a bug or if I could do something against it: ZeroTier One seems to use the “real” network adapters to scan for IPs that look like its VPN IPs.
Our hoster wrote: “The IP address(es) were used to run scans on other servers.
This consumed significant network resources and consequently severely impacted part of our network.”
ZeroTier One tried to connect to all 192.168.196.xxx on ports 80, 443, 5432, 22, 1433, 6379, 445, 135 over TCP and a few others over UDP.
The protocol says that the “attack” lasted (at least) several minutes.
For the moment I have no other solution than to not use ZeroTier One.
The question remains whether ZeroTier One should only use its own adapter. I was firmly convinced that it would. What would be the point of “searching” the public network for VPN participants (no idea what this scan is actually supposed to achieve - the existing nodes are actually known, after all)?
It tries to find the shortest path to any peer to optimise the routing. This part makes sense to me.
What does not make sense is probing 22, 445, 135, etc. I am not surprised at all that this looks to be malicious. Surely it should only be 9993?
The host claims that ZeroTier One uses the real network hardware adapters, too, and not only its own virtual adapter. What’s the problem to understand that this can’t be right? The requests have to stay in the VPN if they are necessary.
All VPNs/SDWANs use the real network. That’s the only way to move packets across the internet. ZeroTier packets are encrypted and sent along via the real internet.
The ZeroTier network under your account uses 192.168.196.xxx.
The best we can guess with the information we have is that something is using 80, 443, 5432, 22, 1433, 6379, 445, 135 on your ZeroTier network.
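The distinction made in this reply (ZeroTier's own encrypted transport on the real adapter versus application traffic addressed inside the 192.168.196.xxx overlay) can be checked in the host's own connection logs. The following is an added example, not code from the thread or from ZeroTier: it classifies constructed flow records, treating UDP on ZeroTier's port 9993 as transport, and flags any source that probes many distinct overlay hosts on the listed ports within a short window, which is the pattern the hoster reported. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ZT_UDP_PORT = 9993                            # ZeroTier's own peer transport port
ZT_SUBNET = ip_network("192.168.196.0/24")    # ZeroTier-managed range named in the thread
PROBED_PORTS = {80, 443, 5432, 22, 1433, 6379, 445, 135}

# Constructed sample flow records (assumed format): "<epoch> <proto> <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
1700000000 UDP 203.0.113.10:9993 -> 198.51.100.7:9993
1700000001 UDP 203.0.113.10:9993 -> 198.51.100.9:41822
1700000002 TCP 192.168.196.10:50001 -> 192.168.196.1:22
1700000002 TCP 192.168.196.10:50002 -> 192.168.196.2:445
1700000003 TCP 192.168.196.10:50003 -> 192.168.196.3:135
1700000003 TCP 192.168.196.10:50004 -> 192.168.196.4:6379
1700000004 TCP 192.168.196.10:50005 -> 192.168.196.5:1433
1700000005 TCP 192.168.196.10:50006 -> 192.168.196.6:80
1700000090 TCP 203.0.113.10:50007 -> 198.51.100.7:443
"""

def parse(line):
    ts, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src": ip_address(sip), "sport": int(sport),
            "dst": ip_address(dip), "dport": int(dport)}

def classify(rec):
    """Separate ZeroTier's encrypted transport from traffic inside the overlay."""
    if rec["proto"] == "UDP" and ZT_UDP_PORT in (rec["sport"], rec["dport"]):
        return "zt-transport"   # expected on the real adapter: ZT carrying encrypted packets
    if rec["dst"] in ZT_SUBNET:
        return "overlay"        # addressed to the ZT subnet: sent by something on the ZT network
    return "other"

def find_sweeps(log_text, min_hosts=5, window=60):
    """Return {src: [distinct overlay hosts]} for sources that hit at least min_hosts
    distinct hosts in ZT_SUBNET on PROBED_PORTS within `window` seconds."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if classify(rec) == "overlay" and rec["proto"] == "TCP" and rec["dport"] in PROBED_PORTS:
            by_src[rec["src"]].append(rec)
    sweeps = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # sliding window anchored at each record
            hosts = {r["dst"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                sweeps[str(src)] = [str(h) for h in sorted(hosts)]
                break
    return sweeps
```

A source flagged here is an overlay address, which points at a machine on the ZeroTier network rather than at ZeroTier's transport, so the next step is to identify which member holds that managed IP.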
That’s quite clear.
But ZeroTier installs its own network adapter and only that should be used to do its requests. Our hoster claims ZT directly uses the “real” adapter. The “real” adapter shouldn’t know anything about the VPN-internal traffic. At what point am I unclear?