Large number of port 37 (RFC868 time protocol) requests from fixed.kpn.net IPs?

I have a VPS in the Netherlands and I joined it to the pool. After that, I was looking at my firewall log and noticed I was getting several requests per second from various IPs, addressed to UDP port 37, associated with the ancient RFC868 time protocol. All IPs reverse-resolved to “fixed.kpn.net” which seems to be some kind of Netherlands ISP: https://www.overons.kpn/en/kpn-in-the-netherlands/our-network/fixed-network

All of the IPs sending traffic to port 37 are IPv4, although I’m in the pool as both IPv4 and IPv6.

I was feeling generous so I installed xinetd and activated a server for this protocol. (The protocol supports both TCP and UDP but I enabled it for UDP only as that was all I was seeing requests for.)

I allowed the traffic through the firewall & verified that I’m responding to the requests now. I thought if they got a response they might shut up for a while, but it seems like each IP continues to send a new request every few seconds.

Has anyone seen anything like this before or have any insights / ideas about exactly what is happening here?

tcpdump log showing some of these requests and responses:

08:28:06.709097 IP 86-95-86-101.fixed.kpn.net.10740 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:06.709365 IP ipv4.MYDOMAIN.time > 86-95-86-101.fixed.kpn.net.10740: UDP, length 4
08:28:07.047885 IP 86-90-14-93.fixed.kpn.net.65518 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:07.048146 IP ipv4.MYDOMAIN.time > 86-90-14-93.fixed.kpn.net.65518: UDP, length 4
08:28:07.154944 IP 86-86-199-112.fixed.kpn.net.56526 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:07.155230 IP ipv4.MYDOMAIN.time > 86-86-199-112.fixed.kpn.net.56526: UDP, length 4
08:28:07.179140 IP 145-53-219-150.fixed.kpn.net.40518 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:07.179440 IP ipv4.MYDOMAIN.time > 145-53-219-150.fixed.kpn.net.40518: UDP, length 4
08:28:08.013170 IP 86-85-67-163.fixed.kpn.net.35891 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:08.013484 IP ipv4.MYDOMAIN.time > 86-85-67-163.fixed.kpn.net.35891: UDP, length 4
08:28:09.304604 IP 77-168-76-16.fixed.kpn.net.64295 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:09.304838 IP ipv4.MYDOMAIN.time > 77-168-76-16.fixed.kpn.net.64295: UDP, length 4
08:28:09.437496 IP 86-85-67-163.fixed.kpn.net.64939 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:09.437735 IP ipv4.MYDOMAIN.time > 86-85-67-163.fixed.kpn.net.64939: UDP, length 4
08:28:10.909157 IP 86-95-86-101.fixed.kpn.net.10740 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:10.909429 IP ipv4.MYDOMAIN.time > 86-95-86-101.fixed.kpn.net.10740: UDP, length 4
08:28:11.247969 IP 86-90-14-93.fixed.kpn.net.65518 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:11.248203 IP ipv4.MYDOMAIN.time > 86-90-14-93.fixed.kpn.net.65518: UDP, length 4
08:28:11.355008 IP 86-86-199-112.fixed.kpn.net.56526 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:11.355288 IP ipv4.MYDOMAIN.time > 86-86-199-112.fixed.kpn.net.56526: UDP, length 4
08:28:11.379163 IP 145-53-219-150.fixed.kpn.net.40518 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:11.379452 IP ipv4.MYDOMAIN.time > 145-53-219-150.fixed.kpn.net.40518: UDP, length 4
08:28:12.213238 IP 86-85-67-163.fixed.kpn.net.35891 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:12.213489 IP ipv4.MYDOMAIN.time > 86-85-67-163.fixed.kpn.net.35891: UDP, length 4
08:28:13.504423 IP 77-168-76-16.fixed.kpn.net.64295 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:13.504679 IP ipv4.MYDOMAIN.time > 77-168-76-16.fixed.kpn.net.64295: UDP, length 4
08:28:13.637538 IP 86-85-67-163.fixed.kpn.net.64939 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:13.637780 IP ipv4.MYDOMAIN.time > 86-85-67-163.fixed.kpn.net.64939: UDP, length 4
08:28:15.109358 IP 86-95-86-101.fixed.kpn.net.10740 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:15.109674 IP ipv4.MYDOMAIN.time > 86-95-86-101.fixed.kpn.net.10740: UDP, length 4
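
Added example, not part of the original post: a Python script that reads tcpdump lines in the format shown above and measures how often each client (host and source port) re-sends its empty RFC 868 request. The sample lines and host names are constructed, and the 10-second threshold in `fast_pollers` is an assumption.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in the same tcpdump format as the capture above.
SAMPLE = """\
08:28:06.700000 IP client-a.example.net.10740 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:06.700300 IP ipv4.MYDOMAIN.time > client-a.example.net.10740: UDP, length 4
08:28:07.000000 IP client-b.example.net.65518 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:10.900000 IP client-a.example.net.10740 > ipv4.MYDOMAIN.time: UDP, length 0
08:28:15.100000 IP client-a.example.net.10740 > ipv4.MYDOMAIN.time: UDP, length 0
08:29:11.000000 IP client-b.example.net.65518 > ipv4.MYDOMAIN.time: UDP, length 0
"""

# time, source host, source port, destination port (name or number), UDP length
LINE = re.compile(
    r"(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > \S+\.([\w-]+): UDP, length (\d+)"
)

def request_intervals(capture):
    """Return {(host, src_port): [seconds between consecutive requests]}."""
    last, gaps = {}, defaultdict(list)
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # server replies and unrelated lines do not match
        hh, mm, ss, host, sport, dport, length = m.groups()
        # An RFC 868 UDP request is an empty datagram sent to port 37 ("time").
        if dport not in ("time", "37") or length != "0":
            continue
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        key = (host, int(sport))
        if key in last:
            # Modulo keeps the gap positive if the capture crosses midnight.
            gaps[key].append(round((t - last[key]) % 86400, 3))
        last[key] = t
    return dict(gaps)

def fast_pollers(capture, max_gap=10.0):
    """Clients whose median gap between requests is below max_gap seconds."""
    return {k: median(v) for k, v in request_intervals(capture).items()
            if median(v) < max_gap}

if __name__ == "__main__":
    for (host, port), gap in sorted(fast_pollers(SAMPLE).items()):
        print(f"{host}:{port} re-requests every {gap:.1f}s (median)")
```

A client that keeps the same source port and a fixed gap, as in the capture above, points to one process retrying on a timer rather than many separate lookups.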

I noticed this old thread without any reply. Not sure whether you already have a resolution or not.

What I do to notify IP address owners is to use www.arin.net to look up who the IP address space is managed by. Contact them with the abuse e-mail address they supply or the Admin contact and they can contact the users that use the IP addresses.

You can also ask them to relay your contact info, so you can attempt to get a technical contact directly, so you can explain.