For the past three or so months I've been noticing entries in Suricata that concern me. Maybe they are benign, but I figured I'd throw this out there and see if anyone has experienced or is experiencing this.

There is a pattern to these entries. All of them are listed as 'PROTOCOL-ICMP Destination Unreachable Network Unreachable'. But it's like there is a cron that fires this off once every hour and five minutes, give or take.

12/13/2025 16:55:02
12/13/2025 15:50:01
12/13/2025 14:45:01
12/13/2025 13:40:01
12/13/2025 12:35:01
12/13/2025 11:30:01
12/13/2025 10:25:02
12/13/2025 09:20:01
12/13/2025 08:15:01
12/13/2025 07:10:01

These IP ranges are usually from China, Romania, and Singapore, the biggest 'offender' being China:

203.119.27.1 was found in our database! This IP was reported 11 times. Confidence of Abuse is 1%
ISP: China Internet Network Information Center
Usage Type: Data Center/Web Hosting/Transit
ASN: AS24406
Hostname(s): c.dns.cn
Domain Name: cnnic.cn
Country: 🇨🇳 China
City: Shanghai, Shanghai

Thing is, these IPs are usually what I consider 'clean'. Not a lot of abuse reports. On the surface, I know what 'PROTOCOL-ICMP Destination Unreachable Network Unreachable' means. Pretty self-explanatory. What I'm trying to figure out is the why part.

I have gone through my logs, monitored for any calls to these IPs from inside the network, and I come up empty. Nothing within my network, whether server or other devices, is requesting data from these IPs. I have no cron set to do such a thing on an hour-and-five-minute interval.

So I'm left wondering, is this normal network chatter? Perhaps scraping attempts? Or perhaps breach attempts? So, I sit at the feet of the network experts to be schooled and see if I have something misconfigured, or if it's nothing to be worried about, or what the devil is going on.
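Two things are worth pulling out of alerts like these, shown here as an added example that is not part of the original post: the spacing between the alerts (the timestamps listed above) and the original datagram quoted inside each ICMP Destination Unreachable message. RFC 792 requires a type 3 error to carry the offending packet's IP header plus at least the first 8 bytes of its payload, and because the error is addressed to that packet's source, the quoted destination, protocol and ports identify exactly what packet provoked it, whether it was sent from your network or by someone else using your address as the source. The Suricata alert name does not show that; a capture of the raw packet on the sensor (for example tcpdump -nv 'icmp[icmptype] == 3') does. The script below computes the interval pattern from the post's own timestamps and decodes a constructed sample packet. The sample's 203.119.27.1 is the address from the post; 192.0.2.10, 198.51.100.23 and the ports are documentation values chosen for the example, not taken from the post.

```python
import socket
import statistics
import struct
from datetime import datetime

# ICMP type 3 code meanings (RFC 792 / RFC 1812), the ones seen most often.
ICMP_UNREACH_CODES = {
    0: "network unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}

# The alert timestamps listed in the post (newest first).
ALERT_TIMES = [
    "12/13/2025 16:55:02", "12/13/2025 15:50:01", "12/13/2025 14:45:01",
    "12/13/2025 13:40:01", "12/13/2025 12:35:01", "12/13/2025 11:30:01",
    "12/13/2025 10:25:02", "12/13/2025 09:20:01", "12/13/2025 08:15:01",
    "12/13/2025 07:10:01",
]


def alert_intervals(stamps, fmt="%m/%d/%Y %H:%M:%S"):
    """Seconds between consecutive alerts, ordered oldest to newest."""
    times = sorted(datetime.strptime(s, fmt) for s in stamps)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def is_periodic(intervals, tolerance=5):
    """(True, median_gap) if every gap is within `tolerance` seconds of the median."""
    if len(intervals) < 2:
        return False, None
    med = int(statistics.median(intervals))
    return all(abs(i - med) <= tolerance for i in intervals), med


def _ipv4_header(buf):
    """Decode the fixed part of an IPv4 header: (header length, proto, src, dst)."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])


def parse_icmp_unreachable(pkt):
    """Decode an IPv4 packet carrying ICMP Destination Unreachable (type 3).

    Returns the ICMP code plus the addresses, protocol and (for TCP/UDP)
    ports of the quoted original datagram, i.e. the packet that provoked it.
    """
    ihl, proto, src, dst = _ipv4_header(pkt)
    if proto != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[ihl:]
    itype, icode = icmp[0], icmp[1]
    if itype != 3:
        raise ValueError(f"ICMP type {itype} is not Destination Unreachable")
    quoted = icmp[8:]  # RFC 792: original IP header + at least 8 bytes of its payload
    q_ihl, q_proto, q_src, q_dst = _ipv4_header(quoted)
    l4 = quoted[q_ihl:q_ihl + 8]
    # TCP (6) and UDP (17) both keep source and destination port in the first 4 bytes.
    ports = struct.unpack("!HH", l4[:4]) if q_proto in (6, 17) and len(l4) >= 4 else (None, None)
    return {
        "icmp_from": src, "icmp_to": dst,
        "code": icode, "reason": ICMP_UNREACH_CODES.get(icode, f"code {icode}"),
        "orig_src": q_src, "orig_dst": q_dst, "orig_proto": q_proto,
        "orig_sport": ports[0], "orig_dport": ports[1],
    }


def build_sample_unreachable():
    """Constructed sample (not a real capture): 203.119.27.1 tells 192.0.2.10 that a
    UDP datagram from 192.0.2.10:51234 to 198.51.100.23:53 could not be routed."""
    quoted_udp = struct.pack("!HHHH", 51234, 53, 8, 0)          # sport, dport, length, checksum
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(quoted_udp), 0xABCD, 0x4000,
                            1, 17, 0, socket.inet_aton("192.0.2.10"),
                            socket.inet_aton("198.51.100.23"))
    icmp = struct.pack("!BBHI", 3, 0, 0, 0) + quoted_ip + quoted_udp  # type 3, code 0
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 250, 1, 0,
                        socket.inet_aton("203.119.27.1"), socket.inet_aton("192.0.2.10"))
    return outer + icmp


if __name__ == "__main__":
    gaps = alert_intervals(ALERT_TIMES)
    print("intervals (s):", gaps, "periodic:", is_periodic(gaps))
    print(parse_icmp_unreachable(build_sample_unreachable()))
```

On the post's timestamps every gap comes out at 3900 seconds give or take one, so the 65-minute cadence is real rather than an artifact of log rounding. Feeding real bytes from a pcap into parse_icmp_unreachable gives the quoted destination and port, which is the thing to search for in outbound flow logs; if nothing on the network ever sent such a packet, the remaining explanation for unsolicited unreachables is that the quoted source address was forged by a third party.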