
I have a bare metal dedicated server with a UK hosting company.

They have an automated system which keeps blocking my server because they claim that I am using an unauthorised IP address. The IP address which they claim my server is trying to bind to is 109.169.37.166. The IP address which I am allowed to use is 109.169.37.97.

If I do ip addr show the output is:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether c8:1f:66:c4:b4:1d brd ff:ff:ff:ff:ff:ff
    inet 109.169.37.97/24 brd 109.169.37.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ca1f:66ff:fec4:b41d/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c8:1f:66:c4:b4:1e brd ff:ff:ff:ff:ff:ff

so the machine appears here to be bound to the correct IP. Also if I look at my netplan config file, the output is:

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [ 109.169.37.97/24 ]
      gateway4: 109.169.37.1
      nameservers:
        addresses: [ 80.84.58.27, 80.84.58.28 ]

which again appears correct. I am at a loss. Where else could the incorrect IP address be assigned? My DNS is set up to point to the 109.169.37.97 address and this works so I am not sure what the issue is.

user1022788

1 Answer


You can always install firewall rules to record (log) and prevent (drop) outgoing traffic with the wrong IP altogether. Use something like this:

iptables -I OUTPUT 1 -o eth0 ! -s 109.169.37.97 -j DROP
iptables -I OUTPUT 1 -o eth0 ! -s 109.169.37.97 -j LOG --log-prefix "Suspicious"

(in this order, because the second -I ... 1 command will move the rule installed with the first command to the second position). You can even try to run some log-analyzing program which will react to that "Suspicious" prefix and run ip addr immediately to see if the claimed address is assigned to the machine.

A computer can send packets to the network with some source address even if it doesn't have that address assigned. For example, this is precisely what a router does. A special case of this is proxy-ARP, which can also display such strange behaviour. Also, your computer can source-NAT something to that address. It is hard to configure all of this accidentally, but who knows what's going on; the original claim is very strange. Anyway, in all such cases the packet will not traverse the filter OUTPUT chain, so the rules above will not catch it, but you can have other rules that will trigger; try to install similar rules into filter FORWARD, or even mangle POSTROUTING. (I think there is no way in Netfilter to catch packets after all possible translations have been applied; please see the Netfilter packet flow diagram for details.)

How to analyze why it happens: if the problem occurs often enough, the best option is to have a traffic capture running and catch the claimed occurrence of IP address hijacking. Then you can analyse that capture to see what happens (which traffic came directly before the claimed hijacking occurred).

If that is not feasible, e.g. the problem appears randomly once a week, try configuring traffic accounting, for example with flow-tools, and analyze that.

Nikita Kipriyanov
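The following is an added example, not code from the question or the answer above. It puts the answer's approach into one script: a function that prints the iptables rules for filter OUTPUT, filter FORWARD and mangle POSTROUTING (LOG inserted after DROP so it lands in front of it, with a rate limit so a runaway process cannot flood the log), a function that sifts LOG output for source addresses other than the allowed one, and the "react to the hit" loop that snapshots the interface addresses, NAT rules and forwarding sysctls when a hit appears. The allowed address 109.169.37.97 and interface eth0 come from the question; the log prefixes, the `-m limit` values, the `watch_log` helper and the sample log lines are assumptions made for the example, and the sample lines are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original answer: print the netfilter rules
# the answer describes (filter OUTPUT, plus filter FORWARD and mangle
# POSTROUTING for routed/NATed traffic) and sift iptables LOG output for
# source addresses other than the one the host is allowed to use.
# The log lines near the bottom are constructed samples in the format the
# kernel LOG target emits; they are not real captures from the poster's server.

ALLOWED_IP="109.169.37.97"   # the only address the hoster permits (from the question)
IFACE="eth0"                 # uplink interface from the question
PREFIX="Suspicious"          # common prefix so one grep finds every hit (assumed)

# Print the rules instead of running them, so they can be reviewed and then
# applied with:  emit_rules "$ALLOWED_IP" "$IFACE" | sh
# Each chain gets DROP inserted first and LOG inserted second, both at
# position 1, so the final order is LOG then DROP (the point made in the
# answer). "-m limit" keeps a misbehaving process from flooding the log.
emit_rules() {
    ip="$1"; dev="$2"
    lim="-m limit --limit 10/min --limit-burst 20"
    # Locally generated packets.
    echo "iptables -I OUTPUT 1 -o $dev ! -s $ip -j DROP"
    echo "iptables -I OUTPUT 1 -o $dev ! -s $ip $lim -j LOG --log-prefix \"$PREFIX-out \" --log-level warning"
    # Packets routed through the box (ip_forward=1, proxy-ARP) never
    # traverse OUTPUT, so repeat the pair in FORWARD.
    echo "iptables -I FORWARD 1 -o $dev ! -s $ip -j DROP"
    echo "iptables -I FORWARD 1 -o $dev ! -s $ip $lim -j LOG --log-prefix \"$PREFIX-fwd \" --log-level warning"
    # mangle POSTROUTING sees both local and forwarded packets, but it runs
    # before nat POSTROUTING, so a source rewritten by SNAT still shows its
    # pre-NAT address here; inspect "iptables -t nat -S POSTROUTING" separately
    # if SNAT is the suspect.
    echo "iptables -t mangle -I POSTROUTING 1 -o $dev ! -s $ip $lim -j LOG --log-prefix \"$PREFIX-post \" --log-level warning"
}

# Read syslog/journal lines on stdin and print "SRC count" for every logged
# source address that is not the allowed one, most frequent first.
flag_hijacks() {
    allowed="$1"
    grep -F -- "$PREFIX" \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | grep -vxF -- "$allowed" \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# The live reaction the answer suggests: snapshot the interface addresses,
# the NAT rules and the forwarding/proxy-ARP sysctls the moment a hit is
# logged. Run by hand as root on the server (GNU grep for --line-buffered);
# it is defined here but not executed, since it never returns.
watch_log() {
    tail -F /var/log/kern.log \
      | grep --line-buffered -F -- "$PREFIX" \
      | while IFS= read -r line; do
            printf '%s\n' "$line"
            ip -4 addr show dev "$IFACE"
            iptables -t nat -S POSTROUTING
            sysctl -n net.ipv4.ip_forward "net.ipv4.conf.$IFACE.proxy_arp"
        done
}

# Constructed sample log (not real data): three hits from the address the
# hoster complained about, one from another unassigned address, and two
# unrelated lines that must be ignored.
SAMPLE_LOG='Mar  3 10:15:01 srv kernel: Suspicious-out IN= OUT=eth0 SRC=109.169.37.166 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 10:15:02 srv kernel: Suspicious-out IN= OUT=eth0 SRC=109.169.37.166 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 10:15:09 srv kernel: Suspicious-fwd IN=eth1 OUT=eth0 SRC=109.169.37.166 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:15:11 srv kernel: Suspicious-post IN= OUT=eth0 SRC=192.0.2.44 DST=198.51.100.7 LEN=52 PROTO=UDP SPT=40000 DPT=53
Mar  3 10:15:20 srv sshd[1234]: Accepted publickey for admin from 198.51.100.20 port 50022 ssh2
Mar  3 10:16:00 srv kernel: eth0: link up'

echo "# rules to apply:"
emit_rules "$ALLOWED_IP" "$IFACE"
echo "# offending sources in sample log:"
printf '%s\n' "$SAMPLE_LOG" | flag_hijacks "$ALLOWED_IP"
```

On the sample input `flag_hijacks` reports 109.169.37.166 three times and 192.0.2.44 once, which is the kind of summary you would hand back to the hoster alongside the matching capture. Because the mangle POSTROUTING rule logs the pre-NAT source, a hit there with a source you never configured points at forwarding or proxy-ARP rather than SNAT; if every chain stays silent while the hoster keeps complaining, the source is being set after all the hooks these rules can reach, and the packet capture the answer recommends is the next step.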