Docker0 Connection Spam in Logs

Hello!
Over the past couple of days, I can’t remember when this started to crop up, my journal logs are filled with:

[UFW BLOCK] IN=docker0 OUT= MAC= SRC=172.17.0.1 DST=239.192.152.143 LEN=165 TOS=0x00 PREC=0x00 TTL=32 ID=4232 DF PROTO=UDP SPT=6771 DPT=6771 LEN=145

every 20 or so seconds.
My ufw rules look like this:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    Anywhere                  
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
Anywhere                   ALLOW IN    192.168.1.0/24            
58846/tcp                  ALLOW IN    Anywhere                  
47417/tcp                  ALLOW IN    Anywhere                  
47417/udp                  ALLOW IN    Anywhere                  
2222/tcp (v6)              ALLOW IN    Anywhere (v6)             
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)             
58846/tcp (v6)             ALLOW IN    Anywhere (v6)             
47417/tcp (v6)             ALLOW IN    Anywhere (v6)             
47417/udp (v6)             ALLOW IN    Anywhere (v6) 

I’m running Docker on a 64-bit Raspberry Pi, Debian 11.
This is with the Docker service stopped, & all containers offline.

The closest thing I have to a solution right now is this stackoverflow question, but I don’t want to resort to that just yet given I have no idea why it’s trying to reach 239.192.152.143 on the specified port.

Am I missing something completely obvious? I got no clue so apologies in advance if it’s something stupid, & any help is appreciated!

Nobody’s got an idea?

Seen this?


Damn… that’s pretty much spot on.
I do have a Deluge instance running 24/7.
Well, in that case, I’ll be good with whitelisting to prevent error messages, correct?

Also, if you don’t mind, however did you find that post? I’d looked it up, but not properly it seems, as using your answer it’s all available.

Anyways, many thanks for identifying the issue, I can now rest much easier :slight_smile:

Since there has been so much regarding log4j (Apache Log4j 2 CVE-2021-44228 - Docker Blog), I thought it might be a compromised image, so I googled the IP.

But it’s because Deluge is using LPD, then, to find more peers. You can either disable this in Deluge or just let it be; it won’t matter.
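
A triage sketch for the log line discussed in this thread, added as an example and not part of any poster's reply: it parses `[UFW BLOCK]` entries and labels those sent to the BitTorrent Local Service Discovery group (BEP 14, the feature called LPD above) so they can be told apart from other blocked traffic. The function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# BEP 14 multicast groups and port; the IPv4 pair matches DST/DPT in the thread's log line.
LSD_GROUPS = {ipaddress.ip_address(a) for a in ("239.192.152.143", "ff15::efc0:988f")}
LSD_PORT = "6771"

# First entry is the line from the thread; the other two are constructed samples.
SAMPLE = [
    "[UFW BLOCK] IN=docker0 OUT= MAC= SRC=172.17.0.1 DST=239.192.152.143 LEN=165 "
    "TOS=0x00 PREC=0x00 TTL=32 ID=4232 DF PROTO=UDP SPT=6771 DPT=6771 LEN=145",
    "[UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.168.1.20 DST=224.0.0.251 LEN=73 "
    "TOS=0x00 PREC=0x00 TTL=255 ID=100 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53",
    "[UFW BLOCK] IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=51 ID=200 DF PROTO=TCP SPT=40000 DPT=23",
]

def parse_ufw_line(line):
    """Return the KEY=VALUE fields of a UFW log line, or None if it is not one."""
    m = re.search(r"\[UFW ([A-Z ]+)\]", line)
    if not m:
        return None
    fields = {"ACTION": m.group(1)}
    for key, value in re.findall(r"(\w+)=(\S*)", line[m.end():]):
        fields.setdefault(key, value)  # first LEN is the IP length, second the UDP length
    return fields

def classify(fields):
    """Label an entry 'bittorrent-lsd', 'multicast-other', 'unicast' or 'unparsed'."""
    try:
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return "unparsed"
    if (fields.get("PROTO") == "UDP" and dst in LSD_GROUPS
            and fields.get("DPT") == LSD_PORT):
        return "bittorrent-lsd"
    return "multicast-other" if dst.is_multicast else "unicast"

def summarize(lines):
    """Count blocked entries per (label, interface, source, destination)."""
    counts = Counter()
    for line in lines:
        f = parse_ufw_line(line)
        if f and f["ACTION"] == "BLOCK":
            counts[(classify(f), f.get("IN"), f.get("SRC"), f.get("DST"))] += 1
    return counts
```

Feeding `summarize()` the UFW lines from the journal shows at a glance whether the blocked traffic is only the discovery multicast or includes something that needs a closer look.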

I see, thanks once again for clarifying. I’ll likely just let it be.
