Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Hetzner MAC-address abuse
New on LowEndTalk? Please Register and read our Community Rules.

Hetzner MAC-address abuse

datanomidatanomi Member

This week I have received 2 MAC-address abuse tickets from Hetzner.

I've been trying to figure what could be the problem since nothing has changed in my setup and these have only started recently.

Today though I noticed that all the MAC-addresses that Hetzner sent to me are quite similar to one another but also similar to the Gateway MAC-address.

Abuse MACs
60:99:d0:07:ca:8d
d8:23:d0:07:ca:8d
04:51:d0:07:ca:8d
32:db:d0:07:ca:8d

d0:07:ca:8d:21:d3 - Hetzner Gateway MAC

So I'm thinking could this be frame corruption and possibly faulty hardware?
I sent a ticket to Hetzner but they have given me generic responses for the last two responses.

Comments

  • comXyzcomXyz Member

    Are you running proxmox?

  • @comXyz said:
    Are you running proxmox?

    No, I am not running any virtualization software.

    I should also point out that the retry link that they give in the ticket always resolves the ticket without me doing any modifications to the server.

  • ralfralf Member

    @datanomi said:
    This week I have received 2 MAC-address abuse tickets from Hetzner.

    I've been trying to figure what could be the problem since nothing has changed in my setup and these have only started recently.

    Today though I noticed that all the MAC-addresses that Hetzner sent to me are quite similar to one another but also similar to the Gateway MAC-address.

    Abuse MACs
    60:99:d0:07:ca:8d
    d8:23:d0:07:ca:8d
    04:51:d0:07:ca:8d
    32:db:d0:07:ca:8d
    
    d0:07:ca:8d:21:d3 - Hetzner Gateway MAC
    

    So I'm thinking could this be frame corruption and possibly faulty hardware?
    I sent a ticket to Hetzner but they have given me generic responses for the last two responses.

    Yeah, I think you're probably right. Those numbers are just too coincidental given that MAC addresses are usually pretty random except for the first 2 digits, which are usually the same for the same vendor.

    That said, it's shifted in a weird way... The destination address is before the source address in the ethernet frame, which would mean it'd have to have started 8 bytes early to transpose the bytes that way.

    However, the packet preamble would be 7x55,d5 so that would be fixed and so you would expect that to be interpreted as a packet to MAC 55:55:55:55:55:55 and source 55:d5:d0:07:ca:8d. The reason that's important is that the "abuse" MAC would be fixed, not random.

    But either way, I still think faulty hardware is the most likely.

    Thanked by 2datanomi dahartigan
  • @ralf said:

    @datanomi said:
    This week I have received 2 MAC-address abuse tickets from Hetzner.

    I've been trying to figure what could be the problem since nothing has changed in my setup and these have only started recently.

    Today though I noticed that all the MAC-addresses that Hetzner sent to me are quite similar to one another but also similar to the Gateway MAC-address.

    Abuse MACs
    60:99:d0:07:ca:8d
    d8:23:d0:07:ca:8d
    04:51:d0:07:ca:8d
    32:db:d0:07:ca:8d
    
    d0:07:ca:8d:21:d3 - Hetzner Gateway MAC
    

    So I'm thinking could this be frame corruption and possibly faulty hardware?
    I sent a ticket to Hetzner but they have given me generic responses for the last two responses.

    Yeah, I think you're probably right. Those numbers are just too coincidental given that MAC addresses are usually pretty random except for the first 2 digits, which are usually the same for the same vendor.

    That said, it's shifted in a weird way... The destination address is before the source address in the ethernet frame, which would mean it'd have to have started 8 bytes early to transpose the bytes that way.

    However, the packet preamble would be 7x55,d5 so that would be fixed and so you would expect that to be interpreted as a packet to MAC 55:55:55:55:55:55 and source 55:d5:d0:07:ca:8d. The reason that's important is that the "abuse" MAC would be fixed, not random.

    But either way, I still think faulty hardware is the most likely.

    Thanks this helps a lot. It's still up to Hetzner what they will do but I just wanted to know that I wasn't totally wrong.

  • @datanomi said:
    This week I have received 2 MAC-address abuse tickets from Hetzner.

    I've been trying to figure what could be the problem since nothing has changed in my setup and these have only started recently.

    Today though I noticed that all the MAC-addresses that Hetzner sent to me are quite similar to one another but also similar to the Gateway MAC-address.

    Abuse MACs
    60:99:d0:07:ca:8d
    d8:23:d0:07:ca:8d
    04:51:d0:07:ca:8d
    32:db:d0:07:ca:8d
    
    d0:07:ca:8d:21:d3 - Hetzner Gateway MAC
    

    So I'm thinking could this be frame corruption and possibly faulty hardware?
    I sent a ticket to Hetzner but they have given me generic responses for the last two responses.

    The MSB in the first octet of some MACs being set makes them bogus. @ralf is right, there's malfunctioning hardware and it's probably on Hetzner's side.

  • ralfralf Member
    edited August 5

    @TimboJones said:
    The MSB in the first octet of some MACs being set makes them bogus. @ralf is right, there's malfunctioning hardware and it's probably on Hetzner's side.

    The broadcast bit is actually the LSB of the first byte (i.e. the first bit transmitted) and it's clear on all of these.

    Thanked by 1TimboJones
  • @ralf said:

    @TimboJones said:
    The MSB in the first octet of some MACs being set makes them bogus. @ralf is right, there's malfunctioning hardware and it's probably on Hetzner's side.

    The broadcast bit is actually the LSB of the first byte (i.e. the first bit transmitted) and it's clear on all of these.

    Crap, yep.

  • emgemg Member

    @datanomi said:
    This week I have received 2 MAC-address abuse tickets from Hetzner.

    I've been trying to figure what could be the problem since nothing has changed in my setup and these have only started recently.

    Today though I noticed that all the MAC-addresses that Hetzner sent to me are quite similar to one another but also similar to the Gateway MAC-address.

    Abuse MACs
    60:99:d0:07:ca:8d
    d8:23:d0:07:ca:8d
    04:51:d0:07:ca:8d
    32:db:d0:07:ca:8d
    
    d0:07:ca:8d:21:d3 - Hetzner Gateway MAC
    

    So I'm thinking could this be frame corruption and possibly faulty hardware?
    I sent a ticket to Hetzner but they have given me generic responses for the last two responses.

    What is the device with the "Abuse MACs"? Is it real hardware like a dedicated server, or is it a virtual machine like a VPS?

    What MAC address(es) show up with "ip a" or "ifconfig" commands on the "abuse" system?

    The pattern d0:07:ca are the first three octets of Juniper Networks devices. They show up as the first three octets of the Hetzner Gateway MAC address, which makes sense to me.

    Those same octets appear as the 3rd through 5th octets in the Abuse MACs addresses. Is that part of a MAC address randomization feature for a virtual machine?

  • Well Hetzner responded that they would swap my server for another one and would investigate the broken server.

    Thanked by 3ralf i4P1 Erisa
  • My takeaway from this story - want your Hetzner server to be fully swapped for some reason?
    Spoof some random MACs, shrug when they ask you for explanation - blame the hardware :trollface:

    Thanked by 1ralf
  • ralfralf Member

    @luckypenguin said:
    My takeaway from this story - want your Hetzner server to be fully swapped for some reason?
    Spoof some random MACs, shrug when they ask you for explanation - blame the hardware :trollface:

    "Honestly guv, that 330TB of spoofed data was your own router, innit?"

  • @ralf said: "Honestly guv, that 330TB of spoofed data was your own router, innit?"

    Nah, that will make it a full throttle 1gbit running 24/7/30.
    Hetzner would give you a max of 48 hours to resolve those MAC/IP spoof crap.
    I'm talking about a legit case where you really know you need your hardware replaced,
    i.e. shitty disk info in SMART, high CPU temp they won't look at, etc.

  • ralfralf Member

    @luckypenguin said:

    @ralf said: "Honestly guv, that 330TB of spoofed data was your own router, innit?"

    Nah, that will make it a full throttle 1gbit running 24/7/30.
    Hetzner would give you a max of 48 hours to resolve those MAC/IP spoof crap.
    I'm talking about a legit case where you really know you need your hardware replaced,
    i.e. shitty disk info in SMART, high CPU temp they won't look at, etc.

    Heh, sorry now the situation was resolved, I was parodying the other thread!

    But in the case of a drive about to fail, from what I've heard they do swap disks if they're old and genuinely a cause for concern. But for broken NIC, they'd probably want to minimise downtime and so just move the disk into another known-good machine.

    Thanked by 1luckypenguin
  • @ralf said: Heh, sorry now the situation was resolved, I was parodying the other thread!

    But in the case of a drive about to fail, from what I've heard they do swap disks if they're old and genuinely a cause for concern. But for broken NIC, they'd probably want to minimise downtime and so just move the disk into another known-good machine.

    There are many reasons why they wouldn't replace a complete server.
    Not happened to me personally because I only had to ask it twice in my lifetime,
    and both times it was a genuine request (or at least they thought so) but some people
    here think that they get "inferior setups" here and then. May it be bad disk performance
    or slow network, I'm just giving a little idea. Since it takes quite a technical skill to achieve
    I don't think it will be abused by LET's teenagers that often :)

  • emgemg Member

    Have we confirmed that it is a broken NIC?

    This is a very unusual failure mode for a NIC. I have never heard of a NIC experiencing a hardware failure where the NIC remained operational but started using various MAC addresses. There is a first time for everything, I suppose.

  • msnmsn Member

    @luckypenguin said: i.e. shitty disk info in SMART

    Just open a ticket and they will change the disk. just had that done today. took 10 minutes.

    Thanked by 1karjaj
  • @emg said:
    Have we confirmed that it is a broken NIC?

    This is a very unusual failure mode for a NIC. I have never heard of a NIC experiencing a hardware failure where the NIC remained operational but started using various MAC addresses. There is a first time for everything, I suppose.

    I don't know if Hetzner will come back to me if they find something in my old server. But I guess if I don't get any more abuse tickets from Hetzner then something was indeed broken in that server.

  • emgemg Member

    Do the MAC addresses on the new server make sense? Do the first three octets point to real hardware devices?

  • "mac address abuse" lol... so you're paying for a managed server, hetzner is just making you manage their servers for free.

Sign In or Register to comment.