
Re: Tracking down IP's



On Tue, Jan 02, 2001 at 02:09:20AM -0600, will trillich wrote:
> i've got something quite similar to this, but mine's on INPUT--
> 
> Jan  2 01:18:48 server kernel: Packet log: input DENY eth0 PROTO=1 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=8964 F=0x0000 T=128 (#9)
> Jan  2 01:18:51 server kernel: Packet log: input DENY eth0 PROTO=1 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=9220 F=0x0000 T=128 (#9)
> Jan  2 01:20:07 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=33028 F=0x0000 T=128 (#9)
> Jan  2 01:20:10 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34308 F=0x0000 T=128 (#9)
> Jan  2 01:20:13 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=34564 F=0x0000 T=128 (#9)

This is multicast traffic.  224.0.0.2 means "all routers on this
subnet".  This is probably router discovery traffic; I'd bet if you
nmap (with tcp fingerprint) 172.167.37.113 you'll find it's a router.

btw, unless you edited it, 172.167.37.113 is not a private address
(though someone might be laboring under the illusion that it is).  RFC
1918 says 172.16.0.0 thru 172.31.255.255 are reserved for private
networks.

] nnorman@canaris:~$ whois -h rs.arin.net 172.167
] America Online, Inc. (NETBLK-AOL-172BLK)
]    12100 Sunrise Valley Drive
]    Reston, VA 20191
]    US
] 
]    Netname: AOL-172BLK
]    Netblock: 172.128.0.0 - 172.185.255.255
]    Maintainer: AOL
] 
]    Coordinator:
]       America Online, Inc.  (AOL-NOC-ARIN)  domains@AOL.NET
]       703-265-4670
] 
]    Domain System inverse mapping provided by:
] 
]    DAHA-01.NS.AOL.COM		152.163.159.233
]    DAHA-02.NS.AOL.COM		205.188.157.233
] 
]    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
] 
]    Record last updated on 21-Nov-2000.
]    Database last updated on 1-Jan-2001 18:15:35 EDT.
] 
] The ARIN Registration Services Host contains ONLY Internet
] Network Information: Networks, ASN's, and related POC's.
] Please use the whois server at rs.internic.net for DOMAIN related
] Information and whois.nic.mil for NIPRNET Information.

How about that :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton
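An added example, not part of the thread: a small Python script that parses ipchains "Packet log" lines of the kind quoted above, checks whether the source address falls in an RFC 1918 range, recognises 224.0.0.2 as the all-routers multicast group, and decodes the ICMP type (for PROTO=1 ipchains logs the ICMP type and code in the port positions; type 10 is a router solicitation from ICMP router discovery, RFC 1256). The sample log lines are constructed; the third one is an invented RFC 1918 case.

```python
import ipaddress
import re

# Constructed sample lines in the same ipchains "Packet log" format as the
# quoted message; the third line is an invented RFC 1918 example.
SAMPLE_LOG = """\
Jan  2 01:18:48 server kernel: Packet log: input DENY eth0 PROTO=1 172.156.51.114:10 224.0.0.2:0 L=28 S=0x00 I=8964 F=0x0000 T=128 (#9)
Jan  2 01:20:07 server kernel: Packet log: input DENY eth0 PROTO=1 172.167.37.113:10 224.0.0.2:0 L=28 S=0x00 I=33028 F=0x0000 T=128 (#9)
Jan  2 01:21:00 server kernel: Packet log: input DENY eth0 PROTO=6 172.16.5.9:40123 172.16.5.1:22 L=60 S=0x00 I=1 F=0x4000 T=64 (#3)
"""

# For PROTO=1 (ICMP) ipchains logs the ICMP type where the source port would be
# and the ICMP code where the destination port would be.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# RFC 1918: 10/8, 172.16/12 (172.16.0.0 - 172.31.255.255) and 192.168/16
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ICMP router discovery (RFC 1256) message types
ICMP_TYPES = {9: "router advertisement", 10: "router solicitation"}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify(line):
    """Parse one Packet log line; return a dict describing src/dst, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto = m.group("src"), m.group("dst"), int(m.group("proto"))
    dip = ipaddress.ip_address(dst)
    if dst == "224.0.0.2":
        dst_kind = "multicast: all routers on this subnet"
    elif dip.is_multicast:
        dst_kind = "multicast"
    else:
        dst_kind = "unicast"
    info = {"src": src, "dst": dst, "src_private": is_rfc1918(src), "dst_kind": dst_kind}
    if proto == 1:  # ICMP: decode the type that ipchains logged in the port position
        info["icmp"] = ICMP_TYPES.get(int(m.group("sport")), "type %s" % m.group("sport"))
    return info

def classify_log(text):
    return [r for r in (classify(l) for l in text.splitlines()) if r]
```

Running `classify_log(SAMPLE_LOG)` shows the two quoted sources as non-private hosts sending router solicitations to the all-routers group, which is why the `whois` lookup above goes to ARIN rather than an internal address plan.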


