Re: Mysterious packet

On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
> I've started getting messages like the following:
> [12332.047451] IN=ppp0 OUT=ppp0 SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0 
> [111179.489288] IN=ppp0 OUT=ppp0 SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0 
> Now these IP numbers are not on my LAN, which is masqueraded.  They also 
> bear no relationship to my external-world IP number.  If it's about a 
> packet being sent from to either of the others, my ISP 
> shouldn't even be sending it to me.  Do I understand the message 
> correctly?

Yep. As I understand it is sending a RESET packet
to By the looks of things, though, your kernel is
responding as you'd expect it to and re-routing the packet back out your
PPP connection (that is, it came in on ppp0, it's not for you, so you
pass it back out on the default route which I imagine is ppp0).

According to whois, belongs to Google, while
belongs to the UK Ministry of Defence (MOD). I thought it might be worth
checking if either IP was a reserved one such as a multicast address,
but no, they look normal.

> What could be going on here?

If this is a one-off, it's probably a routing glitch at your ISP. If
it's regular, capture some of the data using Wireshark and/or report it
to your ISP. Or, alternatively, just firewall it out.
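
Added example (not part of the original message): a Python check that reads kernel LOG lines in the format quoted above and picks out packets that entered and left on the same interface while neither address is local. The sample lines, the documentation-range addresses and the names LOCAL_NETS, parse_line and find_stray_transit are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the netfilter LOG format quoted above.
# Addresses are RFC 5737 documentation ranges, not values from the post.
SAMPLE_LOG = """\
[12332.047451] IN=ppp0 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0
[12340.100000] IN=ppp0 OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 LEN=52 TTL=50 ID=7 PROTO=TCP SPT=443 DPT=50000 WINDOW=100 RES=0x00 ACK URGP=0
[12350.000000] IN=ppp0 OUT=ppp0 SRC= DST= LEN=40 TTL=50 ID=9 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
"""
# Assumed local ranges: a masqueraded LAN plus the host's own external address.
LOCAL_NETS = ["10.0.0.0/8", "203.0.113.4/32"]
LINE_RE = re.compile(r"\[\s*(\d+\.\d+)\]\s+(.*)")

def parse_line(line):
    """Split one LOG line into (timestamp, key=value fields, bare flags)."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)  # TCP flags such as RST, ACK, SYN appear bare
    return float(m.group(1)), fields, flags

def find_stray_transit(log_text, local_nets):
    """Return packets routed back out their ingress interface, no local endpoint."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f, flags = parsed
        if not f.get("IN") or f["IN"] != f.get("OUT"):
            continue
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
            dst = ipaddress.ip_address(f.get("DST", ""))
        except ValueError:
            continue  # address blank or mangled: cannot classify
        if any(src in n or dst in n for n in nets):
            continue
        hits.append({"ts": ts, "iface": f["IN"], "src": str(src), "dst": str(dst), "rst": "RST" in flags})
    return hits
```

Counting the hits per day from the saved kernel log separates a one-off from a regular occurrence before deciding whether to report it or drop it at the firewall.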

