On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
> I've started getting messages like the following:
>
> [12332.047451] IN=ppp0 OUT=ppp0 SRC=22.214.171.124 DST=126.96.36.199 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0
> [111179.489288] IN=ppp0 OUT=ppp0 SRC=188.8.131.52 DST=184.108.40.206 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
>
> Now these IP numbers are not on my LAN, which is masqueraded. They also
> bear no relationship to my external-world IP number. If it's about a
> packet being sent from 220.127.116.11 to either of the others, my ISP
> shouldn't even be sending it to me. Do I understand the message
> correctly?

Yep. As I understand it 18.104.22.168:5228 is sending a RESET packet to 22.214.171.124:44380. By the looks of things, though, your kernel is responding as you'd expect it to and re-routing the packet back out your PPP connection (that is, it came in on ppp0, it's not for you, so you pass it back out on the default route which I imagine is ppp0).

According to whois, 126.96.36.199 belongs to Google, while 188.8.131.52 belongs to the UK Ministry of Defence (MOD).

I thought it might be worth checking if either IP was a reserved one such as a multicast address, but no, they look normal.

>
> What could be going on here?

If this is a one-off, it's probably a routing glitch at your ISP. If it's regular, capture some of the data using Wireshark and/or report it to your ISP. Or, alternatively, just firewall it out.
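The reading of the log lines given in the reply above can be automated to tell a one-off from a regular occurrence. The following is an added example, not part of the original message: it parses netfilter LOG lines and counts packets that were forwarded back out the interface they arrived on while neither endpoint is a local address. The sample lines are constructed with documentation-range addresses, and the function names and the router address `203.0.113.1` are assumptions.

```python
from collections import Counter

# Constructed sample lines in the kernel LOG format quoted in the thread;
# addresses come from the RFC 5737 documentation ranges, not from the thread.
SAMPLE_LOG = """\
[12332.047451] IN=ppp0 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0
[12340.100000] IN=eth0 OUT=ppp0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[111179.489288] IN=ppp0 OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.99 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
[111200.000000] IN=ppp0 OUT= MAC= SRC=203.0.113.50 DST=203.0.113.1 LEN=44 TTL=240 ID=1 PROTO=TCP SPT=4000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_line(line):
    """Return the KEY=value fields plus a 'FLAGS' set, or None if not a LOG line."""
    fields, flags = {}, set()
    for tok in line.split():
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value          # e.g. IN=ppp0, or OUT= with empty value
        elif tok in TCP_FLAGS:
            flags.add(tok)               # bare tokens such as RST or SYN
    if not fields.keys() >= {"IN", "SRC", "DST"}:
        return None
    fields["FLAGS"] = flags
    return fields

def is_hairpin_transit(pkt, local_addrs):
    """True for a forwarded packet that leaves on the interface it arrived on
    and whose source and destination are both foreign to this host."""
    return (pkt["IN"] != "" and pkt["IN"] == pkt.get("OUT")
            and pkt["SRC"] not in local_addrs and pkt["DST"] not in local_addrs)

def summarize(log_text, local_addrs):
    """Count hairpin transit packets per (SRC, SPT, flags) so repeats stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt and is_hairpin_transit(pkt, local_addrs):
            flags = ",".join(sorted(pkt["FLAGS"])) or "-"
            counts[(pkt["SRC"], pkt.get("SPT", "-"), flags)] += 1
    return counts

if __name__ == "__main__":
    # 203.0.113.1 stands in for the router's own external address (assumption).
    for (src, spt, flags), n in summarize(SAMPLE_LOG, {"203.0.113.1"}).items():
        print(f"{n} packet(s) from {src}:{spt} flags={flags} routed back out the ingress interface")
```

A count that keeps growing for the same source is the "regular" case the reply says to capture and report to the ISP.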