Re: Mysterious packet
On Thursday, November 08, 2012 11:58:33 AM Darac Marjal wrote:
> On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
> > I've started getting messages like the following:
> > [12332.047451] IN=ppp0 OUT=ppp0 SRC=18.104.22.168 DST=22.214.171.124
> > LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380
> > WINDOW=0 RES=0x00 RST URGP=0 [111179.489288] IN=ppp0 OUT=ppp0
> > SRC=126.96.36.199 DST=188.8.131.52 LEN=40 TOS=0x00 PREC=0x00 TTL=50
> > ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
> > Now these IP numbers are not on my LAN, which is masqueraded. They also
> > bear no relationship to my external-world IP number. If it's about a
> > packet being sent from 184.108.40.206 to either of the others, my ISP
> > shouldn't even be sending it to me. Do I understand the message
> > correctly?
> Yep. As I understand it 220.127.116.11:5228 is sending a RESET packet
> to 18.104.22.168:44380. By the looks of things, though, your kernel is
> responding as you'd expect it to and re-routing the packet back out your
> PPP connection (that is, it came in on ppp0, it's not for you, so you
> pass it back out on the default route which I imagine is ppp0).
Presented this way, it could be a DDoS attack on either the src or the dest.