Re: Mysterious packet

[Hendrik Boom <hendrik@topoi.pooq.com>]

On Thu, 08 Nov 2012 12:15:55 -0500, Neal Murphy wrote:

> On Thursday, November 08, 2012 11:58:33 AM Darac Marjal wrote:
>> On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
>> > I've started getting messages like the following:
>> > 
>> > [12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71
>> > LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228
>> > DPT=44380 WINDOW=0 RES=0x00 RST URGP=0 [111179.489288] IN=ppp0
>> > OUT=ppp0 SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00
>> > TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST
>> > URGP=0
>> > 
>> > Now these IP numbers are not on my LAN, which is masqueraded.  They
>> > also bear no relationship to my external-world IP number.  If it's
>> > about a packet being sent from 4.125.133.188 to either of the others,
>> > my ISP shouldn't even be sending it to me.  Do I understand the
>> > message correctly?
>> 
>> Yep. As I understand it 74.125.133.188:5228 is sending a RESET packet
>> to 25.46.128.71:44380. By the looks of things, though, your kernel is
>> responding as you'd expect it to and re-routing the packet back out
>> your PPP connection (that is, it came in on ppp0, it's not for you, so
>> you pass it back out on the default route which I imagine is ppp0).
> 
> Presented this way, it could be a DDoS attack on either the src or the
> dest.

That's plausible.  There's probably no real reason for assuming that 
the SRC address is where the packet originated.

Two more of htem arrived today, with a new SRC, 74.125.142.138 
(different but similar to yesterday's), but different destinations, 
25.46 37.163 and 25.44.254.232.

-- hendrik