Re: Mysterious packet
On Thu, 08 Nov 2012 12:15:55 -0500, Neal Murphy wrote:
> On Thursday, November 08, 2012 11:58:33 AM Darac Marjal wrote:
>> On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
>> > I've started getting messages like the following:
>> > [12332.047451] IN=ppp0 OUT=ppp0 SRC=184.108.40.206 DST=220.127.116.11
>> > LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228
>> > DPT=44380 WINDOW=0 RES=0x00 RST URGP=0 [111179.489288] IN=ppp0
>> > OUT=ppp0 SRC=18.104.22.168 DST=22.214.171.124 LEN=40 TOS=0x00 PREC=0x00
>> > TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST
>> > URGP=0
>> > Now these IP numbers are not on my LAN, which is masqueraded. They
>> > also bear no relationship to my external-world IP number. If it's
>> > about a packet being sent from 126.96.36.199 to either of the others,
>> > my ISP shouldn't even be sending it to me. Do I understand the
>> > message correctly?
>> Yep. As I understand it 188.8.131.52:5228 is sending a RESET packet
>> to 184.108.40.206:44380. By the looks of things, though, your kernel is
>> responding as you'd expect it to and re-routing the packet back out
>> your PPP connection (that is, it came in on ppp0, it's not for you, so
>> you pass it back out on the default route which I imagine is ppp0).
> Presented this way, it could be a DDoS attack on either the src or the
That's plausible. There's probably no real reason for assuming that
the SRC address is where the packet originated.
Two more of htem arrived today, with a new SRC, 220.127.116.11
(different but similar to yesterday's), but different destinations,
25.46 37.163 and 18.104.22.168.