Re: Mysterious packet

To: debian-user@lists.debian.org
Subject: Re: Mysterious packet
From: Tom Furie <tom@furie.org.uk>
Date: Fri, 9 Nov 2012 23:30:37 +0000
Message-id: <[🔎] 20121109233037.GA18164@furie.org.uk>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] k7jmi3$6lp$1@ger.gmane.org>
References: <[🔎] k7giuv$ruu$1@ger.gmane.org> <[🔎] 20121108165833.GD12359@darac.org.uk> <[🔎] 201211081215.55984.neal.p.murphy@alum.wpi.edu> <[🔎] k7jmi3$6lp$1@ger.gmane.org>

On Fri, Nov 09, 2012 at 07:46:11PM +0000, Hendrik Boom wrote:
> On Thu, 08 Nov 2012 12:15:55 -0500, Neal Murphy wrote:
> 
> > On Thursday, November 08, 2012 11:58:33 AM Darac Marjal wrote:
> >> On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
> >> > I've started getting messages like the following:
> >> > 
> >> > [12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71
> >> > LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228
> >> > DPT=44380 WINDOW=0 RES=0x00 RST URGP=0 [111179.489288] IN=ppp0
> >> > OUT=ppp0 SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00
> >> > TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST
> >> > URGP=0
> >> > 
> >> > Now these IP numbers are not on my LAN, which is masqueraded.  They
> >> > also bear no relationship to my external-world IP number.  If it's
> >> > about a packet being sent from 4.125.133.188 to either of the others,
> >> > my ISP shouldn't even be sending it to me.  Do I understand the
> >> > message correctly?
> >> 
> >> Yep. As I understand it 74.125.133.188:5228 is sending a RESET packet
> >> to 25.46.128.71:44380. By the looks of things, though, your kernel is
> >> responding as you'd expect it to and re-routing the packet back out
> >> your PPP connection (that is, it came in on ppp0, it's not for you, so
> >> you pass it back out on the default route which I imagine is ppp0).
> > 
> > Presented this way, it could be a DDoS attack on either the src or the
> > dest.
> 
> That's plausible.  There's probably no real reason for assuming that 
> the SRC address is where the packet originated.
> 
> Two more of htem arrived today, with a new SRC, 74.125.142.138 
> (different but similar to yesterday's), but different destinations, 
> 25.46 37.163 and 25.44.254.232.

Not sure it helps any, but the 74.125.0.0/16 block belongs to Google and
the 25.0.0.0/8 block belongs to the UK's MoD. Looks like some sort of
attack attempt to me.

Cheers,
Tom

-- 
We don't need no education, we don't need no thought control.
		-- Pink Floyd

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Mysterious packet
  - From: Neal Murphy <neal.p.murphy@alum.wpi.edu>

References:
- Mysterious packet
  - From: Hendrik Boom <hendrik@topoi.pooq.com>
- Re: Mysterious packet
  - From: Darac Marjal <mailinglist@darac.org.uk>
- Re: Mysterious packet
  - From: Neal Murphy <neal.p.murphy@alum.wpi.edu>
- Re: Mysterious packet
  - From: Hendrik Boom <hendrik@topoi.pooq.com>

Prev by Date: extending LV with JFS online
Next by Date: Re: Mysterious packet
Previous by thread: Re: Mysterious packet
Next by thread: Re: Mysterious packet
Index(es):
- Date
- Thread