I found the same thing in my logs yesterday. I was worried I had my name server misconfigured. Phew.
-Steve

On Thursday, October 25, 2001, at 09:58 PM, Brad Fritz wrote:

>
> On Thu, 25 Oct 2001 17:49:35 PDT Robert wrote:
>
>> This afternoon I received 292 log items in 6 seconds.
>
> There was a lot of discussion of these floods on the linux-router
> list in late April and May of this year. IIRC, they are response
> time measurement probes that are part of a global load-balancing
> scheme. Hitting certain web sites (http://www.weather.com/ for me)
> will trigger them.
>
> I couldn't find a concise description of the scheme (maybe another
> subscriber has one?), but if you search the Geocrawler linux-router
> archives from May
> http://www.geocrawler.com/archives/3/303/2001/5/0/ ,
> you'll probably find more information. I also vaguely remember
> a thread on the Security Focus "incidents" list. I think David
> Douthitt, of Oxygen fame, was one of the posters.
>
> There's an ipfilter.conf hack to prevent logging of them at
> http://www.geocrawler.com/mail/msg.php3?msg_id=5930039&list=303
> that you might find useful.
>
> --Brad
>
>
>> I know that
>> port 53 is related to DNS but beyond that I am fairly naive. The log
>> analyzer at http://www.echogent.com/cgi-bin/fwlog.pl did not have
>> anything specific to say about these. It is interesting to me that all 18
>> of the IPs that sent packets did so all within 6 seconds, most of
>> them sending exactly 16 packets each. Any help diagnosing this would
>> be helpful. If they are harmless I will just make up an ipchains rule
>> to not log them. I am using Dachstein rc2.
>> Thanks for any insight.
>> Robert Williams
>>
>>
>> 292
>> Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6
>> 64.14.200.154:17181 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245
>> (#41)
>> Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6
>> 209.249.97.40:60302 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245
>> (#41)
>> Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6
>> 208.184.162.71:15070 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=246
>> (#41)
>>
>> <snip>
>>
>> Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6
>> 202.139.133.129:16725 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=243
>> (#41)
>> Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6
>> 203.208.128.70:32687 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=241
>> (#41)
>>
>> List of offending IPs
>>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
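An added example, not part of the original thread: a small Python parser for ipchains "Packet log" lines like those quoted above, which groups denied TCP packets to port 53 into bursts and counts packets per source before deciding on a no-log rule. The function names, the 10-second window and the minimum-source threshold are assumptions, and the last sample line is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# ipchains "Packet log" line: timestamp, action, protocol, source, destination.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"\S+ (?P<action>\S+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) ")

# First five lines: entries quoted in the thread, rejoined. Last line: constructed.
SAMPLE = """\
Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 64.14.200.154:17181 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 209.249.97.40:60302 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=245 (#41)
Oct 25 15:51:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 208.184.162.71:15070 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=246 (#41)
Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:16725 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=243 (#41)
Oct 25 15:51:07 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:32687 64.171.17.149:53 L=44 S=0x00 I=0 F=0x0000 T=241 (#41)
Oct 25 16:30:00 firewall kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1025 64.171.17.149:137 L=78 S=0x00 I=0 F=0x0000 T=60 (#41)
"""

def parse(line, year=2001):
    """Parse one log line; syslog omits the year, so it is passed in."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["proto"], rec["dport"] = int(rec["proto"]), int(rec["dport"])
    return rec

def summarize_bursts(text, proto=6, dport=53, window_s=10, min_sources=3):
    """Report bursts (<= window_s long) of denied packets from many sources."""
    hits = sorted((r for r in map(parse, text.splitlines())
                   if r and r["action"] == "DENY"
                   and r["proto"] == proto and r["dport"] == dport),
                  key=lambda r: r["ts"])
    bursts = []
    for r in hits:
        if bursts and (r["ts"] - bursts[-1][0]["ts"]).total_seconds() <= window_s:
            bursts[-1].append(r)
        else:
            bursts.append([r])
    report = []
    for b in bursts:
        per_src = Counter(r["src"] for r in b)
        if len(per_src) >= min_sources:
            report.append({"start": b[0]["ts"], "packets": len(b),
                           "seconds": int((b[-1]["ts"] - b[0]["ts"]).total_seconds()),
                           "sources": len(per_src), "per_source": dict(per_src)})
    return report
```

Calling `summarize_bursts(SAMPLE)` returns one burst covering the five quoted lines; the constructed UDP line to port 137 is ignored.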
