I should also note that the DOS attack which was launched from this server
{prior to having the dachstein firewall in the way} was targeted against
the US Navy. I'm sure it was a distributed DOS in which case you might
have been another recipient of the attack. Or it's just a coincidence.
-Scott
> Just some of the stuff I've seen splatting against the box today, also
> from 192.168.27.x (my eth1 is the external interface):
>
> Is there a way besides snort to capture & examine these packets?
>
> -Blanton
>
> Dec 19 09:42:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.24:8 24.155.29.78:0 L=1500 S=0x00 I=53505 F=0x4000 T=242 (#6)
> Dec 19 09:42:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.21:8 24.155.29.78:0 L=1500 S=0x00 I=25601 F=0x4000 T=242 (#6)
> Dec 19 09:42:29 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.25:8 24.155.29.78:0 L=1500 S=0x00 I=35073 F=0x4000 T=242 (#6)
> Dec 19 09:44:42 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.25:8 24.155.29.78:0 L=1500 S=0x00 I=45313 F=0x4000 T=242 (#6)
> Dec 19 09:44:44 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.23:8 24.155.29.78:0 L=1500 S=0x00 I=32769 F=0x4000 T=242 (#6)
> Dec 19 09:45:06 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25633 F=0x4000 T=51 (#6)
> Dec 19 09:45:08 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25634 F=0x4000 T=51 (#6)
> Dec 19 09:45:09 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20776 F=0x0000 T=51 (#6)
> Dec 19 09:45:11 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20777 F=0x0000 T=51 (#6)
> Dec 19 09:45:12 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25635 F=0x4000 T=51 (#6)
> Dec 19 09:45:17 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20778 F=0x0000 T=51 (#6)
> Dec 19 09:45:19 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10497 F=0x4000 T=51 (#6)
> Dec 19 09:45:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=33793 F=0x0000 T=51 (#6)
> Dec 19 09:45:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.24:8 24.155.29.78:0 L=1500 S=0x00 I=1025 F=0x4000 T=242 (#6)
> Dec 19 09:45:34 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10498 F=0x4000 T=51 (#6)
> Dec 19 09:45:50 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=33794 F=0x0000 T=51 (#6)
> Dec 19 09:46:03 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10499 F=0x4000 T=51 (#6)
> Dec 19 09:46:34 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=33795 F=0x0000 T=51 (#6)
> Dec 19 09:47:01 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10500 F=0x4000 T=51 (#6)
> Dec 19 09:47:18 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33796 F=0x0000 T=51 (#6)
> Dec 19 09:47:19 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33797 F=0x0000 T=51 (#6)
> Dec 19 09:47:21 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:12077 L=40 S=0x00 I=19 F=0x0000 T=51 (#6)
> Dec 19 09:47:21 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:4440 L=40 S=0x00 I=20 F=0x0000 T=51 (#6)
> Dec 19 09:47:22 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33798 F=0x0000 T=51 (#6)
> Dec 19 09:47:25 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:12077 L=40 S=0x00 I=21 F=0x0000 T=51 (#6)
> Dec 19 09:47:25 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:4440 L=40 S=0x00 I=22 F=0x0000 T=51 (#6)
> Dec 19 09:47:27 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33799 F=0x0000 T=51 (#6)
> Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:4440 L=40 S=0x00 I=6401 F=0x0000 T=51 (#6)
> Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:12077 L=40 S=0x00 I=6401 F=0x0000 T=51 (#6)
> Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.23:8 24.155.29.78:0 L=1500 S=0x00 I=39169 F=0x4000 T=242 (#6)
> Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.23:8 24.155.29.78:0 L=1500 S=0x00 I=39169 F=0x4000 T=242 (#6)
>
> ----- Original Message -----
> From: "Patrick Benson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 19, 2001 2:22 PM
> Subject: Re: [Leaf-user] Help understand unusual packets
>
>
>> Scott wrote:
>> >
>> > I've been getting tons of these mysterious packets. Eth0 is my
>> > external interface so it's unusual that these two private IPs are
>> > hitting it. I checked it against that ipchains log decoder (forgot
>> > the website) which mostly brushed it off as non-threatening.
>> > However, 216.231.46.238 was the
>> > result of a big nasty DOS attack last weekend so I'm suspicious of
>> > everything. Any insight is most helpful.
>> >
>> > The offending packets (they are constantly coming in):
>> >
>> > Dec 19 09:30:19 mail kernel: Packet log: input DENY eth0 PROTO=6 192.168.27.31:80 216.231.46.238:14641 L=41 S=0x00 I=35612 F=0x4000 T=51 (#10)
>> >
>> > Dec 19 09:30:26 mail kernel: Packet log: input DENY eth0 PROTO=6 172.16.0.110:80 216.231.46.238:32992 L=40 S=0x00 I=34533 F=0x4000 T=238 (#9)
>> >
>> > -Scott
>>
>> Scott,
>>
>> Is there a chance that your ISP uses those private nrs. on their
>> internal network? My ISP uses 192.168.x.x and 172.17.x.x. That could
>> be a hint to why you're getting packets on your eth0...Do you know if
>> your ISP uses any sort of proxies with http?
>>
>>
>> --
>> Patrick Benson
>> Stockholm, Sweden
>>
>> _______________________________________________
>> Leaf-user mailing list
>> [EMAIL PROTECTED]
>> https://lists.sourceforge.net/lists/listinfo/leaf-user
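Blanton asks for a way, short of running snort, to examine the packets behind these ipchains "Packet log:" lines. The entries already carry most of what a capture would show, if the fields are decoded: for PROTO=1 the two "port" numbers are the ICMP type and code (so `192.168.27.24:8 24.155.29.78:0` is an echo request, type 8 code 0), `L` is the total IP length, `F` holds the fragment flags and offset (0x4000 is the Don't Fragment bit), `T` is the TTL and `(#6)` is the rule number that matched. The script below is an added example, not code from the thread or from the LEAF project; it parses the log format into fields, decodes ICMP type/code and the DF flag, and flags RFC 1918 source addresses arriving on an external interface, which is the point Patrick raises about the ISP's internal numbering. The three log lines in `SAMPLE_LOG` are constructed for the example in the same format as the quoted entries; the helper names are the example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: three ipchains "Packet log:" entries in the format quoted
# in the thread (not taken from a live system).
SAMPLE_LOG = """\
Dec 19 09:42:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.24:8 24.155.29.78:0 L=1500 S=0x00 I=53505 F=0x4000 T=242 (#6)
Dec 19 09:45:06 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25633 F=0x4000 T=51 (#6)
Dec 19 09:45:09 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20776 F=0x0000 T=51 (#6)
"""

# ipchains 2.2-era log line: chain, target, interface, then the IP header fields.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreach", 8: "echo-request", 11: "time-exceeded"}
IP_DF = 0x4000  # Don't Fragment bit in the 16-bit flags+offset field logged as F=
IP_MF = 0x2000  # More Fragments bit


def parse_entry(line):
    """Decode one ipchains packet-log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    frag = int(m["frag"], 16)
    rec = {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"], "dst": m["dst"],
        "length": int(m["len"]), "tos": int(m["tos"], 16), "ip_id": int(m["id"]),
        "df": bool(frag & IP_DF), "mf": bool(frag & IP_MF),
        "frag_offset": frag & 0x1FFF,  # in 8-byte units, as in the IP header
        "ttl": int(m["ttl"]), "rule": int(m["rule"]),
    }
    if proto == 1:
        # For ICMP, ipchains logs type:code in place of sport:dport.
        icmp_type, icmp_code = int(m["sport"]), int(m["dport"])
        rec["icmp_type"], rec["icmp_code"] = icmp_type, icmp_code
        rec["icmp_name"] = ICMP_TYPES.get(icmp_type, f"type-{icmp_type}")
    else:
        rec["sport"], rec["dport"] = int(m["sport"]), int(m["dport"])
    return rec


def describe(rec):
    """Short human-readable label for what the packet was."""
    if rec["proto"] == "ICMP":
        return f"ICMP {rec['icmp_name']} ({rec['length']} bytes)"
    return f"{rec['proto']} sport {rec['sport']} -> dport {rec['dport']}"


def private_sources_on(entries, iface):
    """RFC 1918 source addresses seen arriving on the named interface."""
    return {
        r["src"] for r in entries
        if r["iface"] == iface and ipaddress.ip_address(r["src"]).is_private
    }


def summarize(log_text):
    """Count (source, description) pairs across a block of log text."""
    entries = [r for r in map(parse_entry, log_text.splitlines()) if r]
    return Counter((r["src"], describe(r)) for r in entries)


if __name__ == "__main__":
    parsed = [r for r in map(parse_entry, SAMPLE_LOG.splitlines()) if r]
    for r in parsed:
        flags = "DF" if r["df"] else ("MF" if r["mf"] else "-")
        print(f"{r['iface']} {r['target']} rule#{r['rule']} {r['src']} -> {r['dst']} "
              f"{describe(r)} ttl={r['ttl']} flags={flags}")
    print("private sources on eth1:", sorted(private_sources_on(parsed, "eth1")))
    for (src, what), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:16s} {what}")
```

Feeding the real log (for example the output of `grep 'Packet log:' /var/log/messages`) into `summarize` gives a per-source count of what was denied; the DF-set 1500-byte echo requests and the source-port-80 TCP segments aimed at high ports then stand out as two distinct patterns, which is the shape one would check against Patrick's proxy suggestion before treating the traffic as hostile.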