On Fri, 18 Jan 2002, Mike Sussman wrote:

> 
> Folks,
> Since I posted my earlier message, I have begun to see this kind of
> thing repeatedly.  For the past 24 hours, my logs contain over 1000
> lines of such packets!  By that I mean, if I discard all lines that are
> identical to one another except for the T= field, my file goes from
> 1177 denied packets to 47 denied packets.  They are NOT all 
> port 111 packets--some are port 111, some are port 22, port 21,
> port 53, and port 0 (PROTO 1).  And they seem to have many different
> source IPs as well.

Sounds like someone is throwing a book at you.

>  I have NEVER seen anything like this over the past year.

Can't say I have either.  But the decreasing T field 

You ought to look at the various IP numbers they do come from. If
they are all in the same network, they might be from different dynamically
assigned IP addresses for the same machine.  If they are not on the same
network, they might more likely be from multiple cracked machines.  Or
they could be from someone on your subnet, forging source IPs.

>  I changed from ES2B to D-floppy about two weeks ago.  I have
> rebooted since these started.
> 
> Is it possible that I have a bug somewhere and these log entries are all
> from the same packet?  Is it possible that someone on my cable 
> subnet is doing something bad to me?

It is possible that someone is trying.  It is also possible that they
might eventually succeed if they are allowed to continue indefinitely, so
don't ignore it.  Send messages to the abuse address for the source
network(s), describing the nature of the attacks, and including extracts
long enough to support the patterns you have identified.  Keep in mind the
spoofing option, though... they might be able to tell you those packets
are not leaving their network.  The character of the packets is not
normal, though.

I found
http://archives.neohapsis.com/archives/incidents/2000-05/0047.html, but I
am not sure why someone would want to do a camouflaged traceroute to you
repeatedly, on separate ports.  The camouflage is that any packet whose
time-to-live (ttl, or T=) runs out before it reaches you will generate an
icmp packet they can use to identify routers between you and them.  The
usual non-icmp traceroute uses incrementing UDP ports typically (but not
always) in the range 33434 and up, with TTL values increasing instead of
decreasing. Your symptoms could be consistent with the sender starting
with a ttl>39, and quickly sending a burst of packets, and watching the
icmp "ttl exceeded" messages for the packets with ttls that ran out before
getting to you.  It would be a flaky system though because the packets are
sent so close together that routers could drop packets.

Again, I don't know what this _means_, but it might help explain parts of
what you are seeing.

You might find http://www.robertgraham.com/pubs/firewall-seen.html useful
in a general sense.  And http://www.samspade.org for learning more about
the source ips and the networks they belong to.

> >Folks, I have begun receiving (and denying) long sequences of packets and I
> >am wondering what is going on.
> 
> >I am running Dachstein 1.0.2 floppy on a 486/33 with 16MB.  VERY nice!
> >Thanks Charles and so many others.  I am on a cable connection with
> >Adelphia, from which I generally get good service.
> 
> >Starting several days ago I began receiving long sequences of packets.  For
> >example, I received the following:
> >Jan 17 10:27:25 boxer kernel: Packet log: input DENY eth0 PROTO=6 
> >65.103.98.68:2240 24.51.134.147:111 L=60 S=0x00 I=4296 F=0x4000 T=39 SYN 
> >(#62)
> >This packet is suspicious in itself, but I also received 38 more like it 
> >with 
> >the same time stamp (10:27:25), identical in all fields except the T= 
> >field.  That one contained the numbers 1-38 for each of the other
> >packets.  They appear in order, decreasing from 39 to 1, in
> > /var/log/messages.
> -- 
>                        Mike Sussman
>                        [EMAIL PROTECTED]
> 
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> 

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
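The two things the thread does by hand (collapsing log lines that differ only in T=, and checking whether the surviving entries form a TTL sweep or come from one network) are easy to script. The following is an added example written for this page, not code from the thread or from the LEAF/Dachstein project. It parses the ipchains "Packet log:" format quoted above; the sample lines are constructed from that one quoted line (the 39-packet burst) plus a few made-up entries from documentation address ranges, and the /24 grouping used to approximate "same network" is an assumption, not something the thread specifies.

```python
"""Collapse and inspect ipchains 'Packet log:' lines for TTL-sweep bursts.

Added example (not from the original thread).  The log format is the one
quoted in the thread; the sample lines below are constructed from it.
"""
import re
import ipaddress
from collections import OrderedDict

# One ipchains log line as quoted in the thread.
# T= is the TTL remaining when the packet reached the firewall.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: '
    r'(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'L=(?P<len>\d+) S=(?P<tos>\S+) I=(?P<ipid>\d+) F=(?P<frag>\S+) '
    r'T=(?P<ttl>\d+)(?P<rest>.*)$'
)
INT_FIELDS = ('proto', 'sport', 'dport', 'len', 'ipid', 'ttl')


def parse_line(line):
    """Return a dict of fields for a Packet log line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec['rest'] = rec['rest'].strip()   # TCP flags and rule number, e.g. 'SYN (#62)'
    return rec


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def key_without_ttl(rec):
    """Everything identifying the packet except T=, as the poster collapsed by hand."""
    return tuple((k, v) for k, v in sorted(rec.items()) if k != 'ttl')


def collapse(records):
    """Group records identical apart from T=; value is the list of TTLs in log order."""
    groups = OrderedDict()
    for rec in records:
        groups.setdefault(key_without_ttl(rec), []).append(rec['ttl'])
    return groups


def find_ttl_sweeps(records, min_len=3):
    """Report groups whose TTLs form a run decreasing by exactly one per packet.

    A sender stepping its initial TTL one hop at a time looks like this on
    arrival, because every packet loses the same number of hops on the way in.
    """
    hits = []
    for key, ttls in collapse(records).items():
        if len(ttls) < min_len:
            continue
        if ttls == list(range(ttls[0], ttls[0] - len(ttls), -1)):
            fields = dict(key)
            hits.append({
                'src': fields['src'], 'dst': fields['dst'],
                'proto': fields['proto'], 'dport': fields['dport'],
                'ttl_first': ttls[0], 'ttl_last': ttls[-1], 'count': len(ttls),
            })
    return hits


def source_networks(records, prefix_len=24):
    """Bucket source addresses by a fixed prefix (assumption: /24 stands in for 'same network')."""
    nets = {}
    for rec in records:
        net = ipaddress.ip_network(f"{rec['src']}/{prefix_len}", strict=False)
        nets.setdefault(str(net), set()).add(rec['src'])
    return nets


# Constructed sample: the 39-packet burst quoted in the thread (T=39 down to 1),
# plus a made-up port-22 pair and two ICMP echo requests from documentation addresses.
_BURST = ('Jan 17 10:27:25 boxer kernel: Packet log: input DENY eth0 PROTO=6 '
          '65.103.98.68:2240 24.51.134.147:111 L=60 S=0x00 I=4296 F=0x4000 T={ttl} SYN (#62)')
SAMPLE_LOG = [_BURST.format(ttl=t) for t in range(39, 0, -1)] + [
    'Jan 17 10:31:02 boxer kernel: Packet log: input DENY eth0 PROTO=6 '
    '198.51.100.7:3011 24.51.134.147:22 L=60 S=0x00 I=5120 F=0x4000 T=52 SYN (#62)',
    'Jan 17 10:31:02 boxer kernel: Packet log: input DENY eth0 PROTO=6 '
    '198.51.100.7:3011 24.51.134.147:22 L=60 S=0x00 I=5120 F=0x4000 T=51 SYN (#62)',
    'Jan 17 10:40:17 boxer kernel: Packet log: input DENY eth0 PROTO=1 '
    '203.0.113.9:8 24.51.134.147:0 L=84 S=0x00 I=777 F=0x0000 T=240 (#61)',
    'Jan 17 10:40:18 boxer kernel: Packet log: input DENY eth0 PROTO=1 '
    '203.0.113.44:8 24.51.134.147:0 L=84 S=0x00 I=778 F=0x0000 T=240 (#61)',
    'Jan 17 10:40:19 boxer kernel: some unrelated message',
]

if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    print(f'{len(recs)} denied packets, {len(collapse(recs))} once T= is ignored')
    for hit in find_ttl_sweeps(recs):
        print('TTL sweep:', hit)
    for net, srcs in sorted(source_networks(recs).items()):
        print(net, sorted(srcs))
```

Run it against /var/log/messages instead of the sample (`parse_log(open('/var/log/messages'))`) and the sweep report gives the extract worth sending to the source network's abuse address: source, destination port, TTL range and packet count. Note that the ipchains format changed with iptables in later kernels, so the regex matches only the 2.2-era lines shown in the thread.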
