G'day, not a complete newbie, but this one is not clear to me although I have googled, grouped and read some documents about the TCP/IP protocol:

We have a server hosted by an ISP. The server has its own subnet s1.s2.s3.s4/28 with multiple IP addresses. For some days now, there have been several thousand TCP/IP packets per day hitting our server; neither the source IP address nor the destination IP address of these packets is part of our server's subnet.

'tcpdump -n -vvv ip and not net 62.146.42.48/28' says, for example:

19:15:45.830294 s1.s2.s5.s6.smtp > d1.d2.d3.d4.27975: . 173:173(0) ack 97523 win 62780 (DF) (ttl 64, id 3691)

s1.s2.s5.s6 and d1.d2.d3.d4 are not part of our s1.s2.s3.s4/28 subnet.

'tcpdump -en -vvv ip and not net 62.146.42.48/28' says, for example:

19:04:04.352676 0:4:76:16:c8:1f Broadcast ip 1518: 62.146.28.150.http > 24.132.142.176.ampr-inter: . 1:1461(1460) ack 301 win 6432 (DF) (ttl 64, id 23341)

The question is: why are these packets routed to our server / its subnet?

My conclusion is that our ISP has a misconfiguration on its routers. The other possibility would be that the machine from which the traffic originates (let's name this machine "host A") takes our server to be a gateway, i.e. host A is misconfigured or hacked. But a gateway has to be on the same Ethernet segment as its clients, hasn't it? So our server would not be seen by host A directly. Since there are no other machines in our /28 subnet, there must be a misconfiguration in our ISP's router.

Before telling our ISP to correct this, I would like to hear the opinions of the experts. Is there any possible reason (besides misconfiguration of our ISP's router and besides spoofing and hacking) which could lead to the situation that our server (which sits alone in its /28 subnet) receives packets with destination IPs outside its subnet?

Thank you very much,
Peter
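The post compares two tcpdump views of the same stray traffic: one with IP addresses only (-n) and one that also shows the Ethernet source and destination (-en). The added script below, which is not part of the original post, sorts such lines into inbound, outbound and "transit" (neither address in the local /28) and, where the -e link-layer prefix is present, records whether a transit frame was addressed to the server's own MAC, to the Ethernet broadcast address, or to some other MAC, and which source MAC sent it. It assumes the local prefix 62.146.42.48/28 from the tcpdump filter, a made-up server MAC 0:50:56:aa:bb:cc, and a handful of constructed capture lines in the old tcpdump -n / -en format (the two lines from the post plus two invented ones using documentation addresses); the MAC-level tally is the piece of evidence one would hand to the ISP.

```python
"""Classify old-style tcpdump -n / -en lines relative to a local /28.

Added example, not from the original post. The local prefix, the server
MAC and the sample lines below are assumptions / constructed input.
"""
import ipaddress
import re
from collections import Counter

LOCAL = ipaddress.ip_network("62.146.42.48/28")   # from the tcpdump filter in the post
OUR_MAC = "0:50:56:aa:bb:cc"                      # assumed MAC of the server's NIC

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    # Optional link-layer prefix printed by "tcpdump -e": srcmac dstmac type len:
    r"(?:(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+|Broadcast)\s+\w+\s+\d+:\s+)?"
    # tcpdump -n prints IP.port; the port may still be a service name (smtp, http)
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+):"
)

# Constructed sample capture: lines 1 and 2 are the two from the post (with the
# anonymised s1/d1 addresses replaced by a local host and a documentation IP),
# lines 3 and 4 are invented to exercise the unicast and inbound cases.
SAMPLE = [
    "19:15:45.830294 62.146.42.50.smtp > 198.51.100.7.27975: . 173:173(0) ack 97523 win 62780 (DF) (ttl 64, id 3691)",
    "19:04:04.352676 0:4:76:16:c8:1f Broadcast ip 1518: 62.146.28.150.http > 24.132.142.176.ampr-inter: . 1:1461(1460) ack 301 win 6432 (DF) (ttl 64, id 23341)",
    "19:04:05.118203 0:4:76:16:c8:1f 0:50:56:aa:bb:cc ip 74: 203.0.113.9.40001 > 198.51.100.7.http: S 1:1(0) win 5840 (DF) (ttl 63, id 100)",
    "19:04:06.500000 198.51.100.7.4242 > 62.146.42.50.smtp: S 7:7(0) win 5840 (DF) (ttl 52, id 4321)",
]


def classify(line, local_net=LOCAL, our_mac=OUR_MAC):
    """Return a dict describing one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dmac = m["dmac"]
    if dst in local_net:
        kind = "inbound"
    elif src in local_net:
        kind = "outbound"
    else:
        # Neither IP is ours: the packet is passing through our segment.
        if dmac is None:
            kind = "transit"                 # -e not used, layer-2 target unknown
        elif dmac == "Broadcast":
            kind = "transit-broadcast"       # IP packet sent to ff:ff:ff:ff:ff:ff
        elif our_mac and dmac.lower() == our_mac.lower():
            kind = "transit-to-our-mac"      # sender chose us as its next hop
        else:
            kind = "transit-other-mac"       # frame for another MAC seen on our port
    return {"ts": m["ts"], "src": str(src), "dst": str(dst),
            "smac": m["smac"], "dmac": dmac, "kind": kind}


def summarize(lines, local_net=LOCAL, our_mac=OUR_MAC):
    """Count packet kinds and the source MACs behind every transit frame."""
    kinds = Counter()
    transit_macs = Counter()
    for line in lines:
        info = classify(line, local_net, our_mac)
        if info is None:
            continue
        kinds[info["kind"]] += 1
        if info["kind"].startswith("transit") and info["smac"]:
            transit_macs[info["smac"]] += 1
    return kinds, transit_macs


if __name__ == "__main__":
    kinds, macs = summarize(SAMPLE)
    for kind, n in sorted(kinds.items()):
        print(f"{n:6d}  {kind}")
    print("transit frames by source MAC:", dict(macs))
```

To run it against a real capture, replace SAMPLE with the lines of `tcpdump -en -vvv ip and not net 62.146.42.48/28` and set OUR_MAC from `ifconfig` or `ip link`. The source-MAC tally tells you which physical device on the segment (usually the ISP's router port) is emitting the stray frames, and the transit-broadcast versus transit-to-our-mac split shows whether the sender is deliberately handing the packets to the server's MAC or just spraying them onto the wire.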
