tuxamd Apprentice
Joined: 28 Jan 2005 Posts: 281
Posted: Thu Mar 03, 2005 8:46 pm Post subject: IPtables dropping tons of connections, what are they up to?

Checking my everything log reveals tons and tons of connections that were dropped. But a few are coming from the same IPs quite often. This server is in a datacenter and the connections' destination seems to be 255.255.255.255. Can someone explain what's going on and which part of this is the port, etc.? I'm not quite sure what all the parts mean in the logs.
Here is an example:
Code:
Mar 3 15:35:05 [kernel] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:c5:0a:35:08:00 SRC=206.225.86.170 DST=255.255.255.255 LEN=230 TOS=0x00 PREC=0x00 TTL=128 ID=17774 PROTO=UDP SPT=2003 DPT=4991 LEN=210
Still not sure why I keep getting spammed especially when the destination is 255.255.255.255? What do you think the sources of these requests are trying to do?

j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Thu Mar 03, 2005 8:50 pm Post subject:

Hmm, some misconfigured routers?

msalerno Veteran
Joined: 17 Dec 2002 Posts: 1338 Location: Sweating in South Florida
Posted: Thu Mar 03, 2005 8:53 pm Post subject:

Are the offending IPs on the same subnet as your system?

tuxamd Apprentice
Joined: 28 Jan 2005 Posts: 281
Posted: Thu Mar 03, 2005 8:58 pm Post subject:

Misconfigured routers would be the last thing I would expect from the hosting company I use, though human error is inevitable. Misconfigured router on that level = discontinued job.
As far as the subnets, yes they are on the same I believe. They are on the same physical network I believe, the hosts that is.

msalerno Veteran
Joined: 17 Dec 2002 Posts: 1338 Location: Sweating in South Florida
Posted: Thu Mar 03, 2005 9:11 pm Post subject:

Well if it came from just one system, then it could possibly be an issue with the server's network configuration, rather than the router. Check the MAC

tuxamd Apprentice
Joined: 28 Jan 2005 Posts: 281
Posted: Thu Mar 03, 2005 9:24 pm Post subject:

Servers are different, even the MACs are. However sometimes there are repeating IPs. I'd say there's as many as 10 different IPs, some more than others. Also which of those fields shows the port they were trying to reach?

j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Thu Mar 03, 2005 9:26 pm Post subject:

tuxamd wrote:
Also which of those fields shows the port they were trying to reach?

DPT

msalerno Veteran
Joined: 17 Dec 2002 Posts: 1338 Location: Sweating in South Florida
Posted: Thu Mar 03, 2005 9:34 pm Post subject:

Have you contacted the datacenter's network admins about this yet?

tuxamd Apprentice
Joined: 28 Jan 2005 Posts: 281
Posted: Thu Mar 03, 2005 9:36 pm Post subject:

I haven't done so yet, but I plan to do so. I've asked a few techs but they are not sure. Also another strange thing, it turns out 98% of all the requests are for port 4991. Which, after checking more information on it, really isn't used for any single thing out there. Anyone have any ideas?

msalerno Veteran
Joined: 17 Dec 2002 Posts: 1338 Location: Sweating in South Florida
Posted: Thu Mar 03, 2005 9:50 pm Post subject:

According to http://www.iana.org/assignments/port-numbers
4990-4999 Unassigned
I don't know what they would be trying to hit if in fact they were trying to do some malicious

kloune Apprentice
Joined: 09 May 2004 Posts: 185 Location: lost
Posted: Thu Mar 03, 2005 11:59 pm Post subject:

Hi,
If I remember right, 4991 is used by some p2p program, I think Overnet, but I'm not sure anymore. But the target address is kind of strange.
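
The log fields asked about in this thread, decoded in an added example that is not part of any post: it splits a netfilter LOG line into its fields (including the MAC= value, which is destination MAC, source MAC and EtherType run together) and counts drops per source and destination port. Packets to 255.255.255.255 are not forwarded by routers, so the source MAC identifies the NIC that put the frame on the local segment. Only the first sample line comes from the thread; the other lines and all function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 is the log line quoted in the first post;
# the rest are made up (192.0.2.0/24 addresses and 02:... MACs are placeholders).
SAMPLE_LOG = """\
Mar 3 15:35:05 [kernel] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:c5:0a:35:08:00 SRC=206.225.86.170 DST=255.255.255.255 LEN=230 TOS=0x00 PREC=0x00 TTL=128 ID=17774 PROTO=UDP SPT=2003 DPT=4991 LEN=210
Mar 3 15:35:09 [kernel] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:09:c5:0a:35:08:00 SRC=206.225.86.170 DST=255.255.255.255 LEN=230 TOS=0x00 PREC=0x00 TTL=128 ID=17790 PROTO=UDP SPT=2003 DPT=4991 LEN=210
Mar 3 15:35:11 [kernel] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:00:00:01:08:00 SRC=192.0.2.10 DST=255.255.255.255 LEN=230 TOS=0x00 PREC=0x00 TTL=128 ID=4021 PROTO=UDP SPT=2010 DPT=4991 LEN=210
Mar 3 15:35:12 [kernel] IN=eth0 OUT= MAC=02:00:00:00:00:02:02:00:00:00:00:03:08:00 SRC=192.0.2.20 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=5120 DF PROTO=TCP SPT=3321 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one netfilter LOG line into its KEY=VALUE fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # LEN appears twice for UDP: keep the first (IP total length).
        fields.setdefault(key, value)
    mac = fields.get("MAC", "").split(":")
    if len(mac) == 14:
        # Ethernet header as logged: 6 bytes destination MAC,
        # 6 bytes source MAC, 2 bytes EtherType (08:00 = IPv4).
        fields["DST_MAC"] = ":".join(mac[:6])
        fields["SRC_MAC"] = ":".join(mac[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(mac[12:])
    return fields

def summarize(log_text):
    """Count packets per (source IP, source MAC, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC" in f and "DPT" in f:  # skips ICMP and non-firewall lines
            counts[(f["SRC"], f.get("SRC_MAC"), f.get("PROTO"), int(f["DPT"]))] += 1
    return counts

def broadcast_senders(log_text):
    """Source (IP, MAC) pairs that sent to the limited broadcast address."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return sorted({(f["SRC"], f.get("SRC_MAC")) for f in parsed
                   if f.get("DST") == "255.255.255.255" and "SRC" in f})

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
    print("broadcast senders:", broadcast_senders(SAMPLE_LOG))
```

Run against the real log file, the (IP, MAC) list from `broadcast_senders` is the detail the datacenter's network admins need to locate the sending machines.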