cdunham (Apprentice)
Joined: 06 Jun 2003 Posts: 211 Location: Rhode Island
Posted: Fri Jun 27, 2003 10:37 pm Post subject: Mystery Traffic
So, I'm getting a bunch of these logged from iptables:
Code:
Jun 27 16:40:39 hhhhhhhh State INVALID:IN=eth0 OUT= MAC=00:30:48:52:1b:d2:00:0x:XX:XX:XX SRC=dd.5.51.2 DST=dd.dd.dd.210 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=24633 PROTO=ICMP TYPE=3 CODE=1 [SRC=dd.dd.dd.210 DST=169.1.161.40 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=30170 DF PROTO=TCP INCOMPLETE [8 bytes] ]
(Please excuse the redaction).
These came and went and came back again with new traffic I was getting. It looks like a router a hop or two away (dd.5.51.2) is sending me (dd.dd.dd.210) an ICMP_HOST_UNREACH (3/1) message (I also see ICMP_TIME_EXCEEDED (11/0), ICMP_PKT_FILTERED (3/13), and other less-frequent junk) for traffic to bogus or other addresses (e.g. 169.1.161.40 here, but I see a lot like 100.0.xx.xx also).
As far as I can tell, I am not sending a traceroute or anything else to these addresses. Extended traces with tcpdump showed nothing.
Note also that iptables is rejecting this on a "state" module rule:
$IPTABLES -A check-state -m state --state INVALID $LOGLIMIT -j LOG --log-level 1 --log-prefix "State INVALID:"
$IPTABLES -A check-state -m state --state INVALID -j DROP
Because the payload is an incomplete TCP packet? I have two theories, neither of which I can test easily:
1. The upstream router is configured or coded wrong, only sending back parts of the offending packet in the ICMP_HOST_UNREACH, and I am getting something from a bogus address and trying to respond to it. I see nothing like that in my logs, but it could be at a lower level, and somehow let through the iptables rules. Seems a stretch for either condition, never mind both (not boasting, just would expect to see *something* for a slipped up rule).
2. Packets with my address as source are showing up at the router from another source, and it is bouncing the errors to me. Again, unlikely that they would forget to check for illegal source routing, or that the offender is on my side of the router. Also, this would not explain why it ebbs and flows with legit traffic, unless that was stimulating some bot/trojan somewhere.
So neither feels like it passes Occam's Razor.
You smart people probably already recognized what was going on in the first line, and I just wasted a lot of time typing all this, but it has me a bit confused.
Any ideas? Anything to try? A ticket has been filed with the hosting service, but I want to try to diagnose it from my end as well...
_________________
This post more meaningful in a scalar context.
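To go through a batch of those log lines mechanically, here is an added Python helper (not code from the thread). It splits the outer ICMP error from the quoted inner packet, reads the INCOMPLETE byte count, and labels each error by whether the quoted source is one of your addresses and whether the quoted flow is one you actually sent; the sample lines and RFC 5737 addresses are constructed, and `sent_flows` is a stand-in for the conntrack table, on the assumption that `--state INVALID` fires because the quoted inner packet matches no tracked connection.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the post's (redacted) iptables entry;
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOGS = [
    "Jun 27 16:40:39 gw State INVALID:IN=eth0 OUT= MAC=00:30:48:52:1b:d2:00:11:22:33:44:55:08:00 "
    "SRC=198.51.100.2 DST=203.0.113.210 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=24633 PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=203.0.113.210 DST=192.0.2.40 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=30170 DF PROTO=TCP INCOMPLETE [8 bytes] ]",
    "Jun 27 16:41:02 gw State INVALID:IN=eth0 OUT= MAC=00:30:48:52:1b:d2:00:11:22:33:44:55:08:00 "
    "SRC=198.51.100.2 DST=203.0.113.210 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=24701 PROTO=ICMP TYPE=11 CODE=0 "
    "[SRC=203.0.113.210 DST=100.0.7.9 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=30201 DF PROTO=TCP INCOMPLETE [8 bytes] ]",
]

KV = re.compile(r"(\w+)=(\S*)")
INNER = re.compile(r"\[(.*)\]\s*$")  # quoted original header; greedy, so it spans to the final ']'

def parse_icmp_error(line):
    """Split one LOG line into the outer ICMP fields and the quoted inner packet."""
    m = INNER.search(line)
    inner_txt = m.group(1) if m else ""
    outer = dict(KV.findall(line[:m.start()] if m else line))
    inner = dict(KV.findall(inner_txt))
    trunc = re.search(r"INCOMPLETE \[(\d+) bytes\]", inner_txt)  # bytes of inner transport header present
    return {
        "router": outer.get("SRC"), "us": outer.get("DST"),
        "icmp": (int(outer.get("TYPE", -1)), int(outer.get("CODE", -1))),
        "inner_src": inner.get("SRC"), "inner_dst": inner.get("DST"),
        "inner_proto": inner.get("PROTO"),
        "quoted_bytes": int(trunc.group(1)) if trunc else None,
    }

def triage(rec, my_addrs, sent_flows):
    """Label one error; sent_flows = (src, dst, proto) tuples we really sent (conntrack stand-in)."""
    if rec["icmp"][0] not in (3, 11, 12):
        return "not-icmp-error"
    if rec["inner_src"] not in my_addrs:
        return "quoted-packet-not-ours"
    if (rec["inner_src"], rec["inner_dst"], rec["inner_proto"]) in sent_flows:
        return "error-for-our-own-flow"
    # Our address quoted as source of a packet we never sent: consistent with backscatter from spoofing.
    return "backscatter-candidate"

def summarize(lines, my_addrs, sent_flows):
    """Count verdicts per (reporting router, ICMP type/code) for a quick overview."""
    counts = Counter()
    for line in lines:
        rec = parse_icmp_error(line)
        counts[(rec["router"], rec["icmp"], triage(rec, my_addrs, sent_flows))] += 1
    return counts
```

Feed it the real log lines (one per list entry) together with the flows tcpdump actually saw leaving the box; anything left as a backscatter candidate is what to put in the hosting ticket.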
devon (l33t)
Joined: 23 Jun 2003 Posts: 943
Posted: Sat Jun 28, 2003 4:47 pm Post subject:
Did you ever figure this out? Or did you hear back from the hosting service? I read some Google search results and some people speculate that it may be backscatter traffic from a DoS attack towards the router.
cdunham (Apprentice)
Joined: 06 Jun 2003 Posts: 211 Location: Rhode Island
Posted: Sat Jun 28, 2003 5:27 pm Post subject:
Nothing yet. One interesting thing is that the dd.dd.dd.210 address is just one in a /29 block, and I am not seeing these on any of the others. Odd...
_________________
This post more meaningful in a scalar context.