help! Strange traffic

Marcelo Souza mpsouza at centroin.com.br
Fri Jun 10 02:43:34 GMT 2005


Hi,

	It seems that it's only SYN packets. Maybe someone is trying to
use your machine as a gateway, or it is only a misconfiguration.
	Review your policies to allow ONLY your internal network to use
this machine as a gateway, and deny anything else.

- Marcelo Souza

On Thu, 9 Jun 2005, Karan Gupta wrote:

|Hi
|  I'm running a fBSD T1 router (a gateway with a sangoma 514 csu/dsu card)
|that performs dhcp, nat, ipfw firewall.
|FreeBSD rtr-eee.eeee.com 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Thu Jul 31
|04:47:04 PDT 2003     root@:/usr/src/sys/compile/GENERIC  i386
|
|I'm seeing the following traffic on doing tcpdump on the external interface
|01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S
|1396310016:1396310016(0) win 16384
|01:12:15.876288 201.93.36.41.1587 > web.visp.ashosting.nl.http: S
|802357248:802357248(0) win 16384
|01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http:
|S 1656750080:1656750080(0) win 16384
|01:12:15.886056 201.93.36.250.1194 > web.visp.ashosting.nl.http: S
|1188954112:1188954112(0) win 16384
|01:12:15.886794 201.93.36.118.1613 > web.visp.ashosting.nl.http: S
|474546176:474546176(0) win 16384
|01:12:15.887628 201.93.36.120.1135 > web.visp.ashosting.nl.http: S
|224526336:224526336(0) win 16384
|01:12:15.895344 201.93.37.129.1073 > web.visp.ashosting.nl.http: S
|5767168:5767168(0) win 16384
|01:12:15.896286 201.93.37.131.timbuktu-srv3 >
|web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
|01:12:15.905302 201.93.37.225.1341 > web.visp.ashosting.nl.http: S
|2125070336:2125070336(0) win 16384
|01:12:15.906042 201.93.37.223.docstor > web.visp.ashosting.nl.http: S
|1558642688:1558642688(0) win 16384
|01:12:15.915253 201.93.38.91.1842 > web.visp.ashosting.nl.http: S
|1312751616:1312751616(0) win 16384
|01:12:15.916105 201.93.38.89.1326 > web.visp.ashosting.nl.http: S
|1620377600:1620377600(0) win 16384
|
|The 201.x.x.x is NOT from my local network. That would mean that
|web.visp.ashosting.nl is being hosted on my network (weird!!) ???? This
|name doesn't resolve to any IP address either. How do I block this? I
|tried blocking 201.93.0.0/16 but then the traffic started coming from
|195.x.x.x
|
|Help!!!!!!


- Marcelo
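
An added example, not part of either message: a small triage script that rejoins the mail-wrapped tcpdump records quoted above, keeps the SYN-without-ACK ones, and reports per destination which sources fall outside the network that is allowed to use the router as a gateway. The names `unwrap` and `syn_summary`, the internal network 192.168.1.0/24 and the last sample line are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Old-style tcpdump record: "time src.port > dst.port: flags seq [ack N] win N".
# Only numeric IPv4 sources match; capture with "tcpdump -n" to keep them numeric.
STAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
RECORD = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.\S+ > (\S+)\.\S+: (\S+)(.*)$")

def unwrap(text):
    """Drop mail quote markers and rejoin records wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        line = line.strip().lstrip("|>").strip()
        if STAMP.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def syn_summary(text, internal_net):
    """Per destination: bare-SYN count, sources, source /16s, external sources."""
    inside = ipaddress.ip_network(internal_net)
    stats = defaultdict(lambda: {"syn": 0, "sources": set(), "nets": set(), "external": set()})
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m or m.group(3) != "S" or " ack " in m.group(4):
            continue                      # keep SYN without ACK only
        ip = ipaddress.ip_address(m.group(1))
        s = stats[m.group(2)]
        s["syn"] += 1
        s["sources"].add(str(ip))
        s["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        if ip not in inside:              # not a client this gateway should serve
            s["external"].add(str(ip))
    return dict(stats)

# Three records as quoted in the post, then one constructed internal client.
SAMPLE = """\
|01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S
|1396310016:1396310016(0) win 16384
|01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http:
|S 1656750080:1656750080(0) win 16384
|01:12:15.896286 201.93.37.131.timbuktu-srv3 >
|web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
|01:12:15.920000 192.168.1.10.3456 > web.visp.ashosting.nl.http: S 1:1(0) win 16384
"""

print(syn_summary(SAMPLE, "192.168.1.0/24"))
```

A destination whose `external` set keeps growing while no ACKs are seen is the pattern the reply describes; the `nets` set shows why blocking a single /16 only moves the traffic to another range.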



