[Dshield] Rejected packets

Lauro, John jlauro at umflint.edu
Wed Jun 19 14:57:13 GMT 2002


Hello,

I started getting reports for the logs submitted to dshield.  I don't
normally reject ICMP, unless to a non-existent subnet, but I can
understand why those might be rejected by dshield...  and I don't mind
some icmp probes, as long as it's not thousands of packets an hour...

However, I am just curious what these other packets are trying to do,
as they appear to be some sort of source routing or something...?
141.216.234.* is not active, so that is probably why the firewall
dropped them.  I haven't seen much traffic like this (and only noticed
it because dshield rejected it), but it is the rare traffic that is
the most curious...


  -> Jun 19 07:24:41 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00
PREC=0x00 TTL=0 ID=44316 PROTO=TCP SPT=80 DPT=3142 WINDOW=0 RES=0x00
URGP=0 ] 

  -> Jun 19 07:24:49 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00
PREC=0x00 TTL=0 ID=24412 PROTO=TCP SPT=80 DPT=3142 WINDOW=30768
RES=0x34 URG ACK URGP=0 ] 

  -> Jun 19 07:25:01 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00
PREC=0x00 TTL=0 ID=62150 PROTO=TCP SPT=80 DPT=3142 WINDOW=1 RES=0x00
URGP=0 ] 

  -> Jun 19 07:25:14 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=40 TOS=0x00
PREC=0x00 TTL=0 ID=57350 PROTO=TCP SPT=80 DPT=3142 WINDOW=28260
RES=0x00 ECE URG FIN URGP=0 ] 
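ICMP type 11 code 0 is Time Exceeded in transit, and the bracketed fields in these netfilter LOG lines are the header of the datagram that expired, which here claims a source on the unused 141.216.234.0/24. The parser below is an added example, not code from the post or from DShield; it splits the outer and embedded headers and flags Time Exceeded errors that quote a source on that unused subnet, since those can only be replies to datagrams the site itself never sent. The sample is the first log entry above, rejoined onto one line; the subnet constant is taken from the poster's description.

```python
import ipaddress
import re

# First entry from the post, rejoined onto one line. iptables LOG output
# places the original (inner) header of an ICMP error between [ and ].
SAMPLE = ("Jun 19 07:24:41 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169 "
          "DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP "
          "TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00 "
          "PREC=0x00 TTL=0 ID=44316 PROTO=TCP SPT=80 DPT=3142 WINDOW=0 RES=0x00 "
          "URGP=0 ]")

# Subnet the poster says is not active: no host there ever sends anything.
INACTIVE = ipaddress.ip_network("141.216.234.0/24")

# KEY=value tokens; bare TCP flag words (URG, ACK, FIN) carry no '=' and are skipped.
KV = re.compile(r"([A-Z]+)=(\S+)")


def parse_netfilter(line):
    """Return (outer, inner) field dicts for one iptables LOG line.
    inner is None when the line carries no embedded header."""
    outer_txt, _, rest = line.partition("[")
    inner_txt = rest.partition("]")[0]
    outer = dict(KV.findall(outer_txt))
    inner = dict(KV.findall(inner_txt)) if inner_txt else None
    return outer, inner


def classify(line):
    """Label a log line by what the ICMP error says about the quoted datagram."""
    outer, inner = parse_netfilter(line)
    if outer.get("PROTO") != "ICMP" or inner is None:
        return "not-icmp-error"
    icmp_type = int(outer["TYPE"])
    # Type 11 = Time Exceeded: some router dropped the datagram quoted in [...].
    if icmp_type != 11:
        return "icmp-error-type-%d" % icmp_type
    claimed_src = ipaddress.ip_address(inner["SRC"])
    if claimed_src in INACTIVE:
        # Nothing on this subnet exists, so the quoted datagram was not ours:
        # the error is backscatter for a packet that used our address as source.
        return "ttl-exceeded-backscatter"
    return "ttl-exceeded-own-traffic"


if __name__ == "__main__":
    outer, inner = parse_netfilter(SAMPLE)
    print(classify(SAMPLE), inner["SRC"], "->", inner["DST"], "dpt", inner["DPT"])
```

Run over a whole firewall log, the backscatter label separates these ICMP errors from probes actually aimed at the site, which is the distinction the DShield rejection hides.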
