Re: ipchains log
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid) Date: 03/26/02
- Next message: ck: "./chrootkit output"
- Previous message: RainbowHat: "Re: newB logging martians"
- In reply to: David K. Means: "Re: ipchains log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Tue, 26 Mar 2002 10:38:34 +0000 (UTC)
David K. Means wrote:
>On Mon, 25 Mar 2002 14:14:53 -0800, Dankin wrote:
>
>> Mar 25 17:50:24 sluis-van kernel: Packet log:
>> ppp-in DENY ppp0 PROTO=6 216.190.255.225:2283 62.212.97.194:25
>> L=48 S=0x00 I=14162 F=0x4000 T=111 SYN (#64)
50:27 I=14547 (3 seconds later)
50:28 I=14825 (1 second later)
50:31 I=15307 (3 seconds later)
50:37 I=16228 (6 seconds later)
>Each of these is an attempt to connect to your mail-server; each is
>failing because of rule #64 in your chain named ppp-in. The lines
>explain that the packet was DENYed on interface ppp0. The protocol
>was TCP (you can look it up in /etc/protocols), it was from
>some high-numbered port on 216.190.255.225, and your address is
>62.212.97.194. I can tell that it was mail by looking up port 25
>in /etc/services. The rest of the report line describes other fields
>in the TCP header; mostly you can ignore them, until the last: SYN
>is a flag that is set on a TCP packet that attempts to initiate a
>connection.
And F=0x4000 means the DF (Don't Fragment) flag is set. According to DF and
T=111, perhaps 216.190.255.225 is Windoze 95 to 2000 (this means Windoze
has not evolved its TCP/IP stack so much), Linux 2.2.13,
BorderManager 3.5, NetWare 4.11 or DEC OSF/1 4.0. 216.190.255.225 is
located 17 hops away from your logging box if it was not spoofed.
The source IP 216.190.255.225 is a broadcast address, but the protocol is not
ICMP nor UDP, just TCP. And this is not the destination, just the source. A
broadcast using TCP doesn't make any sense. Any suggestions?
<!-- If you think this is a crap, please ignore this part. -->
<perhaps>
My hypothesis is that 216.190.255.225 is a spoofed amplifier address.
OP just dropped it, so no problem (you were lucky). If there is a port 25
mail service, it responds SYN-ACK to the broadcast address and the 216.190
routers broadcast it. The next sequence depends on each individual box's
settings. Rejecting boxes respond with ICMP to 62.212.97.194. Boxes that are not
firewalled and have no service on port 2283 respond with TCP RST to 62.212.97.194.
This would be a DDoS attack. I think this attack needs sloppily configured
routers.
If the 62.212.97.194 box rejected these packets, it would respond with ICMP packets
to the broadcast address and the 216.190 routers would broadcast the ICMP.
</perhaps>
216.190.0.0 - 216.190.255.255 Electric Lightwave, Inc.
(NETBLK-ELI-NETBLK99)
216.190.255.128 - 216.190.255.255 Mountain Safety Research
(NETBLK-ELI-D8BEFF80-2622)
http://logi.cc/linux/ipchainsLogAnalyzer.php3
RFC 791
|Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
-- Best Regards, RainbowHat. I support FULL DISCLOSURE. ----+----1----+----2----+----3----+----4----+----5----+----6----+----7
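The field-by-field reading of the ipchains log line given in the quoted reply (chain, target, interface, PROTO looked up in /etc/protocols, src:port and dst:port, L/S/I/F/T, TCP flags, rule number), plus the retry timing and TTL-based hop estimate discussed above, as an added example. This is not code from the thread nor the analyzer linked above. The sample input is constructed: the first line is the one quoted by the OP, and the other four are reconstructed from the timestamps and IP IDs summarised in the reply, with every other field assumed identical. The protocol and service tables are small subsets of /etc/protocols and /etc/services, the year 2002 is assumed for syslog timestamps (which carry no year), and the hop estimate assumes the usual initial TTLs of 32, 64, 128 and 255.

```python
"""Decode ipchains "Packet log:" lines field by field (added example)."""
import re
from datetime import datetime

# Constructed sample input. The first line is the one quoted in the thread;
# the other four are reconstructed from the timestamps and IP IDs summarised
# in the reply, with every other field ASSUMED identical to the first.
SAMPLE_LOG = """\
Mar 25 17:50:24 sluis-van kernel: Packet log: ppp-in DENY ppp0 PROTO=6 216.190.255.225:2283 62.212.97.194:25 L=48 S=0x00 I=14162 F=0x4000 T=111 SYN (#64)
Mar 25 17:50:27 sluis-van kernel: Packet log: ppp-in DENY ppp0 PROTO=6 216.190.255.225:2283 62.212.97.194:25 L=48 S=0x00 I=14547 F=0x4000 T=111 SYN (#64)
Mar 25 17:50:28 sluis-van kernel: Packet log: ppp-in DENY ppp0 PROTO=6 216.190.255.225:2283 62.212.97.194:25 L=48 S=0x00 I=14825 F=0x4000 T=111 SYN (#64)
Mar 25 17:50:31 sluis-van kernel: Packet log: ppp-in DENY ppp0 PROTO=6 216.190.255.225:2283 62.212.97.194:25 L=48 S=0x00 I=15307 F=0x4000 T=111 SYN (#64)
Mar 25 17:50:37 sluis-van kernel: Packet log: ppp-in DENY ppp0 PROTO=6 216.190.255.225:2283 62.212.97.194:25 L=48 S=0x00 I=16228 F=0x4000 T=111 SYN (#64)
"""

LOG_YEAR = 2002  # assumed: syslog timestamps carry no year

# Small subsets of /etc/protocols and /etc/services, enough for this thread.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http"}

# Assumed table of common initial TTLs; the nearest one above the observed
# TTL gives the hop-distance estimate used in the reply (128 - 111 = 17).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# IP header fragment word (RFC 791): flags in the top 3 bits, 13-bit offset.
IP_DF = 0x4000
IP_MF = 0x2000
IP_OFFSET_MASK = 0x1FFF

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Packet log: (?P<chain>\S+) (?P<target>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)


def hops_from_ttl(ttl):
    """Distance estimate: assume the sender started at the nearest common
    initial TTL at or above the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None


def parse_line(line):
    """Return a dict of typed fields for one ipchains log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)
    ttl = int(d["ttl"])
    proto_num = int(d["proto"])
    stamp = f"{d['month']} {d['day']} {d['time']} {LOG_YEAR}"
    return {
        "time": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
        "host": d["host"], "chain": d["chain"], "target": d["target"],
        "iface": d["iface"],
        "proto": PROTOCOLS.get(proto_num, str(proto_num)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]), "tos": int(d["tos"], 16), "id": int(d["id"]),
        "df": bool(frag & IP_DF),           # F=0x4000 -> Don't Fragment
        "mf": bool(frag & IP_MF),           # More Fragments
        "frag_offset": frag & IP_OFFSET_MASK,
        "ttl": ttl, "hops": hops_from_ttl(ttl),
        "tcp_flags": d["flags"].split(),    # e.g. ["SYN"]
        "rule": int(d["rule"]),             # (#64) -> rule 64 in the chain
    }


def summarize(log_text):
    """Correlate repeated attempts: what was denied, by which rule, how far
    away the sender looks, and the gaps between retries (seconds, IP IDs)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["time"])
    first = entries[0]
    pairs = list(zip(entries, entries[1:]))
    return {
        "attempts": len(entries),
        "src": first["src"], "dst": first["dst"],
        "service": SERVICES.get(first["dport"], str(first["dport"])),
        "chain": first["chain"], "rule": first["rule"],
        "df": first["df"], "ttl": first["ttl"], "hops": first["hops"],
        "syn_only": all(e["tcp_flags"] == ["SYN"] for e in entries),
        "retry_gaps": [int((b["time"] - a["time"]).total_seconds()) for a, b in pairs],
        "id_gaps": [b["id"] - a["id"] for a, b in pairs],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:>11}: {value}")
```

The interesting outputs for the thread's line are df=True, hops=17 (128 minus 111), syn_only=True, retry gaps of 3, 1, 3 and 6 seconds, and IP ID increments of a few hundred per retry; a pure SYN retransmission pattern with the source's IP ID still climbing between attempts is consistent with a real host retrying a connection, which is one more thing to weigh against the spoofing hypothesis.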