Re: strange outgoing smpppd SYN packets
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/24/05
Date: Wed, 23 Nov 2005 21:53:46 -0600
On Wed, 23 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<dm2jlq$b50$1@news.hispeed.ch>, EricT wrote:
>Moe Trin wrote:
>> EricT wrote:
>>>Nov 22 21:45:45 fw kernel: TCP-DROP: IN= OUT=eth0 SRC=80.xxx.xxx.xxx
>>>DST=80.xxx.xxx.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4295 DF PROTO=TCP
>>>SPT=61513 DPT=3185 WINDOW=5840 RES=0x00 SYN URGP=0
That bugs me, because I've seen this one before, and I can't find any
old references in my notes.
>> And a source of >60k suggests IP Masquerading.
>absolutely correct.
>> Security by obscurity - make sure your firewall is properly configured
>> instead of worrying about this.
>
>... learned it already in this thread.
That's OK - a lot of people aren't aware of it. You are now.
>Actually I kept on investigating in this matter and realized that the
>destination address should be the ISP-router.
OK, that figures.
>What I don't get is, why are SYN packets sent to the router after the
>IP has already been assigned to the external interface.
Yeah, and if you hit google, the results are very sparse.
Results 1 - 10 of 15 for SuSE 3185 TCP. (1.47 seconds)
and several of those are just copies of port lists.
>Also, these packets will be caught only right after KDE login for about
>2 minutes. Then there is no recurrence anymore the whole KDE session. It
>is reproducible by re-logging in.
That's where I am also having problems. I remember this problem from
roughly SuSE 8.0 as we had a user who was using that, and those packets
caught someone's eye on our net. We resolved it - it _is_ a setup thing
in SuSE, but I can't remember what the heck it was.
OK, search on google instead of google groups - and found a hit there, but
no answer.
/sbin/chkconfig smpppd is turned off
Does that match?
The SuSE Meta PPP Daemon is the back-end for kinternet. It is required
for modem, ISDN, and DSL connections.
So make sure you have this package installed.
That's another hit.
I'm sorry, but I'm really not having much more luck. I just did a recursive
zgrep for 3185 on my archive server and find nothing further. My best
suggestion at this point would be to read the documentation on the smpppd
package, and if that doesn't hit the answer, try posting to the SuSE
newsgroup. There is also a SuSE mailing list that I'm aware of, but as
I don't use SuSE, I don't have the appropriate address.
>Is there a way to find the process belonging to these packets? I tried
>tcpdump -vvv but I don't find any useful information about the
>requesting process.
My _guess_ is that it's something triggered by kinternet. The process is
almost certainly smpppd. If I couldn't find an answer on a SuSE newsgroup
or mailing list, I'd brute force it by grepping for 'smpppd' and '3185' in
/etc/ and below.
Hope this helps,
Old guy
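
The log format quoted in this thread can be summarized to confirm which destination and port the outgoing SYNs target and how long each burst lasts (the thread mentions about 2 minutes after login). This is an added example, not part of the original post; the sample lines are constructed in the quoted LOG layout, and the function names and the `high_port` parameter are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data: same LOG layout as the line quoted in the post, with
# documentation addresses (192.0.2.x, 198.51.100.x) instead of the masked ones.
_T = ("Nov 22 {t} fw kernel: TCP-DROP: IN={i} OUT={o} SRC={s} DST={d} LEN=44 TOS=0x00 "
      "PREC=0x00 TTL=64 ID=4295 DF PROTO=TCP SPT={sp} DPT={dp} WINDOW=5840 RES=0x00 SYN URGP=0")
SAMPLE_LOG = "\n".join([
    _T.format(t="21:45:45", i="", o="eth0", s="192.0.2.10", d="192.0.2.1", sp=61513, dp=3185),
    _T.format(t="21:46:15", i="", o="eth0", s="192.0.2.10", d="192.0.2.1", sp=61514, dp=3185),
    _T.format(t="21:47:30", i="", o="eth0", s="192.0.2.10", d="192.0.2.1", sp=61515, dp=3185),
    _T.format(t="21:50:02", i="eth0", o="", s="198.51.100.7", d="192.0.2.10", sp=40000, dp=22),
])
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\S+): (.*)$")

def parse_line(line, year=2005):
    """Split one netfilter LOG line into KEY=value fields and bare flags (DF, SYN, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, prefix, rest = m.groups()
    fields, flags = {"prefix": prefix}, set()
    for tok in rest.split():
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.add(tok)
    # syslog timestamps carry no year, so the caller supplies one
    fields["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    fields["flags"] = flags
    return fields

def outbound_syn_bursts(log_text, high_port=60000):
    """Group outbound bare-SYN packets by (DST, DPT) and measure each burst."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        # Outbound as in the quoted line: IN= is empty and OUT= names an interface.
        if not f or f.get("PROTO") != "TCP" or f.get("IN") or not f.get("OUT"):
            continue
        if "SYN" in f["flags"] and "ACK" not in f["flags"]:
            groups[(f["DST"], int(f["DPT"]))].append(f)
    report = {}
    for key, pkts in groups.items():
        times = [p["time"] for p in pkts]
        report[key] = {"count": len(pkts),
                       "span_seconds": int((max(times) - min(times)).total_seconds()),
                       # the post's ">60k" source-port observation, as a heuristic
                       "high_spt": all(int(p["SPT"]) > high_port for p in pkts)}
    return report
```

Calling `outbound_syn_bursts()` on real log text returns one entry per destination and port, so a burst that stops after a couple of minutes shows up as a small `span_seconds`.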