odd incoming packets
James R. Van Zandt
jrv at vanzandt.mv.com
Fri Sep 12 21:40:27 EDT 2003
I think my setup is fairly standard: a Linux box connected to a router
(Linksys BEFSR41) connected to a cable modem connected to a Comcast
cable. The router is set up to forward SSH and nothing else. The
Linux box has a firewall that drops some packets silently but logs
others.
I'd like to understand these entries in my syslog:
vanzandt:/var/log# grep Drop syslog|tail -6
Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF
PROTO=UDP SPT=53 DPT=56639 LEN=58
Sep 12 20:19:34 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=80 TOS=0x00 PREC=0x00 TTL=242 ID=29685 DF
PROTO=UDP SPT=53 DPT=56758 LEN=60
Sep 12 20:19:38 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=81 TOS=0x00 PREC=0x00 TTL=242 ID=44989 DF
PROTO=UDP SPT=53 DPT=56759 LEN=61
Sep 12 20:39:11 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=46535 DF
PROTO=UDP SPT=53 DPT=60321 LEN=59
Sep 12 20:59:30 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=26430 DF
PROTO=UDP SPT=53 DPT=60479 LEN=59
Sep 12 21:19:39 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=81 TOS=0x00 PREC=0x00 TTL=242 ID=59248 DF
PROTO=UDP SPT=53 DPT=60515 LEN=61
The packets are coming from 204.127.204.8, which is one of the Comcast
domain name servers:
vanzandt:~$ host 204.127.204.8
Name: ns13.attbi.com
Address: 204.127.204.8
First, why should their server send UDP packets to various
high-numbered ports on my machine?
Second, how are those packets getting through my router?
If their server is a Windows box, maybe it's been compromised. I
suppose I *could* run nmap against it just to identify it. They
might think that unfriendly, though.
- Jim Van Zandt
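The dropped records above all share one shape: UDP from source port 53 to a high-numbered destination port, i.e. the shape of a DNS answer addressed to the ephemeral port a resolver would have sent its query from. Below is an added example, not part of Jim's post, that rejoins the wrapped syslog lines, parses the netfilter LOG fields (including the two LEN values, IP total length and UDP length), and tags each record by that shape so a defender can count them per source and compare them against the host's own outbound queries. The sample is three of the six records quoted in the post; the ephemeral-port threshold and the "dns-reply-shape" label are my assumptions, not anything the post or the kernel defines.

```python
import re
from collections import Counter

# Constructed input: three of the six netfilter LOG records quoted in the
# post above, reproduced as they appear there, wrapped across syslog lines.
SYSLOG_SAMPLE = """\
Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF
PROTO=UDP SPT=53 DPT=56639 LEN=58
Sep 12 20:19:34 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=80 TOS=0x00 PREC=0x00 TTL=242 ID=29685 DF
PROTO=UDP SPT=53 DPT=56758 LEN=60
Sep 12 21:19:39 vanzandt kernel: Dropping packet: IN=eth0 OUT=
MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
DST=192.168.1.102 LEN=81 TOS=0x00 PREC=0x00 TTL=242 ID=59248 DF
PROTO=UDP SPT=53 DPT=60515 LEN=61
"""

# A syslog record starts with "Mon DD HH:MM:SS"; any other line is a wrapped
# continuation of the record before it.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# Assumption: ports at or above this are client-side (ephemeral) ports.
EPHEMERAL_MIN = 1024


def join_wrapped(text):
    """Rejoin records that a mail client or pager wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_record(line):
    """Parse one netfilter LOG line into a dict of its KEY=value fields.

    Bare tokens such as DF are collected under "flags".  LEN occurs twice
    (IP total length, then UDP length); the second one is stored as L4LEN.
    """
    head, _, rest = line.partition(" kernel: ")
    prefix, _, fields = rest.partition(": ")
    rec = {"timestamp": head.rsplit(" ", 1)[0], "prefix": prefix, "flags": []}
    for tok in fields.split():
        key, eq, value = tok.partition("=")
        if not eq:
            rec["flags"].append(key)
        elif key == "LEN" and "LEN" in rec:
            rec["L4LEN"] = int(value)
        else:
            rec[key] = value
    for key in ("LEN", "TTL", "ID", "SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label the packet's shape; these labels are this example's own."""
    if rec.get("PROTO") != "UDP":
        return "other"
    if rec.get("SPT") == 53 and rec.get("DPT", 0) >= EPHEMERAL_MIN:
        return "dns-reply-shape"  # looks like an answer to a query this host sent
    if rec.get("DPT") == 53:
        return "dns-query-shape"
    return "other"


def dns_payload_bytes(rec):
    """UDP length minus the 8-byte UDP header: the size of the DNS message."""
    return rec["L4LEN"] - 8


def summarize(text):
    """Parse every record and count (source, shape) pairs."""
    recs = [parse_record(r) for r in join_wrapped(text)]
    return recs, Counter((r["SRC"], classify(r)) for r in recs)


if __name__ == "__main__":
    recs, by_src = summarize(SYSLOG_SAMPLE)
    for r in recs:
        print(r["timestamp"], r["SRC"], "->", r["DST"], "dpt", r["DPT"],
              classify(r), "dns payload", dns_payload_bytes(r), "bytes")
    for (src, shape), n in by_src.items():
        print(f"{src}: {n} x {shape}")
```

The per-source count is the thing to act on: if every record from a given server is reply-shaped and the host's resolver is configured to use that server, correlating the DPT values against the source ports of recent outbound queries (for example from a packet capture on eth0) shows whether they are answers the stateful rules simply no longer remembered, which is a configuration question rather than a compromise; replies that match no query the host ever sent are what deserve further attention.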