I think my setup is fairly standard: a Linux box connected to a router (Linksys BEFSR41) connected to a cable modem connected to a Comcast cable. The router is set up to forward SSH and nothing else. The Linux box has a firewall that drops some packets silently but logs others. I'd like to understand these entries in my syslog:

vanzandt:/var/log# grep Drop syslog|tail -6
Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF PROTO=UDP SPT=53 DPT=56639 LEN=58
Sep 12 20:19:34 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=80 TOS=0x00 PREC=0x00 TTL=242 ID=29685 DF PROTO=UDP SPT=53 DPT=56758 LEN=60
Sep 12 20:19:38 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=81 TOS=0x00 PREC=0x00 TTL=242 ID=44989 DF PROTO=UDP SPT=53 DPT=56759 LEN=61
Sep 12 20:39:11 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=46535 DF PROTO=UDP SPT=53 DPT=60321 LEN=59
Sep 12 20:59:30 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=26430 DF PROTO=UDP SPT=53 DPT=60479 LEN=59
Sep 12 21:19:39 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=81 TOS=0x00 PREC=0x00 TTL=242 ID=59248 DF PROTO=UDP SPT=53 DPT=60515 LEN=61

The packets are coming from 204.127.204.8, which is one of the Comcast domain name servers:

vanzandt:~$ host 204.127.204.8
Name: ns13.attbi.com
Address: 204.127.204.8

First, why should their server send UDP packets to various high-numbered ports on my machine?
Second, how are those packets getting through my router? If their server is a Windows box, maybe it's been compromised. I suppose I *could* run nmap against it just to identify it. They might think that unfriendly, though. - Jim Van Zandt
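As an added example (not part of Jim's post), here is a small Python triage script that parses iptables LOG lines of the form quoted above and groups them by source address and by what the packet looks like, so that a run of "UDP from port 53 to ephemeral ports" stands out from, say, inbound TCP SYNs. It reuses three of the lines from the post and adds one constructed TCP line (documentation address 198.51.100.7) to show a second class; the resolver set and category names are my own choices.

```python
import re
from collections import Counter

# Sample input: first three lines quoted from the post, fourth line constructed
# (198.51.100.7 is an RFC 5737 documentation address) to show a non-DNS drop.
SAMPLE_LOG = """\
Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF PROTO=UDP SPT=53 DPT=56639 LEN=58
Sep 12 20:19:34 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=80 TOS=0x00 PREC=0x00 TTL=242 ID=29685 DF PROTO=UDP SPT=53 DPT=56758 LEN=60
Sep 12 20:39:11 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8 DST=192.168.1.102 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=46535 DF PROTO=UDP SPT=53 DPT=60321 LEN=59
Sep 12 21:02:07 vanzandt kernel: Dropping packet: IN=eth0 OUT= MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=198.51.100.7 DST=192.168.1.102 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, then the "Dropping packet:" log prefix used in the post
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Dropping packet: (?P<rest>.*)$")

def parse_line(line):
    """Return a dict of the LOG fields, or None if the line is not a drop entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "flags": []}
    for tok in m["rest"].split():
        key, eq, val = tok.partition("=")
        if eq:
            entry.setdefault(key, val)  # first LEN is the IP length, second the UDP length
        else:
            entry["flags"].append(tok)   # bare tokens such as DF, SYN, ACK
    return entry

def classify(entry, known_resolvers):
    """Label a dropped packet by its shape; this is triage input, not a verdict."""
    proto = entry.get("PROTO")
    spt, dpt = int(entry.get("SPT", 0)), int(entry.get("DPT", 0))
    if proto == "UDP" and spt == 53 and dpt >= 1024:
        # Source port 53 to an ephemeral port is the shape of a DNS reply; whether this
        # host (or the router, via NAT) actually asked is what a capture has to settle.
        if entry.get("SRC") in known_resolvers:
            return "dns-reply-shape/known-resolver"
        return "dns-reply-shape/unknown-source"
    if proto == "TCP" and "SYN" in entry["flags"] and "ACK" not in entry["flags"]:
        return "tcp-syn/inbound-connect-attempt"
    return "other"

def summarize(log_text, known_resolvers):
    """Count (SRC, category) pairs so the dominant pattern is visible at a glance."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[(entry.get("SRC"), classify(entry, known_resolvers))] += 1
    return counts
```

Run it over a real syslog with `summarize(open("/var/log/syslog").read(), {"<your resolver IPs>"})` and print `most_common()`; a resolver that dominates the "dns-reply-shape" bucket is worth comparing against the box's own outbound DNS queries before assuming anything about the remote server.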