Security Incidents mailing list archives

Is this traffic normal?


From: Archi2K Archi2K <archi2k () ALTERN ORG>
Date: Tue, 6 Mar 2001 10:37:51 +0100

Hi,
Strange packets are reaching my fw box, all coming from the same domain name but from lots of different IPs (probably 20 or more).
This box acts as a firewall and forwards TCP/80 and TCP/443 packets to a simple Apache web server.


All these packets look like the following ones:

TCP Port 18245 -> 21536
or
TCP Port 32808 -> 259
or
TCP Port 5635 -> 0
or
TCP Port 65535 -> 65535

What do I have to do? Do you think I have to contact the domain name owner?
Any help would be appreciated.


a2k,,

@

Mar 4 13:02:35 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=223 S=0x00 I=3344 F=0x4000 T=56
Mar 4 13:02:39 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=394 S=0x00 I=7952 F=0x4000 T=56 SYN
Mar 4 13:02:39 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=393 S=0x00 I=8464 F=0x4000 T=56 SYN
Mar 4 13:02:46 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=423 S=0x00 I=35344 F=0x4000 T=56
Mar 4 13:02:46 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=404 S=0x00 I=35856 F=0x4000 T=56
Mar 4 13:02:46 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=404 S=0x00 I=36112 F=0x4000 T=56
Mar 4 13:02:46 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=405 S=0x00 I=36368 F=0x4000 T=56
Mar 4 13:02:46 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=406 S=0x00 I=36624 F=0x4000 T=56
Mar 4 13:02:47 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.76.31:18245 AAA.BBB.CCC.DDD:21536 L=403 S=0x00 I=36880 F=0x4000 T=56


Another IP from the same domain

Mar  5 20:28:41 my kernel: Packet log: inet-if DENY eth0 PROTO=6 212.232.26.211:18245 AAA.BBB.CCC.DDD:21536 L=468 S=0x00 I=30213 F=0x4000 T=120


Other kinds of packets, from the same box

Mar  5 20:28:46 my kernel: Packet log: inet-if DENY eth0 PROTO=6 212.232.26.211:32808 AAA.BBB.CCC.DDD:259 L=62 S=0x00 I=41221 F=0x4000 T=120 SYN
Mar  5 20:28:51 my kernel: Packet log: inet-if DENY eth0 PROTO=6 212.232.26.211:5635 AAA.BBB.CCC.DDD:0 L=106 S=0x00 I=45829 F=0x4000 T=120
Mar  5 20:28:56 my kernel: Packet log: inet-if DENY eth0 PROTO=6 212.232.26.211:5635 AAA.BBB.CCC.DDD:0 L=106 S=0x00 I=51461 F=0x4000 T=120
Mar  5 20:28:56 my kernel: Packet log: inet-if DENY eth0 PROTO=6 212.232.26.211:5635 AAA.BBB.CCC.DDD:0 L=106 S=0x00 I=52485 F=0x4000 T=120

Other boxes, same src & dst ports

Mar  5 20:30:19 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.123.76:65535 AAA.BBB.CCC.DDD:65535 L=20 S=0x00 I=2054 F=0x4000 T=120
Mar  5 21:39:26 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:18245 AAA.BBB.CCC.DDD:21536 L=339 S=0x00 I=23040 F=0x4000 T=120
Mar  5 21:39:30 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:18245 AAA.BBB.CCC.DDD:21536 L=306 S=0x00 I=27392 F=0x4000 T=120 SYN
Mar  5 21:39:38 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:18245 AAA.BBB.CCC.DDD:21536 L=317 S=0x00 I=58368 F=0x4000 T=120
Mar  5 21:40:14 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:32835 AAA.BBB.CCC.DDD:259 L=89 S=0x00 I=43521 F=0x4000 T=120
Mar  5 21:40:21 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:5635 AAA.BBB.CCC.DDD:0 L=116 S=0x00 I=47105 F=0x4000 T=120
Mar  5 21:40:26 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:5635 AAA.BBB.CCC.DDD:0 L=116 S=0x00 I=50689 F=0x4000 T=120
Mar  5 21:40:32 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:5635 AAA.BBB.CCC.DDD:0 L=116 S=0x00 I=56065 F=0x4000 T=120
Mar  5 21:40:32 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:5635 AAA.BBB.CCC.DDD:0 L=116 S=0x00 I=56833 F=0x4000 T=120
Mar  5 21:40:36 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:5635 AAA.BBB.CCC.DDD:0 L=116 S=0x00 I=3074 F=0x4000 T=120
Mar  5 21:40:40 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:5635 AAA.BBB.CCC.DDD:0 L=116 S=0x00 I=6146 F=0x4000 T=120
Mar  5 21:40:40 my kernel: Packet log: inet-if DENY eth0 PROTO=6 195.242.104.140:5635 AAA.BBB.CCC.DDD:0 L=116 S=0x00 I=6914 F=0x4000 T=120

