Re: simple rules and unexpected traffic

["christophe barbé" <christophe.barbe.ml@online.fr>]

[-- Attachment #1: Type: text/plain, Size: 3568 bytes --]

I have found at http://www.cavebear.com/CaveBear/Ethernet/multicast.html
that ff:ff:ff:ff:0:30 could be a multicast ethernet address
(03-00-FF-FF-FF-FF) for 'All Stations Address'.

Is it something commonly used by script kiddies ?

If I undersatnd correctly, nothing has changed at the router, but
somebody connected at the same router is doing bad stuff. Is it right ?

What I still don't understand is why I can see this traffic with my
iptables rules. Is the traffic exposed (to user-space tools) before
entering the iptables processing ?

Christophe

On Thu, Jul 04, 2002 at 10:10:48AM -0400, christophe barbé wrote:
> Hi,
> 
> I use a simple set of iptables rules for my laptop to reject everything
> from outside using ip_conntrack (from the howto) :
> 
> # Generated by iptables-save v1.2.6a on Thu Jul  4 09:54:11 2002
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [43965:4118502]
> :block - [0:0]
> -A INPUT -j block 
> -A FORWARD -j block 
> -A block -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A block -i ! eth0 -m state --state NEW -j ACCEPT 
> -A block -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth0:" 
> -A block -i ! eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet not from eth0:" 
> -A block -j DROP 
> COMMIT
> # Completed on Thu Jul  4 09:54:11 2002
> 
> I have a ADSL connection and only a hub between my laptop and the
> ADSL-modem. Recently something changed, I guess on the router from my
> provider and now I see unexpected traffic.
> 
> I see it with the eth0 monitor in gkrellm and with iftop but not with
> lsof -i.
> I was not expecting this traffic and the pattern seems strange : a
> constant 20kB incoming traffic during a few seconds. So I started
> looking closer. With ethereal I saw that it was a kind of flooding
> most of the time a lot of SYN packet but also netbios ....
> Each time both IPs are not one of my computer. For example I see during
> one of this flooding with 'tcpdump -c 2 -e'
> 
> tcpdump: listening on eth0
> 10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>  
> I am not sure how to interpret 'ff:ff:ff:ff:0:30' is it a kind of
> broadcasting at the ethernet level ?
> 
> Why can I see these packets that are not for me ?
> 
> Why this traffic is not dropped by netfilter ? 
> 
> It seems to be a miss-configuration of my ISP router, no ? I believe it's
> harmless (except for my bandwidth) but I don't understand why I see
> (with gkrellm) this traffic which seems to be rejected before netfilter.
> Is gkrellm using packets information before the iptable processing ?
> 
> I have tried to set /proc/.../eth0/rp_filter to 0 without any
> difference.
> 
> Thanks,
> Christophe
> 
> -- 
> Christophe Barbé <christophe.barbe@ufies.org>
> GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E
> 
> Dogs come when they're called;
> cats take a message and get back to you later. --Mary Bly



-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Dogs believe they are human. Cats believe they are God.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]