* a dos?
From: Mike Wright @ 2013-08-27  0:17 UTC (permalink / raw)
  To: netfilter

Hi all,

Don't know if this is the appropriate place to ask so if not please just 
ignore.

There is some unexplained, non-stop traffic that won't go away.

27.50.2.191:80 keeps calling me at 63.192.15.229:4460.

tcpdump shows 2 types of Flags: [S.] and [.], each one's packet numbers 
never change.  Almost all of the packets are type 1.

1)
16:27:05.947510 IP 27.50.2.191.80 > 63.192.15.229.4460: Flags [S.], seq 
777598812, ack 3826171711, win 65535, length 0

2)
16:27:06.100035 IP 27.50.2.191.80 > 63.192.15.229.4460: Flags [.], ack 
1246380345, win 0, length 0

There is nothing listening at 63.192.15.229.

Would any network gurus be willing to explain to me what may be going on 
or provide me insight?

Something puzzling was that the source IP may be related to the DEBOGON 
Project?

I know I can't stop incomers.  Do I just put up with this until it a) 
gets fixed; b) goes away?


Thanks


* Re: a dos?
From: Jon Lewis @ 2013-08-27  0:35 UTC (permalink / raw)
  To: Mike Wright; +Cc: netfilter

On Mon, 26 Aug 2013, Mike Wright wrote:

> Hi all,
>
> Don't know if this is the appropriate place to ask so if not please just 
> ignore.
>
> There is some unexplained, non-stop traffic that won't go away.
>
> 27.50.2.191:80 keeps calling me at 63.192.15.229:4460.
>
> tcpdump shows 2 types of Flags: [S.] and [.], each one's packet numbers never 
> change.  Almost all of the packets are type 1.

The [S.] is likely step 2 of the 3-way handshake in making a TCP 
connection.  If you're not sending syns to 27.50.2.191:80, then perhaps 
someone else is, either as an attack against 27.50.2.191, or because 
they're using your IP space (likely on a private network) and have leaky 
NAT.

> Something puzzling was that the source IP may be related to the DEBOGON 
> Project?

Why do you think that?

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
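
Added example, not part of the original thread: one way to check the explanation above against a capture is to flag every inbound `[S.]` that answers no SYN the local host was seen sending. The function name, the sample list and the `198.51.100.7` handshake lines are assumptions made for this sketch.

```python
import re
from collections import Counter

# tcpdump one-line TCP summary:
#   "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def unsolicited_synacks(lines, local_ip):
    """Count inbound SYN-ACKs to local_ip that match no SYN seen leaving it."""
    syn_sent = set()         # (local_port, remote_ip, remote_port) we sent a SYN for
    unsolicited = Counter()  # (remote_ip, remote_port, local_port) -> packet count
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue         # not an IPv4 TCP summary line
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if flags == "S" and src == local_ip:
            syn_sent.add((sport, dst, dport))
        elif flags == "S." and dst == local_ip:
            if (dport, src, sport) not in syn_sent:
                unsolicited[(src, sport, dport)] += 1
    return unsolicited

# The first two lines are the packets quoted in the original post (unwrapped);
# the remaining lines are constructed for this example.
SAMPLE = [
    "16:27:05.947510 IP 27.50.2.191.80 > 63.192.15.229.4460: Flags [S.], "
    "seq 777598812, ack 3826171711, win 65535, length 0",
    "16:27:06.100035 IP 27.50.2.191.80 > 63.192.15.229.4460: Flags [.], "
    "ack 1246380345, win 0, length 0",
    "16:27:06.200000 IP 63.192.15.229.51000 > 198.51.100.7.443: Flags [S], "
    "seq 1, win 64240, length 0",
    "16:27:06.230000 IP 198.51.100.7.443 > 63.192.15.229.51000: Flags [S.], "
    "seq 9, ack 2, win 65535, length 0",
    "16:27:06.947510 IP 27.50.2.191.80 > 63.192.15.229.4460: Flags [S.], "
    "seq 777598812, ack 3826171711, win 65535, length 0",
]

if __name__ == "__main__":
    hits = unsolicited_synacks(SAMPLE, "63.192.15.229")
    for (src, sport, dport), n in hits.items():
        print(f"{n} unsolicited SYN-ACK(s) from {src}:{sport} to local port {dport}")
```

The capture has to include outbound traffic and start before the handshakes of interest; otherwise replies to legitimate connections are counted as unsolicited.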


* Re: a dos?
From: Mike Wright @ 2013-08-27  1:13 UTC (permalink / raw)
  To: netfilter

08/26/2013 05:35 PM, Jon Lewis wrote:
> On Mon, 26 Aug 2013, Mike Wright wrote:
>
>> Hi all,
>>
>> Don't know if this is the appropriate place to ask so if not please
>> just ignore.
>>
>> There is some unexplained, non-stop traffic that won't go away.
>>
>> 27.50.2.191:80 keeps calling me at 63.192.15.229:4460.
>>
>> tcpdump shows 2 types of Flags: [S.] and [.], each one's packet
>> numbers never change.  Almost all of the packets are type 1.
>

Thanks for your help.

> The [S.] is likely step 2 of the 3-way handshake in making a TCP
> connection.  If you're not sending syns to 27.50.2.191:80, then perhaps
> someone else is, either as an attack against 27.50.2.191, or because
> they're using your IP space (likely on a private network) and have leaky
> NAT.
>
>> Something puzzling was that the source IP may be related to the
>> DEBOGON Project?
>
> Why do you think that?
>

From their whois info:

route:          27.50.0.0/22
descr:          APNIC debogon project testing

