I have found at http://www.cavebear.com/CaveBear/Ethernet/multicast.html that ff:ff:ff:ff:0:30 could be a multicast ethernet address (03-00-FF-FF-FF-FF) for 'All Stations Address'. Is it something commonly used by script kiddies? If I understand correctly, nothing has changed at the router, but somebody connected to the same router is doing bad stuff. Is that right?

What I still don't understand is why I can see this traffic with my iptables rules. Is the traffic exposed (to user-space tools) before entering the iptables processing?

Christophe

On Thu, Jul 04, 2002 at 10:10:48AM -0400, christophe barbé wrote:
> Hi,
>
> I use a simple set of iptables rules for my laptop to reject everything
> from outside using ip_conntrack (from the howto):
>
> # Generated by iptables-save v1.2.6a on Thu Jul 4 09:54:11 2002
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [43965:4118502]
> :block - [0:0]
> -A INPUT -j block
> -A FORWARD -j block
> -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A block -i ! eth0 -m state --state NEW -j ACCEPT
> -A block -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth0:"
> -A block -i ! eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet not from eth0:"
> -A block -j DROP
> COMMIT
> # Completed on Thu Jul 4 09:54:11 2002
>
> I have an ADSL connection and only a hub between my laptop and the
> ADSL modem. Recently something changed, I guess on the router from my
> provider, and now I see unexpected traffic.
>
> I see it with the eth0 monitor in gkrellm and with iftop but not with
> lsof -i.
> I was not expecting this traffic and the pattern seems strange: a
> constant 20kB incoming traffic during a few seconds. So I started
> looking closer. With ethereal I saw that it was a kind of flooding,
> most of the time a lot of SYN packets but also netbios ....
> Each time, neither IP is my computer's.
> For example I see during one of these floods with 'tcpdump -c 2 -e':
>
> tcpdump: listening on eth0
> 10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
> 10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
>
> I am not sure how to interpret 'ff:ff:ff:ff:0:30'. Is it a kind of
> broadcasting at the ethernet level?
>
> Why can I see these packets that are not for me?
>
> Why is this traffic not dropped by netfilter?
>
> It seems to be a misconfiguration of my ISP router, no? I believe it's
> harmless (except for my bandwidth) but I don't understand why I see
> (with gkrellm) this traffic which seems to be rejected before netfilter.
> Is gkrellm using packet information before the iptables processing?
>
> I have tried to set /proc/.../eth0/rp_filter to 0 without any
> difference.
>
> Thanks,
> Christophe
>
> --
> Christophe Barbé
> GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E
>
> Dogs come when they're called;
> cats take a message and get back to you later. --Mary Bly

--
Christophe Barbé
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E

Dogs believe they are human. Cats believe they are God.
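An added example, not from this thread: it parses `tcpdump -e` lines like the two quoted above and classifies each destination MAC by the Ethernet I/G (group) bit, which is how to check whether an address such as ff:ff:ff:ff:0:30 is broadcast, multicast, or a unicast frame meant for another host. The list of local MACs passed in is an assumption.

```python
import re
# tcpdump -e prints unpadded MACs ("0:0:c:c3:a:88"): timestamp, src MAC, dst MAC, type, length, rest.
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+"
    r"(?P<dst>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+"
    r"(?P<type>\S+)\s+(?P<len>\d+):\s*(?P<rest>.*)$"
)
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample input: the two frames quoted in the mail above.
SAMPLE = [
    "10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)",
    "10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)",
]

def normalize_mac(mac):
    """Zero-pad each octet: '0:0:c:c3:a:88' -> '00:00:0c:c3:0a:88'."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def classify_dst(dst, local_macs):
    """Bit 0 of the first octet is the I/G bit: 0 = individual (unicast),
    1 = group (multicast); the all-ones address is the broadcast address."""
    dst = normalize_mac(dst)
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 0x01:
        return "multicast"
    if dst in {normalize_mac(m) for m in local_macs}:
        return "unicast-local"
    return "unicast-foreign"

def parse_line(line):
    """Return the fields of one 'tcpdump -e' line, or None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"], d["dst"], d["len"] = normalize_mac(d["src"]), normalize_mac(d["dst"]), int(d["len"])
    d["syn"] = bool(re.search(r":\s+S\s+\d+:\d+\(0\)", d["rest"]))  # bare TCP SYN
    return d

def summarize(lines, local_macs):
    """Count frames per destination class; anything but 'unicast-local' was not addressed to this host's own MAC."""
    counts = {}
    for line in lines:
        if d := parse_line(line):
            cls = classify_dst(d["dst"], local_macs)
            counts[cls] = counts.get(cls, 0) + 1
    return counts
```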