> Date: Tue, 26 Mar 2002 21:10:23 -0800
> From: William L. Thomson Jr. <[EMAIL PROTECTED]>

> We used to be colo'ed, but now we have a couple SDSL lines and a pair of
> Netopia routers. I have been considering getting a Cisco PIX or
> something to inspect packets and etc. that could most likely assist in
> this situation. I will have to look into that. At the moment due to the

A PIX would work. As would a <insert favorite flavor of> *ix box. I
rather like the latter. But, then, I like tinkering.

> limited space on the Netopia routers I am blocking them out from the XTR
> using ipchains on the XTR.
>
> I have not had a problem on any other machines, but this XTR is the only
> one that runs a web server publicly.

Okay.

> No I am running NAT or PAT to be specific. So they are not local
> machines, definitely remote.

Now I'm confused. These packets are being sent to 192.168.1.x on the
local host... were those IPs changed, or how are those bound? Something
is sending to your MAC address. How does it know to send 192.168.1.x to
you?

A. You used 192.168.1.x for public view, and that's not the real netblock
   used by the machine
B. Your router translates public <--> 192.168.1.x
C. It has to be something that can directly specify the MAC address,
   which means it CANNOT cross a router, because that subnet will NOT be
   routed by any competent provider.

> > If you are running a firewall, I almost have to wonder... might
> > there be a problem with something such as ECN blocking legitimate
> > requests? Might the heavy hitters be proxy caches?
>
> I do not think so, but I may have to look into that.

I, too, rather doubt it, but it's possible. It could be that the other
end has a firewall that gags on ECN.

> Yes, and it is not normal web traffic because my apache logs do not show
> the IP's.

The three-way handshake was never completed. I don't believe Apache sees
the connection until the socket is CONNECTED. I'd need to check this to
be absolutely positive, but I'm pretty sure.
> If someone is using port 854 on the other end, then maybe they
> have root access, and know what they are doing?

Either that or some service running as root is really pounding away.
I've noticed at home that Squid will send several requests when Apache
bombs... I do a fair amount of hacking Apache, and do slip in some bad
code (read: segfaults) now and then... Squid keeps trying, and I end up
with a handful of console messages complaining that httpd bombed.

> Scratch that, after rescanning, all responded and I have records of the
> scans.
>
> Each is not your average user. Each has some sort of firewall.

I'll take your word. So far it looks like you've been quite thorough.

> It sure seems like it. From a variety of IP's so I am not too sure if
> it's one person using one of his platoons on me.

Also possible.

> Some of the more recent ones have had DNS records. One was
> cruel.and.passively.rotted.org 65.116.181.236

Interesting. Sounds a bit odd for a coincidence.

> I am still a little skeptical, but at least I know I am not blocking out
> the average surfer with broadband and a mouse. :)

:-)

Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
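The thread's central point, that a connection Apache never logs is one whose three-way handshake never completed, and that a source port below 1024 hints at a root-owned peer, can be checked directly against a packet capture. The script below is an added example, not code posted by either participant. It replays a constructed capture (the packet records and the XTR's assumed private address 192.168.1.10 behind the Netopia NAT are made up for illustration) and tracks each TCP flow's handshake state, separating the clients accept() would have handed to Apache from the ones only ipchains ever saw:

```python
"""Which probing sources does a packet filter see that the web server never logs?

Replays a constructed capture against the web host's NAT'd private address
and tracks each TCP flow's three-way handshake. Only flows that reach
"established" are returned by accept(), so a SYN that is dropped, or answered
with SYN/ACK and then reset (a half-open scan), appears in the ipchains log
but never in Apache's access_log.
"""
from collections import Counter

# Assumed for the example: the XTR's private address behind the Netopia NAT.
SERVER = "192.168.1.10"

# Constructed packet records: (src, sport, dst, dport, TCP flags).
# Flag letters follow tcpdump: S=SYN, A=ACK, R=RST.
CAPTURE = [
    # Ordinary visitor: full handshake, Apache will log this client.
    ("203.0.113.5", 40001, SERVER, 80, "S"),
    (SERVER, 80, "203.0.113.5", 40001, "SA"),
    ("203.0.113.5", 40001, SERVER, 80, "A"),
    # Half-open probe from a privileged source port: SYN, SYN/ACK, then RST.
    ("198.51.100.7", 854, SERVER, 80, "S"),
    (SERVER, 80, "198.51.100.7", 854, "SA"),
    ("198.51.100.7", 854, SERVER, 80, "R"),
    # SYN to a port ipchains drops: no reply at all.
    ("198.51.100.7", 854, SERVER, 443, "S"),
    # Lone SYN that never follows up.
    ("192.0.2.9", 3333, SERVER, 80, "S"),
]


def flow_states(capture, server):
    """Map (client, client_port, server_port) -> handshake state.

    syn_sent -> syn_received -> established; a RST before "established"
    tags the state with "/reset". Only "established" flows reach accept().
    """
    states = {}
    for src, sport, dst, dport, flags in capture:
        if dst == server:                      # client -> server
            key = (src, sport, dport)
            cur = states.get(key)
            if "S" in flags and "A" not in flags:
                states[key] = "syn_sent"
            elif "R" in flags and cur not in (None, "established"):
                states[key] = cur + "/reset"
            elif "A" in flags and cur == "syn_received":
                states[key] = "established"
        elif src == server:                    # server -> client
            key = (dst, dport, sport)
            cur = states.get(key)
            if "S" in flags and "A" in flags and cur == "syn_sent":
                states[key] = "syn_received"
            elif "R" in flags and cur not in (None, "established"):
                states[key] = cur + "/reset"
    return states


def established_sources(capture, server):
    """Clients Apache actually saw: the handshake completed."""
    return sorted({c for (c, _, _), st in flow_states(capture, server).items()
                   if st == "established"})


def unlogged_sources(capture, server):
    """Clients with at least one flow that never completed: filter-only visibility."""
    return sorted({c for (c, _, _), st in flow_states(capture, server).items()
                   if st != "established"})


def privileged_source_ports(capture, server):
    """Client source ports below 1024; binding one needs root on a Unix peer."""
    return sorted({(src, sport) for src, sport, dst, _, _ in capture
                   if dst == server and sport < 1024})


def unanswered_syn_counts(capture, server):
    """Per-client count of flows stuck at syn_sent (SYNs that got no SYN/ACK)."""
    return Counter(c for (c, _, _), st in flow_states(capture, server).items()
                   if st == "syn_sent")


if __name__ == "__main__":
    for key, st in sorted(flow_states(CAPTURE, SERVER).items()):
        print(f"{key[0]}:{key[1]} -> :{key[2]}  {st}")
    print("seen by Apache:", established_sources(CAPTURE, SERVER))
    print("filter-only:   ", unlogged_sources(CAPTURE, SERVER))
    print("priv. ports:   ", privileged_source_ports(CAPTURE, SERVER))
```

On a real box the records would come from tcpdump or the ipchains kernel log rather than a list; the state machine is the same. A client that shows up only under "filter-only" with a source port below 1024 is exactly the pattern discussed above: a root-owned scanner, not a browser, and nothing Apache could ever have logged.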