[EMAIL PROTECTED] wrote:
> 
> Hello list,
> 
> Quick question..
> I have recently been noticing large blocks, like the excerpt below, in
> my logs on one of my nameservers repeating several times per day.
> I am packet filtering on the machine (xxx.xxx.xxx.xxx) to restrict
> traffic from everyone on the internet except those who know about it and
> should be talking to it.
> Do these look like attempts to flood/compromise the server?
> Thanks for any input..
> 
> May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6
> 216.220.39.42:59010 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=245
> (#37)
> May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6
> 216.33.35.214:16982 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=241
> (#37)
> May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6
> 64.37.200.46:28705 xxx.xxx.xxx.xxx:53 L=44 S=0x00 I=0 F=0x0000 T=243
> (#37)

They seem to stem from a load balancer that is spewing out unnecessary
traffic. This issue has been on the Linux Router Project's mailing list
as well; many others from different countries around the world have been
getting these in their logs, with the same IPs showing up. If they're
bugging you, just insert rules for each of them without logging them. You
will notice that the SYN flag isn't set at the end of the rule lines...


-- 
Patrick Benson
Stockholm, Sweden
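
An added example, not part of the original thread: a small parser for ipchains "Packet log" entries like the ones quoted above, which rejoins mail-wrapped lines and tallies denied packets per source, separating entries that carry a SYN marker from those that do not. It assumes the marker is printed as "SYN" just before the rule number; the sample log and its addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log" layout quoted above;
# addresses are documentation ranges, not values from the thread.
SAMPLE = """\
May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6
198.51.100.7:59010 192.0.2.53:53 L=44 S=0x00 I=0 F=0x0000 T=245
(#37)
May  3 08:23:41 ns3 kernel: Packet log: input DENY eth0 PROTO=6
198.51.100.7:16982 192.0.2.53:53 L=44 S=0x00 I=0 F=0x0000 T=241
(#37)
May  3 08:24:02 ns3 kernel: Packet log: input DENY eth0 PROTO=6
203.0.113.9:1044 192.0.2.53:53 L=60 S=0x00 I=5121 F=0x4000 T=52 SYN
(#37)
"""

# Assumption: an optional "SYN " token sits between T=<ttl> and (#rule).
RECORD = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ I=(?P<id>\d+) F=0x[0-9A-Fa-f]+ "
    r"T=(?P<ttl>\d+) (?P<syn>SYN )?\(#(?P<rule>\d+)\)"
)

def parse(text):
    """Rejoin mail-wrapped lines, then yield one dict per logged packet."""
    flat = " ".join(text.split())  # collapses wraps and runs of spaces
    for m in RECORD.finditer(flat):
        rec = m.groupdict()
        rec["syn"] = rec["syn"] is not None
        for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
            rec[k] = int(rec[k])
        yield rec

def summarize(text):
    """Count denied packets per (source, protocol, dst port, SYN?)."""
    return Counter(
        (r["src"], r["proto"], r["dport"], r["syn"]) for r in parse(text)
    )

if __name__ == "__main__":
    for (src, proto, dport, syn), n in summarize(SAMPLE).most_common():
        kind = "SYN marker present" if syn else "no SYN marker"
        print(f"{src:15} proto={proto} dport={dport} x{n}  {kind}")
```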