On Wed, Oct 26, 2011 at 8:56 PM, Martin T <[email protected]> wrote:
> I have a router interface with IP address 192.168.9.94/27. In
> addition, I have the following static routes in this router:
>
> ip route 192.168.9.112 255.255.255.240 192.168.9.65
> ip route 192.168.20.16 255.255.255.248 192.168.9.65
> ip route 192.168.20.24 255.255.255.248 192.168.9.65
> ip route 192.168.20.112 255.255.255.248 192.168.9.65
> ip route 192.168.2.128 255.255.255.128 192.168.9.65
> ip route 192.168.21.128 255.255.255.128 192.168.9.65
> ip route 10.10.10.0 255.255.255.0 192.168.9.65
>
> As you see, all those point to 192.168.9.65, which is the first usable
> address in the 192.168.9.64/27 network.
>
> Now if I execute:
>
> # flow-cat 2011-10-26/* | flow-filter -f access-list.acl -Dacl | flow-print
>
> ..while "access-list.acl" looks as follows (in other words, I want to
> analyse all the networks associated with this connection):
>
> ip access-list standard acl permit 192.168.9.64 0.0.0.31
> ip access-list standard acl permit 192.168.9.112 0.0.0.15
> ip access-list standard acl permit 192.168.20.16 0.0.0.7
> ip access-list standard acl permit 192.168.20.24 0.0.0.7
> ip access-list standard acl permit 192.168.20.112 0.0.0.7
> ip access-list standard acl permit 192.168.2.128 0.0.0.127
> ip access-list standard acl permit 192.168.21.128 0.0.0.127
> ip access-list standard acl permit 10.10.10.0 0.0.0.255
> ip access-list standard acl deny any
>
> ..then 98% of the lines look like this:
>
> srcIP     dstIP          prot  srcPort  dstPort  octets  packets
> I.I.P.P   192.168.2.196  6     3389     3799     55      1
> I.I.P.P   192.168.2.196  6     3389     4465     40      1
> I.I.P.P   192.168.2.196  6     3389     1940     74      1
> I.I.P.P   192.168.2.196  6     3389     2611     51      1
> I.I.P.P   192.168.2.196  6     3389     2356     141     1
> I.I.P.P   192.168.2.196  6     3389     2111     92      1
> I.I.P.P   192.168.2.196  6     3389     1151     339     1
> I.I.P.P   192.168.2.196  6     3389     2609     55      1
> I.I.P.P   192.168.2.196  6     3389     1386     1500    1
> I.I.P.P   192.168.2.196  6     3389     3133     1480    1
> I.I.P.P   192.168.2.196  6     3389     2684     3000    2
>
> "I.I.P.P" is a random public IP address. 192.168.2.196 is a Windows
> Server 2003. As you can see, almost every connection is to an ephemeral
> port on 192.168.2.196 using the source port 3389. In addition,
> download traffic for the customer is 5x higher than upload traffic.
>
> What might cause such traffic? A virus? If yes, then how does this
> behave? Or have I misunderstood something? If no, then what traffic
> might this be?
http://www.f-secure.com/weblog/archives/00002227.html

--
Paul Halliday
http://www.squertproject.org/
_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
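A note on reading the records quoted above: a flow whose source is a public address on port 3389 and whose destination is 192.168.2.196 on an ephemeral port is the server-to-client half of an RDP session, so the internal host is the one opening connections to many outside RDP servers, not the other way round. The script below is an added example (not code from the post, from Paul's reply, or from the flow-tools project) that parses flow-print style lines and flags any internal host that receives port-3389 replies from many distinct public peers, alongside its inbound and outbound byte totals. The sample records, the documentation-range addresses standing in for "I.I.P.P", the RFC 1918 definition of "internal", and the peer threshold are all assumptions made for the example.

```python
"""Flag internal hosts whose NetFlow records look like outbound RDP scanning.

Added example: parses the text layout shown by flow-print in the post
(srcIP dstIP prot srcPort dstPort octets packets) and reports hosts that
receive replies from TCP/3389 on many distinct public peers.
"""
from collections import defaultdict
import ipaddress

RDP_PORT = 3389
EPHEMERAL_MIN = 1024

# Assumption: "internal" means RFC 1918 space, which matches the
# 192.168.x / 10.x ranges in the post's ACL.  ipaddress.is_private is
# deliberately not used because it also treats the documentation ranges
# below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the flow-print column layout quoted in the post.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for the anonymised public addresses ("I.I.P.P").  It mixes the reply
# pattern from the post with one inbound RDP session to 192.168.2.196 and
# one ordinary HTTPS session from 192.168.2.50 so direction matters.
SAMPLE_FLOWS = """\
srcIP           dstIP           prot srcPort dstPort octets packets
203.0.113.10    192.168.2.196   6    3389    3799    55     1
203.0.113.11    192.168.2.196   6    3389    4465    40     1
203.0.113.12    192.168.2.196   6    3389    1940    74     1
203.0.113.13    192.168.2.196   6    3389    2611    51     1
203.0.113.14    192.168.2.196   6    3389    2356    141    1
203.0.113.15    192.168.2.196   6    3389    1386    1500   1
203.0.113.10    192.168.2.196   6    3389    2684    3000   2
192.168.2.196   203.0.113.10    6    3799    3389    120    2
198.51.100.20   192.168.2.196   6    51234   3389    900    9
192.168.2.196   198.51.100.20   6    3389    51234   4500   8
192.168.2.50    198.51.100.7    6    49152   443     1200   10
198.51.100.7    192.168.2.50    6    443     49152   6000   12
"""


def parse_flows(text):
    """Parse flow-print style lines into dicts; the header line is skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "srcIP":
            continue
        src, dst, proto, sport, dport, octets, packets = parts
        flows.append({
            "src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport),
            "octets": int(octets), "packets": int(packets),
        })
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_scan_candidates(flows, min_peers=5):
    """Return {internal_host: {peers, octets_in, octets_out}} for hosts that
    received TCP/3389 -> ephemeral-port replies from >= min_peers distinct
    public addresses.  Only those reply flows count as peers; inbound RDP to
    the host (external:ephemeral -> internal:3389) does not."""
    stats = defaultdict(lambda: {"peers": set(), "octets_in": 0, "octets_out": 0})
    for f in flows:
        if f["proto"] != 6:          # TCP only
            continue
        src_int, dst_int = is_internal(f["src"]), is_internal(f["dst"])
        if dst_int and not src_int:  # public -> internal
            host = f["dst"]
            stats[host]["octets_in"] += f["octets"]
            if f["sport"] == RDP_PORT and f["dport"] >= EPHEMERAL_MIN:
                stats[host]["peers"].add(f["src"])
        elif src_int and not dst_int:  # internal -> public
            stats[f["src"]]["octets_out"] += f["octets"]
    return {
        host: {"peers": len(s["peers"]),
               "octets_in": s["octets_in"],
               "octets_out": s["octets_out"]}
        for host, s in stats.items() if len(s["peers"]) >= min_peers
    }


if __name__ == "__main__":
    for host, info in rdp_scan_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {info['peers']} distinct RDP peers, "
              f"{info['octets_in']} bytes in, {info['octets_out']} bytes out")
```

To run this against real data, pipe `flow-cat ... | flow-filter ... | flow-print` into a file and pass its contents to `parse_flows`; the threshold `min_peers` is a starting point, and a host that legitimately administers many RDP servers would also trip it, so the peer list is what to review, not the count alone.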
