Re: constant barrage from rfc 1918 addresses source port 6293

2008-04-14 Thread Chris Smith
I did find the following thread - users with the same problem:

http://www.globalaffairs.org/forum//showthread.php?t=51413

However, not really any resolution.

-- 
Chris



Re: constant barrage from rfc 1918 addresses source port 6293

2008-04-14 Thread Chris Smith
On Monday 14 April 2008, Chris Smith wrote:
> I took a tcpdump and they are all TCP RST packets.
>
> Further investigation shows that the destination ports match state
> entries of gmail pop3s connections. I do use fetchmail on my server
> to fetch my Google hosted email via pop3s. But why would TCP RST
> packets be sent from these rfc1918 addresses?

Also have since verified that if I stop my fetchmail service the TCP RST 
packets from 172.21.x.y stop as well. When I start fetchmail back up 
the TCP RST packets return.

-- 
Chris



Re: constant barrage from rfc 1918 addresses source port 6293

2008-04-14 Thread Chris Smith
On Thursday 10 April 2008, Lord Sporkton wrote:
> It is possible that it's not really meant for you, but perhaps your
> modem, something along the lines of a modem checkin?

I took a tcpdump and they are all TCP RST packets.

Further investigation shows that the destination ports match state 
entries of gmail pop3s connections. I do use fetchmail on my server to 
fetch my Google hosted email via pop3s. But why would TCP RST packets 
be sent from these rfc1918 addresses?

-- 
Chris
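
The check described above (blocked packets whose destination ports match existing pop3s state entries), as an added example that is not part of the original thread. The log lines are copied from the post; the state lines are constructed in the style of `pfctl -ss` output, and 192.0.2.10 and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# pflog lines copied from the post, each re-joined onto one line.
# "[|tcp]" means the TCP header was truncated, so flags are not visible here.
PFLOG = """\
Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1: 172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1: 172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1: 172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1: 172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
"""
# Constructed state lines in the style of `pfctl -ss`; 192.0.2.10 is a placeholder.
STATES = """\
all tcp 68.61.77.3:50716 -> 192.0.2.10:995       ESTABLISHED:ESTABLISHED
all tcp 68.61.77.3:54518 -> 192.0.2.10:995       ESTABLISHED:ESTABLISHED
all tcp 68.61.77.3:22 <- 198.51.100.7:40000       ESTABLISHED:ESTABLISHED
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP = r"(\d+\.\d+\.\d+\.\d+)"
# \s+ after the interface also accepts the mail-wrapped two-line form.
LOG_RE = re.compile(
    rf"rule (\d+)/\(match\) block in on (\S+):\s+{IP}\.(\d+) > {IP}\.(\d+):")
STATE_RE = re.compile(rf"{IP}:(\d+) -> {IP}:(\d+)")

def parse_pflog(text):
    """Return one dict per blocked inbound packet."""
    return [{"rule": int(m[1]), "src": ipaddress.ip_address(m[3]),
             "sport": int(m[4]), "dport": int(m[6])}
            for m in LOG_RE.finditer(text)]

def outbound_states(text):
    """Map local source port -> (remote IP, remote port) for outbound states."""
    return {int(m[2]): (m[3], int(m[4])) for m in STATE_RE.finditer(text)}

def correlate(pflog, states):
    """Tag each blocked packet with RFC 1918 membership and any matching state."""
    table = outbound_states(states)
    return [{**ev, "rfc1918": any(ev["src"] in n for n in RFC1918),
             "state": table.get(ev["dport"])} for ev in parse_pflog(pflog)]

def summarize(report):
    """Count blocked packets, RFC 1918 sources, source ports and pop3s matches."""
    return {"blocked": len(report),
            "rfc1918": sum(r["rfc1918"] for r in report),
            "src_ports": Counter(r["sport"] for r in report),
            "pop3s_hits": sum(1 for r in report
                              if r["state"] and r["state"][1] == 995)}

if __name__ == "__main__":
    print(summarize(correlate(PFLOG, STATES)))
```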



Re: constant barrage from rfc 1918 addresses source port 6293

2008-04-10 Thread Lord Sporkton
On 10/04/2008, Chris Smith <[EMAIL PROTECTED]> wrote:
> I block and log rfc 1918 connection attempts and am seeing the following
>  in pflog continuously ad nauseam:
>
>  Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
>  172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
>  172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
>  172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
>  172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1:
>  172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20]
>  Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1:
>  172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1:
>  172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20]
>
>  The source IP addresses do repeat (but not in a specific order) and the
>  source port remains constant at 6293.
>
>  As these addresses (AFAIK) aren't generally routed I'm wondering about
>  their source.
>
>  Possibly all spoofed, but as I'm using cable service, they could also be
>  from a system on the local shared subnet. Another thought is that the
>  ISP (Comcast) is using and routing them for their own purposes (VOIP
>  service, etc.). Any ideas?
>
>  Thanks.
>
>  --
>
> Chris
>
>

I would highly doubt that you are seeing internal traffic from your
ISP. Whatever it is, it's pointing directly at you; it's not just stray
traffic that's passing on your link. I would suggest contacting your
ISP concerning this; they may be able to track it and/or prevent it.

It is possible that it's not really meant for you, but perhaps your
modem, something along the lines of a modem checkin? Hypothetically
speaking, if your modem was trying to "report home" sourcing from your
public IP but the public IP was actually assigned on your router, you
could see return traffic from your modem "report home" <-- that is of
course a stretch and highly unlikely. Any ISP that set up something
like that would be retarded beyond the capability of their sales team.

-- 
-Lawrence



constant barrage from rfc 1918 addresses source port 6293

2008-04-10 Thread Chris Smith
I block and log rfc 1918 connection attempts and am seeing the following 
in pflog continuously ad nauseam:

Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1:
172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20]
Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1:
172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20]
Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1:
172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20]

The source IP addresses do repeat (but not in a specific order) and the 
source port remains constant at 6293.

As these addresses (AFAIK) aren't generally routed I'm wondering about 
their source.

Possibly all spoofed, but as I'm using cable service, they could also be 
from a system on the local shared subnet. Another thought is that the 
ISP (Comcast) is using and routing them for their own purposes (VOIP 
service, etc.). Any ideas?

Thanks.

-- 
Chris