On Friday 20 July 2001 12:55 am, Jack Bowling wrote:
> On Thu, 19 Jul 2001 20:20:47 -0400
> ---------
> # whois 24.241.42.144
> High Speed Access Corp (NETBLK-HSACORP-2BLK) HSACORP-2BLK
> ------------------
> High Speed Access Corp is an ISP situated in Denver, CO. The netblk
> listed is within the home.com network so they are probably licensed
> to use part of the @home cable network. Type 11 Code 0 ICMP packets
> are the "time exceeded" packets used in traceroute. Perhaps somebody
> is trying to see if your box is alive for some reason.
I know who they are. I pay them monthly, as that's my machine. ;)
24-241-42-144.hsacorp.net was just too boring, so through the wonders
of the dyn.dns service:
# host tuxfan.homeip.net
tuxfan.homeip.net. has address 24.241.42.144
What I don't understand is why there are *2* other IPs in the log
message for each packet, or why they are being generated. If it is
someone trying to traceroute to my machine, it's the most cryptic log
message imaginable.
Jul 19 09:30:34 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT=
MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=202.97.33.9
DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=ICMP
TYPE=11 CODE=0 [SRC=24.241.42.144 DST=205.216.80.23 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=6662 DF PROTO=TCP SPT=1202 DPT=1244 WINDOW=0
RES=0x00 URGP=0 ]
listed as the source address in one line is:
# host 202.97.33.9
9.33.97.202.in-addr.arpa. domain name pointer p-13-0-r1-c-bjbj-1.cn.net.
Then further into the message, listed as the destination is:
# host 205.216.80.23
23.80.216.205.in-addr.arpa. domain name pointer gravestone.net.
23.80.216.205.in-addr.arpa. domain name pointer irc.gravestone.net.
Nothing on my end is intentionally trying to connect to either machine.
The fact that one of the listings appears to be an IRC server doesn't
make me feel any better.

Here are a couple more, with different addresses. Makes me wonder what
packets might be getting through, and not logged...
Jul 19 20:44:52 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT=
MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=152.63.84.193
DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=0 PROTO=ICMP
TYPE=3 CODE=1 [SRC=24.241.42.144 DST=209.212.134.35 LEN=48 TOS=0x00
PREC=0x00 TTL=116 ID=47750 DF PROTO=TCP SPT=1235 DPT=1187 WINDOW=0
RES=0x00 URGP=0 ]
Jul 19 20:59:16 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT=
MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=157.130.52.209
DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=0 PROTO=ICMP
TYPE=3 CODE=1 [SRC=24.241.42.144 DST=209.212.128.47 LEN=48 TOS=0x00
PREC=0x00 TTL=122 ID=14980 DF PROTO=TCP SPT=1268 DPT=1241 WINDOW=12332
RES=0x28 URG ACK URGP=0 ]
Thanks,
-D
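
An added example, not part of the original message: in netfilter LOG output for an ICMP error, the fields before the brackets describe the ICMP packet itself, and the bracketed fields are the header of the earlier packet that the ICMP error quotes. The Python below separates the two for log lines in this format; the function names are hypothetical, and the sample lines are copied from the entries above and joined onto one line.

```python
import re

# ICMP error types seen in the log entries above; such errors quote the
# IP header of the packet that triggered them.
ICMP_ERRORS = {(3, 1): "host unreachable", (11, 0): "TTL exceeded in transit"}
FIELD = re.compile(r"(\w+)=(\S*)")

def split_icmp_error(line):
    """Return (outer, inner) field dicts; inner is None without a [...] part."""
    m = re.search(r"\[(.*)\]", line)
    if m is None:
        return dict(FIELD.findall(line)), None
    return dict(FIELD.findall(line[:m.start()])), dict(FIELD.findall(m.group(1)))

def explain(line, local_ip):
    """Summarise who reported the error and which earlier packet it quotes."""
    outer, inner = split_icmp_error(line)
    if outer.get("PROTO") != "ICMP" or inner is None:
        return None
    key = (int(outer["TYPE"]), int(outer["CODE"]))
    return {
        "reporter": outer.get("SRC"),            # router that sent the error
        "reason": ICMP_ERRORS.get(key, "ICMP type %d code %d" % key),
        "quoted_src": inner.get("SRC"),          # sender of the quoted packet
        "quoted_dst": inner.get("DST"),          # where that packet was headed
        "quoted_proto": inner.get("PROTO"),
        "quoted_dport": int(inner["DPT"]) if "DPT" in inner else None,
        "claims_local_origin": inner.get("SRC") == local_ip,
    }

# Two entries copied from the message above, each joined onto one line.
SAMPLES = [
    "Jul 19 09:30:34 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT= "
    "MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=202.97.33.9 "
    "DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=ICMP "
    "TYPE=11 CODE=0 [SRC=24.241.42.144 DST=205.216.80.23 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=1 ID=6662 DF PROTO=TCP SPT=1202 DPT=1244 WINDOW=0 "
    "RES=0x00 URGP=0 ]",
    "Jul 19 20:44:52 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT= "
    "MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=152.63.84.193 "
    "DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=0 PROTO=ICMP "
    "TYPE=3 CODE=1 [SRC=24.241.42.144 DST=209.212.134.35 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=116 ID=47750 DF PROTO=TCP SPT=1235 DPT=1187 WINDOW=0 "
    "RES=0x00 URGP=0 ]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(explain(sample, "24.241.42.144"))
```

The quoted header is supplied by whoever sent the ICMP error, so `claims_local_origin` is a claim to check against local connection records, not proof that the host sent the packet.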