Hiya gang,

I happened to notice last night that my RD light on my modem was goin' ape-crazy, and my TD was only once in a while (maybe every 3 or 4 seconds) blinking, so I knew not much was going 'out'. I couldn't for the life of me remember where to look at logs for the firewall, until just now. This is a sample of what I found:

Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=204.1.226.229 DST=(correct local address) LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1054 WINDOW=8192 RES=0x00 SYN URGP=0

Okay, I checked and the SRC was *not* my ISP's remote address; the DST was correct though, as *my* assigned address at the time (dial-up modem). I counted 'one second' of these, and had 65 instances within one second. The *only* thing changing at each instance during the one second was the DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all over again.

So, what I'd like to ask of anyone who knows is... Starting with 'LEN' and going to 'URGP', what does each of those things mean (I think I understand the 'PROTO', heh)? I tried looking some of them up, but wasn't getting anything clear enough for an 'idiot' to understand. Why would only the 'DPT' change, and why only that range? Is/was this a DDoS? It sure didn't bother me any, since I could start a download or surf the web without any noticeable slowdown. Does this mean that SuSEFirewall2 was doing its job well? (I'm leaning strongly toward 'it did a fantastic job')

Thanks if anyone finds these questions worth any answers. The curiosity is killin' me. lol

John
On Thursday 31 July 2003 22:08 pm, John wrote:
Hiya gang,
I happened to notice last night that my RD light on my modem was goin' ape-crazy, and my TD was only once in a while (maybe every 3 or 4 seconds) blinking, so I knew not much was going 'out'. I couldn't for the life of me remember where to look at logs for the firewall, until just now. This is a sample of what I found:
Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=204.1.226.229 DST=(correct local address) LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1054 WINDOW=8192 RES=0x00 SYN URGP=0
Okay, I checked and the SRC was *not* my ISP's remote address; the DST was correct though, as *my* assigned address at the time (dial-up modem). I counted 'one second' of these, and had 65 instances within one second. The *only* thing changing at each instance during the one second was the DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all over again. So, what I'd like to ask of anyone who knows is... Starting with 'LEN' and going to 'URGP', what does each of those things mean (I think I understand the 'PROTO', heh)? I tried looking some of them up, but wasn't getting anything clear enough for an 'idiot' to understand. Why would only the 'DPT' change, and why only that range? Is/was this a DDoS? It sure didn't bother me any, since I could start a download or surf the web without any noticeable slowdown. Does this mean that SuSEFirewall2 was doing its job well? (I'm leaning strongly toward 'it did a fantastic job')
Thanks if anyone finds these questions worth any answers. The curiosity is killin' me. lol
John --
linux1:/var/log # whois 204.1.226.229
OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US
ReferralServer: rwhois://rwhois.verio.net:4321/
NetRange: 204.0.0.0 - 204.3.255.255
CIDR: 204.0.0.0/14
NetName: VRIO-204-000
NetHandle: NET-204-0-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2000-07-26
Updated: 2003-07-10
TechHandle: VIA4-ORG-ARIN
TechName: Verio, Inc.
TechPhone: +1-303-645-1900
TechEmail: vipar@verio.net
OrgAbuseHandle: VAC5-ARIN
OrgAbuseName: Verio Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@verio.net
OrgNOCHandle: VSC-ARIN
OrgNOCName: Verio Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@verio.net
OrgTechHandle: VIA4-ORG-ARIN
OrgTechName: Verio, Inc.
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@verio.net
--
Bruce S. Marshall bmarsh@bmarsh.com Bellaire, MI 07/31/03 22:20
"Why do we drive on Parkways, and park on Driveways?"
On Thursday 31 July 2003 21:20, Bruce Marshall wrote: <snip>
linux1:/var/log # whois 204.1.226.229
OrgName: Verio, Inc. OrgID: VRIO Address: 8005 South Chester Street Address: Suite 200 City: Englewood StateProv: CO PostalCode: 80112 Country: US
<snip>
Thanks Bruce, but I'd got that stuff. I was hoping someone would explain what 'LEN' and 'DPT' and 'SPT' etc. meant, or where I could look each definition up, and what the corresponding numbers after each one were... that kind of stuff.

BTW, that sig reminded me of a Gallagher (sp?) quote I heard him say once (he'd got it from his daughter when she was very young): Why do they call them Apartments, when they're all stuck together?

John
John wrote:
I happened to notice last night that my RD light on my modem was goin' ape-crazy, and my TD was only once in a while (maybe every 3 or 4 seconds) blinking, so I knew not much was going 'out'. I couldn't for the life of me remember where to look at logs for the firewall, until just now. This is a sample of what I found:
Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=204.1.226.229 DST=(correct local address) LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1054 WINDOW=8192 RES=0x00 SYN URGP=0
Okay, I checked and the SRC was *not* my ISP's remote address; the DST was correct though, as *my* assigned address at the time (dial-up modem). I counted 'one second' of these, and had 65 instances within one second. The *only* thing changing at each instance during the one second was the DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all over again. So, what I'd like to ask of anyone who knows is... Starting with 'LEN' and going to 'URGP', what does each of those things mean (I think I understand the 'PROTO', heh)? I tried looking some of them up, but wasn't getting anything clear enough for an 'idiot' to understand. Why would only the 'DPT' change, and why only that range? Is/was this a DDoS? It sure didn't bother me any, since I could start a download or surf the web without any noticeable slowdown. Does this mean that SuSEFirewall2 was doing its job well? (I'm leaning strongly toward 'it did a fantastic job')
Thanks if anyone finds these questions worth any answers. The curiosity is killin' me. lol
Well, I'm no expert, but I've been looking at such things for a little while (I got curious about some log entries, same as you).

SuSE-FW-DROP-DEFAULT means that the packet has been silently dropped, which is a *good* thing. LEN is the length of the packet. TOS, PREC, TTL, ID are of little interest. SPT is the source port; DPT is the destination port.

It looks like someone probing your ports, although why they would stick to that range of ports is a bit strange. Is it the RIAA (what port does Kazaa use???)?

If you're real curious, it's interesting to capture packets for a while, and then peek inside them, for which I use ethereal. The log above gives the time of the packet of interest, then you can look at the contents of the packet through ethereal.

HTH; if anyone has more in-depth info, it would be good.

cheers,
jalal
--
GPG fingerprint = 3D45 5509 D380 26A4 523E A9D8 A66A 5F38 CA43 BB0E
On Friday 01 August 2003 02:13, jalal wrote: <snip>
Well, I'm no expert, but I've been looking at such things for a little while (I got curious about some log entries, same as you).
SuSE-FW-DROP-DEFAULT means that the packet has been silently dropped, which is a *good* thing. LEN is the length of the packet. TOS, PREC, TTL, ID are of little interest. SPT is the source port; DPT is the destination port.
It looks like someone probing your ports, although why they would stick to that range of ports is a bit strange. Is it the RIAA (what port does Kazaa use???)?
If you're real curious, it's interesting to capture packets for a while, and then peek inside them, for which I use ethereal. The log above gives the time of the packet of interest, then you can look at the contents of the packet through ethereal.
HTH; if anyone has more in-depth info, it would be good.
cheers, jalal
Yessir, that helped a lot, since you've now made me just a tad less ignorant. As for it being RIAA... who knows, but if it was, they were looking in the wrong spot(s) I guess, since anyone else who's wanted to has been able to look at the files in my shared directory... and not had to take almost 4 minutes doing so, heh. I think I tried to install ethereal once, but some dependency I had to install for it to work wouldn't install, so I gave up. I'll look into it again though... maybe something's changed somewhere.

Thanks again, I appreciate it.

John
The 03.07.31 at 21:08, John wrote:
I counted 'one second' of these, and had 65 instances within one second. The *only* thing changing at each instance during the one second was the DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all over again.
You were being probed, but only a small range of ports. Why they should be repeating the probe, I don't understand, computers do not change opinions easily (a no is a no). If you want to know what those ports are for, look at /etc/services.
So, what I'd like to ask of anyone who knows is... Starting with 'LEN' and going to 'URGP', what does each of those things mean (I think I understand the 'PROTO', heh)?
I think a good place would be Mr. Togan's docs:
|> Table 4. SuSEfirewall2 log explanations
and
|> The details of the header fields can be found in the RFC documents on
|> TCP and IP (rfc793, rfc791).
Also, there is some documentation in /usr/share/doc/packages/SuSEfirewall2/*
Why would only the 'DPT' change, and why only that range?
They probe ports one by one to see which one, if any, responds (i.e., it's open). Why that range, I don't know; perhaps it's used by some sharing software.
Is/was this a DDoS?
Denial of Service Attack? I don't think so; many more packets would be needed - till the bandwidth were all used.
Does this mean that SuSEFirewall2 was doing its job well?
Yes :-)
Thanks if anyone finds these questions worth any answers. The curiosity is killin' me. lol
Curiosity is the mother of invention, or something like that, they say.
--
Cheers,
Carlos Robinson
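As an added illustration, not from any poster in this thread, here is a small Python parser for the SuSE-FW-DROP-DEFAULT lines discussed above, with a check for the pattern John described (one SRC, bare SYNs, DPT walking a range many times per second). The sample log is constructed to mirror his report; the DST 192.0.2.10 and the second host 198.51.100.7 are placeholders.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")                        # KEY=VAL tokens, VAL may be empty (OUT=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare words after RES= are the set TCP flags

def parse_line(line):
    """Split one SuSE-FW log line into fields (None if it is not one). LEN=IP total length,
    TOS/PREC=type of service, TTL=hops left, ID=IP id, SPT/DPT=ports, URGP=urgent pointer."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            rec[kv.group(1)] = kv.group(2)    # e.g. rec["DPT"] == "1054"
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec

def sweep_report(lines, min_ports=10):
    """Per SRC: packets, DPT range, peak packets/second; many DPTs with bare SYNs = port sweep."""
    per_src = defaultdict(lambda: {"n": 0, "dpts": set(), "per_sec": defaultdict(int), "syn_only": True})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        s = per_src[rec["SRC"]]
        s["n"] += 1
        s["dpts"].add(int(rec["DPT"]))
        s["per_sec"][rec["ts"]] += 1          # syslog timestamps have 1 s resolution
        if rec["flags"] != {"SYN"}:
            s["syn_only"] = False
    return {src: {"packets": s["n"], "ports": (min(s["dpts"]), max(s["dpts"])),
                  "distinct": len(s["dpts"]), "peak_pps": max(s["per_sec"].values()),
                  "verdict": "port sweep" if s["syn_only"] and len(s["dpts"]) >= min_ports else "unclassified"}
            for src, s in per_src.items()}

def make_sample():
    """Constructed log: the thread's line with DPT walking 1024..1054, 65 packets/second for
    two seconds, plus one unrelated ACK from another host. DST is a TEST-NET-1 placeholder."""
    tmpl = ("Jul 29 19:44:{sec:02d} linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= "
            "SRC={src} DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 "
            "PROTO=TCP SPT=65143 DPT={dpt} WINDOW=8192 RES=0x00 {flag} URGP=0")
    lines = [tmpl.format(sec=56 + i // 65, dpt=1024 + i % 31, src="204.1.226.229", flag="SYN")
             for i in range(130)]
    lines.append(tmpl.format(sec=56, dpt=80, src="198.51.100.7", flag="ACK"))
    return lines
```

Run it against /var/log/messages (or wherever SuSEfirewall2 logs on your box) by feeding the file's lines to sweep_report; lines that are not firewall drops are skipped.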