Hi all, can anyone shed some light on these firewall log entries and the messages log entries?

Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 64.94.163.226:8 62.64.169.128:0 L=84 S=0x00 I=335 F=0x0000 T=50 (#131)
Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 63.251.143.2:8 62.64.169.128:0 L=84 S=0x00 I=12076 F=0x0000 T=48 (#131)
Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.125.38:8 62.64.169.128:0 L=84 S=0x00 I=34458 F=0x0000 T=50 (#131)
Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.248.222:8 62.64.169.128:0 L=84 S=0x00 I=49103 F=0x0000 T=49 (#131)
Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.172.130:8 62.64.169.128:0 L=84 S=0x00 I=1370 F=0x0000 T=49 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.85.194:8 62.64.169.128:0 L=84 S=0x00 I=29649 F=0x0000 T=49 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.172.130:8 62.64.169.128:0 L=84 S=0x00 I=1520 F=0x0000 T=49 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 63.251.143.2:8 62.64.169.128:0 L=84 S=0x00 I=12221 F=0x0000 T=48 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.44.194:8 62.64.169.128:0 L=84 S=0x00 I=19612 F=0x0000 T=49 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.153.130:8 62.64.169.128:0 L=84 S=0x00 I=14678 F=0x0000 T=49 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 64.94.163.226:8 62.64.169.128:0 L=84 S=0x00 I=474 F=0x0000 T=50 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 209.155.224.130:8 62.64.169.128:0 L=84 S=0x00 I=20509 F=0x0000 T=40 (#131)

Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.85.194].3506
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.153.130].3682
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [209.155.224.130].2919
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.44.194].1247
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.172.130].3232
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [63.251.143.2].25806
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.248.222].2502
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.125.38].9795
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.85.194].3506
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.153.130].3682
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.44.194].1247
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [209.155.224.130].2919
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [63.251.143.2].25806
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.172.130].3232
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.248.222].2502
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.125.38].9795

snort reports them as:

[**] IDS152/Ping BSDtype [**]
01/14-18:54:55.654396 216.52.172.130 -> 62.64.169.128 ICMP TTL:49 TOS:0x0 ID:1520 ID:22384 Seq:41651 ECHO
[**] IDS152/Ping BSDtype [**]
01/14-18:54:55.674371 63.251.143.2 -> 62.64.169.128 ICMP TTL:48 TOS:0x0 ID:12221 ID:4905 Seq:35450 ECHO
[**] IDS152/Ping BSDtype [**]
01/14-18:54:55.694383 216.52.44.194 -> 62.64.169.128 ICMP TTL:49 TOS:0x0 ID:19612 ID:414 Seq:35927 ECHO
[**] IDS152/Ping BSDtype [**]
01/14-18:54:55.764391 216.52.153.130 -> 62.64.169.128 ICMP TTL:49 TOS:0x0 ID:14678 ID:17873 Seq:51298 ECHO
[**] IDS152/Ping BSDtype [**]
01/14-18:54:55.784388 64.94.163.226 -> 62.64.169.128 ICMP TTL:50 TOS:0x0 ID:474 ID:19664 Seq:46591 ECHO
[**] IDS152/Ping BSDtype [**]
01/14-18:54:55.904389 209.155.224.130 -> 62.64.169.128 ICMP TTL:40 TOS:0x0 ID:20509 ID:23026 Seq:32632 ECHO

They usually follow the same format, denials and then refusals, and are happening more frequently. The list of denials gets longer and longer each time, with more machines joining in. The name server that is running is caching only, for a small home network. SuSE 6.4 and the firewals package.

TIA
Alastair Duncan
Hi,

there's a product called Global Dispatch (currently used by numerous providers and marketing companies such as Doubleclick) which measures bandwidth between several servers and the user. Doubleclick for instance does this to ensure an uninterrupted flow of ads to your system :-(

If you reverse-resolve the IP addresses which hit you, you will see that they are owned by InterNAP Network Services, Seattle. Probably a provider. Global Dispatch records the delay of the ICMP (PROTO=1) packets to/from you and probes your name server afterwards, in a way that produces the syslog entry you mentioned. Global Dispatch also uses ports like echo (7) and chargen (19) for these network/host probes.

I suggest that you disable ipchains logging for ICMP packets if you have snort up and running. Snort already records these incidents in its alert file, so you can reduce the growth of your system logs.

All these log entries are quite annoying but IMO there's nothing to worry about. If unsure, try to get in touch with InterNAP and ask for an explanation.

Yours,
Boris

--- On 15-Jan-01 alastair@duncans.screaming.net wrote:
[...]
--- Boris Lorenz <bolo@lupa.de> System Security Admin *nix - *nux ---
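Boris's reading of the two log sources (echo requests first, then hits on the name server from the same hosts a few seconds later) can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread or from any of its participants: it parses the ipchains "Packet log" lines and BIND's "refused query on non-query socket" lines, groups them by source address, and reports the lag between the first ping and the first DNS hit per host. The sample input is a constructed subset of Alastair's lines plus one invented address (10.0.0.9) that only touched the name server; the regex field names and the 60-second correlation window are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the lines from the thread in both formats,
# plus one invented host (10.0.0.9) that never pinged, only hit named.
SAMPLE_LOG = """\
Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 64.94.163.226:8 62.64.169.128:0 L=84 S=0x00 I=335 F=0x0000 T=50 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.85.194:8 62.64.169.128:0 L=84 S=0x00 I=29649 F=0x0000 T=49 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 209.155.224.130:8 62.64.169.128:0 L=84 S=0x00 I=20509 F=0x0000 T=40 (#131)
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.85.194].3506
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.85.194].3506
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [10.0.0.9].1111
"""

# ipchains "Packet log" line. For PROTO=1 (ICMP) the two "port" fields carry
# the ICMP type and code, so "8" on the source side and "0" on the
# destination side means an echo request.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?$"
)

# BIND 8 "refused query on non-query socket" line, peer written as [addr].port
NAMED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"refused query on non-query socket from \[(?P<src>[\d.]+)\]\.(?P<sport>\d+)$"
)


def _syslog_time(ts):
    # Syslog stamps carry no year; the 1900 placeholder strptime fills in is
    # fine because we only ever subtract stamps from the same month.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_line(line):
    """Classify one log line; returns None for lines this example does not model."""
    m = IPCHAINS_RE.match(line)
    if m:
        d = m.groupdict()
        kind = "other_packet"
        if d["proto"] == "1" and d["sport"] == "8" and d["dport"] == "0":
            kind = "icmp_echo"
        return {"kind": kind, "when": _syslog_time(d["ts"]),
                "src": d["src"], "ttl": int(d["ttl"])}
    m = NAMED_RE.match(line)
    if m:
        return {"kind": "dns_refused", "when": _syslog_time(m.group("ts")),
                "src": m.group("src"), "ttl": None}
    return None


def summarize(text):
    """Per source: dropped echo requests, refused DNS hits, TTLs seen, and the
    delay from the first ping to the first DNS probe (None if one side is absent)."""
    per_src = defaultdict(lambda: {"icmp_echo": 0, "dns_refused": 0,
                                   "first_icmp": None, "first_dns": None,
                                   "ttl": set()})
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev is None or ev["kind"] == "other_packet":
            continue
        rec = per_src[ev["src"]]
        rec[ev["kind"]] += 1
        key = "first_icmp" if ev["kind"] == "icmp_echo" else "first_dns"
        if rec[key] is None or ev["when"] < rec[key]:
            rec[key] = ev["when"]
        if ev["ttl"] is not None:
            rec["ttl"].add(ev["ttl"])
    result = {}
    for src, rec in per_src.items():
        lag = None
        if rec["first_icmp"] is not None and rec["first_dns"] is not None:
            lag = int((rec["first_dns"] - rec["first_icmp"]).total_seconds())
        result[src] = {"icmp_echo": rec["icmp_echo"],
                       "dns_refused": rec["dns_refused"],
                       "lag_seconds": lag, "ttl": sorted(rec["ttl"])}
    return result


def probing_hosts(text, max_lag=60):
    """Sources that pinged and then hit named within max_lag seconds: the
    ping-then-DNS signature Boris describes. The window is an assumption."""
    return sorted(src for src, r in summarize(text).items()
                  if r["lag_seconds"] is not None and 0 <= r["lag_seconds"] <= max_lag)


if __name__ == "__main__":
    for src, r in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} echo={r['icmp_echo']} dns={r['dns_refused']} "
              f"lag={r['lag_seconds']} ttl={r['ttl']}")
    print("ping-then-DNS hosts:", probing_hosts(SAMPLE_LOG))
```

Run it as is to see the sample, or call summarize() on the contents of /var/log/messages. Hosts that appear in both columns inside the window are the ones worth a reverse lookup, which is the check Boris suggests; a host that only pings, or only hits named, does not fit the pattern and deserves a separate look. On the logging side, ipchains writes a "Packet log" line only for rules carrying the -l flag, so a DENY rule for ICMP without -l keeps the drop and stops the messages-file noise, leaving snort's alert file as the single record.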
On Tue, Jan 16, 2001 at 13:17 +0100, Boris Lorenz wrote:
All these log entries are quite annoying but IMO there's nothing to worry about.
While we're at this: Lately I've experienced an enormous increase in the following scenarios (besides the usual scans for FTP, fewer SMTP, some portmap, some POP2, linuxconf, SNMP, several SubSeven variants, and even NetBus seems to bubble up time after time:)

- any:high -> www:137 udp -- some kind of Windows software trying to update web documents via SMB? But it's a read-only server! Somebody searching for NT based web servers? But the banner could have told them it's "publicfile" in action and probably not running under Windows :> (yes, I know, stupid kids aren't looking or in the know but only using tools they don't understand but own in large numbers); is the Samba password bruteforcing (trying single new characters while increasing password length upon matches) done via this port? Is this a Windows client trying to learn the name but hesitating to use DNS since NetBIOS is "more natural" to it? But the machine is not the NS but the web server only.

- any:high -> proxy:53 udp -- funnily this is the machine to *ask* DNS questions to the outside world and to fetch documents from foreign servers, but it's not a DNS server -- not published as such and not responding to queries; is this some defective Windows server trying to ask the _client_ "what's your name" instead of the authoritative NS? ISTR mention of something along these lines lately. Or is this some decoy scan targeting port 53/udp in the assumption there will be an answer? But this is the only machine of a bundle to see these contacts.

- dul:high -> www:80 tcp "dangling" (one or the other end not listening any longer, with a *lot* more of these during the past few weeks and some of them "RESET"ing the connection with flooding frequencies of some 1.5 down to 0.1 seconds); are there many more broken IP stack implementations / damaged browsing/download programs around, or are there increased attempts to "saturate" or "burden" web servers with this kind of behaviour?

Has anybody else seen these? Where can I learn more about them? Where can I read up besides the usual lists like R. Graham's Firewall Seen / Simovits Consulting / The Internet Ports DB?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.