[opensuse] Unusual traffic through eth0
Last night, I noticed a regular pattern of blips in gkrellm's eth0 monitor. There were no internet-active programs, such as e-mail or web browser, running, so I started Wireshark to see what was happening.

Apart from the expected chatter between this machine and the router, the following two lines repeated over and over, and it is continuing after rebooting the machine this morning:

Source          Destination   Protocol  Info
217.14.132.183  192.168.1.14  SIP       Status: 100 Trying (0 bindings)
217.14.132.183  192.168.1.14  SIP       Status: 401 Unauthorized (0 bindings)

Is this entirely innocent, or should I contact abuse@Domainmaster (see below)?

09:21 bob@barrowhillfarm:~> whois 217.14.132.183
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '217.14.128.0 - 217.14.143.255'

inetnum:        217.14.128.0 - 217.14.143.255
descr:          Domainmaster LTD
org:            ORG-DL12-RIPE
netname:        UK-DOMAINMASTER-20000901
country:        GB
admin-c:        PM3847-RIPE
tech-c:         SJML1-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      DOMAINMASTER-NOC
mnt-routes:     DOMAINMASTER-NOC
mnt-domains:    DOMAINMASTER-NOC
source:         RIPE # Filtered

organisation:   ORG-DL12-RIPE
org-name:       Domainmaster LTD
org-type:       LIR
address:        Domainmaster LTD 9th Floor, Building 6 Harbour Exchange Square E14 9GE London United Kingdom
phone:          +44 207 127 9800
fax-no:         +44 870 432 5505
e-mail:         ripe@hotlinks.co.uk
admin-c:        DB
admin-c:        JO497-RIPE
admin-c:        PM3847-RIPE
admin-c:        SJML1-RIPE
mnt-ref:        DOMAINMASTER-NOC
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Panny Malialis
address:        DomainMaster Ltd
address:        C/o Redbus Interhouse
address:        9th Floor, 6/7 Harbour Exchange Square
address:        London
address:        E14 9GE
phone:          +44 (0) 870 7878 975
fax-no:         +44 (0) 870 7878 973
e-mail:         panny@hotlinks.co.uk
nic-hdl:        PM3847-RIPE
source:         RIPE # Filtered

person:         Sylvaine Joelle Marie Lucas
address:        DomainMaster Ltd
address:        C/o Redbus Interhouse
address:        9th Floor, 6/7 Harbour Exchange Square
address:        London
address:        E14 9GE
phone:          +44 (0) 870 7878 975
fax-no:         +44 (0) 870 7878 973
e-mail:         sylvaine@hotlinks.co.uk
nic-hdl:        SJML1-RIPE
source:         RIPE # Filtered

--
Bob Williams
System: Linux 3.1.9-1.4-desktop
Distro: openSUSE 12.1 (x86_64) with KDE Development Platform: 4.7.2 (4.7.2) "release 5"
Uptime: 18:00pm up 5 days 0:29, 3 users, load average: 0.23, 0.15, 0.14
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Bob Williams wrote:
Last night, I noticed a regular pattern of blips in gkrellm's eth0 monitor. There were no internet-active programs, such as e-mail or web browser, running, so I started Wireshark to see what was happening.
Apart from the expected chatter between this machine and the router, the following two lines repeated over and over, and it is continuing after rebooting the machine this morning:

Source          Destination   Protocol  Info
217.14.132.183  192.168.1.14  SIP       Status: 100 Trying (0 bindings)
217.14.132.183  192.168.1.14  SIP       Status: 401 Unauthorized (0 bindings)
Is this entirely innocent, or should I contact abuse@Domainmaster (see below)?
Perhaps not entirely innocent (SIP attempts for VoIP), but I would have thought your firewall should be blocking such traffic?

--
Per Jessen, Zürich (6.8°C)
On 12/03/12 09:54, Per Jessen wrote:
Bob Williams wrote:
Last night, I noticed a regular pattern of blips in gkrellm's eth0 monitor. There were no internet-active programs, such as e-mail or web browser, running, so I started Wireshark to see what was happening.
Apart from the expected chatter between this machine and the router, the following two lines repeated over and over, and it is continuing after rebooting the machine this morning:

Source          Destination   Protocol  Info
217.14.132.183  192.168.1.14  SIP       Status: 100 Trying (0 bindings)
217.14.132.183  192.168.1.14  SIP       Status: 401 Unauthorized (0 bindings)
Is this entirely innocent, or should I contact abuse@Domainmaster (see below)?
Perhaps not entirely innocent (SIP attempts for VoIP), but I would have thought your firewall should be blocking such traffic?
Really? I do run Skype from time to time, and have tried out Ekiga, so maybe the SIP protocol is allowed.

The only services I have explicitly allowed in YaST Firewall Configuration are Rsync server, Secure Shell server and xntp server.

All the above traffic seems to be one way; in other words, I never see my machine sending a reply: I am always the destination, never the source.

Thanks for your help.

Bob
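The "one way" observation above can be checked mechanically rather than by eye. A SIP response carries the Call-ID of the request it answers, and Wireshark's "(N bindings)" annotation is added to responses to REGISTER, so a 100 Trying or 401 Unauthorized arriving at a host that never sent a REGISTER with that Call-ID is unsolicited. The script below is an added example of mine, not code from the thread or from any of its participants. It reads the tab-separated output of `tshark -r capture.pcap -Y sip -T fields -e ip.src -e ip.dst -e sip.Call-ID -e sip.Method -e sip.Status-Code` (that field order is assumed throughout) and flags every inbound response whose Call-ID this host had not used in an earlier outbound request. The sample input is constructed: the two status lines from the thread plus one invented, legitimate REGISTER exchange with a made-up registrar at 10.0.0.7, so that both the solicited and the unsolicited case are exercised.

```python
"""Check whether inbound SIP responses were solicited.

Input: tshark -T fields output with five tab-separated columns
    ip.src  ip.dst  sip.Call-ID  sip.Method  sip.Status-Code
Requests have a Method and an empty Status-Code; responses the reverse.
"""
from dataclasses import dataclass

HOST = "192.168.1.14"  # the local address seen in the Wireshark capture

# Constructed sample, not a real capture. Lines 1, 2 and 5 mirror the thread
# (Call-IDs invented); lines 3 and 4 are an invented REGISTER / 200 OK
# exchange with a made-up registrar so the solicited case is covered too.
SAMPLE = (
    "217.14.132.183\t192.168.1.14\tabc123@217.14.132.183\t\t100\n"
    "217.14.132.183\t192.168.1.14\tabc123@217.14.132.183\t\t401\n"
    "192.168.1.14\t10.0.0.7\tlocal777@192.168.1.14\tREGISTER\t\n"
    "10.0.0.7\t192.168.1.14\tlocal777@192.168.1.14\t\t200\n"
    "217.14.132.183\t192.168.1.14\tdef456@217.14.132.183\t\t100\n"
)


@dataclass
class SipMsg:
    src: str
    dst: str
    call_id: str
    method: str   # e.g. "REGISTER" for requests, "" for responses
    status: str   # e.g. "401" for responses, "" for requests

    @property
    def is_response(self) -> bool:
        return bool(self.status)


def parse_tshark(text: str) -> list:
    """Parse the five-column tshark output described above."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, call_id, method, status = line.split("\t")
        msgs.append(SipMsg(src, dst, call_id, method, status))
    return msgs


def find_unsolicited(msgs: list, host: str = HOST) -> list:
    """Responses addressed to host whose Call-ID host had not used in an
    earlier request. Capture order matters: a response that precedes its
    own request is flagged as well."""
    sent_call_ids = set()
    unsolicited = []
    for m in msgs:
        if m.src == host and not m.is_response:
            sent_call_ids.add(m.call_id)
        elif m.dst == host and m.is_response and m.call_id not in sent_call_ids:
            unsolicited.append(m)
    return unsolicited


def summarize(msgs: list, host: str = HOST) -> dict:
    """Count unsolicited responses per (remote address, status code)."""
    counts = {}
    for m in find_unsolicited(msgs, host):
        key = (m.src, m.status)
        counts[key] = counts.get(key, 0) + 1
    return counts


def host_sent_any_sip(msgs: list, host: str = HOST) -> bool:
    """False means the SIP traffic is entirely one way, as in the thread."""
    return any(m.src == host for m in msgs)


if __name__ == "__main__":
    msgs = parse_tshark(SAMPLE)
    for (src, status), n in sorted(summarize(msgs).items()):
        print(f"{n:3d} unsolicited SIP {status} from {src}")
    print("host sent SIP at all:", host_sent_any_sip(msgs))
```

Run on the real capture, `summarize` gives the per-source, per-status counts to put in an abuse report, and `host_sent_any_sip` returning False confirms nothing on the machine is answering, which is the part that matters for deciding whether the box is exposed.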
Bob Williams wrote:
On 12/03/12 09:54, Per Jessen wrote:
Bob Williams wrote:
Last night, I noticed a regular pattern of blips in gkrellm's eth0 monitor. There were no internet-active programs, such as e-mail or web browser, running, so I started Wireshark to see what was happening.
Apart from the expected chatter between this machine and the router, the following two lines repeated over and over, and it is continuing after rebooting the machine this morning:

Source          Destination   Protocol  Info
217.14.132.183  192.168.1.14  SIP       Status: 100 Trying (0 bindings)
217.14.132.183  192.168.1.14  SIP       Status: 401 Unauthorized (0 bindings)
Is this entirely innocent, or should I contact abuse@Domainmaster (see below)?
Perhaps not entirely innocent (SIP attempts for VoIP), but I would have thought your firewall should be blocking such traffic?
Really? I do run skype from time to time, and have tried out ekiga, so maybe the SIP protocol is allowed.
Skype is proprietary, I don't know what ekiga does. SIP is "Session Initiation Protocol" for standard VoIP. My Asterisk telephone server is regularly flooded by SIP requests, bordering on a DoS attack.
The only services I have explicitly allowed in YaST Firewall Configuration are Rsync server, Secure Shell server and xntp server.
I would expect that to mean that the SIP traffic is dropped or rejected. Maybe check your firewall log.
All the above traffic seems to be one way, in other words, I never see my machine sending a reply, I am always the destination, never the source.
Maybe gkrellm is reporting on traffic before the firewall drops it.

--
Per Jessen, Zürich (9.8°C)
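Per's "check your firewall log" is the decisive test: gkrellm counts bytes as the kernel receives them, before netfilter's INPUT chain sees them, so the monitor will show a packet the firewall then drops. What the log should show is a DROP for every one of these UDP/5060 packets and never an accept. The script below is an added example of mine, not code from the thread or from SuSEfirewall2. SuSEfirewall2 logs through the netfilter LOG target with prefixes such as SFW2-INext-DROP-DEFLT and SFW2-INext-ACC-TCP; the parser relies only on the DROP / REJECT / ACC word inside that prefix and on the KEY=VALUE pairs the LOG target writes (IN=, SRC=, DST=, PROTO=, SPT=, DPT= and so on). On openSUSE the lines go to /var/log/firewall, on other setups /var/log/messages. The sample log is constructed: addresses and ports follow the thread, while hostname, MAC address, timestamps, lengths and IP IDs are made up.

```python
"""Summarise what the firewall did with traffic from one source, from the
kernel's netfilter LOG lines (SuSEfirewall2 style prefixes)."""
import re
from collections import Counter

# Constructed sample log: two dropped SIP packets from the thread's source,
# one accepted SSH SYN from the router, and one unrelated kernel line.
SAMPLE_LOG = """\
Mar 12 09:20:01 barrowhillfarm kernel: [12345.678901] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=217.14.132.183 DST=192.168.1.14 LEN=568 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=548
Mar 12 09:20:03 barrowhillfarm kernel: [12347.123456] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=217.14.132.183 DST=192.168.1.14 LEN=576 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=556
Mar 12 09:21:17 barrowhillfarm kernel: [12421.000123] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 12 09:22:00 barrowhillfarm kernel: [12464.000000] device eth0 entered promiscuous mode
"""

# "kernel: [uptime] PREFIX KEY=VALUE ..." ; the uptime bracket is optional
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
VERDICTS = ("DROP", "REJECT", "ACC")


def parse_line(line: str):
    """Return a dict of fields for one netfilter LOG line, or None for any
    other kernel message (no SRC= field means it is not a LOG line)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("rest")):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"  # the second LEN= is the UDP/TCP length
        fields[key] = value
    if "SRC" not in fields:
        return None
    prefix = m.group("prefix")
    fields["prefix"] = prefix
    fields["verdict"] = next((v for v in VERDICTS if v in prefix), "OTHER")
    return fields


def parse_log(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize(entries: list, src: str) -> Counter:
    """Count packets from src by (verdict, protocol, destination port)."""
    return Counter(
        (e["verdict"], e.get("PROTO", "?"), e.get("DPT", "-"))
        for e in entries if e["SRC"] == src
    )


def ever_accepted(entries: list, src: str) -> bool:
    """True if any logged packet from src was accepted, i.e. reached a
    listening service instead of being dropped at the firewall."""
    return any(e["SRC"] == src and e["verdict"] == "ACC" for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (verdict, proto, dport), n in summarize(entries, "217.14.132.183").items():
        print(f"{n:4d}  {verdict:6s} {proto}/{dport}")
    print("accepted anything from 217.14.132.183:",
          ever_accepted(entries, "217.14.132.183"))
```

Two caveats when reading the result. SuSEfirewall2 rate-limits its log lines (FW_LOG_LIMIT), so the counts are a lower bound on what actually arrived; and `ever_accepted` can only report accepts that were logged, so it is only meaningful if logging of accepted packets is switched on for the relevant chain. A clean answer is what Bob's configuration predicts: only DROP entries for UDP/5060, and no ACC entry from that source.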
On 12/03/12 11:33, Per Jessen wrote:
Bob Williams wrote:
On 12/03/12 09:54, Per Jessen wrote:
Bob Williams wrote:
Last night, I noticed a regular pattern of blips in gkrellm's eth0 monitor. There were no internet-active programs, such as e-mail or web browser, running, so I started Wireshark to see what was happening.
Apart from the expected chatter between this machine and the router, the following two lines repeated over and over, and it is continuing after rebooting the machine this morning:

Source          Destination   Protocol  Info
217.14.132.183  192.168.1.14  SIP       Status: 100 Trying (0 bindings)
217.14.132.183  192.168.1.14  SIP       Status: 401 Unauthorized (0 bindings)
Is this entirely innocent, or should I contact abuse@Domainmaster (see below)?
Perhaps not entirely innocent (SIP attempts for VoIP), but I would have thought your firewall should be blocking such traffic?
Really? I do run skype from time to time, and have tried out ekiga, so maybe the SIP protocol is allowed.
Skype is proprietary, I don't know what ekiga does. SIP is "Session Initiation Protocol" for standard VoIP. My Asterisk telephone server is regularly flooded by SIP requests, bordering on a DoS attack.
Ekiga is a SIP client.
The only services I have explicitly allowed in YaST Firewall Configuration are Rsync server, Secure Shell server and xntp server.
I would expect that to mean that the SIP traffic is dropped or rejected. Maybe check your firewall log.
Well, the firewall log gives much the same information as wireshark. Although it's irritating, I don't think I'm vulnerable so I'll just monitor things for the time being. The last time something like this happened I was being attacked through ssh port 22, but they were definitely trying a dictionary attack with various username & password combinations.
All the above traffic seems to be one way, in other words, I never see my machine sending a reply, I am always the destination, never the source.
Maybe gkrellm is reporting on traffic before the firewall drops it.
Maybe.

Thanks,
Bob
On 2012-03-12 13:36, Bob Williams wrote:
On 12/03/12 11:33, Per Jessen wrote:
Maybe gkrellm is reporting on traffic before the firewall drops it.
Maybe
On another computer in a computer room with a hub, I sometimes see high traffic in gkrellm, hundreds of kilobytes per second, while my computer is doing nothing. Looking with iptraf, I see that the traffic is from the internet to another computer on the LAN, a download. I don't know if perhaps the port is set to promiscuous mode, but the firewall is up on my LAN side. It is curious.

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
Carlos E. R. wrote:
On 2012-03-12 13:36, Bob Williams wrote:
On 12/03/12 11:33, Per Jessen wrote:
Maybe gkrellm is reporting on traffic before the firewall drops it.
Maybe
On another computer in a computer room with a hub, I sometimes see high traffic in gkrellm, hundreds of kilobytes per second, while my computer is doing nothing. Looking with iptraf, I see that the traffic is from the internet to another computer on the LAN, a download.
I don't know if perhaps the port is set to promiscuous mode, but the firewall is up on my lan side. It is curious.
Check /var/log/messages to see if a device was placed in promiscuous mode. When you see traffic not destined for the device you're looking at, it is in promiscuous mode.

--
Per Jessen, Zürich (3.9°C)
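Per's reasoning holds because of where the filtering happens: on a hub every frame reaches every NIC, but a NIC that is not in promiscuous mode discards unicast frames for other MAC addresses in hardware, before the kernel counts them, so gkrellm can only show another machine's download if the interface is promiscuous. The kernel logs every transition as "device <dev> entered promiscuous mode" / "device <dev> left promiscuous mode", and the current state is bit IFF_PROMISC (0x100) of /sys/class/net/<dev>/flags, the same flag that `ip link show` prints as PROMISC. The script below is an added example of mine, not code from the thread: it replays those log lines to get the last known state per device and decodes the sysfs flags word. The sample log lines are constructed (hostname and times made up).

```python
"""Two checks for promiscuous mode on a Linux interface: replay the kernel's
'entered/left promiscuous mode' messages, and decode /sys/class/net/<dev>/flags."""
import re

# Interface flag bits from linux/if.h
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

PROMISC_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?device (?P<dev>\S+) (?P<event>entered|left) promiscuous mode"
)

# Constructed sample of /var/log/messages: a capture tool was started and
# stopped on eth0, and something is still listening promiscuously on eth1.
SAMPLE_MESSAGES = """\
Mar 12 13:40:02 telcontar kernel: [ 8801.123456] device eth0 entered promiscuous mode
Mar 12 13:41:00 telcontar kernel: [ 8859.000000] eth0: no IPv6 routers present
Mar 12 13:52:48 telcontar kernel: [ 9567.654321] device eth0 left promiscuous mode
Mar 12 13:55:10 telcontar kernel: [ 9709.000000] device eth1 entered promiscuous mode
"""


def promisc_history(text: str) -> list:
    """(device, 'entered'|'left') for every promiscuous-mode message, in log order."""
    return [(m.group("dev"), m.group("event"))
            for m in (PROMISC_RE.search(line) for line in text.splitlines()) if m]


def promisc_state(text: str) -> dict:
    """Last logged state per device: True if the most recent event was 'entered'."""
    state = {}
    for dev, event in promisc_history(text):
        state[dev] = (event == "entered")
    return state


def promisc_devices(text: str) -> list:
    """Devices whose last logged transition left them promiscuous."""
    return sorted(dev for dev, on in promisc_state(text).items() if on)


def decode_flags(flags) -> dict:
    """Decode the flags word; accepts an int or the hex string sysfs returns
    (e.g. '0x1103' for UP|BROADCAST|PROMISC|MULTICAST)."""
    if isinstance(flags, str):
        flags = int(flags, 16)
    return {
        "up": bool(flags & IFF_UP),
        "broadcast": bool(flags & IFF_BROADCAST),
        "promisc": bool(flags & IFF_PROMISC),
        "multicast": bool(flags & IFF_MULTICAST),
    }


def sysfs_promisc(dev: str) -> bool:
    """Live check of one interface; needs /sys, so the sample run does not use it."""
    with open(f"/sys/class/net/{dev}/flags") as fh:
        return decode_flags(fh.read().strip())["promisc"]


if __name__ == "__main__":
    for dev, on in sorted(promisc_state(SAMPLE_MESSAGES).items()):
        print(f"{dev}: {'PROMISC' if on else 'normal'} (per log)")
    print("flags 0x1103 ->", decode_flags("0x1103"))
```

One caveat when interpreting the log: Wireshark and tcpdump put the interface into promiscuous mode by default while they capture, so starting a capture to investigate writes the "entered" line itself. The interesting case is an "entered" without a matching "left" at a time when nobody was deliberately capturing, which `promisc_devices` will list.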