Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] martian source messages
  • From: Roland Freeman <rolandfreeman@xxxxxxxxx>
  • Date: Thu, 18 Sep 2003 14:47:55 +0200
  • Message-id: <200309181447.55536.rolandfreeman@xxxxxxxxx>
At 10:23, Thursday 18 September 2003, Pep Serrano wrote:
> But is this the real cause of our martian logs?
>
> > On Sep 18, Roland Freeman <rolandfreeman@xxxxxxxxx> wrote:
> > > Pep, we have the same problem. My P-t-P router has a private ip address
> > > too. Everything works properly, except the martians log.
> >
> > A private IP address as gateway is not necessarily a problem. ISPs use
> > this to save IP addresses and it is in no way bad for anyone. As long as
> > they are not used in the route back to you, which isn't the case as you
> > stated.
>
> Last night I spent some time with ethereal tracking my traffic between the
> loopback and my ppp0. I could see there are some packets from localhost on
> port 80 to random ports of ppp0. This packet repeats about every minute. I
> closed almost all services, disabled routing, no applications... lsof
> didn't show any process using localhost:80, and yet the weird traffic was
> still there.
>
>
> Cheers
> Pep Serrano.

I did the same, and found the same results. All the packets are from port 80
to a high port on ppp0. Logs report "ll header: 45:00:00:28".
While receiving these packets (from localhost:80) I am not even surfing the
web, but they still arrive.
All TCP packets I have seen have the RST ACK flags set.
