In article <(E-Mail Removed) >,
Tobias Skytte wrote:
>What's happening is this: our server (ip 196.28.yyy.zzz), running RH 9,
>sends out via that ip but receives via a receiveonly satlink with ip
>(196.36.aaa.bbb). Also the server is a NAT for a lan behind it. So
>normally we don't receive much on the 196.28.yyy.zzz link but mostly
>transmit.
OK - I'm sure you also know what the normal stuff looks like.
>In the last couple days though I'm seeing a lot of traffic
>(see dump below ) which I don't know what is.
The hosts all appear to be residential type DSL. Hard to say much more
without seeing more of the packets, but all of them appear to think
that they have established a connection, yet the ACK numbers are low
(0 or 1) meaning that they haven't heard much from you.
With the exception of the last one, these packets look as if they are
aimed at a client ("you" initiated the conversation) on a system that
hasn't been running very long OR an O/S that tends to reuse originating
ephemeral ports. I'm not really used to seeing that many packets with
the 'P' (PUSH) flag set.
>So as far as I can figure out these packets are 'un-solicited'. They are
>also going to ports that are firewalled in the server and they don't show
>up in netstat or ip_conntrack.
Do you see any earlier stuff? For example:
>15:52:59.630421 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P 12572:14032(1460) ack 1 win 31660 (DF)
>15:52:59.804400 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P 14032:15360(1328) ack 1 win 31660 (DF)
If you look at "his" sequence numbers, 12572 suggests that 9 data packets
(maybe more - 12572/1460 = 8.6 ) preceded this one, never mind the stuff
needed to open the connection.
>So what are these packets? Currently it's a problem because it's consuming
>50% of our available bandwidth which is only 64k for transmitting.
These aren't showing any transmit on your side, so it's just sucking up
your received bandwidth.
>What can I do to find out more about this traffic? Any hints would be
>much appreciated.
I'd suggest looking at different tools. 'snort' and 'p0f' come to mind.
Neither comes with RH9. A Google search should find them.
>Like, I need to know if these packets are being dropped or if not
>where are they going etc.
You aren't showing them going anywhere, or any responses, but that could
be your tcpdump command line. What are your firewall rules' defaults for
this - drop or reject?
>Am I under attack?
Somebody is slinging packets at you - as to whether it's an attack or not
is difficult to say.
Old guy
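As an added example (not code from the post or from either poster), the script below applies the reasoning in the reply to tcpdump lines: it parses the old tcpdump line format quoted above, records per flow whether a SYN was captured, and for each data packet estimates from the relative sequence number and the largest segment seen how many earlier data segments must have gone by uncaptured, flagging flows that carry data with ack 0 or 1 and no handshake as mid-stream and unsolicited. The two quoted lines are the input, alongside two constructed lines for a normal connection the local host opened itself; the relative-sequence-number assumption and the 192.0.2.10 address are mine.

```python
import math
import re
# Old tcpdump (3.x, as on RH 9) TCP line shape quoted in the post:
#   HH:MM:SS.usec src.port > dst.port: FLAGS seq:end(len) ack N win W (DF)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\w.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<flags>[SFPRWE.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?")

def parse(line):
    """Parse one tcpdump line (leading '>' quote marks stripped); None if not TCP."""
    m = LINE_RE.match(line.strip().lstrip("> "))
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "seq", "len", "ack"):
        p[k] = int(p[k]) if p[k] is not None else None
    return p

def flow(p):
    """Direction-independent flow key, so a SYN in either direction counts."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def classify(lines):
    """Return {flow: (verdict, min_prior_segments, payload_bytes)} for flows carrying data."""
    pkts = [p for p in map(parse, lines) if p]
    saw_syn = {flow(p) for p in pkts if "S" in p["flags"]}
    biggest = {}  # largest payload seen per flow, taken as the peer's segment size
    for p in pkts:
        biggest[flow(p)] = max(biggest.get(flow(p), 0), p["len"] or 0)
    result = {}
    for p in pkts:
        if not p["len"]:
            continue
        f = flow(p)
        # Assumes relative sequence numbers (data starts at 1), as the reply does:
        # at least ceil((seq-1)/segment) data segments preceded this one uncaptured.
        prior = math.ceil((p["seq"] - 1) / biggest[f])
        verdict = "handshake captured" if f in saw_syn else "data without captured handshake"
        if f not in saw_syn and p["ack"] is not None and p["ack"] <= 1 and prior > 0:
            verdict = "mid-stream, no handshake seen, peer has heard almost nothing from us"
        _, prev_prior, prev_bytes = result.get(f, (None, 0, 0))
        result[f] = (verdict, max(prev_prior, prior), prev_bytes + p["len"])
    return result

# Two lines quoted from the post plus two constructed lines for a connection the local
# host opened itself (SYN visible); 192.0.2.10 is a documentation address.
SAMPLE = """
>15:52:59.630421 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P 12572:14032(1460) ack 1 win 31660 (DF)
>15:52:59.804400 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P 14032:15360(1328) ack 1 win 31660 (DF)
15:53:01.100000 196.28.yyy.zzz.1060 > 192.0.2.10.80: S 3334455:3334455(0) win 5840 <mss 1460> (DF)
15:53:01.300000 192.0.2.10.80 > 196.28.yyy.zzz.1060: P 1:361(360) ack 1 win 5792 (DF)
""".strip().splitlines()
```

Running `classify(SAMPLE)` reports the 80.222.196.4 flow as mid-stream with at least 10 earlier segments and 2788 payload bytes received, while the constructed connection shows a captured handshake.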