
Questions about rejected packets, Linux


Matthew J. Hellman

Aug 25, 1999
I'm seeing a ton of packets being rejected from various IP's using the
following ports. I would appreciate anyone's input as to what the
various ports are used for. Is everyone and their mother hacker trying
to get into my firewall or am I being paranoid? Following are some
samples:

Packet log: input REJECT eth0 PROTO=17 38.31.85.229:68
255.255.255.255:67 L=576 S=0x00 I=57600 F=0x0000 T=128
Packet log: input REJECT eth1 PROTO=17 12.13.21.86:259
216.161.118.253:137 L=78 S=0x00 I=60031 F=0x0000 T=112
Packet log: input REJECT eth1 PROTO=17 12.19.137.241:137
216.161.118.253:137 L=78 S=0x00 I=47289 F=0x0000 T=114
Packet log: input REJECT eth1 PROTO=1 216.161.163.157:8
216.161.118.248:0 L=84 S=0x00 I=28749 F=0x4000 T=242

TIA, Matt

Robert Graham

Aug 25, 1999
Matthew J. Hellman wrote:
>
> I'm seeing a ton of packets being rejected from various IP's using the
> following ports. I would appreciate anyone's input as to what the
> various ports are used for. Is everyone and their mother hacker trying
> to get into my firewall or am I being paranoid? Following are some
> samples:
>
> Packet log: input REJECT eth0 PROTO=17 38.31.85.229:68
> 255.255.255.255:67 L=576 S=0x00 I=57600 F=0x0000 T=128

http://www.robertgraham.com/pubs/firewall-seen.html#port68
It's normal bootp traffic

> Packet log: input REJECT eth1 PROTO=17 12.13.21.86:259
> 216.161.118.253:137 L=78 S=0x00 I=60031 F=0x0000 T=112
> Packet log: input REJECT eth1 PROTO=17 12.19.137.241:137
> 216.161.118.253:137 L=78 S=0x00 I=47289 F=0x0000 T=114

http://www.robertgraham.com/pubs/firewall-seen.html#port137
It's (probably) normal name resolution traffic

> Packet log: input REJECT eth1 PROTO=1 216.161.163.157:8
> 216.161.118.248:0 L=84 S=0x00 I=28749 F=0x4000 T=242

http://www.robertgraham.com/pubs/firewall-seen.html#icmp8
It's a (somewhat) normal ping.

The answer is YES, hackers are probably continuously scanning you
for open ports, but these particular entries don't look too
aggressive. You would need a sniffing program or an intrusion
detection system in order to actually analyze the packet contents
to make that determination. Packet firewalls just examine the
headers, so it's hard to make such diagnoses.

--

Robert Graham
robn @ NetworkICE DOT com

Matthew J. Hellman

Aug 25, 1999
Ok, thanks Robert and Barry. Could you give me a link to an updated list of
known ports and their uses? The one I'm using is a little old and
incomplete.
TIA,
Matt

Barry Margolin

Aug 26, 1999
In article <37C45E6C...@uswest.net>,
Matthew J. Hellman <mhel...@uswest.net> wrote:
>I'm seeing a ton of packets being rejected from various IP's using the
>following ports. I would appreciate anyone's input as to what the
>various ports are used for. Is everyone and their mother hacker trying
>to get into my firewall or am I being paranoid? Following are some
>samples:
>
>Packet log: input REJECT eth0 PROTO=17 38.31.85.229:68
>255.255.255.255:67 L=576 S=0x00 I=57600 F=0x0000 T=128

This looks like a normal BOOTP/DHCP query. Packets to 255.255.255.255
should not be routed across a WAN, so I'm not sure how this is showing up
on your LAN, unless 38.31.85.229 is one of your local addresses. It's also
possible that someone sent it to the directed broadcast address of your
LAN, and your router translated the directed broadcast address to the
limited broadcast address (I think Cisco routers will do this). You should
probably configure your router to block directed broadcasts, since they're
used in SMURF attacks and are rarely needed.

>Packet log: input REJECT eth1 PROTO=17 12.13.21.86:259
>216.161.118.253:137 L=78 S=0x00 I=60031 F=0x0000 T=112
>Packet log: input REJECT eth1 PROTO=17 12.19.137.241:137
>216.161.118.253:137 L=78 S=0x00 I=47289 F=0x0000 T=114

137 is NetBIOS Name Service, used for finding things like Windows servers
with file sharing enabled.

>Packet log: input REJECT eth1 PROTO=1 216.161.163.157:8
>216.161.118.248:0 L=84 S=0x00 I=28749 F=0x4000 T=242

This is a ping (ICMP Echo).

--
Barry Margolin, bar...@bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
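Added example (editor's code, not posted by anyone in this thread). The entries Matt quoted are ipchains "Packet log" lines. The script below parses the fields Robert and Barry decode above (protocol, addresses, ports or, for ICMP, type/code in the two port slots, the DF bit in F=, TTL), applies the same header-only classification they give, does the /etc/services lookup that comes up later in the thread via socket.getservbyport, and adds a per-source distinct-port count as a rough answer to the "is everyone scanning me" question. The first four log lines are Matt's, rejoined onto single lines; the remaining four are constructed (source 203.0.113.7, a documentation-range address) so the port-count heuristic has something to flag. The threshold of four distinct ports is an arbitrary assumption, and the service-name output depends on the local /etc/services.

```python
import re
import socket
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# First four lines: the entries from Matt's post, rejoined onto single lines
# (the newsreader wrapped them).  Last four: constructed, one source in the
# 203.0.113.0/24 documentation range walking TCP ports.
SAMPLE_LOG = """\
Packet log: input REJECT eth0 PROTO=17 38.31.85.229:68 255.255.255.255:67 L=576 S=0x00 I=57600 F=0x0000 T=128
Packet log: input REJECT eth1 PROTO=17 12.13.21.86:259 216.161.118.253:137 L=78 S=0x00 I=60031 F=0x0000 T=112
Packet log: input REJECT eth1 PROTO=17 12.19.137.241:137 216.161.118.253:137 L=78 S=0x00 I=47289 F=0x0000 T=114
Packet log: input REJECT eth1 PROTO=1 216.161.163.157:8 216.161.118.248:0 L=84 S=0x00 I=28749 F=0x4000 T=242
Packet log: input REJECT eth1 PROTO=6 203.0.113.7:40011 216.161.118.253:21 L=44 S=0x00 I=101 F=0x4000 T=52
Packet log: input REJECT eth1 PROTO=6 203.0.113.7:40012 216.161.118.253:23 L=44 S=0x00 I=102 F=0x4000 T=52
Packet log: input REJECT eth1 PROTO=6 203.0.113.7:40013 216.161.118.253:25 L=44 S=0x00 I=103 F=0x4000 T=52
Packet log: input REJECT eth1 PROTO=6 203.0.113.7:40014 216.161.118.253:139 L=44 S=0x00 I=104 F=0x4000 T=52
"""

# ipchains "Packet log" fields: chain verdict iface PROTO=n src:sport dst:dport
# L=IP total length  S=TOS  I=IP id  F=fragment word (0x4000 = DF, 0x2000 = MF,
# low 13 bits = offset)  T=TTL.  For ICMP the two "port" slots hold type/code.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

@dataclass
class Entry:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    tos: int
    ipid: int
    frag: int
    ttl: int

    @property
    def df_set(self) -> bool:
        return bool(self.frag & 0x4000)

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Entry(g["chain"], g["verdict"], g["iface"], int(g["proto"]),
                 g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                 int(g["length"]), int(g["tos"], 16), int(g["ipid"]),
                 int(g["frag"], 16), int(g["ttl"]))

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def service_name(port: int, proto: str) -> str:
    """/etc/services lookup; 'unknown' if the port is not listed there."""
    try:
        return socket.getservbyport(port, proto)
    except (OSError, OverflowError):
        return "unknown"

def classify(e: Entry) -> str:
    """Header-only verdict for one entry, following the reasoning in the thread."""
    if e.proto == 1:
        if (e.sport, e.dport) == (8, 0):
            return "icmp echo request (ping)"
        return f"icmp type {e.sport} code {e.dport}"
    if e.proto == 17 and (e.sport, e.dport) == (68, 67):
        # 255.255.255.255 is never forwarded by a router: either a local host
        # sent this or a router rewrote a directed broadcast (Barry's point).
        where = " to limited broadcast" if e.dst == "255.255.255.255" else ""
        return "bootp/dhcp client request" + where
    if e.proto == 17 and e.dport == 137:
        return "netbios name service query"
    pname = PROTO_NAMES.get(e.proto)
    if pname in ("tcp", "udp"):
        return f"{pname}/{e.dport} ({service_name(e.dport, pname)})"
    return f"ip protocol {e.proto}"

def suspicious_sources(entries: List[Entry], min_ports: int = 4) -> Dict[str, List[int]]:
    """Sources hitting at least min_ports distinct TCP/UDP destination ports
    (threshold is an assumption; scattered single hits stay below it)."""
    seen: Dict[str, set] = defaultdict(set)
    for e in entries:
        if e.proto in (6, 17):
            seen[e.src].add(e.dport)
    return {s: sorted(p) for s, p in seen.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.iface} {e.src} -> {e.dst}: {classify(e)} ttl={e.ttl} df={e.df_set}")
    print("scan suspects:", suspicious_sources(parse_log(SAMPLE_LOG)))
```

Feed it a real ipchains log (e.g. grep "Packet log" /var/log/messages) instead of SAMPLE_LOG; as Robert says, anything beyond this header-level triage needs the packet payload, which the firewall never logged.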

Marc Haber

Aug 26, 1999
"Matthew J. Hellman" <mhel...@uswestREMOVECAPS.net> wrote:
>Ok, thanks Robert and Barry. Could you give me a link to an updated list of
>known ports and their uses? The one I'm using is a little old and
>incomplete.

See /etc/services on almost any UNIX system.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

Philipp Buehler

Aug 26, 1999
On Thu, 26 Aug 1999 14:15:28 GMT, Marc Haber
<Marc.Hab...@gmx.de> wrote:
>See /etc/services on almost any UNIX system.
Uh, you have not seen many UNIX systems, Linux geek, you ;-)

Better try for official and complete information:
http://www.isi.edu/in-notes/iana/assignments/port-numbers

ciao
--
Philipp Buehler, aka fIpS | BOFH | NUCH | double-p on IRC
VAX/OpenVMS: 24/365 No compromise computing.
"god awful waste-of-space, dumb degenerated low-life mal-adjusted freaks..
what you see is what you get then we have nothing to regret.." PSI, 1998

Robert Graham

Aug 26, 1999
Matthew J. Hellman wrote:
>
> Ok, thanks Robert and Barry. Could you give me a link to an updated list of
> known ports and their uses? The one I'm using is a little old and
> incomplete.

The official list is at:
http://www.isi.edu/in-notes/rfc1700.txt

This won't be all that helpful, though, which is why I'm trying to create a useful
list in my FAQ. Also, this is why you need intrusion detection systems: simply
knowing what ports are being rejected doesn't give nearly as complete information as
actually analyzing the data in the packets.

Barry Margolin

Aug 26, 1999
In article <37C59B...@example.com>,
Robert Graham <12345r...@example.com> wrote:
>Matthew J. Hellman wrote:
>>
>> Ok, thanks Robert and Barry. Could you give me a link to an updated list of
>> known ports and their uses? The one I'm using is a little old and
>> incomplete.
>
>The official list is at:
>http://www.isi.edu/in-notes/rfc1700.txt

Actually, RFC 1700 is several years old. The file that gets updated
regularly is <ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers>.

>This won't be all that helpful, though, which is why I'm trying to create
>a useful
>list in my FAQ. Also, this is why you need intrusion detection systems: simply
>knowing what ports are being rejected doesn't give nearly as complete
>information as
>actually analyzing the data in the packets.

Agreed. Many of the entries in the IANA port assignments list are due to
someone registering a port years ago; even though the application was never
deployed widely, or may be obsolete now, the port assignment remains.
Meanwhile, script kiddies and game developers pick ports at random, not
caring what it says in the above file.
