
Mysterious packet


Hendrik Boom

Nov 8, 2012, 10:30:02 AM
I've started getting messages like the following:

[12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0
[111179.489288] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0

Now these IP numbers are not on my LAN, which is masqueraded. They also
bear no relationship to my external-world IP number. If it's about a
packet being sent from 4.125.133.188 to either of the others, my ISP
shouldn't even be sending it to me. Do I understand the message
correctly?

What could be going on here?

-- hendrik


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/k7giuv$ruu$1...@ger.gmane.org

Darac Marjal

Nov 8, 2012, 12:00:01 PM
On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
> I've started getting messages like the following:
>
> [12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0
> [111179.489288] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
>
> Now these IP numbers are not on my LAN, which is masqueraded. They also
> bear no relationship to my external-world IP number. If it's about a
> packet being sent from 4.125.133.188 to either of the others, my ISP
> shouldn't even be sending it to me. Do I understand the message
> correctly?

Yep. As I understand it 74.125.133.188:5228 is sending a RESET packet
to 25.46.128.71:44380. By the looks of things, though, your kernel is
responding as you'd expect it to and re-routing the packet back out your
PPP connection (that is, it came in on ppp0, it's not for you, so you
pass it back out on the default route which I imagine is ppp0).

According to whois, 74.125.133.188 belongs to Google, while 25.46.128.71
belongs to the UK Ministry of Defence (MOD). I thought it might be worth
checking if either IP was a reserved one such as a multicast address,
but no, they look normal.


>
> What could be going on here?

If this is a one-off, it's probably a routing glitch at your ISP. If
it's regular, capture some of the data using Wireshark and/or report it
to your ISP. Or, alternatively, just firewall it out.

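One way to turn the reasoning in this reply into a repeatable check over the kernel log lines, as an added example that is not part of the thread: the parser handles the netfilter `KEY=VALUE` format shown above, the block labels come from the whois results given in the thread, and the LOCAL_NETS values are assumed placeholders because the poster's own addresses are not in the thread.

```python
import ipaddress
# Constructed copy of the two netfilter log lines from the first post
# (IN=ppp0 OUT=ppp0: the kernel was forwarding, not receiving, the packet).
SAMPLE_LOG = """\
[12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0
[111179.489288] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
"""
# Assumed placeholders for the poster's LAN and PPP address (not in the thread).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("203.0.113.7/32")]
# Block ownership as reported by whois later in the thread.
KNOWN_BLOCKS = {"74.125.0.0/16": "Google", "25.0.0.0/8": "UK MoD"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_nflog_line(line):
    """Split a 'KEY=VALUE ...' line into a dict; bare TCP flag words go in 'flags'."""
    fields = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)
    return fields

def owner(ip):
    """Name the block an address falls in, if the thread identified it."""
    for cidr, who in KNOWN_BLOCKS.items():
        if ip in ipaddress.ip_network(cidr):
            return who
    return "unknown"

def triage(line, local_nets=LOCAL_NETS):
    """Apply the reply's reasoning to one log line and list what is odd about it."""
    f = parse_nflog_line(line)
    src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    findings = []
    if f.get("IN") and f["IN"] == f.get("OUT"):
        findings.append("hairpin: forwarded back out the ingress interface")
    if not any(dst in net for net in local_nets):
        findings.append("transit: destination is neither this host nor the LAN")
    if "RST" in f["flags"] and f.get("WINDOW") == "0":
        findings.append("bare RST, window 0: no connection state on this host")
    return {"src": f"{src}:{f.get('SPT')}", "src_owner": owner(src),
            "dst": f"{dst}:{f.get('DPT')}", "dst_owner": owner(dst),
            "findings": findings}

def triage_log(text):
    return [triage(l) for l in text.splitlines() if "SRC=" in l]
```

Run `triage_log` over `dmesg` output to separate packets that merely transited your box from traffic actually addressed to you; a line with no findings is ordinary inbound traffic.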

Neal Murphy

Nov 8, 2012, 12:20:02 PM
On Thursday, November 08, 2012 11:58:33 AM Darac Marjal wrote:
> On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
> > I've started getting messages like the following:
> >
> > [12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71
> > LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380
> > WINDOW=0 RES=0x00 RST URGP=0 [111179.489288] IN=ppp0 OUT=ppp0
> > SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00 TTL=50
> > ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
> >
> > Now these IP numbers are not on my LAN, which is masqueraded. They also
> > bear no relationship to my external-world IP number. If it's about a
> > packet being sent from 4.125.133.188 to either of the others, my ISP
> > shouldn't even be sending it to me. Do I understand the message
> > correctly?
>
> Yep. As I understand it 74.125.133.188:5228 is sending a RESET packet
> to 25.46.128.71:44380. By the looks of things, though, your kernel is
> responding as you'd expect it to and re-routing the packet back out your
> PPP connection (that is, it came in on ppp0, it's not for you, so you
> pass it back out on the default route which I imagine is ppp0).

Presented this way, it could be a DDoS attack on either the src or the dest.



Hendrik Boom

Nov 9, 2012, 2:50:02 PM
On Thu, 08 Nov 2012 12:15:55 -0500, Neal Murphy wrote:

> On Thursday, November 08, 2012 11:58:33 AM Darac Marjal wrote:
>> On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
>> > I've started getting messages like the following:
>> >
>> > [12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71
>> > LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228
>> > DPT=44380 WINDOW=0 RES=0x00 RST URGP=0 [111179.489288] IN=ppp0
>> > OUT=ppp0 SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00
>> > TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST
>> > URGP=0
>> >
>> > Now these IP numbers are not on my LAN, which is masqueraded. They
>> > also bear no relationship to my external-world IP number. If it's
>> > about a packet being sent from 4.125.133.188 to either of the others,
>> > my ISP shouldn't even be sending it to me. Do I understand the
>> > message correctly?
>>
>> Yep. As I understand it 74.125.133.188:5228 is sending a RESET packet
>> to 25.46.128.71:44380. By the looks of things, though, your kernel is
>> responding as you'd expect it to and re-routing the packet back out
>> your PPP connection (that is, it came in on ppp0, it's not for you, so
>> you pass it back out on the default route which I imagine is ppp0).
>
> Presented this way, it could be a DDoS attack on either the src or the
> dest.

That's plausible. There's probably no real reason for assuming that
the SRC address is where the packet originated.

Two more of them arrived today, with a new SRC, 74.125.142.138
(different but similar to yesterday's), but different destinations,
25.46 37.163 and 25.44.254.232.

-- hendrik



Tom Furie

Nov 9, 2012, 6:40:02 PM
Not sure it helps any, but the 74.125.0.0/16 block belongs to Google and
the 25.0.0.0/8 block belongs to the UK's MoD. Looks like some sort of
attack attempt to me.

Cheers,
Tom

--
We don't need no education, we don't need no thought control.
-- Pink Floyd

Neal Murphy

Nov 9, 2012, 6:50:01 PM
On Friday, November 09, 2012 06:30:37 PM Tom Furie wrote:
> Not sure it helps any, but the 74.125.0.0/16 block belongs to Google and
> the 25.0.0.0/8 block belongs to the UK's MoD. Looks like some sort of
> attack attempt to me.

Were I a paranoid type, I might think that someone was inventing a new attack,
where they try to induce two large sites to DoS each other, or try to clog a
trans-oceanic cable.



Tom Furie

Nov 9, 2012, 7:10:01 PM
On Fri, Nov 09, 2012 at 06:50:30PM -0500, Neal Murphy wrote:

> Were I a paranoid type, I might think that someone was inventing a new attack,
> where they try to induce two large sites to DoS each other, or try to clog a
> trans-oceanic cable.

Reminds me of a line from a film, "Strange Days", I think (paraphrased): "It's not a
question of if you're paranoid, are you paranoid *enough*?"

Cheers,
Tom
