Re: a lot of spoofed traffic for port 8, does anybody recon this?

From: Kevin Pietersma (kevat_private)
Date: Mon May 14 2001 - 11:54:20 PDT

    What you are seeing are ICMP codes (ICMP Echo Request; itype: 8; icode: 
    0).  Someone is PINGing you.
    
    kev
    
    
    At 10:52 AM 5/14/01 -0400, Bob Johnson wrote:
    >Don't know if you ever figured this out.  The only place I've ever seen port
    >8 used is a Telocity DSL modem in a friend's office.  The modem queries
    >port 8 on the client system (i.e. the system it is connecting to the
    >Internet) at regular intervals.  It also updates DHCP info at regular
    >intervals.  I don't know what the modem is looking for, but it seems to
    >work fine if it doesn't find anything.
    >
    >In his case the modem has a public IP number, so the probe packets come
    >from that address.
    >
    >- Bob
    >
    >Mikael Fors wrote:
    > >
    > > Last 24 hours I've been receiving a lot of strange packets on my public 
    > interface. Log has been sanitized.
    > >
    > > May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)
    > > May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29113 F=0x0000 T=127 (#24)
    > > May  9 10:03:39 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29117 F=0x0000 T=127 (#24)
    > > May  9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29177 F=0x0000 T=126 (#24)
    > > May  9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29178 F=0x0000 T=127 (#24)
    > > May  9 10:04:09 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29185 F=0x0000 T=127 (#24)
    > > May  9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29235 F=0x0000 T=126 (#24)
    > > May  9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29236 F=0x0000 T=127 (#24)
    > > May  9 10:04:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 
    > a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29243 F=0x0000 T=127 (#24)
    > >
    > > These packets started trickling here about 48 hours ago, and I have no 
    > clue what it can be. What resides on port 8 and why ICMP??? All of these 
    > packets arrive on the public interface, and contain private networks, 
    > mostly 192.168.x.x networks, but also 172.x.x.x networks show up.
    > >
    > > Mikael Fors
    > > Mora Datorer AB
    >
    >--
    >
    >*********************************************************
    >   Bob Johnson            Senior Systems Programmer
    >   bobat_private        College of Engineering
    >                          523 Weil Hall
    >   352-392-9217 Office    University of Florida
    >   352-392-7063 Fax       Gainesville, FL  32611
    >*********************************************************
    >   "Security is not a product, it's a mentality."           .         .
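
The reading given in the reply above (for PROTO=1 the two ":N" fields are ICMP type and code, not ports), as an added example that is not part of the original messages. The sample lines are constructed in the layout of the quoted log, with documentation addresses (203.0.113.7, 198.51.100.9) standing in for real ones; the RFC 1918 flag reflects the private destinations the original poster mentions.

```python
import ipaddress
import re

# Assumption: ipchains "Packet log:" layout as it appears in the quoted log.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<a>\d+) (?P<dst>[^\s:]+):(?P<b>\d+)"
)
ICMP_NAMES = {(0, 0): "echo-reply", (8, 0): "echo-request"}  # RFC 792, subset
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode(line):
    """Return a dict describing one packet-log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, a, b = int(m["proto"]), int(m["a"]), int(m["b"])
    out = {"action": m["action"], "src": m["src"], "dst": m["dst"], "proto": proto}
    if proto == 1:
        # ICMP has no ports: the field after the source address is the ICMP
        # type and the field after the destination address is the ICMP code.
        out.update(icmp_type=a, icmp_code=b,
                   meaning=ICMP_NAMES.get((a, b), "other-icmp"))
    else:
        out.update(sport=a, dport=b, meaning="ports")
    try:
        dst = ipaddress.ip_address(m["dst"])
        out["dst_rfc1918"] = any(dst in net for net in RFC1918)
    except ValueError:
        out["dst_rfc1918"] = None  # sanitized address such as a.b.c.d
    return out


# Constructed sample lines (unwrapped), not taken from a real capture.
SAMPLE = [
    "May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 "
    "203.0.113.7:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)",
    "May  9 10:05:01 gator kernel: Packet log: eth0o REJECT eth0 PROTO=6 "
    "203.0.113.7:40112 198.51.100.9:8 L=44 S=0x00 I=30001 F=0x0000 T=52 (#24)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode(entry))
```

Only the second sample line involves an actual port 8; the first is an echo request addressed to a private destination.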
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 19:24:21 PDT