On Mon, 14 May 2001, Bob Johnson wrote:

> Don't know if you ever figured this out. The only place I've ever
> seen port 8 used is a Telocity DSL modem in a friend's office.

[snip]

> Mikael Fors wrote:
> > May 9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)

[snip]

that logline should tell you everything you need to know. it's a deficiency, however, of the logging that is causing your confusion.

from /etc/protocols (and the IANA list):

icmp    1       ICMP    # internet control message protocol

so ... PROTO=1 means 'ICMP'.

now for the 'port 8' (from a.b.c.d:8 in the logfile), this is the deficiency: ICMP doesn't use ports, it uses types and codes. so, you saw an ICMP type 8, which is 'echo request', aka our friend 'ping'. as such, it looks like someone was pinging you.

there are a variety of legit reasons why someone could be pinging you, including napster (uses it to get latencies and estimated bandwidth between the two endpoints of a connection), and gaming. the frequency doesn't appear to be anything special, so i wouldn't presume a DoS attempt. figure 6.3 of stevens' 'TCP/IP Illustrated Vol 1' should be useful here.

the main culprit is the crappy mistake in the logging. whoever hacked it together (the code) needs to be beaten with a blunt object for only thinking about protocols 6 and 17 (UDP and TCP). other protocols usually get barfed on as well for 'port numbers', especially when the concept of a port is absent in the protocol definition.

hope this helps,

____________________________
jose nazario                    joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
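The point of the reply above is that the ipchains "Packet log:" format prints the two numbers after the addresses as if they were ports for every protocol, so for ICMP the "source port" is really the ICMP type (8 = echo request). The following parser is an added example, not code from the original thread or from ipchains: it decodes that line format, labels the two fields by protocol (ports only for TCP/UDP, type/code for ICMP, raw numbers otherwise), and counts echo requests per source so the reader can judge whether the rate looks like ordinary pings or a flood. It assumes the ipchains layout shown in the quoted entry, with the ICMP code in the destination column (my reading of that format, not stated in the message); the sample log lines are constructed and use the 192.0.2.0/24 documentation range.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Protocol numbers as listed in /etc/protocols (IANA assigned numbers).
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# ICMP message types (RFC 792); the log's "port 8" is type 8, echo request.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
}

# Field layout of an ipchains "Packet log:" line, as in the quoted entry:
#   <chain> <action> <iface> PROTO=<n> <src>:<a> <dst>:<b> L=<len> S=<tos>
#   I=<ipid> F=<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<a>\d+) (?P<dst>[\w.]+):(?P<b>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)


def parse_packet_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one ipchains log line, interpreting the two ':<n>' columns by
    protocol: ports for TCP/UDP, type/code for ICMP, raw numbers otherwise."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto = int(m["proto"])
    rec: Dict[str, object] = {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": proto, "proto_name": PROTOCOLS.get(proto, f"proto-{proto}"),
        "src": m["src"], "dst": m["dst"],
        "length": int(m["length"]), "ttl": int(m["ttl"]),
    }
    a, b = int(m["a"]), int(m["b"])
    if proto in (6, 17):
        rec["sport"], rec["dport"] = a, b
    elif proto == 1:
        # ipchains reuses the port columns: source column = ICMP type,
        # destination column = ICMP code (assumed layout, see lead-in).
        rec["icmp_type"], rec["icmp_code"] = a, b
        rec["icmp_type_name"] = ICMP_TYPES.get(a, f"type {a}")
    else:
        # No port concept in this protocol: keep the numbers, don't call them ports.
        rec["raw_fields"] = (a, b)
    return rec


def describe(rec: Dict[str, object]) -> str:
    """Render a record the way the log should have: no fake ports for ICMP."""
    if rec["proto"] == 1:
        return (f"ICMP {rec['icmp_type_name']} (type {rec['icmp_type']}, "
                f"code {rec['icmp_code']}) {rec['src']} -> {rec['dst']}")
    if "sport" in rec:
        return f"{rec['proto_name']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
    return f"{rec['proto_name']} {rec['src']} -> {rec['dst']} fields={rec['raw_fields']}"


def echo_requests_per_source(lines: Iterable[str]) -> Counter:
    """Count ICMP echo requests per source address, so the rate can be
    compared against what ordinary pings (napster, games) would produce."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec.get("icmp_type") == 8:
            counts[str(rec["src"])] += 1
    return counts


# Constructed sample lines in the same layout as the quoted entry
# (192.0.2.0/24 is a documentation range, not a real source).
SAMPLE_LOG = [
    "May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 192.0.2.10:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)",
    "May  9 10:03:41 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 192.0.2.10:8 192.168.22.2:0 L=60 S=0x00 I=29113 F=0x0000 T=126 (#24)",
    "May  9 10:03:42 gator kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:1234 192.168.22.2:22 L=60 S=0x00 I=4411 F=0x4000 T=52 (#3)",
    "May  9 10:03:43 gator kernel: Packet log: input DENY eth0 PROTO=2 192.0.2.5:0 224.0.0.1:0 L=32 S=0xc0 I=0 F=0x0000 T=1 (#5)",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(describe(parse_packet_log(entry)))
    print(dict(echo_requests_per_source(SAMPLE_LOG)))
```

Feeding a real log through the parser turns the misleading `a.b.c.d:8` into "ICMP echo request (type 8, code 0)", and the per-source counter gives the number a responder actually needs: two echo requests five seconds apart is a ping, not a flood.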
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 19:28:05 PDT