weird sequence in packet filter log

From: Tobias Diedrich (ranmaat_private)
Date: Wed Jul 25 2001 - 07:12:24 PDT


    Hi,
    
    I just noticed an interesting sequence of events in my packet filter log.
    My system is running linux-2.4.7 with iptables.
    iptables is configured so that incoming packets are rejected except for
    ping (limited), http, ssh and RELATED, ESTABLISHED connections.
    
    The pattern in this log file:
    
    First a packet from 172.16.46.71 or 10.10.1.101 with SPT=80 and
    DPT=4724 (172.16.46.71) or DPT=47965 (10.10.1.101).
    Flags differ (ACK SYN or only ACK for 172.16.46.71, ACK PSH for 10.10.1.101).
    After that an ICMP destination unreachable packet from 62.155.254.18.
    
    None of these hosts seem to have a reverse DNS mapping.
    whois shows that 62.155.254.18 belongs to the address space of my internet provider.
    The other IPs (172.16.46.71 and 10.10.1.101) belong to network blocks reserved for
    private networks (which should not be routed over the internet).
    
    Very weird.
    Any clues?
    
    Here is the log (times are GMT+0200):
    
    Jul 25 15:31:31 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=45995 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0 
    Jul 25 15:31:31 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=19311 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0 
    Jul 25 15:31:32 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=6144 RES=0x1a URG PSH SYN FIN URGP=3072 ] 
    Jul 25 15:31:32 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=12336 RES=0x00 URG ACK SYN URGP=19213 ] 
    Jul 25 15:31:34 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=45996 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0 
    Jul 25 15:31:34 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=45997 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK URGP=0 
    Jul 25 15:31:35 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=41254 RES=0x32 URG FIN URGP=46200 ] 
    Jul 25 15:31:35 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=54721 RES=0x13 URG PSH SYN URGP=11367 ] 
    Jul 25 15:31:36 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=19312 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0 
    Jul 25 15:31:36 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=32781 RES=0x32 URG ACK RST URGP=7627 ] 
    Jul 25 15:31:40 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=45998 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0 
    Jul 25 15:31:40 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=45999 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK URGP=0 
    Jul 25 15:31:41 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=4417 RES=0x04 URG ACK SYN FIN URGP=14422 ] 
    Jul 25 15:31:41 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=21382 RES=0x14 URG SYN URGP=14421 ] 
    Jul 25 15:31:45 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=19313 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0 
    Jul 25 15:31:45 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=51307 RES=0x29 URG RST URGP=12655 ] 
    Jul 25 15:31:53 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=46000 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0 
    Jul 25 15:31:54 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=0 RES=0x36 URG ACK SYN URGP=256 ] 
    Jul 25 15:32:05 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=19314 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0 
    Jul 25 15:32:05 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=49147 RES=0x0e URG SYN FIN URGP=24317 ] 
    Jul 25 15:32:20 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=46001 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0 
    Jul 25 15:32:20 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=59154 RES=0x00 URG ACK PSH FIN URGP=56607 ] 
    Jul 25 15:32:45 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=19315 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0 
    Jul 25 15:32:46 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=44162 RES=0x0e ACK RST SYN URGP=59329 ] 
    Jul 25 15:33:13 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=46002 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0 
    Jul 25 15:33:14 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=48641 RES=0x39 URG RST SYN FIN URGP=30465 ] 
    Jul 25 15:34:06 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=55557 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0 
    Jul 25 15:34:06 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=40378 RES=0x0b URG RST SYN URGP=45758 ] 
    Jul 25 15:34:12 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=14007 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0 
    Jul 25 15:34:13 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=12228 RES=0x37 URGP=7172 ] 
    Jul 25 15:35:12 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=14008 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK RST URGP=0 
    Jul 25 15:36:39 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.8.13.26 DST=m.y.i.p LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7776 DF PROTO=TCP SPT=80 DPT=1396 WINDOW=0 RES=0x00 RST URGP=0 
    Jul 25 15:36:48 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=21509 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0 
    Jul 25 15:36:48 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=32771 RES=0x09 PSH RST SYN FIN URGP=17411 ] 
    
    -- 
    Tobias							     PGP-Key: 0x9AC7E0BC
    echo ${SIGNATURE}
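Added example, not part of the original message or the poster's setup: a small Python triage script for iptables LOG lines in exactly the format quoted above (KEY=value tokens, bare TCP flag names, and an ICMP error's quoted original header in square brackets). It reports TCP packets arriving on the external interface from RFC 1918 space, and for each ICMP type 3 message it works out how many bytes of the original transport header the router actually quoted and whether that quote mirrors the last inbound packet from the same peer. The five sample lines are taken verbatim from the post (m.y.i.p is the poster's placeholder). Assumptions not stated in the post: IP headers carry no options (20 bytes each) and ppp0 is the external interface.

```python
"""Triage iptables LOG lines: bogon sources and ICMP unreachable quotes.

Added example (not from the original post).  Assumes IP headers without
options and 'ppp0' as the external interface; both are assumptions.
"""
import ipaddress
import re

KV_RE = re.compile(r"([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
IP_HDR_LEN = 20        # assumption: no IP options (LOG prints LEN, not IHL)
ICMP_HDR_LEN = 8       # type, code, checksum, unused word
TCP_FLAGS_OFFSET = 13  # the flags byte is at offset 13 of a TCP header


def parse_fields(text):
    """Return ({KEY: value}, {flags}) for one 'KEY=value ... FLAG FLAG' segment."""
    fields = dict(KV_RE.findall(text))
    flags = {tok for tok in text.split() if tok in TCP_FLAGS}
    return fields, flags


def parse_line(line):
    """Parse one LOG line; an ICMP error's quoted header is returned under 'quoted'."""
    quoted = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        q_fields, q_flags = parse_fields(m.group(1))
        quoted = {"fields": q_fields, "flags": q_flags}
        line = line[:m.start()]          # parse only the outer header below
    fields, flags = parse_fields(line)
    return {"fields": fields, "flags": flags, "quoted": quoted}


def is_private(addr):
    """True for RFC 1918 and other non-global addresses; placeholders are not addresses."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:                   # e.g. the poster's 'm.y.i.p'
        return False


def quoted_transport_bytes(total_len):
    """Bytes of the original transport header inside an ICMP error of IP length total_len."""
    return int(total_len) - IP_HDR_LEN - ICMP_HDR_LEN - IP_HDR_LEN


def triage(lines, external_if="ppp0"):
    findings = []
    last_inbound = {}  # peer -> (SPT, DPT) of its most recent inbound TCP packet
    for line in lines:
        pkt = parse_line(line)
        f = pkt["fields"]
        if f.get("IN") != external_if:
            continue
        src = f.get("SRC")
        if f.get("PROTO") == "TCP":
            if is_private(src):          # private source on the Internet side
                findings.append({
                    "kind": "bogon-source", "src": src,
                    "spt": f["SPT"], "dpt": f["DPT"],
                    "flags": "+".join(sorted(pkt["flags"])) or "none",
                })
            last_inbound[src] = (f["SPT"], f["DPT"])
        elif f.get("PROTO") == "ICMP" and f.get("TYPE") == "3" and pkt["quoted"]:
            q = pkt["quoted"]["fields"]
            quoted = quoted_transport_bytes(f["LEN"])
            peer = q.get("DST")
            findings.append({
                "kind": "icmp-unreachable", "src": src, "code": f.get("CODE"),
                "peer": peer, "quoted_transport_bytes": quoted,
                # ports occupy the first 4 quoted bytes; flags need 14 bytes
                "flags_verifiable": quoted > TCP_FLAGS_OFFSET,
                # the quote should be our reply: ports of the last inbound packet, reversed
                "mirrors_last_inbound": last_inbound.get(peer) == (q.get("DPT"), q.get("SPT")),
            })
    return findings


# Sample input: five lines taken verbatim from the post above.
SAMPLE_LOG = [
    "Jul 25 15:31:31 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=172.16.46.71 DST=m.y.i.p LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=45995 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=25200 RES=0x00 ACK SYN URGP=0",
    "Jul 25 15:31:31 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.10.1.101 DST=m.y.i.p LEN=1452 TOS=0x00 PREC=0x00 TTL=238 ID=19311 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=64952 RES=0x00 ACK PSH URGP=0",
    "Jul 25 15:31:32 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=6144 RES=0x1a URG PSH SYN FIN URGP=3072 ]",
    "Jul 25 15:31:32 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=62.155.254.18 DST=m.y.i.p LEN=56 TOS=0x00 PREC=0x00 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=m.y.i.p DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=12336 RES=0x00 URG ACK SYN URGP=19213 ]",
    "Jul 25 15:36:39 melchior kernel: ppp0-iIN=ppp0 OUT= MAC= SRC=10.8.13.26 DST=m.y.i.p LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7776 DF PROTO=TCP SPT=80 DPT=1396 WINDOW=0 RES=0x00 RST URGP=0",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Two things the output makes visible that the raw lines do not. First, every ICMP line has LEN=56, and 56 - 20 (outer IP) - 8 (ICMP) - 20 (inner IP) leaves exactly 8 bytes of the original TCP header, the minimum RFC 792 requires; that covers the ports and sequence number but not the flags byte at offset 13, nor WINDOW or URGP, so the URG/PSH/SYN/FIN combinations and non-zero RES values printed inside the brackets cannot have come from the quoted datagram and should not be read as the host having sent such packets. Second, the quoted ports (SPT=4724/DPT=80 towards 172.16.46.71, SPT=47965/DPT=80 towards 10.10.1.101) are the inbound packet's ports reversed, so each code 1 (host unreachable) message from the provider's 62.155.254.18 refers to a reply this host sent back to a private, unroutable source address; the actionable finding is the RFC 1918 sources arriving on ppp0, which an ingress filter on that interface can drop before any reply is generated.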
    
    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 09:55:43 PDT