[H-GEN] Network Nasties

Everist, Geoff everistg at switch.aust.com
Tue Feb 29 02:29:51 EST 2000


[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics.  Please observe the list's charter.          ]

We have been filtering some wierd packets on our permanent modem (ppp)
connections to our ISP (who shall remain nameless). We have two separate
problems on which I hope fellow listers can comment.

Number one is that we are getting connection attempts from packets with
presumably spoofed source addresses which are within the private address
range, vis:

Feb 29 16:01:16 firewall.ussbris kernel: Packet log: input DENY ppp0 PROTO=1
192.168.16.129:3 203.108.63.250:4 L=56 S=0x00 I=23245 F=0x0000 T=56 (#17)

and

Feb 27 15:26:35 firewall.ussbris kernel: Packet log: input DENY ppp0 PROTO=6
10.9.1.66:80 203.108.63.250:63223 L=305 S=0x00 I=15355 F=0x4000 T=236 (#15)

203.108.63.250 is our address.

Shouldn't these source addresses be rejected by the ISP routers? If they are
not then I guess the other conclusion is that they are originating from
inside the ISP's network. I am very sure that they are not coming from our
internal network. I have sent the logs to the ISP security people, but it is
too early to expect a response at this stage.

Number two is that we keep getting route connection attempts from the ISP
end of another ppp link, vis:

Feb 29 14:00:19 firewall.wa kernel: Packet log: input DENY ppp0 PROTO=17
203.108.225.15:520 203.108.45.207:520 L=52 S=0x00 I=17772 F=0x0000 T=30
(#44)

203.108.255.15 is the ISP network side of the ppp link, and 203.108.45.207
is our side of the link. Kinda wierd, because we do not (and never have) use
the route service; our routing arrangements are very simple and all static.
Is it possible the there is a router/terminal server configuration problem
here? We have contacted our ISP technical people about it, but it all seems
to go to /dev/null.

Any comments or advice will be most appreciated.

Cheers
Geoff Everist

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.



More information about the General mailing list