[ale] Strange activity on net
John Clinton
john at mysnmp.org
Thu Sep 4 05:42:21 EDT 2008
Scott,
What I do to pinpoint traffic identification is run a software-based
firewall. I personally use FreeBSD and IPFilter. However, Linux has
options too. In any event, I log all traffic blocked, and then I can
determine what ports are being targeted. Once I have port numbers, then I
can look up (via Google, of course) what activity normally uses the port(s).
In a lot of cases I usually find Windows-based exploits.
I have even taken this a step further when unpermitted traffic is high, say
many attempts to hit my port 22. I then send an email to the network's
abuse address and inform them about the issue.
I get at least one denied packet per minute and sometimes several packets a
minute. I sometimes see port walking too.
Good luck,
John
On Wed, Sep 3, 2008 at 5:30 PM, Scott Castaline <hscast at charter.net> wrote:
> I've suddenly noticed a very high level of activity on my broadband
> connection. When I view the logs on my router one IP sticks out,
> 24.64.254.20. nslookup gives:
>
> Non-authoritative answer:
> 20.254.64.24.in-addr.arpa name = S010600161726dd6b.cg.shawcable.net.
>
> Authoritative answers can be found from:
> 254.64.24.in-addr.arpa nameserver = ns1.so.cg.shawcable.net.
> 254.64.24.in-addr.arpa nameserver = ns2.so.cg.shawcable.net.
>
> And tracert gives:
>
> > [root at ncc1701f ~]# tracert 24.64.254.20
> > traceroute to 24.64.254.20 (24.64.254.20), 30 hops max, 40 byte packets
> >  1  192.168.11.1 (192.168.11.1)  0.469 ms  0.601 ms  0.755 ms
> >  2  10.226.128.1 (10.226.128.1)  9.591 ms  9.616 ms  9.771 ms
> >  3  172.26.102.197 (172.26.102.197)  9.766 ms  9.906 ms  10.024 ms
> >  4  24-197-160-34.static.gwnt.ga.charter.com (24.197.160.34)  10.808 ms  10.810 ms  11.011 ms
> >  5  so-7-0-0.edge2.Atlanta2.Level3.net (4.78.63.9)  16.032 ms  16.030 ms  16.152 ms
> >  6  ae-72-52.ebr2.Atlanta2.Level3.net (4.68.103.61)  20.014 ms  ae-73-52.ebr3.Atlanta2.Level3.net (4.68.103.62)  12.676 ms  ae-72-52.ebr2.Atlanta2.Level3.net (4.68.103.61)  15.941 ms
> >  7  ae-72-70.ebr2.Atlanta2.Level3.net (4.69.138.19)  16.202 ms  22.283 ms  ae-3.ebr2.Chicago1.Level3.net (4.69.132.73)  38.718 ms
> >  8  ae-3.ebr2.Chicago1.Level3.net (4.69.132.73)  38.730 ms  ae-21-56.car1.Chicago1.Level3.net (4.68.101.162)  29.987 ms  29.489 ms
> >  9  ae-21-56.car1.Chicago1.Level3.net (4.68.101.162)  29.883 ms  39.977 ms  39.858 ms
> > 10  BIG-PIPE-IN.car1.Chicago1.Level3.net (4.79.208.150)  40.018 ms  rc1nr-pos0-7-0-0.wp.shawcable.net (66.163.76.173)  119.556 ms  BIG-PIPE-IN.car1.Chicago1.Level3.net (4.79.208.150)  32.356 ms
> > 11  rc2nr-pos14-0.wp.shawcable.net (66.163.76.173)  119.644 ms  rc1so-pos14-0-0.cg.shawcable.net (66.163.77.157)  87.529 ms  rc1nr-pos0-7-0-0.wp.shawcable.net (66.163.76.173)  81.661 ms
> > 12  rc1so-pos14-0-0.cg.shawcable.net (66.163.77.157)  102.119 ms  86.584 ms  90.816 ms
> > 13  rd1so-ge2-0-0.cg.shawcable.net (66.163.71.78)  90.886 ms  91.067 ms  dx1ok-g1.cg.shawcable.net (64.59.140.249)  92.241 ms
> > 14  dx1ok-g1.cg.shawcable.net (64.59.140.249)  97.235 ms  92.374 ms  *
> > 15 * * *
> > 16 * * *
> > 17 * * *
> > 18 * * *
> > 19 * * *
> > 20 * * *
> > 21 * * *
> > 22 * * *
> > 23 * * *
> > 24 * * *
> > 25 * * *
> > 26 * * *
> > 27 * * *
> > 28 * * *
> > 29 * * *
> > 30 * * *
>
> I do not have anything going on other than ntpd and I do remain logged
> into my iGoogle account as well as weather.com/gold and I was logged
> into Fedora Forums. Nothing else. Why would I be receiving traffic from
> Shaw Cable in (if memory serves me) Toronto, Canada? It seems mostly UDP
> packets. Is there anything else that I can use to see what's really
> going on?
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
--
John Clinton
john at mysnmp.org
Mobile: 404.200.7333
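John's procedure above (log every blocked packet, read off which ports are being hit and by whom, look the ports up, and watch the rate of hits and any port walking before deciding whether to write to the network's abuse contact) as an added worked example. This is not code from the thread or from the IPFilter or netfilter projects. It parses two deny-log layouts, FreeBSD ipmon(8) block lines and Linux netfilter LOG-target lines as syslog writes them; both layouts are assumed from those tools' usual output, and the sample log lines and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Firewall deny logs -> targeted ports, top sources, packets/minute, port walkers.

Added example, not code from the thread. Two input formats are handled:
  - FreeBSD IPFilter ipmon(8) lines (layout assumed from ipmon's usual output)
  - Linux netfilter LOG-target lines via syslog (no year logged; caller supplies it)
The sample lines are constructed; addresses come from RFC 5737 documentation ranges.
"""
import re
import socket
from collections import Counter, defaultdict
from datetime import datetime
from typing import Iterable, List, NamedTuple, Optional

class Denied(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None for port-less protocols such as icmp

# ipmon: 'dd/mm/yyyy hh:mm:ss.usec if @group:rule b|p src[,sport] -> dst[,dport] PR proto ...'
IPMON_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ \S+ @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+)(?:,\d+)? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+)"
)
# netfilter LOG via syslog: 'Mon dd hh:mm:ss host kernel: PREFIX IN=.. SRC=.. DST=.. PROTO=.. [SPT=.. DPT=..]'
NETFILTER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dport>\d+))?"
)

def parse_line(line: str, year: int = 2008) -> Optional[Denied]:
    """Return the denied packet a log line describes, or None.
    ipmon 'p' (pass) lines are skipped; netfilter lines are assumed to come from
    a LOG rule placed directly before the DROP, so every match is a denial."""
    m = IPMON_RE.match(line)
    if m:
        if m["action"] != "b":
            return None
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
    else:
        m = NETFILTER_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    dport = int(m["dport"]) if m["dport"] else None
    return Denied(ts, m["src"], m["dst"], m["proto"].lower(), dport)

def parse_log(text: str, year: int = 2008) -> List[Denied]:
    return [e for e in (parse_line(ln, year) for ln in text.splitlines()) if e]

def summarize(events: Iterable[Denied], walk_threshold: int = 5) -> dict:
    """Counts per (proto, port) and per source, each source's packets per minute
    over the log's span, and sources that hit >= walk_threshold distinct ports."""
    evs = sorted(events, key=lambda e: e.ts)
    by_port = Counter((e.proto, e.dport) for e in evs if e.dport is not None)
    by_src = Counter(e.src for e in evs)
    ports_seen = defaultdict(set)
    for e in evs:
        if e.dport is not None:
            ports_seen[e.src].add((e.proto, e.dport))
    walkers = sorted(s for s, p in ports_seen.items() if len(p) >= walk_threshold)
    span_min = 1.0  # one-minute floor keeps a short or single-packet log finite
    if len(evs) > 1:
        span_min = max(1.0, (evs[-1].ts - evs[0].ts).total_seconds() / 60)
    return {"by_port": by_port, "by_src": by_src, "walkers": walkers, "span_min": span_min,
            "rate_per_min": {s: n / span_min for s, n in by_src.items()}}

def service_name(proto: str, port: int) -> str:
    """The 'look the port up' step, done offline against the local /etc/services."""
    try:
        return socket.getservbyport(port, proto)
    except (OSError, OverflowError):
        return "unknown"

SAMPLE_IPMON = """\
04/09/2008 05:40:00.101010 em0 @0:12 b 198.51.100.23,51234 -> 192.168.11.2,22 PR tcp len 20 60 -S IN
04/09/2008 05:40:30.202020 em0 @0:12 b 198.51.100.23,51235 -> 192.168.11.2,22 PR tcp len 20 60 -S IN
04/09/2008 05:41:00.303030 em0 @0:7 p 192.168.11.2,123 -> 192.0.2.10,123 PR udp len 20 76 OUT
04/09/2008 05:41:10.404040 em0 @0:12 b 203.0.113.7,44000 -> 192.168.11.2,21 PR tcp len 20 44 -S IN
04/09/2008 05:41:11.404040 em0 @0:12 b 203.0.113.7,44001 -> 192.168.11.2,22 PR tcp len 20 44 -S IN
04/09/2008 05:41:12.404040 em0 @0:12 b 203.0.113.7,44002 -> 192.168.11.2,23 PR tcp len 20 44 -S IN
04/09/2008 05:41:13.404040 em0 @0:12 b 203.0.113.7,44003 -> 192.168.11.2,25 PR tcp len 20 44 -S IN
04/09/2008 05:41:14.404040 em0 @0:12 b 203.0.113.7,44004 -> 192.168.11.2,80 PR tcp len 20 44 -S IN
04/09/2008 05:42:00.505050 em0 @0:12 b 198.51.100.23 -> 192.168.11.2 PR icmp len 20 84 icmp 8/0 IN
04/09/2008 05:43:00.606060 em0 @0:12 b 198.51.100.23,51236 -> 192.168.11.2,22 PR tcp len 20 60 -S IN
04/09/2008 05:44:00.707070 em0 @0:12 b 198.51.100.23,51237 -> 192.168.11.2,22 PR tcp len 20 60 -S IN
"""
SAMPLE_NETFILTER = """\
Sep  4 05:43:30 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.11.2 LEN=88 TOS=0x00 PREC=0x00 TTL=110 ID=0 DF PROTO=UDP SPT=6881 DPT=6881 LEN=68
Sep  4 05:43:31 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.11.2 LEN=88 TOS=0x00 PREC=0x00 TTL=110 ID=0 DF PROTO=UDP SPT=6881 DPT=6881 LEN=68
Sep  4 05:43:32 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.11.2 LEN=84 TOS=0x00 PREC=0x00 TTL=110 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

if __name__ == "__main__":
    for name, text in (("ipmon", SAMPLE_IPMON), ("netfilter", SAMPLE_NETFILTER)):
        s = summarize(parse_log(text, year=2008))
        print(f"== {name}: {sum(s['by_src'].values())} denied packets over {s['span_min']:.0f} min")
        for (proto, port), n in s["by_port"].most_common(3):
            print(f"  {proto}/{port} ({service_name(proto, port)}): {n}")
        for src, n in s["by_src"].most_common():
            flag = "  <- port walking" if src in s["walkers"] else ""
            print(f"  {src}: {n} pkts, {s['rate_per_min'][src]:.2f}/min{flag}")
```

Two caveats when using this on real logs. The per-source rate is averaged over the whole span of the file, so a short burst inside a long log looks tamer than it was; shorten the window (or run it per hour) before comparing against a "one denied packet per minute" baseline like John's. And the port-walking test only counts distinct destination ports, so a source that hammers a single port (the repeated port 22 hits above) shows up in the counts and rate but not in the walker list, which is the distinction you want when deciding what to report.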