[ale] Strange activity on net

John Clinton john at mysnmp.org
Thu Sep 4 05:42:21 EDT 2008


Scott,

What I do to pinpoint traffic identification is run a software-based
firewall.  I personally use FreeBSD and IPFilter.  However, Linux has
options too.  In any event, I log all traffic blocked and then I can
determine what ports are being targeted.  Once I have port numbers then I
can look up (via Google of course) what activity normally uses the port(s).
In a lot of cases I usually find Windows-based exploits.

I have even taken this a step further when unpermitted traffic is high, say
many attempts to hit my port 22.  I then send an email to the network's
abuse address and inform them about the issue.

I get at least one denied packet per minute and sometimes several packets a
minute.  I sometimes see port walking too.

Good luck,
John

On Wed, Sep 3, 2008 at 5:30 PM, Scott Castaline <hscast at charter.net> wrote:

> I've suddenly noticed a very high level of activity on my broadband
> connection. When I view the logs on my router one IP sticks out,
> 24.64.254.20. nslookup gives: Non-authoritative answer:
> 20.254.64.24.in-addr.arpa       name = S010600161726dd6b.cg.shawcable.net.
>
> Authoritative answers can be found from:
> 254.64.24.in-addr.arpa  nameserver = ns1.so.cg.shawcable.net.
> 254.64.24.in-addr.arpa  nameserver = ns2.so.cg.shawcable.net.
>
> And tracert gives:
>
> > [root at ncc1701f ~]# tracert 24.64.254.20
> > traceroute to 24.64.254.20 (24.64.254.20), 30 hops max, 40 byte packets
> >  1  192.168.11.1 (192.168.11.1)  0.469 ms  0.601 ms  0.755 ms
> >  2  10.226.128.1 (10.226.128.1)  9.591 ms  9.616 ms  9.771 ms
> >  3  172.26.102.197 (172.26.102.197)  9.766 ms  9.906 ms  10.024 ms
> >  4  24-197-160-34.static.gwnt.ga.charter.com (24.197.160.34)  10.808 ms  10.810 ms  11.011 ms
> >  5  so-7-0-0.edge2.Atlanta2.Level3.net (4.78.63.9)  16.032 ms  16.030 ms  16.152 ms
> >  6  ae-72-52.ebr2.Atlanta2.Level3.net (4.68.103.61)  20.014 ms ae-73-52.ebr3.Atlanta2.Level3.net (4.68.103.62)  12.676 ms ae-72-52.ebr2.Atlanta2.Level3.net (4.68.103.61)  15.941 ms
> >  7  ae-72-70.ebr2.Atlanta2.Level3.net (4.69.138.19)  16.202 ms  22.283 ms ae-3.ebr2.Chicago1.Level3.net (4.69.132.73)  38.718 ms
> >  8  ae-3.ebr2.Chicago1.Level3.net (4.69.132.73)  38.730 ms ae-21-56.car1.Chicago1.Level3.net (4.68.101.162)  29.987 ms  29.489 ms
> >  9  ae-21-56.car1.Chicago1.Level3.net (4.68.101.162)  29.883 ms  39.977 ms  39.858 ms
> > 10  BIG-PIPE-IN.car1.Chicago1.Level3.net (4.79.208.150)  40.018 ms rc1nr-pos0-7-0-0.wp.shawcable.net (66.163.76.173)  119.556 ms BIG-PIPE-IN.car1.Chicago1.Level3.net (4.79.208.150)  32.356 ms
> > 11  rc2nr-pos14-0.wp.shawcable.net (66.163.76.173)  119.644 ms rc1so-pos14-0-0.cg.shawcable.net (66.163.77.157)  87.529 ms rc1nr-pos0-7-0-0.wp.shawcable.net (66.163.76.173)  81.661 ms
> > 12  rc1so-pos14-0-0.cg.shawcable.net (66.163.77.157)  102.119 ms  86.584 ms  90.816 ms
> > 13  rd1so-ge2-0-0.cg.shawcable.net (66.163.71.78)  90.886 ms  91.067 ms dx1ok-g1.cg.shawcable.net (64.59.140.249)  92.241 ms
> > 14  dx1ok-g1.cg.shawcable.net (64.59.140.249)  97.235 ms  92.374 ms *
> > 15  * * *
> > 16  * * *
> > 17  * * *
> > 18  * * *
> > 19  * * *
> > 20  * * *
> > 21  * * *
> > 22  * * *
> > 23  * * *
> > 24  * * *
> > 25  * * *
> > 26  * * *
> > 27  * * *
> > 28  * * *
> > 29  * * *
> > 30  * * *
>
> I do not have anything going on other than ntpd and I do remain logged
> into my iGoogle account as well as weather.com/gold and I was logged
> into Fedora Forums. Nothing else. Why would I be receiving traffic from
> Shaw Cable in (if memory serves me) Toronto Canada? It seems mostly UDP
> packets. Is there anything else that I can use to see what's really
> going on?
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>



-- 
John Clinton
john at mysnmp.org
Mobile: 404.200.7333
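As an added example (not from this thread or from either poster), here is a short Python script that does the bookkeeping John describes: parse a firewall's block log, count which destination ports and which source addresses are being denied, and flag sources that touch several distinct ports (the "port walking" he mentions). The sample lines are constructed and only approximate the layout of IPFilter's ipmon output; the regex is an assumption and will need adjusting to your own firewall's log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of IPFilter's ipmon block log.
# The exact field layout is an assumption; adapt LINE_RE to your logger.
SAMPLE_LOG = """\
04/09/2008 05:40:01.102233 em0 @0:3 b 24.64.254.20,6881 -> 192.168.11.5,43211 PR udp len 20 98 IN
04/09/2008 05:40:03.551902 em0 @0:3 b 24.64.254.20,6881 -> 192.168.11.5,43211 PR udp len 20 98 IN
04/09/2008 05:40:09.000120 em0 @0:3 b 203.0.113.7,51234 -> 192.168.11.5,22 PR tcp len 20 60 -S IN
04/09/2008 05:40:10.000121 em0 @0:3 b 203.0.113.7,51235 -> 192.168.11.5,23 PR tcp len 20 60 -S IN
04/09/2008 05:40:11.000122 em0 @0:3 b 203.0.113.7,51236 -> 192.168.11.5,25 PR tcp len 20 60 -S IN
04/09/2008 05:40:12.000123 em0 @0:3 b 203.0.113.7,51237 -> 192.168.11.5,80 PR tcp len 20 60 -S IN
04/09/2008 05:40:20.333444 em0 @0:3 b 198.51.100.9,40000 -> 192.168.11.5,22 PR tcp len 20 60 -S IN
04/09/2008 05:40:25.333445 em0 @0:1 p 198.51.100.9,40000 -> 192.168.11.5,123 PR udp len 20 76 IN
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

def parse_blocked(log_text):
    """Yield (src, proto, dport) for each blocked ('b') entry; skip passes and junk."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "b":
            yield m.group("src"), m.group("proto"), int(m.group("dport"))

def summarize(log_text, walk_threshold=3):
    """Count denies per (proto, port) and per source, and list sources that
    hit at least walk_threshold distinct ports, i.e. candidate port walkers."""
    by_port = Counter()
    by_src = Counter()
    ports_per_src = defaultdict(set)
    for src, proto, dport in parse_blocked(log_text):
        by_port[(proto, dport)] += 1
        by_src[src] += 1
        ports_per_src[src].add(dport)
    walkers = sorted(s for s, p in ports_per_src.items() if len(p) >= walk_threshold)
    return {"by_port": by_port, "by_src": by_src, "port_walkers": walkers}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (proto, port), n in s["by_port"].most_common():
        print(f"{proto}/{port}: {n} denied")
    print("port walkers:", s["port_walkers"])
```

Once you have the top ports from `by_port`, looking up what normally uses them is the step John describes; the `port_walkers` list is the kind of evidence worth including in an abuse report.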