Date:      Thu, 9 Jun 2005 22:47:37 -0400
From:      Ean Kingston <ean@hedron.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: help! Strange traffic
Message-ID:  <200506092247.37367.ean@hedron.org>
In-Reply-To: <42A8F897.6060305@edgefocus.com>
References:  <42A8F897.6060305@edgefocus.com>

On June 9, 2005 10:19 pm, Karan Gupta wrote:
> Hi
>   I'm running a FreeBSD T1 router (a gateway with a Sangoma 514 CSU/DSU card)
> that performs DHCP, NAT and ipfw firewalling.
> FreeBSD rtr-eee.eeee.com 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Thu Jul 31
> 04:47:04 PDT 2003     root@:/usr/src/sys/compile/GENERIC  i386
>
> I'm seeing the following traffic when doing tcpdump on the external interface:
> 01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S
> 1396310016:1396310016(0) win 16384
> 01:12:15.876288 201.93.36.41.1587 > web.visp.ashosting.nl.http: S
> 802357248:802357248(0) win 16384
> 01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http:
> S 1656750080:1656750080(0) win 16384
> 01:12:15.886056 201.93.36.250.1194 > web.visp.ashosting.nl.http: S
> 1188954112:1188954112(0) win 16384
> 01:12:15.886794 201.93.36.118.1613 > web.visp.ashosting.nl.http: S
> 474546176:474546176(0) win 16384
> 01:12:15.887628 201.93.36.120.1135 > web.visp.ashosting.nl.http: S
> 224526336:224526336(0) win 16384
> 01:12:15.895344 201.93.37.129.1073 > web.visp.ashosting.nl.http: S
> 5767168:5767168(0) win 16384
> 01:12:15.896286 201.93.37.131.timbuktu-srv3 >
> web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
> 01:12:15.905302 201.93.37.225.1341 > web.visp.ashosting.nl.http: S
> 2125070336:2125070336(0) win 16384
> 01:12:15.906042 201.93.37.223.docstor > web.visp.ashosting.nl.http: S
> 1558642688:1558642688(0) win 16384
> 01:12:15.915253 201.93.38.91.1842 > web.visp.ashosting.nl.http: S
> 1312751616:1312751616(0) win 16384
> 01:12:15.916105 201.93.38.89.1326 > web.visp.ashosting.nl.http: S
> 1620377600:1620377600(0) win 16384
>
> The 201.x.x.x is NOT from my local network. That would mean that
> web.visp.ashosting.nl is being hosted on my network (weird!!)??? This
> name doesn't resolve to any IP address either. How do I block this? I
> tried blocking 201.93.0.0/16, but then the traffic started coming from
> 195.x.x.x.

First, try the tcpdump again but without name resolution. That way you can 
verify where web.visp.ashosting.nl is.

If the address for web.visp.ashosting.nl is not in your network then someone 
probably has a routing issue. Once you verify that the routing issue isn't on 
your side, you need to talk to your upstream provider to help fix it.

If the address for web.visp.ashosting.nl is in your network, chase it down and 
see if it is having problems. You may also want to do some more detailed 
sniffing of the traffic to see exactly what that http session is doing.

-- 
Ean Kingston

E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/
I am currently looking for work. If you need competent system/network 
administration please feel free to contact me directly.
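The two checks the reply asks for, capturing without name resolution and then deciding whether each destination address is inside your own prefix, as an added worked example. This is not code from the thread or from FreeBSD; the capture lines below are constructed in the old tcpdump 3.x output format, using RFC 5737 documentation addresses in place of the poster's, and 203.0.113.0/24 is an assumed local prefix. With `-n` the destination column shows an address instead of a name, which is exactly what lets you tell a host on your network from someone else's address being routed at you.

```shell
#!/bin/sh
# Added example for the advice above; not code from the original thread.
# Step 1 of the reply: capture SYNs on the outside interface WITHOUT name
# resolution, so the destination is shown as an address, not a name:
#     tcpdump -n -i <ext_if> 'tcp[13] & 2 != 0 and dst port 80'
# (<ext_if> is a placeholder for the external interface name.)
# Step 2: decide, per destination address, whether it is inside our prefix.

# Constructed sample of such "tcpdump -n" output (tcpdump 3.x format as on
# FreeBSD 4.x). Addresses are RFC 5737 documentation ranges standing in for
# the poster's; 203.0.113.0/24 plays the role of "our" network.
SAMPLE_CAPTURE='01:12:15.875308 201.93.36.43.1913 > 198.51.100.7.80: S 1396310016:1396310016(0) win 16384
01:12:15.876288 201.93.36.41.1587 > 198.51.100.7.80: S 802357248:802357248(0) win 16384
01:12:15.885340 201.93.37.127.1073 > 198.51.100.7.80: S 5767168:5767168(0) win 16384
01:12:15.886056 192.0.2.9.1194 > 203.0.113.5.80: S 1188954112:1188954112(0) win 16384'
OUR_PREFIX=203.0.113.0/24

# in_prefix IP CIDR -> exit 0 if IP is inside CIDR, 1 otherwise.
# Pure POSIX awk arithmetic: both addresses become 32-bit integers and are
# compared after dropping the host bits (integer division by 2^(32-len)
# stands in for the bitwise AND that awk lacks).
in_prefix() {
    awk -v ip="$1" -v cidr="$2" '
    function to_int(a,  o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, p, "/")
        host_bits = 2 ^ (32 - p[2])
        exit (int(to_int(ip) / host_bits) == int(to_int(p[1]) / host_bits)) ? 0 : 1
    }'
}

# classify_destinations CAPTURE CIDR -> one line per destination address:
#   "<ip> <syn count> inside|outside"
# "outside" is the case the reply calls a routing problem: packets for
# someone else's address are being delivered to our outside interface.
# Field 4 of each line is "dst.port:"; strip the colon and the port.
classify_destinations() {
    capture=$1
    prefix=$2
    printf '%s\n' "$capture" |
    awk '{
        sub(/:$/, "", $4)
        split($4, f, ".")
        dst = f[1] "." f[2] "." f[3] "." f[4]
        seen[dst]++
    }
    END { for (dst in seen) print dst, seen[dst] }' |
    while read -r dst count; do
        if in_prefix "$dst" "$prefix"; then where=inside; else where=outside; fi
        printf '%s %s %s\n' "$dst" "$count" "$where"
    done | sort
}

# Stand-alone run: summarise the constructed capture against our prefix.
classify_destinations "$SAMPLE_CAPTURE" "$OUR_PREFIX"
```

On the real router, replace the constructed `SAMPLE_CAPTURE` with the output of the `tcpdump -n` command in the header comment and `OUR_PREFIX` with the block actually assigned to you; a destination that comes out `outside` is the one to raise with the upstream, and one that comes out `inside` is the host to chase down as the reply suggests.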



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200506092247.37367.ean>