From owner-freebsd-questions@FreeBSD.ORG Fri Jun 10 02:47:16 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0FFD716A41C for ; Fri, 10 Jun 2005 02:47:16 +0000 (GMT) (envelope-from ean@hedron.org)
Received: from prosporo.hedron.org (hedron.org [66.11.182.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B46C43D1D for ; Fri, 10 Jun 2005 02:47:15 +0000 (GMT) (envelope-from ean@hedron.org)
Received: from localhost.hedron.org (localhost.hedron.org [127.0.0.1]) by prosporo.hedron.org (Postfix) with ESMTP id 1D170C2DC for ; Thu, 9 Jun 2005 22:47:38 -0400 (EDT)
From: Ean Kingston
To: freebsd-questions@freebsd.org
Date: Thu, 9 Jun 2005 22:47:37 -0400
User-Agent: KMail/1.8
References: <42A8F897.6060305@edgefocus.com>
In-Reply-To: <42A8F897.6060305@edgefocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200506092247.37367.ean@hedron.org>
Subject: Re: help! Strange traffic
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 10 Jun 2005 02:47:16 -0000

On June 9, 2005 10:19 pm, Karan Gupta wrote:
> Hi
> I'm running a FreeBSD T1 router (a gateway with a Sangoma 514 CSU/DSU card)
> that performs DHCP, NAT and ipfw firewalling.
> FreeBSD rtr-eee.eeee.com 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Thu Jul 31 04:47:04 PDT 2003 root@:/usr/src/sys/compile/GENERIC i386
>
> I'm seeing the following traffic on doing tcpdump on the external interface:
>
> 01:12:15.875308 201.93.36.43.1913 > web.visp.ashosting.nl.http: S 1396310016:1396310016(0) win 16384
> 01:12:15.876288 201.93.36.41.1587 > web.visp.ashosting.nl.http: S 802357248:802357248(0) win 16384
> 01:12:15.885340 201.93.37.127.cuillamartin > web.visp.ashosting.nl.http: S 1656750080:1656750080(0) win 16384
> 01:12:15.886056 201.93.36.250.1194 > web.visp.ashosting.nl.http: S 1188954112:1188954112(0) win 16384
> 01:12:15.886794 201.93.36.118.1613 > web.visp.ashosting.nl.http: S 474546176:474546176(0) win 16384
> 01:12:15.887628 201.93.36.120.1135 > web.visp.ashosting.nl.http: S 224526336:224526336(0) win 16384
> 01:12:15.895344 201.93.37.129.1073 > web.visp.ashosting.nl.http: S 5767168:5767168(0) win 16384
> 01:12:15.896286 201.93.37.131.timbuktu-srv3 > web.visp.ashosting.nl.http: S 2056323072:2056323072(0) win 16384
> 01:12:15.905302 201.93.37.225.1341 > web.visp.ashosting.nl.http: S 2125070336:2125070336(0) win 16384
> 01:12:15.906042 201.93.37.223.docstor > web.visp.ashosting.nl.http: S 1558642688:1558642688(0) win 16384
> 01:12:15.915253 201.93.38.91.1842 > web.visp.ashosting.nl.http: S 1312751616:1312751616(0) win 16384
> 01:12:15.916105 201.93.38.89.1326 > web.visp.ashosting.nl.http: S 1620377600:1620377600(0) win 16384
>
> The 201.x.x.x is NOT from my local network. That would mean that
> web.visp.ashosting.nl is being hosted on my network (weird!!)???? This
> name doesn't resolve to any IP address either. How do I block this? I
> tried blocking 201.93.0.0/16 but then the traffic started coming from
> 195.x.x.x

First, try the tcpdump again but without name resolution. That way you can verify where web.visp.ashosting.nl is.
If the address for web.visp.ashosting.nl is not in your network then someone probably has a routing issue. Once you verify that the routing issue isn't on your side you need to talk to your upstream provider to help fix it.

If the address for web.visp.ashosting.nl is in your network, chase it down and see if it is having problems. You may also want to do some more detailed sniffing of the traffic to see exactly what that http session is doing.

-- 
Ean Kingston
E-Mail: ean AT hedron DOT org
URL: http://www.hedron.org/

I am currently looking for work. If you need competent system/network administration please feel free to contact me directly.
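The two checks in the reply above (capture again with name resolution off, then decide whether the destination address sits inside your own prefixes) can be scripted over the capture output. The following is an added example, not code from the thread or from either poster: it parses the one-line tcpdump 3.x TCP format the original poster pasted, as it looks with `-n` (numeric hosts and ports, so no service-name table is needed), counts bare SYNs per destination, groups the sources by /16, records whether the destination ever sent a SYN/ACK back, and applies the reply's decision. The capture lines are constructed for this example; 192.0.2.10 stands in for the unknown address of web.visp.ashosting.nl, 198.51.100.7 for a source outside 201.93/16, and the LOCAL_NETS prefix for the block routed down the T1. None of those values come from the thread.

```python
"""Triage a "tcpdump -n" capture of the kind pasted in the thread.

Added example, not code from the thread.  SAMPLE_CAPTURE is constructed in the
tcpdump 3.x one-line format the poster used, but with -n.  192.0.2.10 and
198.51.100.7 are documentation addresses chosen for this example; the real
address of web.visp.ashosting.nl is not known from the thread.
"""
import ipaddress
import re

SAMPLE_CAPTURE = """\
01:12:15.875308 201.93.36.43.1913 > 192.0.2.10.80: S 1396310016:1396310016(0) win 16384
01:12:15.876288 201.93.36.41.1587 > 192.0.2.10.80: S 802357248:802357248(0) win 16384
01:12:15.885340 201.93.37.127.1142 > 192.0.2.10.80: S 1656750080:1656750080(0) win 16384
01:12:15.886056 201.93.36.250.1194 > 192.0.2.10.80: S 1188954112:1188954112(0) win 16384
01:12:15.895344 201.93.37.129.1073 > 192.0.2.10.80: S 5767168:5767168(0) win 16384
01:12:15.905302 201.93.37.225.1341 > 192.0.2.10.80: S 2125070336:2125070336(0) win 16384
01:12:15.915253 201.93.38.91.1842 > 192.0.2.10.80: S 1312751616:1312751616(0) win 16384
01:12:15.916105 198.51.100.7.1326 > 192.0.2.10.80: S 1620377600:1620377600(0) win 16384
01:12:16.002100 192.0.2.10.80 > 201.93.36.43.1913: S 3300000000:3300000000(0) ack 1396310017 win 57344
"""

# tcpdump 3.x TCP line: "<ts> <src>.<sport> > <dst>.<dport>: <flags> <seq...> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one TCP line, or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # In this format a SYN/ACK prints as "S seq:seq(0) ack N ..."; a bare SYN
    # (a fresh connection attempt) has no "ack" field.
    rec["ack"] = re.search(r"\back \d+", rec["rest"]) is not None
    return rec

def ts_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def is_local(ip, local_nets):
    """True if ip falls inside one of our own prefixes (CIDR strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in local_nets)

def summarize(capture, local_nets):
    """Group bare SYNs by (dst, dport); note whether dst ever answered."""
    per_dst = {}
    synack_senders = set()
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None or "S" not in rec["flags"]:
            continue
        if rec["ack"]:
            synack_senders.add(rec["src"])  # the target is at least replying
            continue
        d = per_dst.setdefault((rec["dst"], rec["dport"]),
                               {"syns": 0, "srcs": set(), "src16": set(), "t": []})
        d["syns"] += 1
        d["srcs"].add(rec["src"])
        d["src16"].add(str(ipaddress.ip_network(rec["src"] + "/16", strict=False)))
        d["t"].append(ts_seconds(rec["ts"]))
    return {
        (dst, port): {
            "syns": d["syns"],
            "distinct_sources": len(d["srcs"]),
            "source_prefixes": sorted(d["src16"]),
            "span_seconds": round(max(d["t"]) - min(d["t"]), 6),
            "dst_is_local": is_local(dst, local_nets),
            "dst_sent_synack": dst in synack_senders,
        }
        for (dst, port), d in per_dst.items()
    }

def next_step(entry):
    """The reply's decision: local destination -> chase the host; else routing."""
    if entry["dst_is_local"]:
        return "destination is behind this router: find the host and sniff its HTTP sessions"
    return "destination is not in our prefixes: check our own routes, then raise it upstream"

if __name__ == "__main__":
    LOCAL_NETS = ["192.0.2.0/24"]  # assumption: the block routed down this T1
    for (dst, port), e in summarize(SAMPLE_CAPTURE, LOCAL_NETS).items():
        print(f"{dst}:{port}  syns={e['syns']}  sources={e['distinct_sources']}  "
              f"prefixes={e['source_prefixes']}  span={e['span_seconds']}s  "
              f"local={e['dst_is_local']}  replied={e['dst_sent_synack']}")
        print("   ->", next_step(e))
```

To run it over a real capture, take the output of `tcpdump -n -i <external_if> tcp port 80` on the external interface (the interface name is yours to fill in) and pass it to `summarize` with the prefixes actually routed to the router. The `-n` is the whole point of the reply: without it the destination shows up as a name, and here as a name that did not even resolve back. What the summary surfaces for a capture like the poster's is a burst of bare SYNs from many hosts in one /16 to a single destination within tens of milliseconds, and whether that destination is answering at all; it does not decide between a routing loop and a flood, which is what the reply's follow-up steps settle.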