Date: Wed, 9 Aug 2000 14:32:35 +0200
To: FreeBSD-STABLE Mailing List
From: Brad Knowles
Subject: Weird responses to queso on broadcast address...

Folks,

I had just done some pings of the broadcast address on one of our networks (so that I could easily see the MAC addresses of all the responding hosts), and decided that it might be interesting to try the same sort of thing with queso.

However, I got some strange stuff logged in /var/log/messages. In particular, it looks like the machine thinks it saw a large number of incoming connections from the specified port on the broadcast address, addressed to a port on the local IP address on which there was not a process listening.

For example, I did[0]:

$ queso -p 22 123.45.67.63

And in /var/log/messages, I saw stuff like:

Aug 9 13:42:10 sample /kernel: Connection attempt to TCP 123.45.67.42:10428 from 123.45.67.63:22
Aug 9 13:42:10 sample /kernel: Connection attempt to TCP 123.45.67.42:10430 from 123.45.67.63:22
Aug 9 13:42:35 sample /kernel: Connection attempt to TCP 123.45.67.42:10424 from 123.45.67.63:22
Aug 9 13:42:35 sample /kernel: Connection attempt to TCP 123.45.67.42:10428 from 123.45.67.63:22
Aug 9 13:42:35 sample /kernel: Connection attempt to TCP 123.45.67.42:10430 from 123.45.67.63:22
Aug 9 13:43:26 sample /kernel: Connection attempt to TCP 123.45.67.42:10424 from 123.45.67.63:22
Aug 9 13:43:26 sample /kernel: Connection attempt to TCP 123.45.67.42:10428 from 123.45.67.63:22
Aug 9 13:43:26 sample /kernel: Connection attempt to TCP 123.45.67.42:10430 from 123.45.67.63:22

Now, it seems to me that these connections should have been detected as duplicates from a variety of addresses, the same way that ping does when you ping the broadcast address. Therefore, I could have seen a lot of messages like "Connection attempt to TCP 123.45.67.42:10424" but with a variety of different source addresses. Unfortunately, this is not what I saw.

Frankly, this is so bizarre that I don't have even the slightest clue as to how I'd go about trying to look something like this up on the web pages or in the archives of the mailing list. If you've got any pointers on what keywords I could use for doing that, or any suggested documentation I should read, I would greatly appreciate your letting me know.

Thanks!

[0] The hostname and CIDR block /24 network address portions of the /26 network in question have been changed to protect the guilty.
;-)

--
These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles,                                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.
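
A subnet broadcast address is not a valid source for a TCP segment, so log lines like the ones quoted in the message above can be picked out mechanically. The following is an added example, not part of the original e-mail: the function names, the extra unicast log line, and the assumption that the logging host is 123.45.67.42 on a /26 (taken from the footnote) are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Kernel log format as quoted in the message above.
LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Constructed sample: three lines in the format from the message, plus one
# ordinary unicast source (123.45.67.10) added here for contrast.
SAMPLE_LOG = """\
Aug 9 13:42:10 sample /kernel: Connection attempt to TCP 123.45.67.42:10428 from 123.45.67.63:22
Aug 9 13:42:10 sample /kernel: Connection attempt to TCP 123.45.67.42:10430 from 123.45.67.63:22
Aug 9 13:42:35 sample /kernel: Connection attempt to TCP 123.45.67.42:10424 from 123.45.67.63:22
Aug 9 13:44:01 sample /kernel: Connection attempt to TCP 123.45.67.42:8080 from 123.45.67.10:40001
"""

def classify_source(src, local_net):
    """Return why src cannot be a real unicast peer on local_net, or None."""
    addr = ipaddress.ip_address(src)
    if addr == local_net.broadcast_address:
        return "subnet broadcast"
    if addr == local_net.network_address:
        return "subnet network address"
    if addr.is_multicast:
        return "multicast"
    return None

def suspicious_sources(log_text, local_cidr):
    """Group logged connection attempts by impossible (src, sport) pairs."""
    local_net = ipaddress.ip_network(local_cidr, strict=False)
    hits = defaultdict(lambda: {"reason": None, "count": 0, "dst_ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        reason = classify_source(m["src"], local_net)
        if reason is None:
            continue  # ordinary unicast source, not of interest here
        entry = hits[(m["src"], int(m["sport"]))]
        entry["reason"] = reason
        entry["count"] += 1
        entry["dst_ports"].add(int(m["dport"]))
    return dict(hits)

if __name__ == "__main__":
    for key, info in suspicious_sources(SAMPLE_LOG, "123.45.67.42/26").items():
        print(key, info["reason"], info["count"], sorted(info["dst_ports"]))
```

The prefix length matters: the same log read against a /24 flags nothing, because 123.45.67.63 is only a broadcast address for the /26.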