On Thursday, November 08, 2012 11:58:33 AM Darac Marjal wrote:
> On Thu, Nov 08, 2012 at 03:26:23PM +0000, Hendrik Boom wrote:
> > I've started getting messages like the following:
> >
> > [12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71
> > LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380
> > WINDOW=0 RES=0x00 RST URGP=0
> > [111179.489288] IN=ppp0 OUT=ppp0
> > SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00 TTL=50
> > ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
> >
> > Now these IP numbers are not on my LAN, which is masqueraded. They also
> > bear no relationship to my external-world IP number. If it's about a
> > packet being sent from 4.125.133.188 to either of the others, my ISP
> > shouldn't even be sending it to me. Do I understand the message
> > correctly?
>
> Yep. As I understand it 74.125.133.188:5228 is sending a RESET packet
> to 25.46.128.71:44380. By the looks of things, though, your kernel is
> responding as you'd expect it to and re-routing the packet back out your
> PPP connection (that is, it came in on ppp0, it's not for you, so you
> pass it back out on the default route which I imagine is ppp0).

Presented this way, it could be a DDoS attack on either the src or the dest.
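An added example, not part of the original thread: a small parser for kernel packet-log lines of the kind quoted above that flags packets forwarded back out the interface they arrived on when neither endpoint is a local address. The `LOCAL_NETS` values (a LAN range and an external address) and the third sample line are constructed assumptions; the first two sample lines are the ones quoted in the thread, rejoined onto single lines.

```python
import ipaddress
import re

# First two entries are from the thread; the third is constructed to show
# a normally forwarded packet that must not be flagged.
SAMPLE_LOG = """\
[12332.047451] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.46.128.71 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=46353 PROTO=TCP SPT=5228 DPT=44380 WINDOW=0 RES=0x00 RST URGP=0
[111179.489288] IN=ppp0 OUT=ppp0 SRC=74.125.133.188 DST=25.45.89.15 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=25315 PROTO=TCP SPT=5228 DPT=43491 WINDOW=0 RES=0x00 RST URGP=0
[111200.000001] IN=ppp0 OUT=eth0 SRC=74.125.133.188 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=5228 DPT=40000 WINDOW=0 RES=0x00 RST URGP=0
"""

# Assumed addresses: masqueraded LAN plus the router's external address.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/24"),
              ipaddress.ip_network("203.0.113.10/32")]

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs; value may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return the KEY=value fields plus the bare TCP flag tokens of one entry."""
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = sorted(TCP_FLAGS.intersection(line.split()))
    return fields


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def transit_packets(log_text):
    """Entries that came in and went out on the same interface, with
    neither SRC nor DST belonging to this router or its LAN."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f.get("IN") or f.get("IN") != f.get("OUT"):
            continue
        if is_local(f["SRC"]) or is_local(f["DST"]):
            continue
        hits.append(f)
    return hits


if __name__ == "__main__":
    for f in transit_packets(SAMPLE_LOG):
        print(f["IN"], f["SRC"], f["SPT"], "->", f["DST"], f["DPT"], f["FLAGS"])
```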