On 10/04/2008, Chris Smith <[EMAIL PROTECTED]> wrote: > I block and log rfc 1918 connection attempts and am seeing the following > in pflog continuously ad nauseum: > > Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1: > 172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20] > Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1: > 172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20] > Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1: > 172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20] > Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1: > 172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20] > Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1: > 172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20] > Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1: > 172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20] > Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1: > 172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20] > > The source IP addresses do repeat (but not in a specific order) and the > source port remains constant at 6293. > > As these addresses (AFAIK) aren't generally routed I'm wondering about > their source. > > Possibly all spoofed, but as I'm using cable service, they could also be > from a system on the local shared subnet. Another thought is that the > ISP (Comcast) is using and routing them for their own purposes (VOIP > service, etc.). Any ideas? > > Thanks. > > -- > > Chris > >
I would highly doubt that you are seeing internal traffic from your ISP, what ever it is, its pointing directly at you, its not just stray traffic thats passing on your link. I would suggest contacting your ISP concerning this, they may be able to track it and/or prevent it. It is possible that its not really ment for you, but perhaps your modem, something along the lines of a modem checkin? hypothetically speaking, if your modem was trying to "report home" sourcing from your public ip but the public was actaully assigned on your router, you could see return traffic from your modem "report home" <-- that is of course a stretch and highly unlikely. Any isp that set up something like that would be retarded beyond the capability of their sales team. -- -Lawrence
