I'm gonna wing it here, I have seen a fair amount of unsavory behavior
routing back to HSACORP net IPs and I would suspect that it is indeed cable
modems getting hijacked and that the extra IP addresses relate to source
routed packets.

Craig

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Devon
> Sent: Thursday, July 19, 2001 10:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Iptables and odd ICMP packets
>
>
> On Friday 20 July 2001 12:55 am, Jack Bowling wrote:
> > On Thu, 19 Jul 2001 20:20:47 -0400
>
> > ---------
> > # whois 24.241.42.144
> > High Speed Access Corp (NETBLK-HSACORP-2BLK) HSACORP-2BLK
> > ------------------
> > High Speed Access Corp is an ISP situated in Denver, CO. The netblk
> > listed is within the home.com network so they are probably licensed
> > to use part of the @home cable network. Type 11 Code 0 ICMP packets
> > are the "time exceeded" packets used in traceroute. Perhaps somebody
> > is trying to see if your box is alive for some reason.
>
> I know who they are. I pay them monthly, as that's my machine. ;)
>
> 24-241-42-144.hsacorp.net was just too boring, so through the wonders
> of the dyn.dns service:
> # host tuxfan.homeip.net
> tuxfan.homeip.net. has address 24.241.42.144
>
>
> What I don't understand is why there are *2* other ips in the log
> message for each packet, or why they are being generated. If it is
> someone trying to traceroute to my machine, it's the most cryptic log
> message imaginable.
>
> Jul 19 09:30:34 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT=
> MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=202.97.33.9
> DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=ICMP
> TYPE=11 CODE=0 [SRC=24.241.42.144 DST=205.216.80.23 LEN=48 TOS=0x00
> PREC=0x00 TTL=1 ID=6662 DF PROTO=TCP SPT=1202 DPT=1244 WINDOW=0
> RES=0x00 URGP=0 ]
>
> listed as the source address in one line is:
> # host 202.97.33.9
> 9.33.97.202.in-addr.arpa. domain name pointer p-13-0-r1-c-bjbj-1.cn.net.
> Then further into the message, listed as the destination is:
> # host 205.216.80.23
> 23.80.216.205.in-addr.arpa. domain name pointer gravestone.net.
> 23.80.216.205.in-addr.arpa. domain name pointer irc.gravestone.net.
>
> Nothing on my end is intentionally trying to connect to either machine.
> The fact that one of the listings appears to be an irc server doesn't
> make me feel any better.
>
> Here are a couple more, with different addresses. Makes me wonder what
> packets might be getting through, and not logged....
>
> Jul 19 20:44:52 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT=
> MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=152.63.84.193
> DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=0 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=24.241.42.144 DST=209.212.134.35 LEN=48 TOS=0x00
> PREC=0x00 TTL=116 ID=47750 DF PROTO=TCP SPT=1235 DPT=1187 WINDOW=0
> RES=0x00 URGP=0 ]
>
> Jul 19 20:59:16 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT=
> MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=157.130.52.209
> DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=0 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=24.241.42.144 DST=209.212.128.47 LEN=48 TOS=0x00
> PREC=0x00 TTL=122 ID=14980 DF PROTO=TCP SPT=1268 DPT=1241 WINDOW=12332
> RES=0x28 URG ACK URGP=0 ]
>
> Thanks,
>
> -D
>



_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
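The bracketed part of each log line above is the IP/TCP header of the packet that the remote router is complaining about, which is where the two "other" addresses come from. The following parser is an added example, not code from the thread: it splits an iptables LOG line into the outer ICMP error and the quoted inner header, and flags whether the quoted packet claims this host's own address as its source (the sample lines are re-typed from the quoted mail; Python 3 assumed).

```python
import re

# Two iptables LOG lines from the thread (constructed sample input): an ICMP
# error from a remote router, with the header of the packet it quotes in [...].
SAMPLE_LOGS = [
    "Jul 19 09:30:34 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT= "
    "MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=202.97.33.9 "
    "DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=0 PROTO=ICMP "
    "TYPE=11 CODE=0 [SRC=24.241.42.144 DST=205.216.80.23 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=1 ID=6662 DF PROTO=TCP SPT=1202 DPT=1244 WINDOW=0 "
    "RES=0x00 URGP=0 ]",
    "Jul 19 20:59:16 tuxfan kernel: PACKET DROPPED:IN=eth0 OUT= "
    "MAC=00:a0:cc:e5:09:4e:00:d0:ba:a8:02:70:08:00 SRC=157.130.52.209 "
    "DST=24.241.42.144 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=0 PROTO=ICMP "
    "TYPE=3 CODE=1 [SRC=24.241.42.144 DST=209.212.128.47 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=122 ID=14980 DF PROTO=TCP SPT=1268 DPT=1241 WINDOW=12332 "
    "RES=0x28 URG ACK URGP=0 ]",
]

ICMP_ERRORS = {(3, 0): "net unreachable", (3, 1): "host unreachable",
               (3, 3): "port unreachable", (11, 0): "time exceeded in transit"}
KV_RE = re.compile(r"\b(\w+)=(\S*)")
FLAG_RE = re.compile(r"(?<=\s)(DF|MF|SYN|ACK|FIN|RST|PSH|URG)(?=[\s\]]|$)")

def parse_fields(text):
    """Turn 'KEY=VAL ... DF ACK' into a dict; bare IP/TCP flags map to True."""
    fields = dict(KV_RE.findall(text))
    fields.update((f, True) for f in FLAG_RE.findall(text))
    return fields

def explain(line):
    """Split one log line into the outer ICMP error and the quoted inner header."""
    head, _, tail = line.partition("[")
    outer, inner = parse_fields(head), parse_fields(tail.rstrip("] "))
    if outer.get("PROTO") != "ICMP" or not inner:
        return None  # not an ICMP error carrying a quoted packet
    kind = (int(outer["TYPE"]), int(outer["CODE"]))
    return {
        "reporter": outer["SRC"],           # router/host that sent the ICMP error
        "error": ICMP_ERRORS.get(kind, "type %d code %d" % kind),
        "quoted_src": inner["SRC"],         # what the original packet claimed as source
        "quoted_dst": inner["DST"],         # where it was headed (the 2nd "other" IP)
        "quoted_dport": int(inner.get("DPT", 0)),
        "quoted_ttl": int(inner["TTL"]),
        # The quoted packet names us as its source: either this host really sent
        # it, or someone forged our address and we are seeing the backscatter.
        "claims_our_address": inner["SRC"] == outer["DST"],
    }
```

If `claims_our_address` is true for traffic the host never sent, the logged ICMP errors are backscatter from packets forged with its address, which is worth correlating against outbound connection logs before assuming the host itself is the origin.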
