|
I am on Shaw, but none of these addresses are used for anything to do with my network.
I am doing some pretty anal filtering, but then again, I may be missing something pretty obvious. I have rp_filter at 2 and source routing disabled.
PS: I am getting MANY of these packets. These packets are not getting through to their targets, but if someone is persistent enough to keep trying, I assume they must be able to do something malicious.
-----Original Message-----
Both IP addresses are assigned to cable ISPs…
Name: h24-87-243-251.vc.shawcable.net Address: 24.87.243.251
Name: d57-108-11.home.cgocable.net Address: 24.57.108.11
Not sure if either of them are your ISP? But I would contact both ISPs with your log data if you really cared. Are you running squid? A webserver?
From:
netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On
Behalf Of Daniel Chemko
I am getting some disturbing packet traffic hitting my firewall. Here goes:
IN=eth4 OUT=eth5 SRC="" DST=24.57.108.11 LEN=76 TOS=0x00 PREC=0xC0 TTL=25 4 ID=17431 PROTO=ICMP TYPE=3 CODE=3 [SRC="" DST=24.87.243.251 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=15860 DF PROTO=TCP SPT= 3161 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 ]
None of the addresses listed in the packets are from my networks, but what is more disturbing is that eth4 is my internal network interface. Can anyone see (baring an internal intrusion has occurred) how this can happen?
It definitely appears to be an exploit on my configuration or something.
|
