[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wierd IPF log...

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: Wierd IPF log...
From: Rémi Guyomarch <rguyom_(_at_)_321_(_dot_)_net>
Date: Tue, 10 Oct 2000 06:39:24 +0200

On Mon, Oct 09, 2000 at 06:25:02PM -0500, Frank Clements wrote:
> I noticed a wired log in my ipf log today and was wondering what exactly
> this ment:
> 
> Oct  9 09:53:18 mirage ipmon[15476]: 09:53:18.121783             fxp0
> @0:3 b 206.132.191.198 -> 24.229.24.32 PR icmp len 20 56 icmp 3/1 for
> 24.229.24.32,33836 - 216.225.7.190,6667 PR tcp len 20 10240 IN
> 
> I've never seen an icmp packet come in and say `for ....'  The
> 216.225.7.190 IP resolves to irc.freei.net.

Somebody is launching a SYN flood (DoS) against irc.freei.net spoofing
its source address as your public IP.
A router (206.132.191.198) in the path between the IRC server and the
bad guy was configured to reject the flood and send you ICMP error
packets. Since this ICMP wasn't part of a normal communication between
you and irc.freei.net, ipf reject this ICMP error and log it.

-- 
Rémi

References:
- Wierd IPF log...
  - From: Frank Clements

Prev by Date: Re: IP-IP Tunnel?
Next by Date: curses patch not in CVS
Previous by thread: Re: Wierd IPF log...
Next by thread: RE: Wierd IPF log...
Index(es):
- Date
- Thread

Visit your host, monkey.org