Unusual traffic through eth0


Unusual traffic through eth0

Bob Williams
Last night, I noticed a regular pattern of blips in gkrellm's eth0
monitor. There were no internet active programs, such as e-mail or web
browser running, so I started Wireshark to see what was happening.

Apart from the expected chatter between this machine and the router, the
following two lines repeated over and over, and it is continuing on
rebooting the machine this morning:

Source Destination Protocol Info
217.14.132.183 192.168.1.14 SIP Status: 100 Trying (0 bindings)
217.14.132.183 192.168.1.14 SIP Status: 401 Unauthorized (0 bindings)

Is this entirely innocent, or should I contact abuse@Domainmaster (see
below)?

09:21 bob@barrowhillfarm:~> whois 217.14.132.183
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '217.14.128.0 - 217.14.143.255'

inetnum:         217.14.128.0 - 217.14.143.255
descr:           Domainmaster LTD
org:             ORG-DL12-RIPE
netname:         UK-DOMAINMASTER-20000901
country:         GB
admin-c:         PM3847-RIPE
tech-c:          SJML1-RIPE
status:          ALLOCATED PA
mnt-by:          RIPE-NCC-HM-MNT
mnt-lower:       DOMAINMASTER-NOC
mnt-routes:      DOMAINMASTER-NOC
mnt-domains:     DOMAINMASTER-NOC
source:          RIPE # Filtered


organisation:    ORG-DL12-RIPE

org-name:        Domainmaster LTD

org-type:        LIR
address:         Domainmaster LTD
                 9th Floor, Building 6
                 Harbour Exchange Square
                 E14 9GE London
                 United Kingdom
phone:           +44 207 127 9800
fax-no:          +44 870 432 5505
e-mail:          [hidden email]
admin-c:         DB
admin-c:         JO497-RIPE
admin-c:         PM3847-RIPE
admin-c:         SJML1-RIPE
mnt-ref:         DOMAINMASTER-NOC
mnt-ref:         RIPE-NCC-HM-MNT
mnt-by:          RIPE-NCC-HM-MNT
source:          RIPE # Filtered

person:       Panny Malialis
address:      DomainMaster Ltd
address:      C/o Redbus Interhouse
address:      9th Floor, 6/7 Harbour Exchange Square
address:      London
address:      E14 9GE
phone:        +44 (0) 870 7878 975
fax-no:       +44 (0) 870 7878 973
e-mail:       [hidden email]
nic-hdl:      PM3847-RIPE
source:       RIPE # Filtered

person:       Sylvaine Joelle Marie Lucas
address:      DomainMaster Ltd
address:      C/o Redbus Interhouse
address:      9th Floor, 6/7 Harbour Exchange Square
address:      London
address:      E14 9GE
phone:        +44 (0) 870 7878 975
fax-no:       +44 (0) 870 7878 973
e-mail:       [hidden email]
nic-hdl:      SJML1-RIPE
source:       RIPE # Filtered


--
Bob Williams
System:  Linux 3.1.9-1.4-desktop
Distro:  openSUSE 12.1 (x86_64) with KDE Development Platform: 4.7.2
(4.7.2) "release 5"
Uptime:  18:00pm up 5 days 0:29, 3 users, load average: 0.23, 0.15, 0.14
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Unusual traffic through eth0

Per Jessen
Bob Williams wrote:

> Last night, I noticed a regular pattern of blips in gkrellm's eth0
> monitor. There were no internet active programs, such as e-mail or web
> browser running, so I started Wireshark to see what was happening.
>
> Apart from the expected chatter between this machine and the router,
> the following two lines repeated over and over, and it is continuing
> on rebooting the machine this morning:
>
> Source                Destination     Protocol        Info
> 217.14.132.183        192.168.1.14    SIP             Status: 100 Trying (0 bindings)
> 217.14.132.183        192.168.1.14    SIP             Status: 401 Unauthorized (0 bindings)
>
> Is this entirely innocent, or should I contact abuse@Domainmaster (see
> below)?

Perhaps not entirely innocent (SIP attempts for VoIP), but I would have
thought your firewall should be blocking such traffic?


--
Per Jessen, Zürich (6.8°C)



Re: Unusual traffic through eth0

Bob Williams
On 12/03/12 09:54, Per Jessen wrote:

> Bob Williams wrote:
>
>> Last night, I noticed a regular pattern of blips in gkrellm's eth0
>> monitor. There were no internet active programs, such as e-mail or web
>> browser running, so I started Wireshark to see what was happening.
>>
>> Apart from the expected chatter between this machine and the router,
>> the following two lines repeated over and over, and it is continuing
>> on rebooting the machine this morning:
>>
>> Source                Destination     Protocol        Info
>> 217.14.132.183        192.168.1.14    SIP             Status: 100 Trying (0 bindings)
>> 217.14.132.183        192.168.1.14    SIP             Status: 401 Unauthorized (0 bindings)
>>
>> Is this entirely innocent, or should I contact abuse@Domainmaster (see
>> below)?
>
> Perhaps not entirely innocent (SIP attempts for VoIP), but I would have
> thought your firewall should be blocking such traffic?
>
>
Really? I do run skype from time to time, and have tried out ekiga, so
maybe the SIP protocol is allowed. The only services I have explicitly
allowed in YaST Firewall Configuration are Rsync server, Secure Shell
server and xntp server.

All the above traffic seems to be one way, in other words, I never see
my machine sending a reply, I am always the destination, never the source.

Thanks for your help.

Bob
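The pattern Bob describes (SIP status lines arriving from 217.14.132.183 while his host never sends anything to it) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from any of its participants. It reads Wireshark's default packet-list columns (No., Time, Source, Destination, Protocol, Info) pasted as text, remembers every SIP request this host sent, and marks each inbound response as solicited or unsolicited depending on whether a request to that peer went out within the SIP transaction timeout. It also counts inbound requests (what a SIP scanner sends) and uses the "(N bindings)" suffix, which Wireshark adds to REGISTER transactions, to tell replies to REGISTER from other replies. The local address 192.168.1.14 comes from the thread; the frame numbers, timestamps, the 10.0.0.5 REGISTER exchange and the 198.51.100.9 OPTIONS probe are constructed for illustration.

```python
"""Flag inbound SIP responses that answer requests this host never sent.

Added example for this thread; not code from the original posts.  Input is
Wireshark's default packet-list columns (No., Time, Source, Destination,
Protocol, Info) pasted as text.  LOCAL_IP is the address from the thread;
the frame numbers, timestamps, the 10.0.0.5 REGISTER exchange and the
198.51.100.9 OPTIONS probe are constructed for illustration.
"""
import re
from collections import defaultdict

LOCAL_IP = "192.168.1.14"      # the capturing host, as in the thread
TRANSACTION_TIMEOUT = 32.0     # seconds: SIP Timer B/F = 64*T1 (RFC 3261); a
                               # reply later than this cannot be for our request

SAMPLE_CAPTURE = """\
1   0.000000  217.14.132.183  192.168.1.14    SIP  Status: 100 Trying (0 bindings)
2   0.000412  217.14.132.183  192.168.1.14    SIP  Status: 401 Unauthorized (0 bindings)
3   1.200000  192.168.1.14    10.0.0.5        SIP  Request: REGISTER sip:10.0.0.5 (1 binding)
4   1.203000  10.0.0.5        192.168.1.14    SIP  Status: 200 OK (1 binding)
5   2.000000  217.14.132.183  192.168.1.14    SIP  Status: 100 Trying (0 bindings)
6   2.000500  217.14.132.183  192.168.1.14    SIP  Status: 401 Unauthorized (0 bindings)
7   5.000000  198.51.100.9    192.168.1.14    SIP  Request: OPTIONS sip:192.168.1.14
"""

LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*?)\s*$")
# Wireshark appends the Contact count "(N bindings)" to REGISTER transactions,
# so a status line carrying it is a reply to a REGISTER.
STATUS_RE = re.compile(
    r"^Status:\s+(?P<code>\d{3})\s+(?P<reason>[^(]+?)"
    r"(?:\s+\((?P<bindings>\d+) bindings?\))?$")
REQUEST_RE = re.compile(r"^Request:\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)")


def parse_capture(text):
    """Keep only the SIP rows of a pasted packet list."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("proto") == "SIP":
            rows.append({"time": float(m.group("time")), "src": m.group("src"),
                         "dst": m.group("dst"), "info": m.group("info")})
    return rows


def classify_sip(rows, local_ip=LOCAL_IP, timeout=TRANSACTION_TIMEOUT):
    """Per remote peer: replies we solicited, replies we did not, status codes
    seen, how many replies were to REGISTER, and inbound requests by method."""
    last_request = {}                      # peer -> time of our latest request to it
    report = defaultdict(lambda: {"solicited": 0, "unsolicited": 0,
                                  "codes": defaultdict(int), "register_replies": 0,
                                  "inbound_requests": defaultdict(int)})
    for r in rows:
        if r["src"] == local_ip:
            if REQUEST_RE.match(r["info"]):
                last_request[r["dst"]] = r["time"]
            continue
        if r["dst"] != local_ip:
            continue                       # not addressed to this host at all
        peer = report[r["src"]]
        req = REQUEST_RE.match(r["info"])
        if req:                            # somebody probing us (OPTIONS, REGISTER, INVITE ...)
            peer["inbound_requests"][req.group("method")] += 1
            continue
        st = STATUS_RE.match(r["info"])
        if not st:
            continue
        peer["codes"][st.group("code")] += 1
        if st.group("bindings") is not None:
            peer["register_replies"] += 1
        sent = last_request.get(r["src"])
        if sent is not None and 0.0 <= r["time"] - sent <= timeout:
            peer["solicited"] += 1
        else:
            peer["unsolicited"] += 1
    return {ip: {"solicited": p["solicited"], "unsolicited": p["unsolicited"],
                 "codes": dict(p["codes"]), "register_replies": p["register_replies"],
                 "inbound_requests": dict(p["inbound_requests"])}
            for ip, p in report.items()}


def suspicious_peers(report):
    """Peers that only ever sent replies we never asked for, or that probed us."""
    return sorted(ip for ip, p in report.items()
                  if (p["unsolicited"] and not p["solicited"]) or p["inbound_requests"])


if __name__ == "__main__":
    rep = classify_sip(parse_capture(SAMPLE_CAPTURE))
    for ip in suspicious_peers(rep):
        print(ip, rep[ip])
```

Four unsolicited replies to REGISTER and nothing solicited is exactly the shape of the capture in the first post. One caveat about the vantage point: 192.168.1.14 is a private address behind a router, so "request from us" here means from this host only. A REGISTER sent by another device on the same LAN, or a router mapping for UDP 5060 left over from an earlier SIP session, would also make the replies look unsolicited from this host, which is why the host's firewall log and the router's NAT or port-forward table are the next things to check.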


Re: Unusual traffic through eth0

Per Jessen
Bob Williams wrote:

> On 12/03/12 09:54, Per Jessen wrote:
>> Bob Williams wrote:
>>
>>> Last night, I noticed a regular pattern of blips in gkrellm's eth0
>>> monitor. There were no internet active programs, such as e-mail or
>>> web browser running, so I started Wireshark to see what was
>>> happening.
>>>
>>> Apart from the expected chatter between this machine and the router,
>>> the following two lines repeated over and over, and it is continuing
>>> on rebooting the machine this morning:
>>>
>>> Source                Destination     Protocol        Info
>>> 217.14.132.183        192.168.1.14    SIP             Status: 100
>>> Trying (0 bindings)
>>> 217.14.132.183        192.168.1.14    SIP             Status: 401
>>> Unauthorized (0 bindings)
>>>
>>> Is this entirely innocent, or should I contact abuse@Domainmaster
>>> (see below)?
>>
>> Perhaps not entirely innocent (SIP attempts for VoIP), but I would
>> have thought your firewall should be blocking such traffic?
>>
>>
> Really? I do run skype from time to time, and have tried out ekiga, so
> maybe the SIP protocol is allowed.

Skype is proprietary, I don't know what ekiga does.  SIP is "Session
Initiation Protocol" for standard VoIP.  My Asterisk telephone server
is regularly flooded by SIP requests, bordering on a DoS attack.

> The only services I have explicitly allowed in YaST Firewall
> Configuration are Rsync server, Secure Shell server and xntp server.

I would expect that to mean that the SIP traffic is dropped or rejected.
Maybe check your firewall log.

> All the above traffic seems to be one way, in other words, I never see
> my machine sending a reply, I am always the destination, never the
> source.

Maybe gkrellm is reporting on traffic before the firewall drops it.



--
Per Jessen, Zürich (9.8°C)

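Per's suggestion to check the firewall log is the way to answer both of Bob's questions: is the traffic actually being dropped, and is there enough to report. The script below is an added example, not code from this thread. It parses netfilter LOG lines as SuSEfirewall2, the openSUSE 12.1 firewall, writes them for default drops on the external zone (log prefix SFW2-INext-DROP-DEFLT) and groups them by source, protocol and destination port with counts and first/last seen, which is the minimum an abuse desk needs. The log lines are constructed samples: the SIP source and the host's address come from the thread; the hostname, MAC, packet sizes and the 203.0.113.7 SSH probe are made up.

```python
"""Summarise netfilter LOG lines per source: is the firewall dropping it,
and what would go into an abuse report?

Added example; not from the thread.  SuSEfirewall2 (openSUSE 12.1) logs
default-policy drops on the external zone with the prefix
SFW2-INext-DROP-DEFLT.  The lines below are constructed samples in that
format; the SIP source and DST address come from the thread, everything
else is made up.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 12 09:21:03 barrowhillfarm kernel: [ 1234.567000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:24:b2:aa:bb:cc:08:00 SRC=217.14.132.183 DST=192.168.1.14 LEN=438 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=418
Mar 12 09:21:03 barrowhillfarm kernel: [ 1234.567900] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:24:b2:aa:bb:cc:08:00 SRC=217.14.132.183 DST=192.168.1.14 LEN=546 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=526
Mar 12 09:21:35 barrowhillfarm kernel: [ 1266.001000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:24:b2:aa:bb:cc:08:00 SRC=203.0.113.7 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4711 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 09:22:03 barrowhillfarm kernel: [ 1294.567000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:24:b2:aa:bb:cc:08:00 SRC=217.14.132.183 DST=192.168.1.14 LEN=438 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=418
Mar 12 09:22:03 barrowhillfarm kernel: [ 1294.568100] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:24:b2:aa:bb:cc:08:00 SRC=217.14.132.183 DST=192.168.1.14 LEN=546 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=526
"""

# syslog stamp, host, "kernel:", optional printk timestamp, then the LOG prefix
# (anything up to the first "IN=" that contains no "=") and the key=value fields
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?(?P<prefix>[^=]*?)\s*(?P<fields>IN=.*)$")


def parse_log_line(line):
    """One netfilter LOG line -> dict, or None if the line is something else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            if k == "LEN" and "LEN" in fields:
                k = "LEN_L4"          # second LEN= is the UDP/TCP length, first the IP total
            fields[k] = v
        else:
            flags.append(tok)         # bare tokens: DF, SYN, ACK, ...
    # syslog stamps carry no year; assume the current one (stated assumption)
    stamp = " ".join(m.group("stamp").split())
    when = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=datetime.now().year)
    return {"time": when, "host": m.group("host"), "prefix": m.group("prefix"),
            "flags": flags, **fields}


def summarise(lines):
    """Group logged packets by (source, protocol, destination port); report
    count, first/last seen, distinct source ports, rule prefixes and interface.
    Sorted by count, busiest source first."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "sports": set(), "prefixes": set(), "in_if": set()})
    for line in lines:
        e = parse_log_line(line)
        if e is None:
            continue
        g = groups[(e.get("SRC"), e.get("PROTO"), e.get("DPT"))]
        g["count"] += 1
        g["first"] = e["time"] if g["first"] is None else min(g["first"], e["time"])
        g["last"] = e["time"] if g["last"] is None else max(g["last"], e["time"])
        g["sports"].add(e.get("SPT"))
        g["prefixes"].add(e["prefix"])
        g["in_if"].add(e.get("IN"))
    rows = [{"src": k[0], "proto": k[1], "dpt": k[2], **g} for k, g in groups.items()]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG.splitlines()):
        print(f'{row["src"]:>16} {row["proto"]}/{row["dpt"]:<5} x{row["count"]} '
              f'{row["first"]:%b %d %H:%M:%S} .. {row["last"]:%H:%M:%S} {sorted(row["prefixes"])}')
```

A DROP entry for every packet gkrellm counted is the confirmation Per is after: the interface byte counters are incremented when the frame is received, before netfilter's INPUT chain decides its fate, so a dropped packet still shows up as inbound traffic and never produces a reply. On a real box, feed it `grep SFW2- /var/log/firewall` (or /var/log/messages, depending on the syslog setup) instead of SAMPLE_LOG.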


Re: Unusual traffic through eth0

Bob Williams
On 12/03/12 11:33, Per Jessen wrote:

> Bob Williams wrote:
>
>> On 12/03/12 09:54, Per Jessen wrote:
>>> Bob Williams wrote:
>>>
>>>> Last night, I noticed a regular pattern of blips in gkrellm's eth0
>>>> monitor. There were no internet active programs, such as e-mail or
>>>> web browser running, so I started Wireshark to see what was
>>>> happening.
>>>>
>>>> Apart from the expected chatter between this machine and the router,
>>>> the following two lines repeated over and over, and it is continuing
>>>> on rebooting the machine this morning:
>>>>
>>>> Source                Destination     Protocol        Info
>>>> 217.14.132.183        192.168.1.14    SIP             Status: 100
>>>> Trying (0 bindings)
>>>> 217.14.132.183        192.168.1.14    SIP             Status: 401
>>>> Unauthorized (0 bindings)
>>>>
>>>> Is this entirely innocent, or should I contact abuse@Domainmaster
>>>> (see below)?
>>>
>>> Perhaps not entirely innocent (SIP attempts for VoIP), but I would
>>> have thought your firewall should be blocking such traffic?
>>>
>>>
>> Really? I do run skype from time to time, and have tried out ekiga, so
>> maybe the SIP protocol is allowed.
>
> Skype is proprietary, I don't know what ekiga does.  SIP is "Session
> Initiation Protocol" for standard VoIP.  My Asterisk telephone server
> is regularly flooded by SIP requests, bordering on a DoS attack.
>
Ekiga is a SIP client.

>> The only services I have explicitly allowed in YaST Firewall
>> Configuration are Rsync server, Secure Shell server and xntp server.
>
> I would expect that to mean that the SIP traffic is dropped or rejected.
> Maybe check your firewall log.
>
Well, the firewall log gives much the same information as wireshark.
Although it's irritating, I don't think I'm vulnerable so I'll just
monitor things for the time being.

The last time something like this happened I was being attacked through
ssh port 22, but they were definitely trying a dictionary attack with
various username & password combinations.

>> All the above traffic seems to be one way, in other words, I never see
>> my machine sending a reply, I am always the destination, never the
>> source.
>
> Maybe gkrellm is reporting on traffic before the firewall drops it.
>
Maybe

Thanks, Bob


Re: Unusual traffic through eth0

Carlos E. R.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2012-03-12 13:36, Bob Williams wrote:
> On 12/03/12 11:33, Per Jessen wrote:

>> Maybe gkrellm is reporting on traffic before the firewall drops it.
>>
> Maybe

On another computer in a computer room with a hub, I sometimes see high
traffic in gkrellm, hundreds of kilobytes per second, while my computer is
doing nothing. Looking with iptraf, I see that the traffic is from the internet
to another computer on the LAN, a download.

I don't know if perhaps the port is set to promiscuous mode, but the
firewall is up on my LAN side. It is curious.

- --
Cheers / Saludos,

                Carlos E. R.
                (from 11.4 x86_64 "Celadon" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk9ehswACgkQIvFNjefEBxoBjwCfflfSPkybUmcLV/lFV+MHZefl
r+sAoKSRkXj8yvOY8NhybS3LrlLEpE9z
=bOaP
-----END PGP SIGNATURE-----


Re: Unusual traffic through eth0

Per Jessen
Carlos E. R. wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2012-03-12 13:36, Bob Williams wrote:
>> On 12/03/12 11:33, Per Jessen wrote:
>
>>> Maybe gkrellm is reporting on traffic before the firewall drops it.
>>>
>> Maybe
>
> On another computer in a computer room with a hub, I sometimes see
> high traffic in gkrellm, hundreds of kilobytes per second, while my
> computer is doing nothing. Looking with iptraf, I see that the traffic
> is from the internet to another computer on the LAN, a download.
>
> I don't know if perhaps the port is set to promiscuous mode, but the
> firewall is up on my LAN side. It is curious.

Check /var/log/messages to see if a device was placed in promiscuous
mode.  When you see traffic not destined for the device you're looking
at, it is in promiscuous mode.  



--
Per Jessen, Zürich (3.9°C)

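Per's two checks (look in /var/log/messages, and remember that seeing frames for other hosts means the card is accepting them) can both be scripted. The script below is an added example, not code from this thread or from any participant. Check 1 reads the IFF_PROMISC bit (0x100, from linux/if.h) out of /sys/class/net/<iface>/flags, which is the live state and the same bit `ip link` shows as PROMISC. Check 2 replays the kernel's "device X entered/left promiscuous mode" messages, which net/core/dev.c prints when the promiscuity count goes from zero to one and back, so it also catches a sniffer that has since exited. The flag values and the syslog lines are constructed samples; the hostname is taken from Carlos's signature.

```python
"""Two ways to tell whether an interface is (or was) in promiscuous mode.

Added example, not from the thread.  Check 1 reads the IFF_PROMISC bit
from /sys/class/net/<iface>/flags (live state).  Check 2 replays the
kernel's "device X entered/left promiscuous mode" log lines, the ones
Per suggests looking for in /var/log/messages.  The sample flag values
and the sample syslog lines below are constructed.
"""
import re
from pathlib import Path

IFF_PROMISC = 0x100          # linux/if.h


def flags_are_promisc(flags_text):
    """flags_text is the hex string from /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def interface_is_promisc(iface, sysfs=Path("/sys/class/net")):
    """Live check on a Linux host; raises FileNotFoundError for an unknown interface."""
    return flags_are_promisc((sysfs / iface / "flags").read_text())


# net/core/dev.c prints exactly this wording from dev_set_promiscuity()
PROMISC_RE = re.compile(r"device (?P<dev>\S+) (?P<what>entered|left) promiscuous mode")


def promisc_history(lines):
    """Replay kernel log lines in order.  Returns (state, events):
    state maps device -> True/False (last known promiscuous state),
    events is the ordered list of (device, entered?) transitions."""
    state, events = {}, []
    for line in lines:
        m = PROMISC_RE.search(line)
        if m:
            entered = m.group("what") == "entered"
            state[m.group("dev")] = entered
            events.append((m.group("dev"), entered))
    return state, events


SAMPLE_MESSAGES = [   # constructed /var/log/messages excerpt
    "Mar 12 13:40:01 Telcontar kernel: [ 1001.000000] device eth0 entered promiscuous mode",
    "Mar 12 13:40:07 Telcontar kernel: [ 1007.000000] device eth0 left promiscuous mode",
    "Mar 12 14:02:19 Telcontar kernel: [ 2339.000000] device eth1 entered promiscuous mode",
    "Mar 12 14:02:19 Telcontar kernel: [ 2339.000100] eth1: link up",
]

if __name__ == "__main__":
    state, events = promisc_history(SAMPLE_MESSAGES)
    for dev, entered in events:
        print(f"{dev}: {'entered' if entered else 'left'} promiscuous mode")
    print("currently promiscuous:", sorted(d for d, on in state.items() if on))
    try:
        print("eth0 live check:", interface_is_promisc("eth0"))
    except (FileNotFoundError, PermissionError) as exc:
        print("eth0 live check skipped:", exc)
```

The two checks answer different questions. The flags check tells you what the card is doing right now; the log replay tells you whether anything on the box ever flipped it, and on a hub (Carlos's case) frames for other hosts only reach the interface counters that gkrellm reads once the card stops filtering on its own MAC address, which is exactly the promiscuous state. An "entered" with no matching "left" for an interface you did not deliberately put into capture mode is the line worth chasing.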