Incorrect destination addy on subnet traffic

af_dave · 08-21-2004, 08:33 PM

I've been getting a decent amount of traffic that has someone else listed on my subnet as the destination instead of myself. Generally some http traffic or port 6436. The source is always listed as someone on my subnet.

Could this just be portscan because of my strict firewall rules?

Capt_Caveman · 08-25-2004, 12:41 PM

Could you give us some examples of the traffic?

af_dave · 08-28-2004, 11:22 PM

packet received from xxx.xxx.xxx.25 to xxx.xxx.xxx.48

only my ip addy is xxx.xxx.xxx.15

Capt_Caveman · 08-29-2004, 12:05 AM

Could you expand on that...how you're seeing those packets (log messages/packet sniffer/etc), what type of connection do you have (DSL/Cable), are you on a LAN with systems that have those IPs? Also if you could use tcpdump to capture a few example packets (use the -e option to dump link-level info), that might be informative.

af_dave · 08-29-2004, 12:27 AM

Yea I have a dsl and its all appearing to come from the same subnet. was using snort and ethereal. was having some weird problems with my linux box so its down at the moment. I'm not on a lan, just my ISP's network.

chort · 08-29-2004, 02:43 AM

Your DSL connection may connect to a hub rather than a switch on the other side of the DSLAM, in which case the IP traffic would be echoed to all ports. That would be very, very strange though. It would also generate a huge amount of traffic if there are many other people in your area using DSL. It could be that there's so much traffic through the switch on your ISPs side that it actually floods the ARP cache and it briefly reverts to "hub mode". That would also be very weird.