LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 02-16-2015, 03:17 PM   #1
rey
Member
 
Registered: Sep 2011
Posts: 49

Rep: Reputation: Disabled
lots of SYN packets from Google addresses


hello
lately, my iptables log shows lots of SYN packets coming from google,
it looks so strange, they come from different addresses in a few blocks
owned by google, you can check that by performing a whois on the
ip addresses

so far my theories about this phenomenon are:

zombie pcs inside google
hackers or trojan horses inside google
rebel or frustrated employees
the so-called quantum pwn

so what's going on here? Here are a few logs:

Code:
64.233.169.132    Google Inc.    GOGL
64.233.168.84     Google Inc.    GOGL
64.233.169.157    Google Inc.    GOGL
74.125.194.132    Google Inc.    GOGL
74.125.30.155     Google Inc.    GOGL
173.194.64.84     Google Inc.    GOGL
64.233.179.83     Google Inc.    GOGL
173.194.118.55    Google Inc.    GOGL
173.194.64.132    Google Inc.    GOGL
64.233.168.132    Google Inc.    GOGL
64.233.180.132    Google Inc.    GOGL
74.125.198.132    Google Inc.    GOGL
64.233.178.17     Google Inc.    GOGL
173.194.115.222   Google Inc.    GOGL
173.194.77.82     Google Inc.    GOGL

please tell me your opinion on this subject, thanks for your help!

Last edited by rey; 02-16-2015 at 03:19 PM.
 
Old 02-16-2015, 04:47 PM   #2
fogpipe
Member
 
Registered: Mar 2011
Distribution: Slackware 64 -current,
Posts: 550

Rep: Reputation: 196Reputation: 196
I seem to be getting lots of null packets from google too. The ip is 173.194.123.7. Google is not my default search engine, I'm not logged in to google mail or any of their other services. I'm using duckduckgo for search.

Just lines and lines of this stuff in syslog
Code:
Feb 16 04:41:37 localhost kernel: [380856.789365] IN=eth0 OUT= MAC=00:1a:a0:eb:62:02:00:1d:88:4b:6c:99:08:00 SRC=173.194.123.27 DST=192.168.15.3 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=6444 PROTO=TCP SPT=443 DPT=51177 WINDOW=0 RES=0x00 RST URGP=0
What are the source and destination ports of the packets you are getting?

Last edited by fogpipe; 02-16-2015 at 05:01 PM. Reason: I'm dumb :) and misread something
 
Old 02-16-2015, 05:36 PM   #3
rey
Member
 
Registered: Sep 2011
Posts: 49

Original Poster
Rep: Reputation: Disabled
Code:
Feb 16 16:24:03 localhost kernel: [23488.944476] fwl.recent IN=eth1 OUT= MAC=18:0d:5c:b0:55:75:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.83 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=17225 PROTO=TCP SPT=443 DPT=58359 WINDOW=0 RES=0x00 RST URGP=0 
Feb 16 17:00:17 localhost kernel: [25663.117004] fwl.recent IN=eth1 OUT= MAC=18:0d:5c:b0:55:75:74:54:7d:e1:c1:cf:08:00 SRC=74.125.227.62 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=15535 PROTO=TCP SPT=443 DPT=56837 WINDOW=0 RES=0x00 RST URGP=0 
Feb 16 17:06:41 localhost kernel: [26046.748086] fwl.recent IN=eth1 OUT= MAC=18:0d:5c:b0:55:75:74:54:7d:e1:c1:cf:08:00 SRC=74.125.227.94 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=47037 PROTO=TCP SPT=443 DPT=33510 WINDOW=0 RES=0x00 RST URGP=0 
Feb 16 17:25:00 localhost kernel: [27146.294962] fwl.recent IN=eth1 OUT= MAC=18:0d:5c:b0:55:75:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.83 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=26134 PROTO=TCP SPT=443 DPT=58789 WINDOW=0 RES=0x00 RST URGP=0 
Feb 16 17:29:46 localhost kernel: [27431.692754] fwl.recent IN=eth1 OUT= MAC=18:0d:5c:b0:55:75:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.18 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=43012 PROTO=TCP SPT=443 DPT=33395 WINDOW=0 RES=0x00 RST URGP=0

Last edited by rey; 02-16-2015 at 05:38 PM.
 
Old 02-16-2015, 05:43 PM   #4
rey
Member
 
Registered: Sep 2011
Posts: 49

Original Poster
Rep: Reputation: Disabled
to say the best about this, it may happen that google servers use those packets
as part of their custom protocols and they get logged by the firewalls, they may
serve some obscure reason, like resetting the ssl connections, or something like that

however, using those null and reset packets usually looks suspicious to firewalls
because some attacks use them.

that may explain the resets, but what about the SYNC ACK, the request for new connections?

here are a few from google and from facebook too

Code:
Feb 14 11:13:10 localhost kernel: [ 5986.918500] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.18 DST=192.168.0.13 LEN=117 TOS=0x00 PREC=0x00 TTL=39 ID=44799 PROTO=TCP SPT=443 DPT=45005 WINDOW=806 RES=0x00 ACK PSH URGP=0 
Feb 14 23:44:44 localhost kernel: [ 5375.375305] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.30.155 DST=192.168.0.13 LEN=117 TOS=0x00 PREC=0x00 TTL=39 ID=35210 PROTO=TCP SPT=443 DPT=41832 WINDOW=418 RES=0x00 ACK PSH URGP=0 
Feb 14 23:52:50 localhost kernel: [ 5860.942398] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.157 DST=192.168.0.13 LEN=117 TOS=0x00 PREC=0x00 TTL=39 ID=64991 PROTO=TCP SPT=443 DPT=51302 WINDOW=357 RES=0x00 ACK PSH URGP=0 
Feb 14 23:52:50 localhost kernel: [ 5860.942448] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.157 DST=192.168.0.13 LEN=97 TOS=0x00 PREC=0x00 TTL=39 ID=64992 PROTO=TCP SPT=443 DPT=51302 WINDOW=357 RES=0x00 ACK PSH URGP=0 
Feb 14 23:52:50 localhost kernel: [ 5861.454780] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.157 DST=192.168.0.13 LEN=117 TOS=0x00 PREC=0x00 TTL=39 ID=64994 PROTO=TCP SPT=443 DPT=51302 WINDOW=357 RES=0x00 ACK PSH URGP=0 
Feb 14 23:52:51 localhost kernel: [ 5862.062837] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.157 DST=192.168.0.13 LEN=117 TOS=0x00 PREC=0x00 TTL=39 ID=64996 PROTO=TCP SPT=443 DPT=51302 WINDOW=357 RES=0x00 ACK PSH URGP=0 
Feb 15 09:39:51 localhost kernel: [ 1031.150257] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.194.125 DST=192.168.0.13 LEN=152 TOS=0x00 PREC=0x00 TTL=41 ID=14465 PROTO=TCP SPT=5222 DPT=39720 WINDOW=400 RES=0x00 ACK PSH URGP=0 
Feb 15 09:40:01 localhost kernel: [ 1041.151942] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.194.125 DST=192.168.0.13 LEN=152 TOS=0x00 PREC=0x00 TTL=41 ID=20085 PROTO=TCP SPT=5222 DPT=39720 WINDOW=400 RES=0x00 ACK PSH URGP=0 
Feb 15 09:40:11 localhost kernel: [ 1051.154326] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.194.125 DST=192.168.0.13 LEN=152 TOS=0x00 PREC=0x00 TTL=41 ID=23899 PROTO=TCP SPT=5222 DPT=39720 WINDOW=400 RES=0x00 ACK PSH URGP=0 
Feb 15 10:02:54 localhost kernel: [   80.965474] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.125 DST=192.168.0.13 LEN=78 TOS=0x00 PREC=0x00 TTL=39 ID=5999 PROTO=TCP SPT=5222 DPT=33815 WINDOW=400 RES=0x00 ACK PSH URGP=0 
Feb 15 10:03:04 localhost kernel: [   90.967849] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.125 DST=192.168.0.13 LEN=78 TOS=0x00 PREC=0x00 TTL=39 ID=6015 PROTO=TCP SPT=5222 DPT=33815 WINDOW=400 RES=0x00 ACK PSH URGP=0 
Feb 15 10:03:24 localhost kernel: [  110.971278] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.125 DST=192.168.0.13 LEN=78 TOS=0x00 PREC=0x00 TTL=39 ID=6060 PROTO=TCP SPT=5222 DPT=33815 WINDOW=400 RES=0x00 ACK PSH URGP=0

Code:
Feb 13 18:06:41 localhost kernel: [14524.442385] fwl.known.SYNC IN=eth2 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=190 TOS=0x00 PREC=0x40 TTL=75 ID=47351 DF PROTO=TCP SPT=5222 DPT=50491 WINDOW=254 RES=0x00 ACK PSH URGP=0 
Feb 14 22:58:37 localhost kernel: [ 2607.812033] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=222 TOS=0x00 PREC=0x00 TTL=75 ID=10833 DF PROTO=TCP SPT=5222 DPT=47928 WINDOW=233 RES=0x00 ACK PSH URGP=0 
Feb 14 23:00:37 localhost kernel: [ 2728.155287] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=222 TOS=0x00 PREC=0x00 TTL=75 ID=10834 DF PROTO=TCP SPT=5222 DPT=47928 WINDOW=233 RES=0x00 ACK PSH URGP=0 
Feb 14 23:02:37 localhost kernel: [ 2848.492483] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=222 TOS=0x00 PREC=0x00 TTL=75 ID=10835 DF PROTO=TCP SPT=5222 DPT=47928 WINDOW=233 RES=0x00 ACK PSH URGP=0 
Feb 14 23:45:33 localhost kernel: [ 5424.406844] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=318 TOS=0x00 PREC=0x00 TTL=75 ID=57523 DF PROTO=TCP SPT=5222 DPT=48597 WINDOW=195 RES=0x00 ACK PSH URGP=0 
Feb 14 23:47:33 localhost kernel: [ 5544.492215] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=318 TOS=0x00 PREC=0x00 TTL=75 ID=57524 DF PROTO=TCP SPT=5222 DPT=48597 WINDOW=195 RES=0x00 ACK PSH URGP=0 
Feb 14 23:49:34 localhost kernel: [ 5664.832423] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=318 TOS=0x00 PREC=0x00 TTL=75 ID=57525 DF PROTO=TCP SPT=5222 DPT=48597 WINDOW=195 RES=0x00 ACK PSH URGP=0 
Feb 14 23:53:34 localhost kernel: [ 5905.512903] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=318 TOS=0x00 PREC=0x00 TTL=75 ID=57527 DF PROTO=TCP SPT=5222 DPT=48597 WINDOW=195 RES=0x00 ACK PSH URGP=0 
Feb 15 09:27:54 localhost kernel: [  314.108821] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.75.17 DST=192.168.0.13 LEN=302 TOS=0x00 PREC=0x00 TTL=73 ID=32133 DF PROTO=TCP SPT=5222 DPT=57334 WINDOW=71 RES=0x00 ACK PSH URGP=0 
Feb 15 09:29:54 localhost kernel: [  434.449222] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.75.17 DST=192.168.0.13 LEN=302 TOS=0x00 PREC=0x00 TTL=73 ID=32134 DF PROTO=TCP SPT=5222 DPT=57334 WINDOW=71 RES=0x00 ACK PSH URGP=0 
Feb 15 09:37:26 localhost kernel: [  886.263104] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.75.17 DST=192.168.0.13 LEN=190 TOS=0x00 PREC=0x00 TTL=73 ID=57359 DF PROTO=TCP SPT=5222 DPT=57377 WINDOW=75 RES=0x00 ACK PSH URGP=0 
Feb 15 09:40:05 localhost kernel: [ 1045.252704] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=190 TOS=0x00 PREC=0x40 TTL=75 ID=45222 DF PROTO=TCP SPT=5222 DPT=47491 WINDOW=69 RES=0x00 ACK PSH URGP=0 
Feb 15 09:41:27 localhost kernel: [ 1126.688472] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.75.17 DST=192.168.0.13 LEN=190 TOS=0x00 PREC=0x00 TTL=73 ID=57361 DF PROTO=TCP SPT=5222 DPT=57377 WINDOW=75 RES=0x00 ACK PSH URGP=0 
Feb 15 09:43:27 localhost kernel: [ 1247.028795] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.75.17 DST=192.168.0.13 LEN=190 TOS=0x00 PREC=0x00 TTL=73 ID=57362 DF PROTO=TCP SPT=5222 DPT=57377 WINDOW=75 RES=0x00 ACK PSH URGP=0 
Feb 15 10:03:37 localhost kernel: [  124.618762] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.106.17 DST=192.168.0.13 LEN=222 TOS=0x00 PREC=0x40 TTL=75 ID=45305 DF PROTO=TCP SPT=5222 DPT=47491 WINDOW=86 RES=0x00 ACK PSH URGP=0 
Feb 15 10:04:07 localhost kernel: [  154.135452] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=173.252.75.17 DST=192.168.0.13 LEN=238 TOS=0x00 PREC=0x00 TTL=73 ID=52022 DF PROTO=TCP SPT=5222 DPT=57675 WINDOW=65 RES=0x00 ACK PSH URGP=0

Last edited by rey; 02-16-2015 at 05:49 PM.
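A check a defender can run over lines like the ones quoted above, added here as an example and not code from anyone in this thread: it parses the netfilter LOG format the posts show and classifies each packet by its TCP flags and ports rather than by the rule's --log-prefix (a rule labelled fwl.known.SYNC can log packets that carry no SYN at all). The four quoted lines are copied from posts #2 to #4; the fifth line (SRC=192.0.2.10) and the 32768 ephemeral-port threshold are assumptions of the example.

```python
import re
from collections import Counter

# Four netfilter LOG lines quoted from posts #2, #3 and #4 of this thread, plus
# one CONSTRUCTED line (SRC=192.0.2.10, a TEST-NET address) that really is a SYN.
LOG_LINES = """\
Feb 16 04:41:37 localhost kernel: [380856.789365] IN=eth0 OUT= MAC=00:1a:a0:eb:62:02:00:1d:88:4b:6c:99:08:00 SRC=173.194.123.27 DST=192.168.15.3 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=6444 PROTO=TCP SPT=443 DPT=51177 WINDOW=0 RES=0x00 RST URGP=0
Feb 16 16:24:03 localhost kernel: [23488.944476] fwl.recent IN=eth1 OUT= MAC=18:0d:5c:b0:55:75:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.83 DST=192.168.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=17225 PROTO=TCP SPT=443 DPT=58359 WINDOW=0 RES=0x00 RST URGP=0
Feb 14 11:13:10 localhost kernel: [ 5986.918500] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.198.18 DST=192.168.0.13 LEN=117 TOS=0x00 PREC=0x00 TTL=39 ID=44799 PROTO=TCP SPT=443 DPT=45005 WINDOW=806 RES=0x00 ACK PSH URGP=0
Feb 15 09:39:51 localhost kernel: [ 1031.150257] fwl.known.SYNC IN=eth1 OUT= MAC=00:a1:b0:60:2b:b4:74:54:7d:e1:c1:cf:08:00 SRC=74.125.194.125 DST=192.168.0.13 LEN=152 TOS=0x00 PREC=0x00 TTL=41 ID=14465 PROTO=TCP SPT=5222 DPT=39720 WINDOW=400 RES=0x00 ACK PSH URGP=0
Feb 16 18:00:00 localhost kernel: [30000.000000] fwl.new IN=eth1 OUT= MAC=18:0d:5c:b0:55:75:74:54:7d:e1:c1:cf:08:00 SRC=192.0.2.10 DST=192.168.0.12 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
EPHEMERAL_MIN = 32768  # assumed: low end of the Linux default ip_local_port_range
KV_RE = re.compile(r"(\w+)=(\S*)")
PAYLOAD_RE = re.compile(r"kernel: \[\s*[\d.]+\] (.*)$")

def parse_log_line(line):
    """Return the key=value fields, the optional --log-prefix and the TCP flag set."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None
    tokens = m.group(1).split()
    fields = dict(KV_RE.findall(m.group(1)))
    fields["prefix"] = "" if "=" in tokens[0] else tokens[0]  # e.g. fwl.known.SYNC
    fields["flags"] = {t for t in tokens if t in TCP_FLAGS}    # flags are bare words
    return fields

def classify(fields):
    """Describe the packet from its flags and ports, not from the log prefix."""
    flags, spt, dpt = fields["flags"], int(fields["SPT"]), int(fields["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "new inbound connection attempt (SYN)"
    if dpt >= EPHEMERAL_MIN and "RST" in flags:
        return "reset from server port %d to a client-side port" % spt
    if dpt >= EPHEMERAL_MIN and "ACK" in flags:
        return "late data (ACK/PSH) from server port %d" % spt
    return "other"

def summarize(text):
    """Count the TCP log lines in text per class; returns a Counter."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP":
            counts[classify(f)] += 1
    return counts
```

On the quoted lines the RST and ACK/PSH packets from source ports 443 and 5222 to high client-side ports are classified as the tail end of connections the client itself opened; only the constructed line counts as a real inbound SYN.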
 
  

