Linux - Security (LinuxQuestions.org): This forum is for all security related questions.
Looking over my log files today, I noticed I've been getting flooded with these connection attempts for the past month. It's been constant, 5-10 per minute, always from a different IP address, always port 59002.
The IP address shown in your log is blocked out to Charter Communications in North Carolina. They are an ISP, so you could report it to them and they will more than likely deal with it.
Probably, if your IP is dynamic and you just reconnected, some user had this IP just before you gained it. He was using some P2P network, perhaps BitTorrent, and his P2P port was 59002. So he didn't close his client, and the trackers and other peers don't yet know he has left. You obtained his IP and you get this traffic. It's a normal situation.
If you have a static IP and are sure no one used P2P from it, this may be a DDoS, but it's unlikely it would go that slowly. 5-10 packets/min makes me guess it's BitTorrent client activity. If you don't want to cause such trouble for other users, be sure to exit your P2P clients properly. Don't disconnect from the internet without having closed all P2P applications. Killing the process usually causes the same trouble: exit the app the way it's meant to be exited.
I'd say it's a kind of internet etiquette in dynamic-IP networks.
You just have to wait some time; it will disappear soon.
If it doesn't go away, it's likely someone who's got nothing better to do. Can you show us some examples of the packets you receive? Wireshark/tcpdump captures are welcome.
Quote:
Looking over my log files today, I noticed I've been getting flooded with these connection attempts for the past month. It's been constant, 5-10 per minute, always from a different IP address, always port 59002.
Which can be found here, and has a link there for the ASCII output seen above.
As you can see in the chart above, the numbers indicate port 59002 isn't very popular as a destination, be it UDP or TCP. This indicates to me that this traffic is very specific to your particular environment, not the general scans seen coming from common virus/script-related activity.
I checked my firewall logs, and since Jan 31st I've only seen port 59002 about 20 times, always as the source port, all TCP.
Do you have a static IP, and do you offer services on your public interface? If you do, I would analyze the logs associated with whatever the service is. Look at your system logs for activity you can't verify.
I would take the advice already given and fire up traffic captures. A capture something like this might provide an indication as to the purpose of the traffic:
tcpdump -s 0 -vvvnni (interface) udp and port 59002
You can append 'and host xx.xx.xx.xx' to that if you want to tie it to a specific IP.
I agree with Web31337; it could be residual traffic from a previous lease. If your IP rotates often on a DHCP lease, though, this would indicate it is following your DHCP lease, which would indicate to me something way out of the ordinary is happening.
Thanks for your help everyone! Here are some answers to your questions:
Quote:
The IP address shown in your log is blocked out to Charter Communications in North Carolina. They are an ISP, so you could report it to them and they will more than likely deal with it.
My log is full of entries like this one; this is just a sample from one IP address. They are from all different IPs, not just one or two.
Quote:
Do you have a static IP, and do you offer services on your public interface?
Yes, I have a static IP, been mine for quite a few years. I have HTTP, FTP, SSH, IMAP, SMTP, and POP3 open. Is that what you were asking?
Quote:
That's definitely odd behavior, especially when looking at what SANS shows for activity on that port
I did look at that, and that's why I thought it was strange. I don't normally get too concerned when I see things like this; however, just seemed odd to me that I've been getting hit on this port for a month now and no one else has seen this kind of traffic.
Quote:
Captures of wireshark/tcpdump are welcome
Quote:
tcpdump -s 0 -vvvnni (interface) udp and port 59002
Got this running now, and wouldn't you know, after a month of steady traffic, as of midnight last night it started slowing to about 2-3 per hour, and I haven't gotten a hit for 2 hours now! lol
Doesn't seem like much to be concerned about, but makes me wonder what was causing it...
Ok, looks like it's picking up again now. Here's the output:
Code:
root@osiris:/var/log# tcpdump -s 0 -vvvnni eth1 port 59002
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:08:53.108466 IP (tos 0x0, ttl 111, id 51388, offset 0, flags [none], proto UDP (17), length 134) 190.82.177.198.17494 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 106
17:08:56.489058 IP (tos 0x0, ttl 112, id 56468, offset 0, flags [none], proto UDP (17), length 131) 186.59.129.82.57451 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:08:58.949621 IP (tos 0x0, ttl 117, id 37113, offset 0, flags [none], proto UDP (17), length 131) 142.167.116.21.12032 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:06.452192 IP (tos 0x0, ttl 112, id 11114, offset 0, flags [none], proto UDP (17), length 131) 90.230.170.183.24635 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:06.463697 IP (tos 0x0, ttl 109, id 12111, offset 0, flags [none], proto UDP (17), length 131) 81.111.65.151.43745 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:08.343871 IP (tos 0x0, ttl 112, id 38150, offset 0, flags [none], proto UDP (17), length 131) 81.181.81.76.50483 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
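The capture above already answers the first triage question from the header fields alone: is this one host hammering the port, or many unrelated hosts each sending a single message? The following script is an added example (not code from the thread) that parses tcpdump -vvvnn summary lines and pulls out exactly those facts: number of distinct sources, whether the source ports look ephemeral (client-initiated), the TTL spread, the payload-length histogram and the packet rate. The sample input is the six lines from the post, re-joined into one line each, with the destination still masked as the page masks it; the join_continuations() step is there because newer tcpdump releases print the "src > dst" part on an indented second line.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the six summary lines from the capture in the post,
# each re-joined onto one line. Destination masked as 69.66.XX.XX as on the page.
SAMPLE = """\
17:08:53.108466 IP (tos 0x0, ttl 111, id 51388, offset 0, flags [none], proto UDP (17), length 134) 190.82.177.198.17494 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 106
17:08:56.489058 IP (tos 0x0, ttl 112, id 56468, offset 0, flags [none], proto UDP (17), length 131) 186.59.129.82.57451 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:08:58.949621 IP (tos 0x0, ttl 117, id 37113, offset 0, flags [none], proto UDP (17), length 131) 142.167.116.21.12032 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:06.452192 IP (tos 0x0, ttl 112, id 11114, offset 0, flags [none], proto UDP (17), length 131) 90.230.170.183.24635 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:06.463697 IP (tos 0x0, ttl 109, id 12111, offset 0, flags [none], proto UDP (17), length 131) 81.111.65.151.43745 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
17:09:08.343871 IP (tos 0x0, ttl 112, id 38150, offset 0, flags [none], proto UDP (17), length 131) 81.181.81.76.50483 > 69.66.XX.XX.59002: [udp sum ok] UDP, length 103
"""

# One tcpdump -vvvnn UDP summary line. Addresses are [\d.A-Za-z]+ so that the
# masked 69.66.XX.XX still parses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(tos \S+, ttl (?P<ttl>\d+), id \d+, "
    r"offset \d+, flags \[[^\]]*\], proto (?P<proto>\w+) \(\d+\), length (?P<iplen>\d+)\) "
    r"(?P<src>[\d.A-Za-z]+)\.(?P<sport>\d+) > (?P<dst>[\d.A-Za-z]+)\.(?P<dport>\d+): "
    r".*?UDP, length (?P<plen>\d+)$"
)


def join_continuations(text):
    """Newer tcpdump prints 'src > dst: ...' on an indented second line;
    glue such continuation lines back onto the line before them."""
    lines = []
    for line in text.splitlines():
        if line[:1].isspace() and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse(text):
    pkts = []
    for line in join_continuations(text):
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines, non-UDP packets, anything unexpected
        d = m.groupdict()
        for k in ("ttl", "sport", "dport", "iplen", "plen"):
            d[k] = int(d[k])
        d["t"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
        pkts.append(d)
    return pkts


def summarize(pkts):
    """Header-level facts that separate 'one host hammering me' from
    'many unrelated clients each sending one message'."""
    n = len(pkts)
    if n == 0:
        return {"packets": 0}
    span = (max(p["t"] for p in pkts) - min(p["t"] for p in pkts)).total_seconds()
    return {
        "packets": n,
        "distinct_sources": len({p["src"] for p in pkts}),
        "distinct_dports": sorted({p["dport"] for p in pkts}),
        "ephemeral_sport_share": sum(p["sport"] >= 1024 for p in pkts) / n,
        "ttl_range": (min(p["ttl"] for p in pkts), max(p["ttl"] for p in pkts)),
        "payload_lengths": Counter(p["plen"] for p in pkts),
        "rate_per_min": (n * 60.0 / span) if span > 0 else float("inf"),
    }


if __name__ == "__main__":
    for k, v in summarize(parse(SAMPLE)).items():
        print(f"{k:>22}: {v}")
```

On the posted sample this gives six packets from six different sources, all with high (ephemeral) source ports, two payload sizes (103 and 106 bytes) and TTLs between 109 and 117. Read as an interpretation rather than a fact from the thread: a TTL spread like that is what you would expect from many independent hosts with an initial TTL of 128 sitting 11 to 19 hops away, which fits a population of home clients far better than one machine or a single spoofed source, and the near-uniform payload size says they are all sending the same kind of message.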
Nothing really unusual there other than the fact that you're getting these packets for some reason. Probably the best thing to do to try to figure out why you are getting 131-byte UDP packets from those hosts is to add -X to your tcpdump command to see the actual payloads. I got some unusual UDP traffic before, and searching Google for a common string in the payload showed it was from Limewire even though I've never used it.
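The advice above (add -X and look at the payload) is the step that actually identifies the protocol, and for the thread's working theory, BitTorrent, there is a cheap deterministic check: DHT traffic (KRPC, BEP 5) is a bencoded dictionary with a "y" key, so a payload either decodes as one or it does not. The script below is an added example, not code from the thread, and the page shows no real payload, so the sample is a constructed get_peers query with made-up node id, info_hash and addresses, framed as IPv4/UDP and rendered the way tcpdump -X prints it (hex offset, 16 bytes per line, ASCII column). bytes_from_xdump() reverses that rendering, udp_payload() strips the IPv4 and UDP headers (-X starts at the IP header; -XX would also include the Ethernet header), and classify_payload() runs a minimal bencode decoder and reports the KRPC message type and method.

```python
import re
import struct


def bdecode(data, i=0):
    """Minimal bencode (BEP 3) decoder: returns (value, offset_after_value)."""
    c = data[i:i + 1]
    if c == b"i":
        j = data.index(b"e", i)
        return int(data[i + 1:j]), j + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":        # truncated input raises below
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dict with odd item count")
        return dict(zip(items[::2], items[1::2])), i + 1
    if c.isdigit():
        j = data.index(b":", i)
        n = int(data[i:j])
        s = data[j + 1:j + 1 + n]
        if len(s) != n:
            raise ValueError("truncated string")
        return s, j + 1 + n
    raise ValueError("not bencode at offset %d" % i)


def classify_payload(payload):
    """Decide whether a UDP payload is a BitTorrent DHT (KRPC, BEP 5) message."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return {"kind": "not-bencoded"}
    if end != len(payload) or not isinstance(msg, dict) or b"y" not in msg:
        return {"kind": "bencoded-but-not-krpc"}
    y = msg[b"y"]
    if y != b"q":
        return {"kind": {b"r": "dht-response", b"e": "dht-error"}.get(y, "krpc-unknown")}
    q, a = msg.get(b"q"), msg.get(b"a")
    a = a if isinstance(a, dict) else {}
    nid, ih = a.get(b"id"), a.get(b"info_hash")
    return {
        "kind": "dht-query",
        "method": q.decode("ascii", "replace") if isinstance(q, bytes) else "?",
        "node_id": nid.hex() if isinstance(nid, bytes) else None,
        "info_hash": ih.hex() if isinstance(ih, bytes) else None,
    }


XLINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")


def bytes_from_xdump(lines):
    """Reassemble a packet from `tcpdump -X` hex lines; the ASCII column is
    separated from the hex words by at least two spaces, so split there."""
    buf = bytearray()
    for line in lines:
        m = XLINE.match(line)
        if m:
            hexpart = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
            buf += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(buf)


def udp_payload(ip_pkt):
    """-X dumps start at the IP header (-XX would add Ethernet): skip IPv4 + UDP."""
    if len(ip_pkt) < 28 or ip_pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ip_pkt[0] & 0x0F) * 4
    if ip_pkt[9] != 17:
        raise ValueError("not UDP")
    ulen = int.from_bytes(ip_pkt[ihl + 4:ihl + 6], "big")
    return ip_pkt[ihl + 8:ihl + ulen]


def ipv4_udp(src, dst, sport, dport, payload, ttl=111):
    """Frame a payload as IPv4/UDP (IP checksum left 0; udp_payload does not verify it)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + udp


def tcpdump_x_lines(pkt):
    """Render bytes the way `tcpdump -X` prints them (16 bytes per line)."""
    out = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"\t0x{off:04x}:  {hexpart:<39}  {asc}")
    return out


# Constructed sample: a DHT get_peers query as a client sends it to an address it
# believes is a DHT node. Node id, info_hash, addresses and source port are made up;
# only the destination port comes from the thread.
NODE_ID = bytes(range(20))
INFO_HASH = bytes.fromhex("aa" * 20)
GET_PEERS = (b"d1:ad2:id20:" + NODE_ID + b"9:info_hash20:" + INFO_HASH +
             b"e1:q9:get_peers1:t2:aa1:v4:LT011:y1:qe")
SAMPLE_DUMP = tcpdump_x_lines(ipv4_udp("198.51.100.23", "203.0.113.7", 17494, 59002, GET_PEERS))

if __name__ == "__main__":
    print("\n".join(SAMPLE_DUMP))
    print(classify_payload(udp_payload(bytes_from_xdump(SAMPLE_DUMP))))
```

Feed it the -X lines of one real packet and a "dht-query"/"get_peers" answer with a 20-byte info_hash settles the question the thread never closes. A "not-bencoded" answer does not by itself rule BitTorrent out: clients also speak uTP (BEP 29) on the same UDP port, and that is a binary header rather than bencode, so an unrecognised payload still warrants the Google-the-common-string approach suggested above.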
OlRoy is right, it's BitTorrent.
If you are sure no one uses it, perhaps someone made a stupid attempt to DDoS you by adding your IP to his own tracker, which is probably popular, or I don't know. Anyway, it's shared somewhere in some cache.
If you don't run it anywhere, there's probably no way to stop this flood.
But does that bother you? Do you pay for traffic? If not, then why worry?
Well, I can't say that no one has EVER used it on my network, but I did check the 6 computers currently running on the network and didn't find any P2P software.
I wouldn't say I'm worried about it, just wondered what it was. Thanks for all the input!