LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-20-2006, 09:57 PM   #1
echox
LQ Newbie
 
Registered: Mar 2003
Location: VN
Distribution: Linux7.1,7.3
Posts: 12

Rep: Reputation: 0
how block this traffic


Hi,

i saw many traffic from many ip like below while using tcpdump

09:50:02.177663 125.235.119.186 > myhost: icmp: 125.235.119.186 udp port 1231 unreachable (DF)
09:50:02.179520 125.235.131.156 > myhost: icmp: 125.235.131.156 udp port 1231 unreachable (DF)

What is this traffic and how can i block it?
Thanks & best regards
 
Old 06-20-2006, 11:32 PM   #2
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
If your NIC is in promiscuous mode, then you are seeing all traffic that is on your wire, whether it is directed at you or not. If the traffic is directed at you then the only way to block it is to put a firewall appliance between your computer and the internet.
 
Old 06-21-2006, 12:56 AM   #3
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
Quote:
Originally Posted by echox
Hi,

i saw many traffic from many ip like below while using tcpdump

09:50:02.177663 125.235.119.186 > myhost: icmp: 125.235.119.186 udp port 1231 unreachable (DF)
09:50:02.179520 125.235.131.156 > myhost: icmp: 125.235.131.156 udp port 1231 unreachable (DF)

What is this traffic and how can i block it?
Thanks & best regards
It shows that your host send a UDP packet to 125.235.119.186 at port 1231. However, that port is not open at 125.235.119.186. So 125.235.119.186 sent back an ICMP message telling you that that port is unreachable.
 
Old 06-21-2006, 04:25 AM   #4
echox
LQ Newbie
 
Registered: Mar 2003
Location: VN
Distribution: Linux7.1,7.3
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by fedora4002
It shows that your host send a UDP packet to 125.235.119.186 at port 1231. However, that port is not open at 125.235.119.186. So 125.235.119.186 sent back an ICMP message telling you that that port is unreachable.
my host is send bad traffic, isn't it? Myhost is a DNS server, only tcp and udp package comming on port 53.
 
Old 06-21-2006, 04:46 AM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
my guess would be that your dns is answer too slow compared to the time that the requester closes its port (firewall or ip stack)

You need the complete icmp message to see if source port was 53/udp
 
Old 06-21-2006, 11:21 PM   #6
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
it is also possible that someone spoof these traffic.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
possible to block msn traffic? flamesrock Linux - Software 3 05-26-2005 10:10 PM
Block outgoing traffic through router? Micro420 Linux - Networking 3 03-15-2005 08:01 AM
How can block my SMTP Traffic? krishnakishore Linux - Networking 3 06-19-2004 08:49 AM
Setting ip tables to block all traffic LinuxBAH Linux - Security 1 02-07-2004 07:15 AM
Block Kazaa2 traffic jekyl Linux - Security 4 03-13-2003 04:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:04 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration