LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-16-2006, 12:39 PM   #1
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Shocking firewall results; what is it?


I'm running Ubuntu Dapper as a desktop machine. Connected to the internet this evening (pppoe) and within 3 minutes I had over 100 hits from different IPs on port 18176.

Below a part of the firestarter log
Code:
Time:Nov 16 19:01:15 Direction: Unknown In:ppp0 Out: Port:18176 Source:88.46.212.42 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:01:18 Direction: Unknown In:ppp0 Out: Port:18176 Source:68.58.213.4 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
...
...
Time:Nov 16 19:04:39 Direction: Unknown In:ppp0 Out: Port:18176 Source:89.132.75.150 Destination:196.2.119.209 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:Nov 16 19:04:42 Direction: Unknown In:ppp0 Out: Port:18176 Source:76.185.195.31 Destination:196.2.119.209 Length:93 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:04:43 Direction: Unknown In:ppp0 Out: Port:18176 Source:68.213.80.26 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:04:47 Direction: Unknown In:ppp0 Out: Port:18176 Source:219.74.229.222 Destination:196.2.119.209 Length:70 TOS:0x00 Protocol:UDP Service:Unknown
Disconnected and reconnected again (got new ip-address) and it was gone.

Wonder what this is/was?

Last edited by Wim Sturkenboom; 11-16-2006 at 12:47 PM.
 
Old 11-16-2006, 01:59 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

It's an ephemeral port. Without details it could be anything, like filesharing.
 
Old 11-16-2006, 11:03 PM   #3
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797

Original Poster
Thanks for the reply.

Sorry, but what is ephemeral?

I'm not so worried about the port number as I don't have anything running on it (to my knowledge). And maybe I should have phrased the question better:

Is this some kind of DDoS or what is it?
 
Old 11-17-2006, 07:28 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Ephemeral as in "high ports": those that are used for short-lived server-client transactions, as governed by the net.ipv4.ip_local_port_range sysctl. I don't think this is DoS-related; more likely it's just "ghosting": connections between the previous owner of the IP address and other hosts on the 'net due to filesharing and the like.

Last edited by unSpawn; 11-17-2006 at 12:19 PM. Reason: //((expl++))
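
An added example, not part of the thread or any poster's code: a short Python summary of the Firestarter lines quoted in the first post, grouping blocked packets by destination port to show how many distinct sources hit it, with which protocols, and over what time span. The function names and the `min_sources` threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Log lines quoted from the first post (Firestarter format as pasted there).
SAMPLE_LOG = """\
Time:Nov 16 19:01:15 Direction: Unknown In:ppp0 Out: Port:18176 Source:88.46.212.42 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:01:18 Direction: Unknown In:ppp0 Out: Port:18176 Source:68.58.213.4 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
...
Time:Nov 16 19:04:39 Direction: Unknown In:ppp0 Out: Port:18176 Source:89.132.75.150 Destination:196.2.119.209 Length:48 TOS:0x00 Protocol:TCP Service:Unknown
Time:Nov 16 19:04:42 Direction: Unknown In:ppp0 Out: Port:18176 Source:76.185.195.31 Destination:196.2.119.209 Length:93 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:04:43 Direction: Unknown In:ppp0 Out: Port:18176 Source:68.213.80.26 Destination:196.2.119.209 Length:91 TOS:0x00 Protocol:UDP Service:Unknown
Time:Nov 16 19:04:47 Direction: Unknown In:ppp0 Out: Port:18176 Source:219.74.229.222 Destination:196.2.119.209 Length:70 TOS:0x00 Protocol:UDP Service:Unknown
"""

LINE_RE = re.compile(
    r"Time:(?P<time>\w{3} +\d+ [\d:]{8}) .*?Port:(?P<port>\d+) "
    r"Source:(?P<src>\S+) Destination:(?P<dst>\S+) "
    r"Length:(?P<length>\d+) .*?Protocol:(?P<proto>\S+)"
)

def parse(log_text):
    """Yield one dict per well-formed entry; elisions like '...' are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(log_text):
    """Per destination port: hits, distinct sources, protocol mix, time span."""
    ports = defaultdict(lambda: {"hits": 0, "sources": set(),
                                 "protocols": Counter(), "first": None, "last": None})
    for rec in parse(log_text):
        p = ports[int(rec["port"])]
        p["hits"] += 1
        p["sources"].add(rec["src"])
        p["protocols"][rec["proto"]] += 1
        p["first"] = p["first"] or rec["time"]  # entries are in chronological order
        p["last"] = rec["time"]
    return dict(ports)

def fan_in_ports(summary, min_sources=5):
    """Ports hit by many distinct sources (assumed threshold): traffic converging
    on this address, as opposed to one host sweeping many ports."""
    return sorted(port for port, s in summary.items() if len(s["sources"]) >= min_sources)

if __name__ == "__main__":
    for port, s in summarize(SAMPLE_LOG).items():
        print(port, s["hits"], "hits from", len(s["sources"]), "sources",
              dict(s["protocols"]), s["first"], "->", s["last"])
```

Run against a full log export, a single port with one or two packets from each of many unrelated sources is the shape that fits the stale-peer explanation given above.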
 
Old 11-17-2006, 09:22 AM   #5
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Pop!_OS && Windows 10 && Arch Linux
Posts: 830

Quote:
Originally Posted by Wim Sturkenboom
Disconnected and reconnected again (got new ip-address) and it was gone.

Wonder what this is/was?
If you want to know what kind of traffic it is/was you could capture a couple of packets with Ethereal, search for something readable and do a Google search. It quite often produces results.
 
Old 11-17-2006, 01:28 PM   #6
the.madjack
Member
 
Registered: Apr 2006
Distribution: Slackware 10.2
Posts: 52

Quote:
Originally Posted by Wim Sturkenboom
Thanks for the reply.

Sorry, but what is ephemeral?

I'm not so worried about the port number as I don't have anything running on it (to my knowledge). And maybe I should have phrased the question better:

Is this some kind of DDoS or what is it?
You can run the 'netstat -tunlp' command to see which ports are listening on your Linux box.
 
  

