LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-02-2007, 02:32 AM   #1
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

What type of traffic is this?


While doing a tcpdump on my Linux gateway server I saw lots of traffic coming from my client PC. Is this a DoS attack? How can I block this traffic without blocking his surfing? If I block the source port 91787 with firewall rules, then the source port will change to 61578. If I block UDP ports with this rule, "iptables -A FORWARD -p udp -s 202.xx.xx.214 --sport 61000: -j DROP", then his browsing will not work. Any suggestions?



13:05:58.798516 202.xx.xx.214.61787 > 218.190.229.123.9956: udp 23
0x0000 4500 0033 a221 0000 7e11 da38 ca4f 35d6 E..3.!..~..8.O5.
0x0010 dabe e57b f15b 26e4 001f 6245 e310 d06d ...{.[&...bE...m
0x0020 a7ff 5bfc 6d19 ef69 4bd5 46cd 1c36 0000 ..[.m..iK.F..6..
0x0030 00f4 01 ...
13:05:58.800883 202.xx.xx.214.61787 > 217.117.115.176.22801: udp 25
0x0000 4500 0035 a222 0000 7e11 4d4a ca4f 35d6 E..5."..~.MJ.O5.
0x0010 d975 73b0 f15b 5911 0021 d558 e30c 58e4 .us..[Y..!.X..X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.806499 202.xx.xx.214.61787 > 24.151.42.130.22505: udp 25
0x0000 4500 0035 a223 0000 7e11 5756 ca4f 35d6 E..5.#..~.WV.O5.
0x0010 1897 2a82 f15b 57e9 0021 e08d e30c 58e4 ..*..[W..!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.806570 202.xx.xx.214.61787 > 125.143.234.26.21420: udp 25
0x0000 4500 0035 a224 0000 7e11 32c4 ca4f 35d6 E..5.$..~.2..O5.
0x0010 7d8f ea1a f15b 53ac 0021 c039 e30c 58e4 }....[S..!.9..X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.808489 202.xx.xx.214.61787 > 66.61.39.222.3291: udp 25
0x0000 4500 0035 a225 0000 7e11 3052 ca4f 35d6 E..5.%..~.0R.O5.
0x0010 423d 27de f15b 0cdb 0021 049a e30c 58e4 B='..[...!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.811148 202.xx.xx.214.61787 > 62.133.182.39.11204: udp 25
0x0000 4500 0035 a226 0000 7e11 a5bf ca4f 35d6 E..5.&..~....O5.
0x0010 3e85 b627 f15b 2bc4 0021 5b1f e30c 58e4 >..'.[+..![...X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.811204 202.xx.xx.214.61787 > 221.252.185.115.19739: udp 25
0x0000 4500 0035 a227 0000 7e11 02fb ca4f 35d6 E..5.'..~....O5.
0x0010 ddfc b973 f15b 4d1b 0021 9704 e30c 58e4 ...s.[M..!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.811516 202.xx.xx.214.61787 > 75.70.123.148.3531: udp 25
0x0000 4500 0035 a228 0000 7e11 d38f ca4f 35d6 E..5.(..~....O5.
0x0010 4b46 7b94 f15b 0dcb 0021 a6ea e30c 58e4 KF{..[...!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.816826 202.xx.xx.214.61787 > 75.42.155.246.9308: udp 25
0x0000 4500 0035 a229 0000 7e11 b348 ca4f 35d6 E..5.)..~..H.O5.
0x0010 4b2a 9bf6 f15b 245c 0021 7013 e30c 58e4 K*...[$\.!p...X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.816899 202.xx.xx.214.61787 > 75.4.22.15.22505: udp 25
0x0000 4500 0035 a22a 0000 7e11 3955 ca4f 35d6 E..5.*..~.9U.O5.
0x0010 4b04 160f f15b 57e9 0021 c293 e30c 58e4 K....[W..!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.818827 202.xx.xx.214.61787 > 143.215.130.34.9671: udp 25
0x0000 4500 0035 a22b 0000 7e11 886d ca4f 35d6 E..5.+..~..m.O5.
0x0010 8fd7 8222 f15b 25c7 0021 43cf e30c 58e4 ...".[%..!C...X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.818908 202.xx.xx.214.61787 > 221.137.80.246.1936: udp 25
0x0000 4500 0035 a22c 0000 7e11 6be6 ca4f 35d6 E..5.,..~.k..O5.
0x0010 dd89 50f6 f15b 0790 0021 4580 e30c 58e4 ..P..[...!E...X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.819199 202.xx.xx.214.61787 > 82.133.191.151.7181: udp 25
0x0000 4500 0035 a22d 0000 7e11 8848 ca4f 35d6 E..5.-..~..H.O5.
0x0010 5285 bf97 f15b 1c0d 0021 4d66 e30c 58e4 R....[...!Mf..X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.819271 202.xx.xx.214.61787 > 85.230.180.136.30843: udp 25
0x0000 4500 0035 a22e 0000 7e11 8ff5 ca4f 35d6 E..5....~....O5.
0x0010 55e6 b488 f15b 787b 0021 f8a5 e30c 58e4 U....[x{.!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.823473 202.xx.xx.214.61787 > 75.50.118.27.32914: udp 25
0x0000 4500 0035 a22f 0000 7e11 d915 ca4f 35d6 E..5./..~....O5.
0x0010 4b32 761b f15b 8092 0021 39b0 e30c 58e4 K2v..[...!9...X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.823554 202.xx.xx.214.61787 > 58.8.129.176.5178: udp 25
0x0000 4500 0035 a230 0000 7e11 dea9 ca4f 35d6 E..5.0..~....O5.
0x0010 3a08 81b0 f15b 143a 0021 ab9d e30c 58e4 :....[.:.!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
 
Old 09-02-2007, 03:36 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Could you examine what kind of email he is sending and, if it looks like he is compromised, fix the problem at the source?
Maybe you could block all traffic from him where the dport is 25 in the meantime.
 
Old 09-02-2007, 06:14 AM   #3
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Original Poster
Hi jschiwal,

The destination port is not 25; please check the destination address and port in the above post.

13:05:58.823473 202.xx.xx.214.61787 > 75.50.118.27.32914: udp 25
0x0000 4500 0035 a22f 0000 7e11 d915 ca4f 35d6 E..5./..~....O5.
0x0010 4b32 761b f15b 8092 0021 39b0 e30c 58e4 K2v..[...!9...X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.823554 202.xx.xx.214.61787 > 58.8.129.176.5178: udp 25
0x0000 4500 0035 a230 0000 7e11 dea9 ca4f 35d6 E..5.0..~....O5.
0x0010 3a08 81b0 f15b 143a 0021 ab9d e30c 58e4 :....[.:.!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
 
Old 09-02-2007, 07:01 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

- The packets are sent at a certain rate.
- The source is one address, the destinations are many.
- Almost all of the destination addresses are in ISP ranges and none have a meaningful FQDN (linking them to a particular service or purpose).
- The protocol shown is UDP-only (UDP "means" you don't care if a single packet arrives or not).
- The single source port UDP/61787 isn't linked to any known application (or `getent services 61787` or Seifried). ISC lists the port as a troublesome destination port, but most likely this concerns TCP, not UDP.
- The destination ports are ephemeral ports, in other words not linked to an application.
- The destination ports vary, meaning some remote hosts are more loaded than others.
- The packet contents, illegible as they are, seem more or less similar.

Why no detailed conclusion? I shouldn't conclude anything because the data is inconclusive to begin with. The packet capture is one-sided: we only get to see this side of the conversation, while we should see both for a better understanding. The OP didn't post the tcpdump command line: we don't know if there's a BPF filter attached that hides other traffic between this and other hosts. Next to that, we don't know if the OP manually scrubbed other related traffic between this and remote hosts, or what O.S. and services the suspect box runs.

Last edited by unSpawn; 09-02-2007 at 07:08 AM.
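To make the checklist above repeatable, here is an added Python example (not code from the thread or any LQ poster) that parses the tcpdump -Xn text layout shown in this thread and computes those same indicators: packet rate, one source versus many destinations, a fixed source port, destination ports outside the privileged range, UDP only, and how many packets share an identical UDP payload. The sample is the first three packets of the OP's capture; the "above 1023" threshold for "not linked to an application" and the rule that hex groups end where the first non-hex token appears (the ASCII column) are my assumptions, not anything the thread states.

```python
import re
from collections import Counter
from itertools import takewhile
# Constructed sample: the first three packets quoted in this thread, in tcpdump -Xn layout.
SAMPLE = """\
13:05:58.798516 202.xx.xx.214.61787 > 218.190.229.123.9956: udp 23
0x0000 4500 0033 a221 0000 7e11 da38 ca4f 35d6 E..3.!..~..8.O5.
0x0010 dabe e57b f15b 26e4 001f 6245 e310 d06d ...{.[&...bE...m
0x0020 a7ff 5bfc 6d19 ef69 4bd5 46cd 1c36 0000 ..[.m..iK.F..6..
0x0030 00f4 01 ...
13:05:58.800883 202.xx.xx.214.61787 > 217.117.115.176.22801: udp 25
0x0000 4500 0035 a222 0000 7e11 4d4a ca4f 35d6 E..5."..~.MJ.O5.
0x0010 d975 73b0 f15b 5911 0021 d558 e30c 58e4 .us..[Y..!.X..X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
13:05:58.806499 202.xx.xx.214.61787 > 24.151.42.130.22505: udp 25
0x0000 4500 0035 a223 0000 7e11 5756 ca4f 35d6 E..5.#..~.WV.O5.
0x0010 1897 2a82 f15b 57e9 0021 e08d e30c 58e4 ..*..[W..!....X.
0x0020 e59b 7828 c7c3 fc04 cd29 7500 6189 ca4f ..x(.....)u.a..O
0x0030 35d6 9142 00 5..B.
"""
HDR = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): (\w+) (\d+)$")
HEX = re.compile(r"^[0-9a-f]{2,4}$")  # one hex group; the trailing ASCII column never matches

def parse_tcpdump(text):
    """Summary lines give the header fields; the hex rows that follow give the raw IP bytes."""
    pkts = []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            h, mi, s, src, sport, dst, dport, proto, ln = m.groups()
            pkts.append({"ts": int(h) * 3600 + int(mi) * 60 + float(s), "src": src, "sport": int(sport),
                         "dst": dst, "dport": int(dport), "proto": proto, "len": int(ln), "raw": bytearray()})
        elif line.startswith("0x") and pkts:  # hex row: keep groups until the ASCII column begins
            pkts[-1]["raw"] += bytes.fromhex("".join(takewhile(HEX.match, line.split()[1:])))
    return pkts

def payload(p):  # UDP payload: skip the IPv4 header (IHL * 4 bytes) and the 8-byte UDP header
    return bytes(p["raw"][(p["raw"][0] & 0x0F) * 4 + 8:])

def summarize(pkts):
    """The indicators unSpawn lists: rate, fan-out, fixed source port, port classes, payload similarity."""
    span = pkts[-1]["ts"] - pkts[0]["ts"]  # capture window in seconds
    return {"pps": (len(pkts) - 1) / span if span > 0 else float("inf"),
            "distinct_src": len({p["src"] for p in pkts}),
            "distinct_dst": len({p["dst"] for p in pkts}),
            "distinct_sport": len({p["sport"] for p in pkts}),
            "udp_only": all(p["proto"] == "udp" for p in pkts),
            "dport_unprivileged": sum(p["dport"] > 1023 for p in pkts) / len(pkts),
            "top_payload_share": Counter(payload(p) for p in pkts).most_common(1)[0][1] / len(pkts)}
```

Comparing `len(payload(p))` with the `udp N` length from the summary line is a quick check that the dump was not cut short by tcpdump's snaplen before trusting the payload comparison.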
 
Old 09-03-2007, 12:59 AM   #5
ohcarol
Member
 
Registered: Dec 2004
Location: Nepal
Posts: 86

Original Poster
OK, here is the tcpdump command I used:

root# tcpdump -Xn src 202.xx.xx.214 -p


Well, the output posted is not scrubbed. I am running Red Hat Linux 8 with kernel 2.4.22. This host is running as a gateway to a wireless client.

Last edited by ohcarol; 09-03-2007 at 01:04 AM.
 
  


All times are GMT -5.
