Date:      Fri, 2 Feb 2001 14:07:41 -0800
From:      "Renaud Waldura" <renaud@waldura.com>
To:        <freebsd-isp@freebsd.org>
Subject:   Strange Network Traffic: RST Packets From Port 226?
Message-ID:  <010601c08d64$90258d40$0402010a@biohz.net>

I'm seeing odd packets in my network I don't quite know what to think of.

My machine ebola.biohz.net [206.80.1.35] used to be the router to network
206.169.184.0/24. This network has been decommissioned; there hasn't been a
machine on it in over 2 years. The route should have been deleted, but for
various reasons it hasn't.

The network 206.169.184.0/24 is not in DNS, and as far as I can tell there
are no hostnames resolving to any of those addresses. Yet, I'm seeing many
packets coming from various Internet hosts addressed to non-existent
addresses of that network. Tcpdump shows:

Sample 1:

13:53:31.600209
206.48.255.100.netbios-ns > 206.169.184.38.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
0x0000   4500 004e 077d 0000 7311 ebbc ce30 ff64        E..N.}..s....0.d
0x0010   cea9 b826 0089 0089 003a 379f 341a 0010        ...&.....:7.4...
0x0020   0001 0000 0000 0000 2043 4b41 4141 4141        .........CKAAAAA
0x0030   4141 4141 4141 4141 4141 4141 4141 4141        AAAAAAAAAAAAAAAA
0x0040   4141 4141 4141 4141 4100 0021 0001             AAAAAAAAA..!..

Sample 2:

13:28:53.430981
64.124.34.175.226 > 206.169.184.153.24768: R 0:0(0) ack 2028677938 win 0
0x0000   4500 0028 308a 0000 f806 a7d7 407c 22af        E..(0.......@|".
0x0010   cea9 b899 00e2 60c0 0000 0000 78eb 2b32        ......`.....x.+2
0x0020   5014 0000 bfa2 0000 0000 0000 0000             P.............

I don't quite know what to make of those packets. RST packets from port
226?! Why always this port? The source port is almost always 226, the
destination port seems random at first glance.

While this issue is non-critical, and easily taken care of with an ipfw
rule, I'd like to know what you guys think of this before shrugging it off
to the martians.

--Renaud
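
The Sample 2 dump above decoded field by field, as an added example that is not part of the original message: it parses the IPv4 and TCP headers from the posted hex, verifies both checksums, and confirms what the tcpdump summary line reports. The function and constant names are illustrative.

```python
import struct

# Sample 2 hex dump from the message above, copied byte for byte.
SAMPLE2_HEX = (
    "4500 0028 308a 0000 f806 a7d7 407c 22af "
    "cea9 b899 00e2 60c0 0000 0000 78eb 2b32 "
    "5014 0000 bfa2 0000 0000 0000 0000"
)

FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def inet_checksum_ok(data: bytes) -> bool:
    """True when the one's-complement sum over data (checksum field included) is 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ipv4_tcp(raw: bytes) -> dict:
    """Decode an IPv4 packet carrying TCP, starting at the IP header."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < total_len:
        raise ValueError("not a complete IPv4/TCP packet")
    src, dst = raw[12:16], raw[16:20]
    segment = raw[ihl:total_len]          # TCP header plus payload, padding excluded
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in FLAG_NAMES if off_flags & bit],
        "window": window,
        "ip_checksum_ok": inet_checksum_ok(raw[:ihl]),
        "tcp_checksum_ok": inet_checksum_ok(pseudo + segment),
        "trailing_bytes": len(raw) - total_len,   # bytes past the IP total length
    }

if __name__ == "__main__":
    for key, value in decode_ipv4_tcp(bytes.fromhex(SAMPLE2_HEX)).items():
        print(f"{key}: {value}")
```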


