Full Version: Bombarded
Linuxhelp > Support > Technical Support
nobby355
Help

I have a system running SuSE 8

I am getting bombarded by all sorts of traffic from all over the world, mostly porn, through port 8000. Because I use this system to connect remote sites, using cipe, I need to have the flexibility of keeping this port open, especially with the connections to other manufacturers' systems. Here is a dump using tcpdump on cipcb0:
13:14:49.947294 172.16.7.250.brvread > 10.48.29.1.domain: 18346+ PTR? 96.108.17.216.in-addr.arpa. (44) (DF) [tos 0x10]
13:14:50.135735 172.16.7.250.cap > 10.48.29.1.domain: 1884+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:14:50.642121 10.48.29.1.domain > 172.16.7.250.brvread: 18346* 1/3/3 PTR[|domain]
13:14:50.681149 10.48.29.1.domain > 172.16.7.250.cap: 1884 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:14:54.221404 172.16.7.250.cap > 10.48.29.1.domain: 1885+ A? m2.doubleclick.net. (36) (DF) [tos 0x10]
13:14:54.824094 10.48.29.1.domain > 172.16.7.250.cap: 1885 3/0/0 CNAME[|domain]
13:14:55.991259 172.16.7.250.brvread > 10.48.29.1.domain: 18347+ PTR? 19.112.208.217.in-addr.arpa. (45) (DF) [tos 0x10]
13:14:56.504446 172.16.7.250.cap > 10.48.29.1.domain: 1886+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:14:56.798178 10.48.29.1.domain > 172.16.7.250.cap: 1886 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:14:56.834076 10.48.29.1.domain > 172.16.7.250.brvread: 18347* 1/2/2 PTR[|domain]
13:14:58.685292 172.16.7.250.cap > 10.48.29.1.domain: 1887+ A? l6.login.scd.yahoo.com. (40) (DF) [tos 0x10]
13:14:59.341921 10.48.29.1.domain > 172.16.7.250.cap: 1887* 1/5/5 A 66.218.74.91 (226)
13:14:59.375647 172.16.7.250.cap > 10.48.29.1.domain: 1888+ A? www.centerfoldparadise.com. (44) (DF) [tos 0x10]
13:15:00.223759 10.48.29.1.domain > 172.16.7.250.cap: 1888* 1/1/1 A 216.66.18.191 (104)
13:15:00.244433 172.16.7.250.brvread > 10.48.29.1.domain: 18348+ PTR? 191.18.66.216.in-addr.arpa. (44) (DF) [tos 0x10]
13:15:01.117090 10.48.29.1.domain > 172.16.7.250.brvread: 18348* 1/3/3 PTR[|domain]
13:15:01.118450 172.16.7.250.cap > 10.48.29.1.domain: 1889+ A? ad.linksynergy.com. (36) (DF) [tos 0x10]
13:15:03.899364 172.16.7.250.cap > 10.48.29.1.domain: 1890+ A? www.awin1.com. (31) (DF) [tos 0x10]
13:15:04.802398 172.16.7.250.cap > 10.48.29.1.domain: 1891+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:15:05.380718 10.48.29.1.domain > 172.16.7.250.cap: 1891 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:15:08.528393 172.16.7.250.cap > 10.48.29.1.domain: 1892+ A? lawcrawler.com. (32) (DF) [tos 0x10]
13:15:08.738333 172.16.7.250.cap > 10.48.29.1.domain: 1893+ A? m2.doubleclick.net. (36) (DF) [tos 0x10]
13:15:09.150515 10.48.29.1.domain > 172.16.7.250.cap: 1893 3/0/0 CNAME[|domain]
13:15:09.274673 10.48.29.1.domain > 172.16.7.250.cap: 1892* 1/2/2 A 66.35.204.10 (129)
13:15:11.540087 172.16.7.250.cap > 10.48.29.1.domain: 1894+ A? www.katesplayground.com. (41) (DF) [tos 0x10]
13:15:11.671627 10.48.29.1.domain > 172.16.7.250.cap: 1894 1/0/0 A 66.197.127.140 (57)
13:15:12.071078 172.16.7.250.cap > 10.48.29.1.domain: 1895+ A? www.fh555.com. (31) (DF) [tos 0x10]
13:15:12.706632 10.48.29.1.domain > 172.16.7.250.cap: 1895 1/0/0 A 218.106.83.7 (47)
13:15:16.636925 172.16.7.250.cap > 10.48.29.1.domain: 1896+ A? l16.login.dcn.yahoo.com. (41) (DF) [tos 0x10]
13:15:16.816949 172.16.7.250.cap > 10.48.29.1.domain: 1897+ A? ad.linksynergy.com. (36) (DF) [tos 0x10]
13:15:16.996986 172.16.7.250.cap > 10.48.29.1.domain: 1898+ A? l16.login.dcn.yahoo.com. (41) (DF) [tos 0x10]
13:15:17.128594 10.48.29.1.domain > 172.16.7.250.cap: 1897 4/0/0 A 63.123.248.7, A 63.123.248.8[|domain]
13:15:17.977996 172.16.7.250.brvread > 10.48.29.1.domain: 18349+ PTR? 82.79.208.217.in-addr.arpa. (44) (DF) [tos 0x10]
13:15:18.232604 10.48.29.1.domain > 172.16.7.250.cap: 1896* 1/5/5 A 216.109.127.47 (227)
13:15:22.924926 172.16.7.250.cap > 10.48.29.1.domain: 1899+ A? www.legfreak.com. (34) (DF) [tos 0x10]
13:15:26.533908 172.16.7.250.cap > 10.48.29.1.domain: 1900+ A? www.all2men.com. (33) (DF) [tos 0x10]
13:15:26.833249 10.48.29.1.domain > 172.16.7.250.cap: 1900 1/0/0 A 211.94.204.42 (49)
13:15:28.291827 172.16.7.250.cap > 10.48.29.1.domain: 1901+ A? www.outwar.com. (32) (DF) [tos 0x10]
13:15:28.825572 172.16.7.250.cap > 10.48.29.1.domain: 1902+ A? www.sciencedirect.com. (39) (DF) [tos 0x10]
13:15:28.942481 10.48.29.1.domain > 172.16.7.250.cap: 1901 1/0/0 A 216.22.4.47 (48)
13:15:29.200763 172.16.7.250.cap > 10.48.29.1.domain: 1903+ A? www.realgalleries.com. (39) (DF) [tos 0x10]
13:15:29.431279 10.48.29.1.domain > 172.16.7.250.cap: 1902 2/0/0 CNAME sciencedirect.com., A[|domain]
Can anyone help please?
hughesjr
I'm not positive ... but it looks to me like 10.48.29.1 is a DNS server and the computer 172.16.7.250 is doing name lookups on it (10.48.29.1) through your tunnel.

It doesn't look like the traffic is originating from an external source to me....
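A way to check that reading for yourself rather than eyeballing the dump: the script below is an added example (not from the thread or from cipe/tcpdump) that parses tcpdump's DNS one-liners, works out which host only ever acts as server on port `domain`, which hosts only ever act as clients, whether every packet is DNS at all, and which query IDs never got an answer. The sample lines are a constructed subset re-typed in the same shape as the output quoted above; the field names and the `summarize` report layout are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the same shape as the tcpdump output in the post
# (the line-wrapped PTR query is joined back together).
SAMPLE = """\
13:14:49.947294 172.16.7.250.brvread > 10.48.29.1.domain: 18346+ PTR? 96.108.17.216.in-addr.arpa. (44) (DF) [tos 0x10]
13:14:50.135735 172.16.7.250.cap > 10.48.29.1.domain: 1884+ A? ad.uk.doubleclick.net. (39) (DF) [tos 0x10]
13:14:50.642121 10.48.29.1.domain > 172.16.7.250.brvread: 18346* 1/3/3 PTR[|domain]
13:14:50.681149 10.48.29.1.domain > 172.16.7.250.cap: 1884 2/0/0 CNAME ad.3uk.doubleclick.net., (76)
13:14:59.375647 172.16.7.250.cap > 10.48.29.1.domain: 1888+ A? www.centerfoldparadise.com. (44) (DF) [tos 0x10]
13:15:00.223759 10.48.29.1.domain > 172.16.7.250.cap: 1888* 1/1/1 A 216.66.18.191 (104)
13:15:01.118450 172.16.7.250.cap > 10.48.29.1.domain: 1889+ A? ad.linksynergy.com. (36) (DF) [tos 0x10]
"""

# Query lines carry "<id>+ <TYPE>? <name>", responses carry "<id>[*] a/n/au ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<flags>[+*]*) "
    r"(?:(?P<qtype>[A-Z]+)\? (?P<qname>\S+)|(?P<counts>\d+/\d+/\d+))"
)


def split_endpoint(endpoint):
    """tcpdump prints host.port; the port is the last dotted component."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return a dict for one DNS packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
        "id": int(m["id"]),
        "kind": "query" if m["qtype"] else "response",
        "qtype": m["qtype"],
        "qname": m["qname"].rstrip(".") if m["qname"] else None,
    }


def summarize(text):
    """Who talks to whom, what is asked, and which queries were never answered."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    pending = {}          # (id, client host, client port) -> query
    answered = set()
    names_by_type = defaultdict(list)
    servers, clients, ports = set(), set(), set()
    for p in pkts:
        ports.update((p["sport"], p["dport"]))
        if p["kind"] == "query":
            pending[(p["id"], p["src"], p["sport"])] = p
            clients.add(p["src"])
            servers.add(p["dst"])
            names_by_type[p["qtype"]].append(p["qname"])
        else:
            # A response is addressed back to the client's ephemeral port.
            answered.add((p["id"], p["dst"], p["dport"]))
            servers.add(p["src"])
            clients.add(p["dst"])
    queries = sum(p["kind"] == "query" for p in pkts)
    return {
        "packets": len(pkts),
        "queries": queries,
        "responses": len(pkts) - queries,
        "all_dns": all("domain" in (p["sport"], p["dport"]) for p in pkts),
        "servers": servers,
        "clients": clients,
        "ports": ports,
        "names_by_type": dict(names_by_type),
        "unanswered": sorted(k for k in pending if k not in answered),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key, value in report.items():
        print(f"{key:14} {value}")
```

Run against the sample, `servers` comes out as just `10.48.29.1`, `clients` as just `172.16.7.250`, `all_dns` is true, and the only ports seen are `domain`, `brvread` and `cap`; port 8000 does not appear at all. The adult-site names are the A-record questions the tunnel peer is asking, i.e. what its own users are resolving, which is why the dump looks like "porn traffic" while every packet is in fact a lookup between two private addresses.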