strange packets from 192.168.1.126
Dear all,
I've recently noticed some packets coming in on port 22 (sshd) on my
external interface from the 192.168.1.0/24 network. I don't have any
local machines on this network and the packets are coming in on my WAN
interface (via my router). How is that possible? My understanding was
that this network was not routeable from the internet. I'm guessing
someone is trying to get at my sshd server. Below are the packets. Is
there any way to get more info on where they are coming from?
Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT=
MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 SRC=192.168.1.126
DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF
PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0
I'm using iptables on a 2.6 Linux box.
Kevin
Re: strange packets from 192.168.1.126
Kevin VW wrote:
> Dear all,
>
> I've recently noticed some packets coming in on port 22 (sshd) on my
> external interface from the 192.168.1.0/24 network. I don't have any
> local machines on this network and the packets are coming in on my WAN
> interface (via my router). How is that possible? My understanding was
> that this network was not routeable from the internet. I'm guessing
> someone is trying to get at my sshd server. Below are the packets. Is
> there any way to get more info on where they are coming from?
>
> Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT=
> MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 SRC=192.168.1.126
> DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF
> PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0
>
> I'm using iptables on a 2.6 Linux box.
>
> Kevin
This seems to be the result of a packet that was sent with a bad
(intentionally or not) source IP address. It could have "escaped" from
someone's LAN due to a misconfigured masquerading router. The network
typically doesn't do anything with the source address except pass it
along. Of course, the connection can't work, since you don't have the
right address to reply to.
--
Steve
Re: strange packets from 192.168.1.126
Kevin VW wrote:
> Dear all,
> I've recently noticed some packets coming in on port 22 (sshd) on my
> external interface from the 192.168.1.0/24 network. I don't have any
> local machines on this network and the packets are coming in on my WAN
> interface (via my router). How is that possible? My understanding was
> that this network was not routeable from the internet. I'm guessing
> someone is trying to get at my sshd server. Below are the packets. Is
> there any way to get more info on where they are coming from?
> Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT=
> MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 SRC=192.168.1.126
> DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF
> PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0
> I'm using iptables on a 2.6 Linux box.
> Kevin
Dear Kevin
While editing my blog http://tache.unplug.org.ve/ I just decided to inquire about my IP and was surprised to find your post commenting that you received some strange packets from 192.168.1.126, which happens to be my PC's IP. I do not understand that, because I have never sent anything other than the replies to any questions posted on my web page.
I sincerely apologize for any inconvenience caused to you, but again, I would like to make clear that I do not have anything to do with it.
Regards,
Octavio Rossell Daal.
Barquisimeto, Venezuela.
Re: strange packets from 192.168.1.126
Definitely leakage, or someone masquerading their IP. There is another remote possibility: I have seen ISPs start using private IPs inside their network due to IP constraints. Could the other side of your WAN port be on the 192.168.1.0/24 or 192.168.0.0/16 subnets?
Have a look at Team Cymru's map of maliciousness and you will see the oddness of private address attacks...
http://www.team-cymru.org/Monitoring/Malevolence/maps.html
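Steve's explanation (a packet with a bad source address, spoofed or leaked past a misconfigured masquerading router) and the last reply's caveat about ISPs numbering their own links privately both come down to one check a defender can run over these log lines: parse each iptables kernel log entry and flag RFC 1918 sources arriving on the WAN-facing interface. The following is an added Python example, not code from the thread; it assumes eth1 is the WAN interface (as in Kevin's log), uses Kevin's log line plus one constructed public-source entry as sample input, and takes an optional list of networks the upstream ISP is known to use privately.

```python
import ipaddress

WAN_IFACE = "eth1"  # assumption: the WAN-facing interface, as in Kevin's log
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: entry 1 is the line from the thread, entry 2 is a made-up
# public-source SYN to the same port for contrast.
SAMPLE_LOG = [
    "Feb 20 20:02:14 tti kernel: iptables chain hostile: IN=eth1 OUT= MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 "
    "SRC=192.168.1.126 DST=172.16.251.61 LEN=228 TOS=0x10 PREC=0x00 TTL=47 ID=19109 DF "
    "PROTO=TCP SPT=38196 DPT=22 WINDOW=16022 RES=0x00 ACK PSH FIN URGP=0",
    "Feb 20 20:05:01 tti kernel: iptables chain hostile: IN=eth1 OUT= MAC=00:0e:0c:dd:73:16:00:11:6e:00:f9:70:08:00 "
    "SRC=203.0.113.9 DST=172.16.251.61 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

def parse_iptables_line(line):
    """Split a kernel iptables log entry into KEY=VALUE fields plus a FLAGS set."""
    _, _, body = line.partition("kernel: ")  # drop the syslog prefix
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:                 # e.g. SRC=192.168.1.126, OUT= (empty value)
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok in TCP_FLAGS:         # bare tokens such as ACK PSH FIN
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(fields, wan_iface=WAN_IFACE, upstream_private=()):
    """Verdict for one entry: is a private source showing up on the outside interface?"""
    if fields.get("IN") != wan_iface:
        return "not-wan"
    src = ipaddress.ip_address(fields["SRC"])
    if any(src in net for net in upstream_private):
        return "upstream-private"     # ISP numbers its own links with private space
    if any(src in net for net in RFC1918):
        return "bogon-source"         # spoofed, or leaked past a broken NAT; cannot be replied to
    return "public-source"

def scan(lines, **kw):
    """Summarise each entry; TTL and flags help judge how far it travelled and what it was."""
    rows = []
    for line in lines:
        f = parse_iptables_line(line)
        rows.append({"verdict": classify(f, **kw), "src": f["SRC"], "dpt": f.get("DPT"),
                     "ttl": int(f["TTL"]), "flags": sorted(f["FLAGS"])})
    return rows
```

Passing the ISP's private ranges as `upstream_private` turns the verdict for those sources into "upstream-private" rather than "bogon-source", which is the distinction the last reply asks about.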