On Wed, 21 Feb 2001, Mark Lo wrote:
> Hi all,
>
> From my log files, I got the following messages. I know the below IP
> address is coming from the same network as I do, and I have checked the IP
> addresses (203.194.161.2 and 203.194.161.3) with my ISP; they told me the IPs
> 203.194.161.2 and 203.194.161.3 are routers. And they have confirmed
> that they didn't send me such packets. As a result, it may be a spoofed
> packet. So, how can I stop people sending me those packets, or how can I find
> out the sources (where do the packets come from)? I get tons of this
> garbage in my log files. It's filling up my disk space.
>
> Feb 20 07:26:08 dns1 kernel: Packet log: input DENY eth0 PROTO=17
> 203.194.161.2:1985 224.0.0.2:1985 L=48 S=0xC0 I=0 F=0x0000 T=2 (#41)
Spoofed? Maybe... then again, more often than not, I find that the ISP
staff is usually either clueless (does happen sometimes), or just doesn't
want you to know that they screwed up (more often than not), or just doesn't
care and wants to get you off the phone, so they say, "Hey, it's not us!"
According to www.arin.net/whois:
Asia Pacific Network Information Center (APNIC2)
These addresses have been further assigned to Asia-Pacific users.
Contact information can be found in the APNIC database,
at WHOIS.APNIC.NET or http://www.apnic.net/
Please do not send spam complaints to APNIC.
Netname: APNIC-CIDR-BLK
Netblock: 202.0.0.0 - 203.255.255.255
Maintainer: AP
Coordinator:
Administrator, System (SA90-ARIN) [EMAIL PROTECTED]
+61-7-3367-0490
Domain System inverse mapping provided by:
SVC00.APNIC.NET 202.12.28.131
NS.APNIC.NET 203.37.255.97
NS.TELSTRA.NET 203.50.0.137
NS.RIPE.NET 193.0.0.193
Regional Internet Registry for the Asia-Pacific Region.
*** Use whois -h whois.apnic.net ***
*** or see http://www.apnic.net/db/ for database assistance ***
Record last updated on 18-Jun-1999.
Database last updated on 21-Feb-2001 07:13:10 EDT.
According to APNIC:
Search results for '203.194.161.2'
inetnum 203.194.128.0 - 203.194.191.255
netname IADVANTAGE
descr iAdvantage Limited
country HK
admin-c ATWY1-AP, inverse
tech-c BL26-AP, inverse
tech-c HM55-AP, inverse
mnt-by APNIC-HM, inverse
mnt-lower MAINT-HK-IS, inverse
changed [EMAIL PROTECTED] 20001018
source APNIC
person Alex Tam Wing Yiu, inverse
address iAdvantage Ltd.
address 36/F Standard Chartered Tower II
address Millennium City, 388 Kwun Tong Road
address Kwun Tong, Hong Kong
phone +852-22088328
fax-no +852-22672237
country HK
e-mail [EMAIL PROTECTED], inverse
nic-hdl ATWY1-AP, inverse
mnt-by MAINT-NULL, inverse
changed [EMAIL PROTECTED] 19991116
source APNIC
person Ben Li, inverse
address 36/F, Standard Chartered Tower
address Millennium City, 388 Kwun Tong Road
address Kwun Tong, Hong Kong
phone +852-22088320
fax-no +852-22672237
country HK
e-mail [EMAIL PROTECTED], inverse
nic-hdl BL26-AP, inverse
mnt-by MAINT-HK-IS, inverse
changed [EMAIL PROTECTED] 19991116
source APNIC
person iAdvantage hostmaster, inverse
address iAdvantage Limited
address 36/F, Standard Chartered Tower,
address Millennium City, 388 Kwun Tong Road
phone +852-22088338
fax-no +852-22672237
country HK
e-mail [EMAIL PROTECTED], inverse
nic-hdl HM55-AP, inverse
mnt-by MAINT-HK-IS, inverse
changed [EMAIL PROTECTED] 20000121
source APNIC
So, who knows? Can you stop them from sending packets? Probably not.
Can you do anything? Probably; your firewall is doing its job if those
packets are getting dumped...
Also, go to securityfocus.com and subscribe to the incidents list and see
what the people there have to say. They do a lot with odd packets,
scanning, etc., as well as forensics when tracing odd activity.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
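As an added example (not from anyone in the thread), a small Python parser for the ipchains "Packet log:" format quoted above, with a classifier that tells a defender what the denied packet most likely is: 224.0.0.2 lies in the link-local multicast block that routers never forward, so the sender must sit on the same segment as dns1 whatever the source field says, and UDP port 1985 to that group is the shape of a Cisco HSRP router hello. The first sample line is the one from the question; the other two are constructed.

```python
import ipaddress
import re
from collections import Counter

# Shape of a 2.2-kernel ipchains "Packet log:" line as quoted in the thread.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

# 224.0.0.0/24 is link-local scope: routers do not forward it off the segment.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

# Constructed sample: line 1 is the one from the question, lines 2-3 are made up.
SAMPLE_LINES = [
    "Feb 20 07:26:08 dns1 kernel: Packet log: input DENY eth0 PROTO=17 "
    "203.194.161.2:1985 224.0.0.2:1985 L=48 S=0xC0 I=0 F=0x0000 T=2 (#41)",
    "Feb 20 07:26:11 dns1 kernel: Packet log: input DENY eth0 PROTO=17 "
    "203.194.161.2:1985 224.0.0.2:1985 L=48 S=0xC0 I=0 F=0x0000 T=2 (#41)",
    "Feb 20 07:27:02 dns1 kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.9.8.7:40001 203.194.161.77:23 L=60 S=0x00 I=4711 F=0x4000 T=51 (#12)",
]

def parse_ipchains(line):
    """Return the log fields as a dict, or None if the line is not an ipchains log line."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl"):
        d[k] = int(d[k])
    d["tos"], d["frag"] = int(d["tos"], 16), int(d["frag"], 16)
    d["rule"] = int(d["rule"]) if d["rule"] else None
    return d

def classify(pkt):
    """Label a denied packet: is the source necessarily on-link, and does it look like HSRP?"""
    dst = ipaddress.ip_address(pkt["dst"])
    if dst in LINK_LOCAL_MCAST:
        if pkt["proto"] == 17 and pkt["dport"] == 1985 and dst == ipaddress.ip_address("224.0.0.2"):
            return "hsrp-hello"            # UDP/1985 to all-routers group: Cisco HSRP
        return "link-local-multicast"      # still on-link, protocol unknown
    return "multicast" if dst.is_multicast else "unicast"

def summarize(lines):
    """Count packets per (src, dst, proto, dport, class) so noise is tallied rather than logged one by one."""
    counts = Counter()
    for pkt in filter(None, map(parse_ipchains, lines)):
        counts[(pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"], classify(pkt))] += 1
    return counts
```

Aggregating with summarize() and logging only the tally (or simply not logging the matching rule) keeps this traffic out of the disk-filling log while still recording that it happens.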