Am I paranoid or are people trying to get me?

Ken D'Ambrosio ken at jots.org
Tue Jul 6 23:53:23 EDT 2010


First, a confession: I don't know much about firewall logs.  I usually
just glance at 'em and see if anything fun's going on.  But... that being
said, something smells fishy about your report.  I don't see how you could
know the MAC of an attacker, unless they were on a local subnet.  MAC
addresses are layer two, and don't route.  That's why (for example), if
you do an "nmap -sP x.x.x.x/24" as root, you'll see MAC addresses for
local IPs, but not foreign ones.

So, I'm wondering if the MAC is thrown in to show *the first hop* on the
way to your culprit?  Or something along those lines, maybe?

No doubt, Ben will correct me.  But methinks the data may point somewhere
other than where you're thinking.

$.02,

-Ken


On Tue, July 6, 2010 11:06 pm, Steven W. Orr wrote:
> I just had a minor outage over here with RCN at home on my server. After
> a mere bag O shells that cost me an hour, they actually got me back up and
>  running. During the bring up, I noticed that my firewall in linux was
> registering that it was dropping ping packets. (I have my firewall set to
> drop any more than three ICMP packets per minute.)  But then I got curious
> to see what was happening and found that I had (as of from April 28 to
> now) 47185 firewall events but they all came from one macaddr. Also, this
> one macaddr seems to be attributed to (so far) 2518 ip addresses.
>
> I checked with RCN and they say it's not one of theirs. Every single
> event in my firewall refers to this guy:
>
> 00:12:44:91:f0:01
>
>
> Here's a sample:
>
>
> Jul  6 22:34:08 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT=
> MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=221.192.199.46
> DST=207.172.210.41 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 DF PROTO=TCP
> SPT=12200 DPT=8085 WINDOW=8192 RES=0x00 SYN URGP=0
>
>
> The first 6 bytes in the macaddr are me, the second 6 are from Boris
> Badinoff.
>
>
> I can block that macaddr from my firewall, but I can't believe this is as
>  nefarious as it looks.
>
>
> I have one other piece of information: I ran traceroutes on some of the
> src ip addresses and some go back to avg.com here in good old Chelmsford
> MA. Not all,
> but a lot of them. (I have been installing avg on some people's machines,
> but that's no reason to ping me, is it?) I can call them in the morning...
>
>
>
> If anyone has any ideas, I'd be curious. I'm hoping I'm just
> misinterpreting something.
>
> --
> Time flies like the wind. Fruit flies like a banana. Stranger things have
> happened but none stranger than this. Does your driver's license say Organ
> Donor? Black holes are where God divided by zero. Listen to me! We are all
> individuals! What if this weren't a hypothetical question? steveo at
> syslang.net
>
> _______________________________________________
> gnhlug-discuss mailing list gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
>





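The point Ken makes above, that the MAC in the log is the previous layer-two hop rather than the sender, can be checked directly from the firewall's own log lines. Netfilter's LOG target prints the raw Ethernet header as MAC=destination:source:ethertype (6 + 6 + 2 bytes), so the second six bytes are whatever device handed the frame to eth0; for a host behind an ISP gateway that is the gateway's MAC for every packet from the Internet. The script below is an added example, not code from this thread or from FIAIF: it splits the MAC= field, groups events by source MAC, and counts how many distinct SRC addresses per MAC lie outside the local subnet. The log lines it runs on are the one line quoted in the thread plus constructed lines (same MAC header, different SRC), and the 207.172.210.0/24 prefix and the second "local" MAC are assumptions made for the illustration.

```python
"""Decode the MAC= field of Linux netfilter LOG lines and check whether the
source MAC can plausibly belong to the sender of each packet.

Added example, not from the original thread.  SAMPLE_LOG holds the one
line quoted in the thread plus constructed lines; LOCAL_NET is an assumed
prefix for the firewall's public interface.
"""

import ipaddress
import re
from collections import defaultdict

# The LOG target prints the raw Ethernet header: 14 colon-separated bytes,
# 6 destination MAC, 6 source MAC, 2 EtherType (08:00 = IPv4).
LOG_RE = re.compile(
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)",
    re.IGNORECASE,
)

LOCAL_NET = "207.172.210.0/24"  # assumed local subnet (hypothetical)

SAMPLE_LOG = [
    # Real line quoted in the thread, unwrapped onto one line.
    "Jul  6 22:34:08 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT= "
    "MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=221.192.199.46 "
    "DST=207.172.210.41 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 DF PROTO=TCP "
    "SPT=12200 DPT=8085 WINDOW=8192 RES=0x00 SYN URGP=0",
    # Constructed: same Ethernet header, different remote SRC (RFC 5737 range).
    "Jul  6 22:35:11 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT= "
    "MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=198.51.100.23 "
    "DST=207.172.210.41 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP "
    "SPT=4431 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Constructed: same Ethernet header, ICMP from another remote SRC.
    "Jul  6 22:36:02 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT= "
    "MAC=00:13:d4:d1:b7:7c:00:12:44:91:f0:01:08:00 SRC=203.0.113.77 "
    "DST=207.172.210.41 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1 SEQ=1",
    # Constructed: a host on the assumed local subnet; its own MAC appears
    # (locally administered address, hypothetical).
    "Jul  6 22:37:40 saturn kernel: [FIAIF_DROP]:IN=eth0 OUT= "
    "MAC=00:13:d4:d1:b7:7c:02:12:34:56:78:9a:08:00 SRC=207.172.210.9 "
    "DST=207.172.210.41 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP "
    "SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def split_mac_field(mac_field):
    """Split netfilter's MAC= value into (dst_mac, src_mac, ethertype)."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 bytes in MAC= field, got %d" % len(octets))
    dst_mac = ":".join(octets[:6])
    src_mac = ":".join(octets[6:12])
    ethertype = "".join(octets[12:])  # "0800" for IPv4
    return dst_mac, src_mac, ethertype


def parse_line(line):
    """Return the L2/L3 addressing of one LOG line, or None if it has none."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    dst_mac, src_mac, ethertype = split_mac_field(m.group("mac"))
    return {
        "dst_mac": dst_mac,
        "src_mac": src_mac,
        "ethertype": ethertype,
        "src_ip": ipaddress.ip_address(m.group("src")),
        "dst_ip": ipaddress.ip_address(m.group("dst")),
    }


def summarize(lines, local_net):
    """Group events by source MAC and count distinct SRC IPs per MAC.

    A source MAC that delivers frames for SRC addresses outside local_net
    cannot be the sender's NIC (MACs are rewritten at every router hop); it
    is the neighbouring device that forwarded the packet, i.e. the gateway.
    """
    net = ipaddress.ip_network(local_net)
    ips_by_mac = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ethertype"] != "0800":  # IPv4 frames only
            continue
        ips_by_mac[rec["src_mac"]].add(rec["src_ip"])
    summary = {}
    for mac, ips in ips_by_mac.items():
        off_subnet = sum(1 for ip in ips if ip not in net)
        summary[mac] = {
            "distinct_src_ips": len(ips),
            "off_subnet_src_ips": off_subnet,
            "is_forwarding_hop": off_subnet > 0,
        }
    return summary


if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG, LOCAL_NET).items():
        print(mac, info)
```

Run against the real firewall log, a single MAC with thousands of distinct off-subnet SRC addresses is exactly the signature of the ISP's gateway, so blocking that MAC would cut off all inbound traffic rather than one attacker; the 2518 source addresses themselves are the thing to look at.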
