Re: Irritating DSL annoyance

From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 03/13/04


Date: 13 Mar 2004 10:28:44 -0800

Remi Villatel <maxilys@SPAMCOP.tele2.fr> wrote in message news:<c2tf7p$ca5$1@news.tiscali.fr>...
> P Gentry wrote:
>
> >>>>*But* now, I have random I/O transfers over the line (up to 300 Bytes/sec)
> >>>>even when (AFAIK) absolutely no program uses the modem.
>
> > Until you do the usual ifconfig, route -n, and route -C commands it's
> > not clear what your net setup actually _is_ as opposed to what you
> > intended.
>
> ifconfig says eth0, lo and ppp0. Nothing else.
>

Looks "normal". Can't say more than that -- can't see the output.

> >>Firewall? I have no firewall. Every incoming access is blocked by Apache
> >
> > Good, Apache as a packet filter/firewall. Convenient.
>
> Well, Apache has seen nothing since I installed a firewall. Anyway, it
> wasn't supposed to be accessible from outside.
>

Your fw needs to _allow_ traffic in headed for its IP and port#. If
it's not intended to be accessible, then fw will _block_ traffic
headed for the port# and maybe the IP also.
 
> >>which logs them and track them (partially) back thanks to whois. I now have
>
> > Which whois? You would have to check with a number of them for this
> > to be reliable.
>
> whois --version
> 4.6.6

Should have been clearer, I guess. "Which whois _server_ are you
using?" -- no single whois server can resolve all questions. Each one
takes on responsibility for a "limited" number of domains.

>
> Compatible with the usual BSD and RIPE whois programs says rpm. That's all I
> can say. All I get is the name of the company which provides the IP of the
> "port prober".
>

And from there you can go to sites that will give you more info --
Google has "automated" access to usage stats, # and designation of
other ASes the company has, etc. It's detective work and cannot
really be scripted. It was how we traced down the problem I mentioned
in original post -- Google will accept IP addresses as a search term
(or part of a term list) and kick back list/forum postings that can
tell you if other people are seeing and wondering about the same
traffic.

> >>a nice list of "abuse@" to write to. ;-) When I will have the time, I'll
> >>extend my PHP script to automate the writing of an e-mail... or to probe
> >>back the apprentice pirates. <Devil grin>
>
> > Don't grin too quick. People (ISPs especially) don't like getting
> > these kind of notifications by an automated script -- chances are that
> > you're complaining about innocent traffic. You need to sniff the
> > wire/review logs and confirm your suspicions before crying "Wolf!"
>
> Innocent traffic? You're not innocent when you test the defence perimeter of
> a private computer that isn't officially accessible from outside.
>

Not sure what you mean by "officially" inaccessible.
Your ISP can't route "private" IPs except those on your network -- and
many _will_ do the latter despite their claims to the contrary. Your
"public" IP obviously must be accessible (and it's up to you to let in
or keep out traffic as you see fit).

How do you know anyone is _testing_ your defences? Once you have an
interface exposed to the internet there are any number of reasons that
you will get packets "directed" to your IP/ports. Your ISP will be
directing traffic to you from _their_ servers/routers just to maintain
connections/accounts. You really need to use a "sniffer" to actually
look at the "raw" packets. Ethereal is almost certainly included with
your distro and it's easy to use once you learn two or three "tricks".

> Yesterday, I saw a "port prober". I traceroute'd him. He was behind 3
> anonymous machines. I ping'ed him, just to say hello ;-) and he
> disappeared very quickly! Maybe I am a little paranoid but it doesn't look
> like an innocent behavior to me.
>

First, if you tracerouted them, they were not anonymous or hiding at
all.
Also there is nothing you say here that requires a human to be on the
other end in any sense. How did you determine that it _was_ a "port
prober"? Random packets _and_ random probes are possible --
especially if your ISP is sloppy or experiencing tech problems.
And a ping (or some other active response) from you may have been
precisely what "they" were looking for -- "they" now know you are a
"live" IP address. You have to know or at least be aware of a few
tricks when playing dirty pool.

> >>Anyway, these port probings aren't the reason for the "static on the line".
> > Until you view the packets/headers how do you know this is static? It
> > probably is, but you can't be sure.
>
> I've been online for the whole day... Downloading and filling up my hard
> disk. ;-) The firewall logs are huge! But I've already seen access
> attempts on various unauthorized ports. Maybe you're right. I need to check
> another quiet day.
>

Noisy days are a _good_ time to sniff and review logs in order to
establish a "noisy" baseline/profile -- especially if someone _is_
actively trying to get into or go through your machine. Noisy traffic
days are a great cover for an "attacker" since they already know what
traffic _they_ are interested in -- they are hoping you won't notice
it in all the "noise".

> See ya,
>

If you really feel that someone is or may be trying to use your machine
in some way then you need to look into some tools like nmap, snort,
ethereal, nessus, etc. and get familiar with their documentation
enough to get a good feel for plain view "attack signatures" -- that
is, identifiably suspicious activity that you can _see_ just by using
a sniffer. Even if it's just some "kids" playing around, you never
know when such playing will get serious.

And _most importantly_, get a good firewall in place to keep out as
much as you can. A good place to start (if you haven't been there
already) is:
http://www.linuxguruz.com/iptables/

Good luck,
prg
email above disabled
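The advice above about reviewing firewall logs to build a baseline, and about not calling every hit a "port prober" until the pattern has been checked, as an added example that is not part of the original thread: a small Python script that parses iptables LOG lines (the kernel's KEY=VALUE format) arriving on ppp0, profiles each source, and flags only sources that sweep many distinct ports. The log lines and addresses are constructed samples, and the min_ports threshold is an assumed starting point to tune against your own quiet-day baseline.

```python
import re
from collections import defaultdict

# Constructed sample iptables LOG lines (kernel KEY=VALUE format as written
# by the iptables LOG target); not taken from the original thread.
SAMPLE_LOG = """\
Mar 13 09:01:02 box kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3422 DPT=135 SYN
Mar 13 09:01:03 box kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3423 DPT=139 SYN
Mar 13 09:01:04 box kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3424 DPT=445 SYN
Mar 13 09:01:05 box kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3425 DPT=1433 SYN
Mar 13 09:01:06 box kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3426 DPT=8080 SYN
Mar 13 09:02:10 box kernel: IN=ppp0 OUT= SRC=192.0.2.66 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1026
Mar 13 09:02:11 box kernel: IN=ppp0 OUT= SRC=192.0.2.66 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1027
Mar 13 09:05:00 box kernel: IN=ppp0 OUT= SRC=203.0.113.1 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields of one iptables LOG line."""
    return dict(FIELD_RE.findall(line))

def summarize(log_text):
    """Per-source profile: packet count and the set of distinct destination ports."""
    profile = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if "SRC" not in fields or fields.get("IN") != "ppp0":
            continue  # only count packets that arrived on the DSL link
        entry = profile[fields["SRC"]]
        entry["packets"] += 1
        if "DPT" in fields:  # ICMP lines carry TYPE/CODE, not a port
            entry["ports"].add(int(fields["DPT"]))
    return profile

def suspected_probers(profile, min_ports=4):
    """Sources that touched at least min_ports distinct ports (assumed threshold).
    A few hits on one port are background noise; one source sweeping many
    ports is the pattern worth confirming with a sniffer before writing to abuse@."""
    return sorted(src for src, e in profile.items() if len(e["ports"]) >= min_ports)

if __name__ == "__main__":
    prof = summarize(SAMPLE_LOG)
    for src, e in sorted(prof.items()):
        print(f"{src:16} packets={e['packets']:3} ports={sorted(e['ports'])}")
    print("suspected probers:", suspected_probers(prof))
```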