help, analyzing traffic, am I being attacked or what?

From: Tobias Skytte (tobias_at_itservices.co.mz)
Date: 10/29/04


Date: 29 Oct 2004 09:53:29 -0700

Hi,

I need some help analyzing tcpdump traffic (see below). What's
happening is this: our server (ip 196.28.yyy.zzz), running RH 9, sends
out via that ip but receives via a receive-only satlink with ip
(196.36.aaa.bbb). Also the server is a NAT for a LAN behind it. So
normally we don't receive much on the 196.28.yyy.zzz link but mostly
transmit. In the last couple of days though I'm seeing a lot of traffic
(see dump below) and I don't know what it is.
If NAT'ed machines or the server itself had made connections to these
sites then it would be receiving these packets on the other
satellite interface with the other ip. So as far as I can figure out
these packets are 'unsolicited'. They are also going to ports that
are firewalled in the server and they don't show up in netstat or
ip_conntrack. So what are these packets? Currently it's a problem
because it's consuming 50% of our available bandwidth, which is only
64k for transmitting.

What can I do to find out more about this traffic? Any hints would be
much appreciated.
Like, I need to know if these packets are being dropped or, if not,
where they are going, etc. Am I under attack?
Thanks in advance,

Tobias Skytte

-------------------------------------------------
tcpdump (our server is with sanitized ip: 196.28.yyy.zzz)
-------------------------------------------------

15:52:59.009854 81.185.195.179.3149 > 196.28.yyy.zzz.1075: P 1441:2881(1440) ack 1 win 16937 (DF)
15:52:59.630421 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P 12572:14032(1460) ack 1 win 31660 (DF)
15:52:59.804400 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P 14032:15360(1328) ack 1 win 31660 (DF)
15:53:00.005924 81.69.133.78.2830 > 196.28.yyy.zzz.1038: . 2920:4380(1460) ack 1 win 17179 (DF)
15:53:00.196920 81.69.133.78.2830 > 196.28.yyy.zzz.1038: . 4380:5840(1460) ack 1 win 17179 (DF)
15:53:00.287613 81.98.56.67.1214 > 196.28.yyy.zzz.1068: P 1460:2132(672) ack 1 win 63899 (DF)
15:53:00.478410 81.69.133.78.2830 > 196.28.yyy.zzz.1038: . 5840:7300(1460) ack 1 win 17179 (DF)
15:53:00.669618 80.200.111.86.1175 > 196.28.yyy.zzz.4908: P 10221:11681(1460) ack 0 win 17217 (DF)
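As an added triage example (this is not part of Tobias's post, nor a tool from the list), the Python script below parses the legacy one-line tcpdump TCP format quoted above, re-joins records that a mail client wrapped onto two lines, totals payload per remote host, estimates throughput against the 64 kbit/s figure from the post, and counts data-carrying segments whose flow never showed a SYN inside the capture. The sample input is the dump from the post; the field names, the function names and the 64 kbit/s comparison value are my assumptions.

```python
"""Triage helper for the legacy one-line tcpdump TCP format quoted in the post.
Added example, not part of the original mail; names and the link figure are assumptions."""
import re
from collections import defaultdict

# Sample input: the eight records from the post, still wrapped the way the
# mail client wrapped them (each record spans two lines).
SAMPLE_DUMP = """\
15:52:59.009854 81.185.195.179.3149 > 196.28.yyy.zzz.1075: P
1441:2881(1440) ack 1 win 16937 (DF)
15:52:59.630421 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P
12572:14032(1460) ack 1 win 31660 (DF)
15:52:59.804400 80.222.196.4.3786 > 196.28.yyy.zzz.1053: P
14032:15360(1328) ack 1 win 31660 (DF)
15:53:00.005924 81.69.133.78.2830 > 196.28.yyy.zzz.1038: .
2920:4380(1460) ack 1 win 17179 (DF)
15:53:00.196920 81.69.133.78.2830 > 196.28.yyy.zzz.1038: .
4380:5840(1460) ack 1 win 17179 (DF)
15:53:00.287613 81.98.56.67.1214 > 196.28.yyy.zzz.1068: P
1460:2132(672) ack 1 win 63899 (DF)
15:53:00.478410 81.69.133.78.2830 > 196.28.yyy.zzz.1038: .
5840:7300(1460) ack 1 win 17179 (DF)
15:53:00.669618 80.200.111.86.1175 > 196.28.yyy.zzz.4908: P
10221:11681(1460) ack 0 win 17217 (DF)
"""

# A record starts with a HH:MM:SS.usec timestamp; any other line is a continuation.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+")

# Legacy layout: HH:MM:SS.usec src.sport > dst.dport: FLAGS [seq0:seq1(len)] [ack N] [win W] [(DF)]
# The sanitized host 196.28.yyy.zzz contains letters, so host parts allow \w.
RECORD_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+)\s+"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFRU.]+)"
    r"(?:\s+(?P<seq0>\d+):(?P<seq1>\d+)\((?P<plen>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)


def unwrap_records(text):
    """Re-join wrapped records: a line without a leading timestamp belongs to the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Parse one unwrapped record into a dict, or return None if it is not in this layout."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "t": int(g["hh"]) * 3600 + int(g["mm"]) * 60 + float(g["ss"]),
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "flags": g["flags"],
        "payload": int(g["plen"]) if g["plen"] else 0,
        # tcpdump prints seq/ack relative to the first packet it saw for the flow, so
        # small values such as 1441:2881 / ack 1 only show that the capture began
        # before this segment, not that a handshake was captured.
        "seq0": int(g["seq0"]) if g["seq0"] else None,
        "ack": int(g["ack"]) if g["ack"] else None,
    }


def analyze(text, link_kbps=64.0):
    """Summarise a dump: payload volume, throughput against the link, and data
    segments whose flow never showed a SYN within the capture."""
    recs = [r for r in map(parse_record, unwrap_records(text)) if r]
    if not recs:
        return {"records": 0}
    per_source, syn_seen, midstream, ephemeral = defaultdict(int), set(), 0, 0
    for r in recs:
        flow = (r["src"], r["sport"], r["dst"], r["dport"])
        if "S" in r["flags"]:
            syn_seen.add(flow)
        per_source[r["src"]] += r["payload"]
        # Data on a flow with no SYN in the capture is mid-stream on this interface,
        # which is what the post's asymmetric-routing situation would produce.
        if r["payload"] and flow not in syn_seen:
            midstream += 1
        if r["dport"] > 1023:          # our side is on an ephemeral port
            ephemeral += 1
    payload = sum(r["payload"] for r in recs)     # TCP payload only, headers not counted
    duration = recs[-1]["t"] - recs[0]["t"]
    kbps = payload * 8 / duration / 1000.0 if duration > 0 else 0.0
    return {
        "records": len(recs),
        "payload_bytes": payload,
        "duration_s": duration,
        "payload_kbps": kbps,
        "link_share": kbps / link_kbps,
        "midstream_without_syn": midstream,
        "ephemeral_dport_fraction": ephemeral / len(recs),
        "top_sources": sorted(per_source.items(), key=lambda kv: kv[1], reverse=True),
    }
```

Call analyze() on a longer dump than the eight lines above: the excerpt spans only about 1.66 s, so its throughput figure is a hint, not a measurement. Two things the script cannot tell you: tcpdump taps the interface before netfilter, so a packet that appears in the dump may still be dropped by iptables, and the place to check that is the per-rule packet and byte counters (iptables -L -v -n) together with the interface counters in /proc/net/dev; and on an inbound link the bandwidth is already spent by the time the host sees the packet, so dropping it at the firewall frees nothing on that link.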


