Security Incidents mailing list archives

Re: a lot of spoofed traffic for port 8, does anybody recon this?


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Mon, 14 May 2001 13:42:16 -0400 (EDT)

On Mon, 14 May 2001, Bob Johnson wrote:

> Don't know if you ever figured this out.  The only place I've ever
> seen port 8 used is a Telocity DSL modem in a friend's office.
> [snip]

Mikael Fors wrote:

> May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 
> F=0x0000 T=126 (#24)
> [snip]

that logline should tell you everything you need to know. its a
deficiency, however, of the logging that is causing your confusion.

from /etc/protocols (and the IANA list)
icmp    1       ICMP    # internet control message protocol

so ... PROTO=1 means 'ICMP'.

now for the 'port 8' (from a.b.c.d:8 in the logfile), this is the
deficiency: ICMP doesn't use ports, it uses types and codes. so, you saw an
ICMP type 8, which is 'echo request', aka our friend 'ping'.

as such, it looks like someone was pinging you. there are a variety of
legit reasons why someone could be pinging you, including napster (uses it
to get latencies and estimated bandwidth between the two endpoints of a
connection), and gaming. the frequency doesn't appear to be anything
special, so i wouldn't presume a DoS attempt.

figure 6.3 of stevens' 'TCP/IP Illustrated Vol 1' should be useful here.
the main culprit is the crappy mistake in the logging. whoever hacked it
together (the code) needs to be beaten with a blunt object for only
thinking about protocols 6 and 17 (UDP and TCP). other protocols usually
get barfed on as well for 'port numbers', especially when the concept of a
port is absent in the protocol definition.

hope this helps,

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
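The decoding Jose walks through above (PROTO=1 is ICMP, and the two "addr:n" fields are ICMP type and code rather than ports) is easy to get wrong by eye when scanning a lot of lines. The following Python parser is an added example, not code from the thread or from ipchains; it assumes the ipchains "Packet log:" field layout as shown in the quoted line, and the sample log text is constructed for this example (the first line mirrors the quoted one, the others are made-up variations). It also tallies echo requests per source so the "frequency doesn't appear to be anything special" judgement can be made from counts rather than impressions.

```python
import re
from collections import Counter

# Constructed sample log: line 1 mirrors the line quoted in the thread, the rest
# are invented lines in the same ipchains format (TCP and UDP for contrast).
SAMPLE_LOG = """\
May  9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)
May  9 10:03:37 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29113 F=0x0000 T=126 (#24)
May  9 10:04:02 gator kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4321 192.168.22.2:22 L=60 S=0x00 I=1 F=0x4000 T=52 (#7)
May  9 10:04:05 gator kernel: Packet log: input DENY eth0 PROTO=17 10.1.2.4:53 192.168.22.2:1025 L=80 S=0x00 I=2 F=0x0000 T=48 (#7)
"""

# Protocol numbers from /etc/protocols (IANA): the three the post mentions plus a few common ones.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# ICMP message types (RFC 792); type 8 is the 'echo request' the post identifies.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
}

# Assumed ipchains layout: "Packet log: <chain> <action> <iface> PROTO=<n> <src>:<a> <dst>:<b> L=<len> ... T=<ttl>"
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<a>\d+) (?P<dst>\S+):(?P<b>\d+) "
    r"L=(?P<length>\d+) .*T=(?P<ttl>\d+)"
)


def parse_packet_log(line):
    """Parse one ipchains 'Packet log:' line into a dict, or None if it does not match.

    The two 'addr:n' slots are ports only for TCP/UDP. For ICMP the same slots
    carry type and code, which is exactly the 'port 8' confusion in the thread.
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    proto = int(m.group("proto"))
    rec = {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "iface": m.group("iface"),
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "length": int(m.group("length")),
        "ttl": int(m.group("ttl")),
    }
    a, b = int(m.group("a")), int(m.group("b"))
    if proto == 1:
        rec["icmp_type"] = a
        rec["icmp_code"] = b
        rec["icmp_name"] = ICMP_TYPES.get(a, f"type-{a}")
    elif proto in (6, 17):
        rec["sport"] = a
        rec["dport"] = b
    else:
        # GRE, ESP, etc. have no port concept either; keep the raw numbers unlabelled.
        rec["raw_fields"] = (a, b)
    return rec


def describe(rec):
    """One-line human-readable rendering that never calls an ICMP type a 'port'."""
    if rec["proto"] == 1:
        what = (f"{rec['proto_name']} {rec['icmp_name']} "
                f"(type {rec['icmp_type']}/code {rec['icmp_code']}) {rec['src']} -> {rec['dst']}")
    elif "sport" in rec:
        what = f"{rec['proto_name']} {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
    else:
        what = f"{rec['proto_name']} {rec['src']} -> {rec['dst']} (fields {rec['raw_fields']})"
    return f"{rec['action']} {what}"


def echo_request_sources(log_text):
    """Count ICMP echo requests per source, so the ping rate can be judged from numbers."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_packet_log(line)
        if rec and rec.get("icmp_type") == 8:
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_packet_log(line)))
    print(dict(echo_request_sources(SAMPLE_LOG)))
```

Run against a real ipchains log the per-source echo-request counts over a window are what distinguish a game client or Napster probing latency from a flood; two pings from one host, as in the quoted line, is the former.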

