  1. #1
    Just Joined!
    Join Date
    Dec 2008
    Posts
    2

    Network Attack Coming from own IP


    Boy, I sure hope you guys are able to help me figure this out. I've been having some attacks lately and the originating source is my own IP:

    Code:
    #61-(6-73)	[nessus] [cve] [icat] [bugtraq] [arachNIDS] [local] [snort] WEB-CGI wrap access	2008-12-10 16:06:29	97.xxx.yyy.255:53629	67.135.105.139:80	TCP
    #62-(6-74)	[snort] (http_inspect) DOUBLE DECODING ATTACK	2008-12-10 16:06:29	97.xxx.yyy.255:54827	64.236.115.51:80	TCP
    #63-(6-75)	[snort] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY	2008-12-10 16:07:15	97.xxx.yyy.255:50217	74.125.103.39:80	TCP
    Where 97.xxx.yyy.255 is my IP. The odd part about it is the last three numbers. I connect with a cable modem and have never seen it before. The 255 is reserved, I thought, and has a unique purpose - like a local network? Can anyone help me with this?

  2. #2
    Just Joined!
    Join Date
    Oct 2008
    Location
    IceWM
    Posts
    23
    The attacker/attackers are possibly using IP address spoofing to fool you. As long as you've got good defense, you'll be right.

  3. #3
    Linux User dxqcanada's Avatar
    Join Date
    Sep 2006
    Location
    Canada
    Posts
    259
    97.xxx.yyy.255 is the broadcast address for your network.

    Someone is attempting to make your router/PC drop this broadcast onto your network.
    Since the source IP address is your internal network ... they hope that your router/PC will be fooled into thinking it is a reply to a packet that originated from your private network, and therefore will let it in.

    Since it is the broadcast address of the network, all IP devices on that network may accept it.



    Men occasionally stumble over the truth,
    but most of them pick themselves up
    and hurry off as if nothing had happened.

    Winston Churchill


    ... then the Unix-Gods created "man" ...

  5. #4
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    That isn't necessarily the broadcast address; it depends on what the network mask is. I have an IP as such:
    Code:
    inet addr:10.101.136.206  Bcast:10.101.137.255  Mask:255.255.254.0
    Nothing is stopping me from using 10.101.136.255.

  6. #5
    Linux User dxqcanada's Avatar
    Join Date
    Sep 2006
    Location
    Canada
    Posts
    259
    Ah, I stand corrected.

    I assumed a class C subnet mask.
    In actual fact the default mask for a 97 network is a class A.

    What the OP's network is using ... is unknown at this moment.



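A worked check of the point made in #4 and #5, added here as an example and not code posted by anyone in this thread: whether an address ending in .255 is the broadcast address depends entirely on the subnet mask, so the only way to know what 97.xxx.yyy.255 is on the original poster's network is to look at the mask on the interface. The alert lines below are constructed copies of the three in #1, with the documentation range 203.0.113.0/24 standing in for the masked 97.xxx.yyy.255; the 10.101.136.206 interface is the one from #4, and the 203.0.113.7 interface and the masks tried against it are assumptions for illustration.

```python
import ipaddress

# Constructed sample alerts in the BASE/Snort layout shown in post #1.
# 203.0.113.255 (documentation range) stands in for the poster's 97.xxx.yyy.255.
ALERTS = [
    "[snort] WEB-CGI wrap access\t2008-12-10 16:06:29\t203.0.113.255:53629\t67.135.105.139:80\tTCP",
    "[snort] (http_inspect) DOUBLE DECODING ATTACK\t2008-12-10 16:06:29\t203.0.113.255:54827\t64.236.115.51:80\tTCP",
    "[snort] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY\t2008-12-10 16:07:15\t203.0.113.255:50217\t74.125.103.39:80\tTCP",
]


def parse_source(line):
    """Return (source IP, source port) from a tab-separated alert line."""
    fields = line.split("\t")
    host, port = fields[2].rsplit(":", 1)
    return host, int(port)


def broadcast_of(iface):
    """Broadcast address of the subnet an interface sits on.

    iface is 'addr/prefix' or 'addr/netmask', so the ifconfig output in #4
    can be passed as '10.101.136.206/255.255.254.0'.
    """
    return str(ipaddress.ip_interface(iface).network.broadcast_address)


def classify(addr, iface):
    """Say what addr is relative to the interface's subnet:
    'outside subnet', 'broadcast', 'network' or 'host'."""
    net = ipaddress.ip_interface(iface).network
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside subnet"
    if ip == net.broadcast_address:
        return "broadcast"
    if ip == net.network_address:
        return "network"
    return "host"


def audit(alerts, iface):
    """Classify the source address of every alert against the local subnet."""
    result = []
    for line in alerts:
        src, _port = parse_source(line)
        result.append((src, classify(src, iface)))
    return result


if __name__ == "__main__":
    # The interface from #4: a /23 whose broadcast is .137.255, so .136.255 is a plain host.
    print(broadcast_of("10.101.136.206/255.255.254.0"))    # 10.101.137.255
    print(classify("10.101.136.255", "10.101.136.206/23"))  # host
    # The same .255 source is the broadcast under a /24 but an ordinary host under a /22
    # (assumed masks on an assumed 203.0.113.7 interface).
    for mask in ("/24", "/22"):
        print(mask, audit(ALERTS, "203.0.113.7" + mask))
```

Run it against the Bcast/Mask fields from your own `ifconfig` (or `ip addr`) output rather than a guessed /24: if the logged source really is your broadcast address, that is an address no host should ever send from and an anti-spoof rule or rp_filter on the WAN side is the right response; if it turns out to be an ordinary host address in a larger ISP block, the alerts simply came from another customer in the same subnet.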

  7. #6
    Just Joined!
    Join Date
    Dec 2008
    Posts
    2
    OP=other person?

    I'll be getting back on this in a second. I've decided my network has been compromised and am doing a clean install.

    I think you are right that someone is trying to gain trusted access. I'm installing a pretty hard /etc/sysctl.conf (added source routing [already had rp_filter on though]); also I think iptables might be able to help. Will:

    Code:
    iptables -A INPUT -i eth0 -s 97.xxx.yyy.255 -j DROP
    help stop attacks, or would that cause another problem? The source IP may be part of the internal network; early attacks seemed to originate from the ISP.
