- 12-10-2008 #1 (Just Joined! Join Date: Dec 2008, Posts: 2)
Network Attack Coming from own IP
Boy, I sure hope you guys are able to help me figure this out. I've been having some attacks lately and the originating source is my own IP:
Code:
#61-(6-73) [nessus] [cve] [icat] [bugtraq] [arachNIDS] [local] [snort] WEB-CGI wrap access 2008-12-10 16:06:29 97.xxx.yyy.255:53629 67.135.105.139:80 TCP
#62-(6-74) [snort] (http_inspect) DOUBLE DECODING ATTACK 2008-12-10 16:06:29 97.xxx.yyy.255:54827 64.236.115.51:80 TCP
#63-(6-75) [snort] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY 2008-12-10 16:07:15 97.xxx.yyy.255:50217 74.125.103.39:80 TCP
Where 97.xxx.yyy.255 is my IP. The odd part about it is the last three numbers. I connect with a cable modem and have never seen it before. The 255 is reserved, I thought, and has a unique purpose, like a local network? Can anyone help me on this?
- 12-10-2008 #2 (Just Joined! Join Date: Oct 2008, Location: IceWM, Posts: 23)
The attacker/attackers are possibly using IP address spoofing to fool you. As long as you've got good defense, you'll be right.
- 12-11-2008 #3
97.xxx.yyy.255 is the broadcast address for your network.
Someone is attempting to make your router/PC drop this broadcast onto your network.
Since the source IP address is your internal network, they hope that your router/PC will be fooled into thinking it is a reply to a packet that originated from your private network, and therefore will let it in.
Since it is the broadcast address of the network, all IP devices on that network may accept it.
Men occasionally stumble over the truth,
but most of them pick themselves up
and hurry off as if nothing had happened.
Winston Churchill
... then the Unix-Gods created "man" ...
- 12-11-2008 #4
That isn't necessarily the broadcast address; it depends on what the network mask is. I have an IP as such:
Code:
inet addr:10.101.136.206 Bcast:10.101.137.255 Mask:255.255.254.0
Nothing is stopping me from using 10.101.136.255.
- 12-11-2008 #5
Ah, I stand corrected.
I assumed a class C subnet mask.
In actual fact the default mask for a 97 network is a class A.
What the OP's network is using is unknown at this moment.
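An added example (mine, not code from anyone in the thread) that does the arithmetic posts #3 to #5 disagree about and applies it to the alert lines from the first post. The OP's masked octets xxx.yyy are filled with the constructed values 10.20, and a local interface address of 97.10.20.1 is assumed; the /24 mask is post #3's assumption and the /23 mask is post #4's.

```python
import ipaddress
import re

def broadcast_for(addr: str, mask: str) -> str:
    """Directed-broadcast address of the subnet that contains addr/mask."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return str(net.broadcast_address)

# The three BASE/Snort alert lines from the first post. The OP masked the
# second and third octets as xxx.yyy; 10.20 below is a constructed stand-in.
ALERTS = """\
#61-(6-73) [nessus] [cve] [icat] [bugtraq] [arachNIDS] [local] [snort] WEB-CGI wrap access 2008-12-10 16:06:29 97.10.20.255:53629 67.135.105.139:80 TCP
#62-(6-74) [snort] (http_inspect) DOUBLE DECODING ATTACK 2008-12-10 16:06:29 97.10.20.255:54827 64.236.115.51:80 TCP
#63-(6-75) [snort] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY 2008-12-10 16:07:15 97.10.20.255:50217 74.125.103.39:80 TCP
""".splitlines()

# Trailing "src:port dst:port PROTO" of a BASE alert line.
ENDPOINTS = re.compile(
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(TCP|UDP|ICMP)$"
)

def classify(line: str, local_addr: str, local_mask: str) -> dict:
    """Flag whether the alert's source is our own subnet broadcast, and
    which side looks like the client judging by the port pair."""
    m = ENDPOINTS.search(line)
    if m is None:
        raise ValueError(f"unrecognised alert line: {line!r}")
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    return {
        "src": src,
        "dst": dst,
        "src_is_broadcast": src == broadcast_for(local_addr, local_mask),
        # ephemeral source port talking to a well-known service port means the
        # source side opened the connection (a client request, not a reply)
        "direction": "client_request" if sport > 1023 and dport < 1024 else "other",
    }

if __name__ == "__main__":
    # Post #4's interface: 10.101.136.206 with mask 255.255.254.0
    print(broadcast_for("10.101.136.206", "255.255.254.0"))  # 10.101.137.255
    for mask in ("255.255.255.0", "255.255.254.0"):  # post #3's /24, post #4's /23
        for line in ALERTS:
            print(mask, classify(line, "97.10.20.1", mask))
```

Under the /24 mask every alert's source is the local broadcast address, under /23 none of them is, and in all three the source side holds the ephemeral port while the destination is port 80.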
- 12-13-2008 #6 (Just Joined! Join Date: Dec 2008, Posts: 2)
OP=other person?
I'll be getting back on this in a second. I've decided my network has been compromised and am doing a clean install.
I think you are right that someone is trying to gain trusted access. I'm installing a pretty hard /etc/sysctl.conf (added source routing [already had rp_filter on though]). Also I think iptables might be able to help. Will:
Code:
iptables -A INPUT -i eth0 -s <-97.xxx.yyy.255> -j DROP
help stop attacks, or would that cause another problem? The source IP may be part of the internal network; early attacks seemed to originate from the ISP.