[WEB4LIB] Mystery packets from ISP

Eric Holt eholt at cals.lib.ar.us
Fri Mar 22 13:44:01 EST 2002


I'd try unplugging the Ethernet cable from 142.59.254.41 for ten minutes 
and see if you stop getting the packets from 205.233.111.218.  If so, try 
looking through the services that are running on 142.59.254.41.  In any 
case, it looks like the ISP's router is sending error packets back to 
142.59.254.41 telling it that it can't route the packets that 142.59.254.41 
is sending out.

Eric Holt
Manager, Computer and Network Services
Central Arkansas Library System

At 10:08 AM 3/22/2002 -0800, you wrote:
>I'm hoping that someone will have the answer to this question as this list
>seemed the best place to post since it is Web related.  Is there another
>list that is for network security in libraries?
>
>A little over a year ago we broke off from a larger network and got our own
>firewall and Internet connection.  Right from the beginning, I noticed that
>the firewall logs showed many packets from the same few IP addresses.  The
>requests are anywhere from a minute to 5 minutes apart and according to the
>logs are coming in all times of the day and night.  Here are some examples:
>
>03/08/2002 01:28:13.080 - ICMP packet dropped - Source:205.233.111.218, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>03/08/2002 01:33:46.112 - ICMP packet dropped - Source:205.233.111.218, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>03/08/2002 01:35:52.000 - ICMP packet dropped - Source:205.233.111.221, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>
>I did a whois search and found that the IPs were our ISP.  When I got in
>touch with them the only information that they could give me was that their
>servers were responding to a request from somewhere in our network.  The
>request is on port 3 which according to IANA is compressnet.
>
>The information I found on compressnet is : "CompressNET enables
>organizations running TCP/IP over X.25 and other wide-area networks to
>successfully address several critical business issues, including WAN
>traffic congestion and skyrocketing carriers."  The operating system
>specified is Solaris.  We are Win NT server with Win 95, 98, NT and 2000
>boxes.
>
>I'd like to get rid of this traffic if it is unnecessary.  Either I've
>missed something locally or I need to provide some specific information to
>the ISP to fix this on their end.  Does anyone have any ideas?
>
>Thanks!
>
>Michelle Rempel
>Grande Prairie Public Library
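
Both messages turn on which internal host the ISP's 'Dest Unreachable' packets are addressed to and how often they arrive. The Python script below is an added example, not part of either message: it parses the firewall records quoted in the post (wrapped and '>'-quoted as archived) and groups the dropped ICMP errors by LAN destination. The regex group names and the month/day/year reading of the date are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three records from the post above, kept wrapped and '>'-quoted as archived.
SAMPLE_LOG = """\
>03/08/2002 01:28:13.080 - ICMP packet dropped - Source:205.233.111.218, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>03/08/2002 01:33:46.112 - ICMP packet dropped - Source:205.233.111.218, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>03/08/2002 01:35:52.000 - ICMP packet dropped - Source:205.233.111.221, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
"""

RECORD = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) - (?P<proto>\w+) packet dropped"
    r" - Source:(?P<src>[\d.]+), (?P<src_num>\d+), (?P<src_if>\w+)"
    r" - Destination:(?P<dst>[\d.]+), (?P<dst_num>\d+), (?P<dst_if>\w+)"
    r" - '(?P<msg>[^']*)' - Rule (?P<rule>\d+)"
)

def parse(text):
    """Return one dict per dropped-packet record, tolerating mail wrapping."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    records = []
    for m in RECORD.finditer(flat):
        rec = m.groupdict()
        # Assumption: month/day/year order; only the gaps between records matter here.
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")
        records.append(rec)
    return records

def summarise(records):
    """Group ICMP 'Dest Unreachable' drops by the LAN host they are addressed to."""
    by_host = defaultdict(list)
    for r in records:
        if r["proto"] == "ICMP" and r["msg"] == "Dest Unreachable":
            by_host[r["dst"]].append(r)
    report = {}
    for host, recs in by_host.items():
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[host] = {
            "count": len(recs),
            "senders": sorted({r["src"] for r in recs}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for host, info in summarise(parse(SAMPLE_LOG)).items():
        print(host, info)
```

Run over a full day's log, a single LAN address with a steady gap between records points at one machine to inspect first.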




