[WEB4LIB] Re: Mystery packets from ISP

Dobbs, Aaron DobbsA at apsu.edu
Fri Mar 22 14:45:20 EST 2002


Judging by the names...
142.59.254.41   :: s142-59-254-41.ab.hsia.telus.net
205.233.111.218 :: clgrab21br01.bb.telus.net
...these are probably both routers at telus.net
(I assume Michelle's ISP?)
Interesting that gppl.ab.ca (from Michelle's email address) is the same IP
(161.184.245.20) as web-ux.telus.net.
How many other domain names is that IP hosting?
And which of those domains is making requests off port 3?
Possibly your logs are recording spillover from a different entity that
shares hosting services on the same machine at your ISP.
-Aaron
:-)
PS If, when you tracert your way off campus, you go through 142.59.254.41
consistently (i.e. it's your gateway router) then the request is originating
within your network.  If you don't usually see 142.59.254.41 when you
tracert out, odds are it isn't you.

Here's my Tracert to gppl.ab.ca:

Tracing route to gppl.ab.ca [161.184.245.20]
over a maximum of 30 hops:

 1   <10 ms   <10 ms   <10 ms  10.16.1.3
 2   <10 ms   <10 ms   <10 ms  10.200.200.22
 3   <10 ms   <10 ms   <10 ms  206.23.60.1
 4    40 ms    50 ms    10 ms  10.218.96.1
 5    80 ms    80 ms    90 ms  192.168.103.3
 6   100 ms    60 ms    80 ms  192.168.103.1
 7    30 ms    50 ms    30 ms  208.63.128.1
 8    20 ms    20 ms    20 ms  chi-edge-01.inet.qwest.net [208.46.63.201]
 9    60 ms    60 ms    30 ms  chi-core-02.inet.qwest.net [205.171.20.9]
10    20 ms    20 ms    21 ms  chi-brdr-03.inet.qwest.net [205.171.20.138]
11    60 ms    20 ms    40 ms  154.13.70.9
12    30 ms    60 ms    30 ms  154.13.70.26
13    40 ms    50 ms    40 ms  toroonxnbr00.bb.telus.com [209.115.138.53]
14    60 ms    60 ms    80 ms  toroonnlbr00.bb.telus.com [154.11.6.2]
15    70 ms    91 ms    70 ms  edtnabkdbr01.bb.telus.com [209.115.137.237]
16    80 ms    90 ms    80 ms  edtnabxmdr01.bb.telus.com [205.233.111.131]
17    80 ms    70 ms    80 ms  EDTN-PLAN01.tac.net [209.115.218.226]
18    80 ms    81 ms    80 ms  edtnpr02-f0-1-0.agt.net [161.184.255.228]
19    90 ms    80 ms   120 ms  web-ux.telus.net [161.184.245.20]

Trace complete.

(Don't mind the 10.x.x.x's & 192.168.x.x's; no one bothered to tell our ISP
this shouldn't be done.)

-----Original Message-----
From: Eric Holt [mailto:eholt at cals.lib.ar.us]
Sent: Friday, March 22, 2002 12:45 PM
To: Multiple recipients of list
Subject: [WEB4LIB] Re: Mystery packets from ISP



I'd try unplugging the Ethernet cable from 142.59.254.41 for ten minutes 
and see if you stop getting the packets from 205.233.111.218.  If so, try 
looking through the services that are running on 142.59.254.41.  In any 
case, it looks like the ISP's router is sending error packets back to 
142.59.254.41 telling it that it can't route the packets that 142.59.254.41 
is sending out.

Eric Holt
Manager, Computer and Network Services
Central Arkansas Library System

At 10:08 AM 3/22/2002 -0800, you wrote:
>I'm hoping that someone will have the answer to this question as this list
>seemed the best place to post since it is Web related.  Is there another
>list that is for network security in libraries?
>
>A little over a year ago we broke off from a larger network and got our own
>firewall and Internet connection.  Right from the beginning, I noticed that
>the firewall logs showed many packets from the same few IP addresses.  The
>requests are anywhere from a minute to 5 minutes apart and according to the
>logs are coming in all times of the day and night.  Here are some examples:
>
>03/08/2002 01:28:13.080 - ICMP packet dropped - Source:205.233.111.218, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>03/08/2002 01:33:46.112 - ICMP packet dropped - Source:205.233.111.218, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>03/08/2002 01:35:52.000 - ICMP packet dropped - Source:205.233.111.221, 3,
>WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
>
>I did a whois search and found that the IPs were our ISP.  When I got in
>touch with them the only information that they could give me was that their
>servers were responding to a request from somewhere in our network.  The
>request is on port 3 which according to IANA is compressnet.
>
>The information I found on compressnet is: "CompressNET enables
>organizations running TCP/IP over X.25 and other wide-area networks to
>successfully address several critical business issues, including WAN
>traffic congestion and skyrocketing carriers."  The operating system
>specified is Solaris.  We are Win NT server with Win 95, 98, NT and 2000
>boxes.
>
>I'd like to get rid of this traffic if it is unnecessary.  Either I've
>missed something locally or I need to provide some specific information to
>the ISP to fix this on their end.  Does anyone have any ideas?
>
>Thanks!
>
>Michelle Rempel
>Grande Prairie Public Library
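The log lines quoted above can be decoded mechanically. The following is an added example written for this archive page, not code from anyone in the thread. It assumes (this is not stated on the page) that in these firewall lines the two numeric fields after the source and destination addresses are the ICMP type and ICMP code rather than TCP/UDP ports: ICMP carries no port numbers, and type 3 is "Destination Unreachable", which matches the firewall's own label on every line. Under that reading, type 3 code 3 is "port unreachable" (RFC 792), the reply a host sends when a UDP datagram reaches a port with no listener, so the host to inspect is the one named as the *destination* of the error, since it sent the original datagram.

```python
"""Parse and decode the 'ICMP packet dropped' lines quoted in the thread.

Assumption (added here, not from the page): the numeric field after each
address is the ICMP type (source side) and ICMP code (destination side).
"""
import re
from datetime import datetime

# Constructed sample: a copy of the three lines quoted in the original post.
SAMPLE_LOG = """\
03/08/2002 01:28:13.080 - ICMP packet dropped - Source:205.233.111.218, 3, WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
03/08/2002 01:33:46.112 - ICMP packet dropped - Source:205.233.111.218, 3, WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
03/08/2002 01:35:52.000 - ICMP packet dropped - Source:205.233.111.221, 3, WAN - Destination:142.59.254.41, 3, LAN - 'Dest Unreachable' - Rule 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - ICMP packet dropped - "
    r"Source:(?P<src>[\d.]+), (?P<type>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<code>\d+), (?P<dst_if>\w+) - "
    r"'(?P<label>[^']*)' - Rule (?P<rule>\d+)$"
)

# RFC 792 names for the message types and Destination Unreachable codes decoded here.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed and DF set", 5: "source route failed"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "src": d["src"], "dst": d["dst"],
        "type": int(d["type"]), "code": int(d["code"]),
        "label": d["label"], "rule": int(d["rule"]),
    }


def decode(event):
    """Human-readable ICMP type (and code, for Destination Unreachable)."""
    t, c = event["type"], event["code"]
    name = ICMP_TYPES.get(t, f"type {t}")
    if t == 3:
        name += " / " + UNREACHABLE_CODES.get(c, f"code {c}")
    return name


def summarize(log_text):
    """Group the drops by (responder, internal host) and measure the gaps between them."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_pair = {}
    for e in events:
        by_pair.setdefault((e["src"], e["dst"]), []).append(e)
    # Seconds between consecutive drops, to compare with "a minute to 5 minutes apart".
    intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    # A Destination Unreachable message is a reply: the host it is addressed to is the
    # one that sent the original datagram, so that is the host whose outbound traffic
    # (here UDP, given code 3) explains the log entries.
    originators = sorted({e["dst"] for e in events if e["type"] == 3})
    responders = sorted({e["src"] for e in events if e["type"] == 3})
    return {
        "count": len(events),
        "decoded": sorted({decode(e) for e in events}),
        "pairs": {f"{s}->{d}": len(v) for (s, d), v in by_pair.items()},
        "intervals_s": intervals,
        "originators": originators,
        "responders": responders,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the three quoted lines, `summarize` reports two responders (205.233.111.218 and .221) replying to a single internal host (142.59.254.41), gaps of roughly 333 s and 126 s, and a single decoded message, "Destination Unreachable / port unreachable". The practical follow-up for a defender is therefore a capture of outbound UDP from 142.59.254.41 towards those two addresses, which will show the real source and destination ports the firewall never logged.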




