For the last few days I had been observing unusual blinkenlights on my router even when the connection was supposed to be idle. Busy with overheating issues and a loosely mounted graphics card that was wreaking havoc in my game sessions, I put off investigating until now.
Today, a little peek into the system logs gave me these odd looking lines:
[ 245.194635] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=56199 DF PROTO=TCP SPT=57538 DPT=17771 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.186412] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42755 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193452] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42451 DF PROTO=TCP SPT=45035 DPT=18844 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193505] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42230 DF PROTO=TCP SPT=53061 DPT=28882 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.188289] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42756 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.189632] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51624 DF PROTO=TCP SPT=60700 DPT=33322 WINDOW=5840 RES=0x00 SYN URGP=0
A quick Google search later, I realised these were packets sent by 85.190.0.3 to my machine, probing seemingly random ports such as 33322, 80 (HTTP), 28882, 18844, etc. A little more research on the IP led to this page: http://proxyscan.freenode.net/.
I was confused for quite a while. I neither run nor use a proxy or an IIS server, as their policy page mentions. Why would they keep poking around when nothing is found? I can't give up on FreeNode, but I certainly do not like this continuous checking. Do all FreeNode users face this? It never used to happen before.
That said, a little more info into the message follows:
[ 254.189632] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51624 DF PROTO=TCP SPT=60700 DPT=33322 WINDOW=5840 RES=0x00 SYN URGP=0
Drilldown:
- Inbound – Incoming data
- IN=eth0 – Data incoming via eth0
- OUT= – No outgoing interface
- MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 – Breaks down to "00:Destination MAC":"00:Source MAC":"Payload-Type:00" (IP)
- SRC=85.190.0.3 – Source address
- DST=192.168.1.2 – Destination address
- LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51624 – Length, Type Of Service, Precedence(?), Time To Live, ID(?)
- DF PROTO=TCP SPT=60700 DPT=33322 WINDOW=5840 RES=0x00 SYN URGP=0 – Don't Fragment, Protocol, Source Port, Destination Port, Receiving Window Size, Reset(?), SYN packet (trying to connect), Non-Urgent Data.
The doubtful ones are marked with a (?). It was fun analysing this, and I think the solution is to block all incoming ports? Or perhaps to block the IP?
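As an added example (my own code, not part of the original post): a small Python parser for these iptables LOG lines. It splits the key=value fields, decodes the 14-byte MAC field into destination MAC, source MAC and EtherType (the Ethernet header as the kernel logs it; 08:00 is IPv4), collects the bare flag words (DF, SYN, ...), and then counts how many distinct destination ports a single source sends bare SYNs to within a time window, which is what separates a port scan from a stray connection attempt. For the fields the drilldown marks doubtful: PREC is the precedence bits of the TOS byte, ID is the IP identification field, and RES is the reserved TCP header bits (a reset would show up as an RST flag word, like SYN does). The sample log embedded below is the six lines quoted above; the scan thresholds and the block_rule helper are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the six kernel log lines quoted in the post above.
SAMPLE_LOG = """\
[ 245.194635] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=56199 DF PROTO=TCP SPT=57538 DPT=17771 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.186412] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42755 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193452] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42451 DF PROTO=TCP SPT=45035 DPT=18844 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193505] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42230 DF PROTO=TCP SPT=53061 DPT=28882 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.188289] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42756 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.189632] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51624 DF PROTO=TCP SPT=60700 DPT=33322 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shape of a line: "[ <uptime> ] <log-prefix> <key=value and bare-flag tokens...>"
# Assumes a single-word --log-prefix ("Inbound" here), as in the post.
LINE_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<prefix>\S+)\s+(?P<body>.*)$")


def decode_mac_field(mac_field):
    """MAC= is the raw 14-byte Ethernet header: dst MAC (6), src MAC (6), EtherType (2)."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        return {}
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),  # 0x0800 = IPv4
    }


def parse_log_line(line):
    """Return a dict of fields for one LOG line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "prefix": m.group("prefix"), "flags": set()}
    for token in m.group("body").split():
        if "=" in token:
            key, value = token.split("=", 1)   # "OUT=" yields an empty value
            rec[key] = value
        else:
            rec["flags"].add(token)            # DF, SYN, ACK, RST, ... carry no "="
    if "MAC" in rec:
        rec.update(decode_mac_field(rec["MAC"]))
    return rec


def parse_log(text):
    return [r for r in (parse_log_line(line) for line in text.splitlines()) if r]


def find_port_scanners(records, min_distinct_ports=3, window_seconds=60.0):
    """Sources that sent bare SYNs to >= min_distinct_ports different ports within window_seconds.

    The thresholds are assumptions for this example; tune them to your own traffic.
    Returns {src: sorted list of every port that source hit}.
    """
    by_src = defaultdict(list)
    for r in records:
        if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"]:
            by_src[r["SRC"]].append((r["timestamp"], int(r["DPT"])))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {port for t, port in hits[i:] if t - t0 <= window_seconds}
            if len(in_window) >= min_distinct_ports:
                scanners[src] = sorted({port for _, port in hits})
                break
    return scanners


def block_rule(src):
    """The 'block the IP' option from the post, written as an iptables command (assumed form)."""
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    first = recs[0]
    print(first["src_mac"], "->", first["dst_mac"], first["ethertype"], sorted(first["flags"]))
    for src, ports in find_port_scanners(recs).items():
        print(f"{src} probed ports {ports}; to block: {block_rule(src)}")
```

Run against the six lines it reports 85.190.0.3 hitting five distinct ports within nine seconds. Feed it `dmesg` or `/var/log/kern.log` output instead of SAMPLE_LOG and the same threshold separates a scanner from a host that merely retried one port.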
lol…you are becoming geekier day by day.
On topic, I think it's their anti-DDoS system.
The solution to this for a common user is to ignore it.
But you are not a common user; find your own way.
Reach Heights of Geekiness
Gaurish aka gary4gar
10 Mar 09 at 2:36 am
I never used to receive such messages before. Something has changed in my router settings perhaps.
Harsh
10 Mar 09 at 9:19 am
This is quite normal. Most IRC servers poke around for use of proxies.
On a side note, I think it's better if you snip out your MAC address.
Kalpik
10 Mar 09 at 9:56 am