For the last few days I’d been observing unusual blinkenlights on my router even when the connection was supposed to be idle. Busy fixing overheating issues and a loosely mounted graphics card that was causing havoc in my game sessions, I did not get around to investigating early.
Today, a little peek into the system logs gave me these odd looking lines:
[ 245.194635] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=56199 DF PROTO=TCP SPT=57538 DPT=17771 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.186412] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42755 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193452] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42451 DF PROTO=TCP SPT=45035 DPT=18844 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193505] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42230 DF PROTO=TCP SPT=53061 DPT=28882 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.188289] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42756 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.189632] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51624 DF PROTO=TCP SPT=60700 DPT=33322 WINDOW=5840 RES=0x00 SYN URGP=0
A quick Google search later, I realized these were messages sent by 85.190.0.3 to me, looking at random ports like 33322, 80 (HTTP), 28882, 18844, etc. A little more research on the IP led to this page: http://proxyscan.freenode.net/.
I was confused for quite a while. I neither run nor use a proxy or an IIS server, as their policy page states. Why would they continuously poke around when nothing’s found? I can’t give up on FreeNode, but I certainly do not like this continuous checking. Do all FreeNode users face this? It never used to happen before.
That said, a closer look at one of the messages follows:
[ 254.189632] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51624 DF PROTO=TCP SPT=60700 DPT=33322 WINDOW=5840 RES=0x00 SYN URGP=0
Drilldown:
- Inbound – not a packet field but the --log-prefix string of the iptables LOG rule that wrote the line; here it labels the rule that logs incoming packets
- IN=eth0 – the interface the packet arrived on
- OUT= – no outgoing interface, because the packet was addressed to this host (INPUT chain) rather than being forwarded
- MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 – the raw 14-byte Ethernet header: destination MAC 00:F8:a1:68:d7:63 (this host’s eth0), source MAC 00:0f:a3:52:11:33 (the previous hop, i.e. the router), then the EtherType 08:00 (IPv4)
- SRC=85.190.0.3 – source IP address
- DST=192.168.1.2 – destination IP address; a private (RFC 1918) address, so whatever NAT device sits in front of eth0 is passing these connections through to this host
- LEN=60 – total IP packet length in bytes (a bare SYN carrying TCP options)
- TOS=0x00 PREC=0x00 – the Type of Service byte and its precedence bits, both zero (default handling)
- TTL=52 – Time To Live; if the sender started at 64 (the Linux default) the packet crossed about 12 hops. The lines above show 50 to 52, consistent with one host reached over slightly varying routes
- ID=51624 – the IP identification field, used to match fragments; on most stacks just a counter
- DF – Don’t Fragment bit set
- PROTO=TCP – transport protocol
- SPT=60700 DPT=33322 – source and destination TCP ports
- WINDOW=5840 – the receive window the sender advertises; 5840 is 4 × 1460, the initial window older Linux kernels used, another hint that the scanner is a Linux box
- RES=0x00 – the reserved bits of the TCP header, zero; not “reset” (a reset would show up as the RST flag)
- SYN – only the SYN flag is set: a connection attempt with no data
- URGP=0 – the urgent pointer, zero because URG is not set
It was fun analysing this, and I think the solution is to block all incoming ports? Or perhaps blocking the IP?
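The field layout above is worth having in code. What follows is an added example, not part of the original post: a parser for netfilter LOG lines of this shape that splits the MAC field into its three parts, converts the numeric fields, and groups SYN-only probes by source address to flag a source that is sweeping ports. The input is the six lines quoted on this page (copied, not captured live); the function names, the `min_ports` threshold and the TTL heuristic are my own choices.

```python
import re

# The six iptables LOG lines quoted on this page, used here as constructed input.
SAMPLE_LOG = """\
[ 245.194635] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=56199 DF PROTO=TCP SPT=57538 DPT=17771 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.186412] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42755 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193452] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42451 DF PROTO=TCP SPT=45035 DPT=18844 WINDOW=5840 RES=0x00 SYN URGP=0
[ 248.193505] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=42230 DF PROTO=TCP SPT=53061 DPT=28882 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.188289] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42756 DF PROTO=TCP SPT=38368 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[ 254.189632] Inbound IN=eth0 OUT= MAC=00:F8:a1:68:d7:63:00:0f:a3:52:11:33:08:00 SRC=85.190.0.3 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51624 DF PROTO=TCP SPT=60700 DPT=33322 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Tokens the LOG target prints as bare words rather than key=value pairs.
IP_FLAGS = {"DF", "MF", "CE"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
INT_FIELDS = ("len", "ttl", "id", "spt", "dpt", "window", "urgp")

LINE_RE = re.compile(r"^\[\s*([\d.]+)\]\s+(.*)$")


def split_mac(mac_field):
    """The MAC= field is the raw Ethernet header: 6-byte destination MAC,
    6-byte source MAC, then the 2-byte EtherType, all colon-separated."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return {}
    return {
        "dst_mac": ":".join(octets[0:6]).lower(),
        "src_mac": ":".join(octets[6:12]).lower(),
        "ethertype": int(octets[12] + octets[13], 16),  # 0x0800 is IPv4
    }


def parse_log_line(line):
    """Parse one kernel LOG line into a dict; return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group(1)), "ip_flags": [], "tcp_flags": []}
    prefix_words = []
    for tok in m.group(2).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key.lower()] = value
        elif tok in IP_FLAGS:
            rec["ip_flags"].append(tok)
        elif tok in TCP_FLAGS:
            rec["tcp_flags"].append(tok)
        elif "in" not in rec:
            # Words before the first key=value pair are the rule's --log-prefix.
            prefix_words.append(tok)
    rec["prefix"] = " ".join(prefix_words)
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    if "mac" in rec:
        rec.update(split_mac(rec["mac"]))
    return rec


def estimate_hops(ttl):
    """Smallest common initial TTL (64, 128, 255) at or above the observed one,
    and the hop count that implies. A rough heuristic, not a measurement."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def summarize_sources(lines):
    """Group bare SYNs (connection attempts) by source: probe count, distinct
    destination ports and the TTLs seen."""
    summary = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec.get("proto") != "TCP":
            continue
        if "SYN" not in rec["tcp_flags"] or "ACK" in rec["tcp_flags"]:
            continue  # only new connection attempts, not replies to ours
        entry = summary.setdefault(rec["src"], {"probes": 0, "ports": set(), "ttls": set()})
        entry["probes"] += 1
        entry["ports"].add(rec["dpt"])
        entry["ttls"].add(rec["ttl"])
    return summary


def likely_scanners(summary, min_ports=3):
    """Sources that attempted connections to at least min_ports distinct ports."""
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize_sources(SAMPLE_LOG.splitlines())
    for src in likely_scanners(summary):
        e = summary[src]
        print(f"{src}: {e['probes']} SYNs to ports {sorted(e['ports'])}, TTLs {sorted(e['ttls'])}")
```

Run on the lines above it reports 85.190.0.3 sending six SYNs to five distinct ports. On the closing question: DST=192.168.1.2 is a private address, so whatever NAT device sits in front of eth0 is passing these ports through to this host (a port forward, DMZ or similar), and that is worth checking before adding a block rule; a default-deny INPUT policy with a stateful allow for established connections then covers every port rather than one address.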