[CLUE-Tech] MASSIVE UDP packets?
Jeffery Cann
jccann at home.com
Wed Sep 19 22:21:14 MDT 2001
Greetings.
My Slack box has been a bit sluggish, so I examined my
/var/log/messages and was a bit surprised to see it over 100 MB.
I had recently changed my ipchains rules to deny most of the @home
network (24.0.0.0). Previously, the following rule was not in my
firewall set up script:
ipchains -A input -l -s 24.0.0.0/8 -d 24.6.xxx.xxx/255.0.0.0 -j DENY
I added another input rule to accept my particular box (24.6.xxx.xxx):
ipchains -A input -l -s 24.6.231.152/8 -d 24.6.xxx.xxx/255.0.0.0 -j ACCEPT
This second rule has (had) the -l flag to log packets. Without the
second rule (and first rule to DENY all 24.0.0.0 network), my server is
cut off from the net. This makes sense because it would cut off access
to DNS.
The results after one month are that about 85% of the logged packets
are UDP (PROTO=17).
745756 packet logs
647544 were requests for UDP (PROTO=17)
93127 were requests for TCP/IP (PROTO=6)
745329 received the ACCEPT rule
Here is a sample log entry:
Sep 19 21:13:51 jumanji kernel: Packet log: input ACCEPT eth0 PROTO=17
24.1.8.14:121 24.1.15.255:121 L=50 S=0x00 I=61766 F=0x0000 T=30 (#12)
My questions are many:
1. What is happening to the accepted packets?
2. Should I worry about this or is it a matter of turning off logging
for the new input rule? (I did turn off logging for now to keep my
syslog from using all file space)
3. While I was writing this email, it occurred to me that this may be
a simple matter of 'normal' network traffic because I know that UDP
packets are broadcast. Is this the case?
4. Are there other anomalies that could explain the observations?
Thanks
Jeff
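As an added example (not part of Jeff's post), a small Python parser for the ipchains "Packet log:" format quoted above: it tallies packets by protocol and by rule target the way the counts in the post were derived, and checks which source addresses an ipchains -s spec actually matches once its mask is applied. The first sample line is the one from the post; the remaining lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log:" format. Line 1 is the entry
# quoted in the post; lines 2-4 are made up to exercise the tallies.
SAMPLE_LOG = """\
Sep 19 21:13:51 jumanji kernel: Packet log: input ACCEPT eth0 PROTO=17 24.1.8.14:121 24.1.15.255:121 L=50 S=0x00 I=61766 F=0x0000 T=30 (#12)
Sep 19 21:13:52 jumanji kernel: Packet log: input ACCEPT eth0 PROTO=17 24.1.8.20:137 24.1.15.255:137 L=78 S=0x00 I=61767 F=0x0000 T=30 (#12)
Sep 19 21:13:53 jumanji kernel: Packet log: input ACCEPT eth0 PROTO=6 24.6.200.9:2212 24.6.231.152:22 L=60 S=0x00 I=61768 F=0x4000 T=64 (#12)
Sep 19 21:13:54 jumanji kernel: Packet log: input DENY eth0 PROTO=17 24.9.3.3:53 24.6.231.152:1027 L=60 S=0x00 I=61769 F=0x0000 T=30 (#11)
"""

# Fields as ipchains writes them: chain, target, interface, PROTO=, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(text):
    """Yield one dict per 'Packet log:' line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def rule_matches(addr, spec):
    """True if addr is covered by an ipchains -s/-d spec such as '24.6.231.152/8'.
    strict=False applies the mask first, so a /8 on a host address becomes 24.0.0.0/8."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def summarize(text, accept_src_spec):
    """Count packets per PROTO and per target, and count packets whose source the
    ACCEPT spec matches but whose destination is a subnet broadcast (x.x.x.255)."""
    stats = Counter()
    for p in parse(text):
        stats["proto=" + p["proto"]] += 1
        stats["target=" + p["target"]] += 1
        if rule_matches(p["src"], accept_src_spec) and p["dst"].endswith(".255"):
            stats["matched_spec_and_broadcast"] += 1
    return stats
```

Running `summarize(SAMPLE_LOG, "24.6.231.152/8")` versus `"24.6.231.152/32"` shows the difference the mask makes: the /8 spec covers every source in 24.0.0.0/8, the /32 only the one host.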