 From:  sai <sonicsai at gmail dot com>
 To:  "Baity Fish" <holycarp00 at hotmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Beta 1.3b1 Unusual Firewall Log Entries Since Upgrade
 Date:  Tue, 19 Dec 2006 10:51:56 +0500
On 12/19/06, Baity Fish <holycarp00 at hotmail dot com> wrote:
> >your ISP should not be sending packets like that to you. very strange.
>
> It continues today as well, consuming most of the log.  I thought to do a
> tracert and found it to be like you said, from my ISP, Time Warner Cable:
>
> Tracing route to 172.21.110.70 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  MY-GATEWAY-IP [192.168.X.X]
>   2     6 ms     6 ms    11 ms  10.245.112.1
>   3     6 ms     *        6 ms  gig2-2.lkwdca1-rtr1.socal.rr.com
> [76.166.2.96]
>   4     7 ms     *        *     tge7-1.cyprca1-rtr1.socal.rr.com
> [76.166.1.37]
>   5     8 ms     *        6 ms  tge8-1.cyprca1-rtr3.socal.rr.com
> [76.166.1.39]
>   6     8 ms     *        5 ms  tge1-1.cyprca1-rtr4.socal.rr.com
> [76.166.2.178]
>   7    26 ms    12 ms    16 ms  tge2-3-0.TUSTCA1-RTR1.socal.rr.com
> [66.75.161.205]
>   8    13 ms    13 ms    13 ms  POS4-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.193]
>   9    17 ms    17 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 10    12 ms    13 ms    14 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 11    18 ms    17 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 12    20 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 13    16 ms    18 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 14    13 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 15    17 ms    17 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 16    13 ms    14 ms    15 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 17    18 ms    18 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 18    16 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 19    18 ms    19 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 20    13 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 21    18 ms    17 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 22    14 ms    14 ms    14 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 23    17 ms    18 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 24    13 ms    13 ms    14 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 25    18 ms    17 ms    18 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 26    16 ms    13 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 27    16 ms    17 ms    20 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 28    13 ms    15 ms    13 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
> 29    17 ms    17 ms    17 ms  POS14-0.ORNGCA4-GSR2.socal.rr.com
> [66.75.161.162]
> 30    14 ms    14 ms    15 ms  POS14-0.ORNGCA4-GSR1.socal.rr.com
> [66.75.161.161]
>
> Trace complete.
>
> >I would suspect that you are only taking a close look at the logs
> >because of the updates and would have missed these entries otherwise.
>
> True, but the timing was just good enough to fool me.  It's possible that
> there were some of these previously, few enough that I missed them on a
> random look-see, but now they're hard to miss, taking up 87% of the last
> nine hours/1000 firewall log entries.
>
> Maybe Time Warner is probing for something?  I need to get my syslog server
> back up.  Thanks for the help.
>
>
>

That looks like a loop. Maybe your ISP has a misconfig there.

sai
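
A forwarding loop like the one sai points out shows up in a trace as the same router addresses repeating until the hop limit is reached. The following is an added example, not part of the original thread, that parses Windows tracert output and reports the repeating cycle; the sample trace is constructed and shortened, and `parse_hops` and `find_loop` are hypothetical helper names.

```python
import re

# Constructed, shortened tracert output shaped like the trace quoted above:
# "> " reply quoting, with the bracketed address wrapped onto its own line.
SAMPLE = """\
> Tracing route to 172.21.110.70 over a maximum of 30 hops
>   1    <1 ms    <1 ms    <1 ms  gw.example [192.168.0.1]
>   2     *        *        *     Request timed out.
>   3    17 ms    17 ms    17 ms  gsr2.isp.example
> [66.75.161.162]
>   4    12 ms    13 ms    14 ms  gsr1.isp.example
> [66.75.161.161]
>   5    18 ms    17 ms    17 ms  gsr2.isp.example
> [66.75.161.162]
>   6    20 ms    13 ms    13 ms  gsr1.isp.example
> [66.75.161.161]
>   7    16 ms    18 ms    17 ms  gsr2.isp.example
> [66.75.161.162]
>   8    13 ms    13 ms    13 ms  gsr1.isp.example
> [66.75.161.161]
"""

HOP = re.compile(r"^\s*\d+\s+(.*)$")               # a line that starts with a hop number
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_hops(text):
    """Return hop addresses in order; None where no router answered."""
    hops = []
    for line in text.splitlines():
        line = line.lstrip("> ")                   # drop reply quoting and indent
        m = HOP.match(line)
        if m:
            ips = IPV4.findall(m.group(1))
            hops.append(ips[-1] if ips else None)
        elif hops and hops[-1] is None and line.startswith("["):
            hops[-1] = (IPV4.findall(line) or [None])[0]   # wrapped address line
    return hops

def find_loop(hops, min_repeats=3):
    """Return (first looping hop number, cycle) if the trace ends in a repeating cycle."""
    for start in range(len(hops)):
        tail = hops[start:]
        if None in tail:                           # unanswered hops cannot be matched
            continue
        for period in range(1, len(tail) // min_repeats + 1):
            if all(a == tail[i % period] for i, a in enumerate(tail)):
                return start + 1, tail[:period]
    return None
```
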