Very Weird TCP traffic coming from my Box


Steve Scrimpshire
I was surfing along minding my own business when I saw my modem_lights applet turn almost pure green. It stayed that way even when I closed all browser windows. I fired up iptraf to show you what I mean:

              Total      Total    Incoming   Incoming    Outgoing   Outgoing
            Packets      Bytes     Packets      Bytes     Packets      Bytes
Total:         3225    1627855        1682     249325        1543    1378530
IP:            3225    1627855        1682     249325        1543    1378530
TCP:           3205    1625850        1667     247664        1538    1378186
UDP:             18       1837          14       1577           4        260
ICMP:             2        168           1         84           1         84
Other IP:         0          0           0          0           0          0
Non-IP:           0          0           0          0           0          0

Elapsed time:   0:05


After disconnecting and reconnecting, it stopped. Here is my /etc/Bastille/bastille-firewall.cfg (with comments removed):

DNS_SERVERS="192.168.0.1/255.255.255.255"

TRUSTED_IFACES="lo eth"

PUBLIC_IFACES="ppp+ slip+"

INTERNAL_IFACES=""

TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"

UDP_AUDIT_SERVICES="31337"

ICMP_AUDIT_TYPES=""

TCP_PUBLIC_SERVICES=""

UDP_PUBLIC_SERVICES=""

TCP_INTERNAL_SERVICES="80 samba"

UDP_INTERNAL_SERVICES=""

FORCE_PASV_FTP="Y"

TCP_BLOCKED_SERVICES="2049 2065:2090 6000:6020 7100"

UDP_BLOCKED_SERVICES="2049 6770"

ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"

ENABLE_SRC_ADDR_VERIFY="Y"

IP_MASQ_NETWORK="192.168.0.0/255.255.255.0"

IP_MASQ_MODULES="ftp irc"

REJECT_METHOD="DENY"

DHCP_IFACES=""

NTP_SERVERS=""

ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"

LOG_FAILURES="N"    # do not log blocked packets

IPTABLES_LOG_LEVEL="1"    # define the log level for audited

ALLOW_FRAGMENTS="Y"    # old behavior

DROP_SMB_NAT_BCAST="Y"  # drop those packets

 

Note, I even killed dhcpd in case it was my Windows box sending stuff out and it still kept going. Any ideas (or do I need to post some more info? I have no idea where to look....netstat didn't show anything suspicious)?


Do you get assigned a dynamic IP or a static one by your ISP?

 

I have sometimes connected and the receive has been flooded, disconnected, reconnected, which gets me a new IP, and no problem.

 

I guess to know more you would have to dissect the packets and find out what they contain, which is beyond me. Though it is an interesting topic.


A dynamic IP, but green is 'outgoing' in modem_lights, is it not? There coulda been red hidden behind there, but iptraf didn't show near as much incoming as outgoing, and what is my computer doing responding to anything like that? And also note that it didn't start near the beginning of my connection. I know dissecting the packets would be the key, but I don't know how to do that either. I think I have pppd running in debug mode, which should give me detailed info like that, but I don't know how to read it.

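The two posts above agree that dissecting the packets is the key but neither says how. The script below is an added example, not code from this thread: it reads lines shaped like the quiet output of `tcpdump -nn -q -i ppp0` (the sample here is constructed, and 10.20.30.40 is an assumed stand-in for the PPP address) and breaks the iptraf totals down per remote host and port, split into what the box sent and what it received.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): lines shaped like the quiet
# TCP output of `tcpdump -nn -q -i ppp0`, timestamps omitted.
# 10.20.30.40 stands in for the box's dynamic PPP address.
SAMPLE_CAPTURE = """\
IP 10.20.30.40.1045 > 198.51.100.7.80: tcp 1460
IP 198.51.100.7.80 > 10.20.30.40.1045: tcp 0
IP 10.20.30.40.1045 > 198.51.100.7.80: tcp 1460
IP 10.20.30.40.1046 > 203.0.113.9.6667: tcp 48
IP 203.0.113.9.6667 > 10.20.30.40.1046: tcp 120
IP 10.20.30.40.1045 > 198.51.100.7.80: tcp 1460
IP 10.20.30.40.1047 > 192.168.0.1.53: UDP, length 38
"""

# One TCP segment: "src.port > dst.port: tcp <payload length>"
TCP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp (\d+)")

def summarize(capture_text, local_ip):
    """Per remote (ip, port): TCP packets and payload bytes in each direction.
    Non-TCP lines and packets not involving local_ip are skipped."""
    stats = defaultdict(lambda: {"out_pkts": 0, "out_bytes": 0,
                                 "in_pkts": 0, "in_bytes": 0})
    for line in capture_text.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, length = m.groups()
        if src == local_ip:        # this box is sending
            key, way = (dst, int(dport)), "out"
        elif dst == local_ip:      # this box is receiving
            key, way = (src, int(sport)), "in"
        else:
            continue               # neither side is this box
        stats[key][way + "_pkts"] += 1
        stats[key][way + "_bytes"] += int(length)
    return dict(stats)

def top_talkers(stats, n=5):
    """Remote endpoints ranked by bytes this box sent to them, biggest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["out_bytes"], reverse=True)[:n]

if __name__ == "__main__":
    for (ip, port), s in top_talkers(summarize(SAMPLE_CAPTURE, "10.20.30.40")):
        print(f"{ip}:{port:<5} out {s['out_pkts']:>3} pkts/{s['out_bytes']:>6} B"
              f"  in {s['in_pkts']:>3} pkts/{s['in_bytes']:>6} B")
```

On a live box, save the tcpdump output to a file and pass its text to summarize() with the address pppd was assigned; a peer that receives thousands of large segments while sending almost nothing back is the conversation to look at, and netstat -tnp taken at the same moment tells you which local process owns that port.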

A dynamic IP, but green is 'outgoing' in modem_lights, is it not? There coulda been red hidden behind there, but iptraf didn't show near as much incoming as outgoing, and what is my computer doing responding to anything like that? And also note that it didn't start near the beginning of my connection. I know dissecting the packets would be the key, but I don't know how to do that either. I think I have pppd running in debug mode, which should give me detailed info like that, but I don't know how to read it.

 

Whoops, wasn't thinking :oops: , btw my router's traffic lights are all green.
