SLUG Mailing List Archives
[SLUG] Post scanning inside NAT
- To: SLUG <slug@xxxxxxxxxxx>
- Subject: [SLUG] Post scanning inside NAT
- From: Rick Welykochy <rick@xxxxxxxxxxxxx>
- Date: Wed, 12 Aug 2009 17:23:23 +1000
I thought I understood the mechanics of NAT. My modem blocks all incoming
requests to my 192.168.0.* internal network, save a few port forwards, i.e.
about five ports are open.
During an idle period today I noticed annoying but consistent
traffic of about 100 bytes/sec. Why?
tcpdump reveals that my local machine on 192.168.0.27 is responding to
what seems to be a port scan from Germany (188.8.131.52) ...
17:20:28.677718 IP 192.168.0.27.52262 > 184.108.40.206.80: . ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
17:20:28.677842 IP 192.168.0.27.52262 > 220.127.116.11.80: P 1:607(606) ack 1 win 65535 <nop,nop,timestamp 1078011251 3938531074>
17:20:29.045173 IP 18.104.22.168.80 > 192.168.0.27.52262: . ack 607 win 55 <nop,nop,timestamp 3938531166 1078011251>
17:20:29.055137 IP 22.214.171.124.80 > 192.168.0.27.52262: P 1:306(305) ack 607 win 55 <nop,nop,timestamp 3938531167 1078011251>
Their egress port is always 80 (suspicious in itself) and
my ingress port is climbing through all numbers, serially.
My possible misunderstanding of NAT is that my local machine
on .27 should not even be seeing this traffic since it *should*
be blocked at the modem/router.
Is it me or is it the modem that is wrong?
Rick Welykochy || Praxis Services
Beware of he who would deny you information,
for in his mind he dreams of being your master.
-- message on a computer game
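
One way to check which end opened each TCP flow in a capture like the one above, added here as an example and not part of the original message: it parses tcpdump's one-line text output, uses the SYN when one was captured, and otherwise falls back to a port-number heuristic. The function name, the 203.0.113.x and 198.51.100.x addresses and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# One-line tcpdump text format as in the post:
#   time IP src.port > dst.port: flags [seq:end(len)] [ack N] win ...
PKT = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\S+)(?: \d+:\d+\((\d+)\))?(.*)$"
)

def likely_initiators(lines, local_net="192.168.0.0/24"):
    """Per flow: payload bytes each way and which end probably opened it."""
    net = ipaddress.ip_network(local_net)
    flows = {}
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags, length, rest = m.groups()
        src_local = ipaddress.ip_address(src) in net
        if src_local == (ipaddress.ip_address(dst) in net):
            continue  # neither or both ends on the LAN: not a NAT crossing
        a, b = (src, int(sport)), (dst, int(dport))
        key = (a, b) if src_local else (b, a)  # always (local, remote)
        f = flows.setdefault(key, {"out": 0, "in": 0,
                                   "initiator": "unknown", "evidence": "none"})
        f["out" if src_local else "in"] += int(length or 0)
        if "S" in flags:
            # A bare SYN comes from the opener; a SYN with "ack" is the reply.
            sender_opened = " ack " not in rest
            f["initiator"] = "local" if src_local == sender_opened else "remote"
            f["evidence"] = "handshake"
    for (local, remote), f in flows.items():
        if f["evidence"] == "none" and (local[1] < 1024) != (remote[1] < 1024):
            # Heuristic only: the end on a well-known port is usually the server.
            f["initiator"] = "local" if remote[1] < 1024 else "remote"
            f["evidence"] = "ports"
    return flows

# Constructed sample lines (documentation addresses, not from the post).
SAMPLE = """\
17:20:28.677842 IP 192.168.0.27.52262 > 203.0.113.10.80: P 1:607(606) ack 1 win 65535
17:20:29.055137 IP 203.0.113.10.80 > 192.168.0.27.52262: P 1:306(305) ack 607 win 55
17:21:02.100000 IP 198.51.100.7.40112 > 192.168.0.27.22: S 900:900(0) win 5840
17:21:02.100300 IP 192.168.0.27.22 > 198.51.100.7.40112: S 100:100(0) ack 901 win 65535
""".splitlines()

if __name__ == "__main__":
    for (local, remote), info in likely_initiators(SAMPLE).items():
        print(local, remote, info)
```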