Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Post scanning inside NAT


Zhasper wrote:

> Visiting http://62.67.50.112/ gives me a Rapidshare.com page.
>
> Does your modem, or the machine in question, let you run tcpdump/ngrep/some other packet inspection thingy to have a look in more detail inside the packets?
>
> Also, there's nothing in what you posted to suggest that the internal machine was responding to the external machine - the port numbers suggest that it was the internal machine that initiated the connection.
>
> If you could catch the three-way handshake at the start of the connection (syn/syn-ack/ack), we could tell for sure which was opening the connection.

Further investigation proves you are correct. For some reason, this
machine was initiating a connection to 62.67.50.112 on port 80 every
couple of seconds.

I played with tcpdump some more and found that even something as
innocuous as grabbing Java docs from Sun resulted in an annoying
flurry of repeated ("reload page?") activity from ad servers and the
like.

NAT is vindicated and I was at fault, interpreting the tcpdump as
an incoming scan.

I've rebooted to see what the traffic is like (the machine had been
up for weeks). And now there is only local traffic for WiFi discovery
and a bit of SMB crap.

I think I'll leave tcpdump alone, otherwise I'll go mad. It goes to show
that there is a lot of traffic occurring that one is not even aware of.


thanks,
rickw




--
_________________________________
Rick Welykochy || Praxis Services

Beware of he who would deny you information,
for in his mind he dreams of being your master.
     -- message on a computer game
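A worked example of the check Zhasper describes above, added here and not part of the original thread: the port numbers give a hint about who opened a connection, but a captured SYN (without ACK) is the proof. The script parses the text tcpdump prints with -n; the sample capture lines, the internal addresses, the extra port numbers and the 1024 ephemeral cut-off are constructed for illustration (only 62.67.50.112 and port 80 come from the thread).

```python
import re
from collections import defaultdict

# Matches the summary line tcpdump prints for an IPv4 TCP segment when run
# with -n (numeric addresses), e.g.
#   12:00:01.000000 IP 192.168.1.5.51234 > 62.67.50.112.80: Flags [S], seq 1, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Ports at or above this are treated as client-side (ephemeral) ports in the
# fallback heuristic. Assumed cut-off for illustration; real stacks differ.
EPHEMERAL_START = 1024

# Constructed sample capture (not from the original post). Flow 1 is a full
# handshake from an internal host to the address in the thread; flow 2 was
# captured mid-stream, so only the port heuristic can place it; flow 3 has
# two high ports and cannot be classified without the handshake.
SAMPLE_CAPTURE = [
    "12:00:01.000000 IP 192.168.1.5.51234 > 62.67.50.112.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.020000 IP 62.67.50.112.80 > 192.168.1.5.51234: Flags [S.], seq 100, ack 2, win 65535, length 0",
    "12:00:01.020100 IP 192.168.1.5.51234 > 62.67.50.112.80: Flags [.], ack 101, win 65535, length 0",
    "12:00:05.000000 IP 62.67.50.112.80 > 192.168.1.5.51300: Flags [P.], seq 1:101, ack 1, win 65535, length 100",
    "12:00:06.000000 IP 10.0.0.9.40000 > 10.0.0.7.50000: Flags [P.], seq 1:11, ack 1, win 1000, length 10",
]


def parse_line(line):
    """Parse one tcpdump line into a dict, or None for non-TCP/unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation group together."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def classify_flows(lines):
    """Map each flow to (initiator, responder, evidence).

    evidence is "syn" when a bare SYN was seen, "port-heuristic" when only the
    ephemeral/well-known port split could be used, and "unknown" otherwise.
    """
    by_flow = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            by_flow[flow_key(pkt)].append(pkt)

    result = {}
    for key, pkts in by_flow.items():
        # Definitive: only the initiator sends SYN without ACK. tcpdump shows
        # that as "[S]"; the responder's SYN-ACK is "[S.]".
        syn = next((p for p in pkts if p["flags"] == "S"), None)
        if syn is not None:
            result[key] = ((syn["src"], syn["sport"]), (syn["dst"], syn["dport"]), "syn")
            continue
        # Fallback: the side on the ephemeral port is most likely the client.
        # This is what the port numbers in the thread suggested; it is a
        # heuristic, not proof, hence the separate evidence label.
        p = pkts[0]
        src, dst = (p["src"], p["sport"]), (p["dst"], p["dport"])
        if p["sport"] >= EPHEMERAL_START and p["dport"] < EPHEMERAL_START:
            result[key] = (src, dst, "port-heuristic")
        elif p["dport"] >= EPHEMERAL_START and p["sport"] < EPHEMERAL_START:
            result[key] = (dst, src, "port-heuristic")
        else:
            result[key] = (None, None, "unknown")
    return result


if __name__ == "__main__":
    for key, (ini, resp, how) in classify_flows(SAMPLE_CAPTURE).items():
        print(f"{key}: initiator={ini} responder={resp} ({how})")
```

To catch only the opening SYNs on a live box instead of wading through everything, the standard tcpdump filter is `tcpdump -ni eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`: the source address on each matching line is the side opening the connection. Behind a NAT router that is not forwarding ports, an unsolicited inbound SYN should never reach the inside host at all, so an inside source on those lines is the expected outcome, as it turned out to be in this thread. The port heuristic is kept separate because it fails for services on high ports and for anything captured without the handshake.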