SLUG Mailing List Archives
Re: [SLUG] Post scanning inside NAT
- To: Zhasper <zhasper@xxxxxxxxx>
- Subject: Re: [SLUG] Post scanning inside NAT
- From: Rick Welykochy <rick@xxxxxxxxxxxxx>
- Date: Wed, 12 Aug 2009 19:01:45 +1000
- Cc: SLUG <slug@xxxxxxxxxxx>
- User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:18.104.22.168) Gecko/20090605 SeaMonkey/1.1.17
Visiting http://22.214.171.124/ <http://126.96.36.199/> gives me a
Does your modem, or the machine in question, let you run
tcpdump/ngrep/some other packet inspection thingy to have a look in more
detail inside the packets?
Also, there's nothing in what you posted to suggest that the internal
machine was responding to the external machine - the port numbers
suggest that it was the internal machine that initiated the connection.
If you could catch the three-way handshake at the start of the
connection (syn/syn-ack/ack), we could tell for sure which was opening
Further investigation proves you are correct. For some reason, this
machine was initiating a connection to 188.8.131.52 on port 80 every
couple of seconds.
I played with tcpdump some more and found that even something as
innocuous as grabbing Java docs from Sun resulted in an annoying
flurry of repeated ("reload page?") activity from ad servers and the
NAT is vindicated and I was at fault, interpreting the tcpdump as
an incoming scan.
I've rebooted to see what the traffic is like (the machine had been
up for weeks). And now there is only local traffic for WiFi discovery
and a bit of SMB crap.
I think I'll leave tcpdump alone otherwise I'll go mad. It goes to show
that there is a lot of traffic occurring that one is not even aware of.
Rick Welykochy || Praxis Services
Beware of he who would deny you information,
for in his mind he dreams of being your master.
-- message on a computer game