[clug] what do I do if I'm being hit by a foreign server?
Daniel Rose
drose at dtlm.homelinux.net
Sun Oct 17 15:08:32 MDT 2010
On 17/10/10 18:10, Paul wrote:
> I found my Billion router was continually rebooting this morning and
> after a while I decided to switch my connection over to my Fedora
> router, i.e. use my Fedora box to act as an internet gateway.
> I noticed a large number of packets from 208.115.222.75 hitting port
> 5060, e.g. 40,000 in about 30 mins, so I manually added a rule to just
> drop the packet without logging
> e.g.
> iptables -I INPUT 1 -i ppp0 -s 208.115.222.75 -j DROP
>
> Log output
> Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC=
> SRC=208.115.222.75 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47
> ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
>
>
> So is this all I can do, or should I use whois to send an "abuse"
> email to the ISP etc., or do I let my ISP do that?
>
> PS now I know Linux is a better router!
>
> thanks
> Paul

In my limited experience, the chances are that they've been hijacked by
someone else and the legitimate owner is unaware.

Since the website seems fairly neglected, you could email the hosting
company, but personally I'd move on; if your router is working, be
happy. 'Backscatter' like this is so common you could have a full-time
job just filing abuse reports for errant packets. Also consider whether
it's useful (to you) to log them or not; often it's just a waste of
resources.

I don't think that you've been targeted specifically; it's more likely
that someone's trying to find a peer-to-peer client that used to have
your (non-static?) address recently, or something boring like that.
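
Added example, not part of the original thread: a short Python tally of kernel firewall log lines in the format Paul quoted, grouped by source address, protocol and destination port, which shows how much of the log a single sender accounts for before deciding whether to keep logging it. The sample lines are constructed; the DST value and the second source are documentation addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the kernel LOG format quoted in the post. The DST and
# the 203.0.113.9 source are documentation addresses, not values from the thread.
SAMPLE_LOG = """\
Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=208.115.222.75 DST=198.51.100.20 LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=208.115.222.75 DST=198.51.100.20 LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:12:02 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 17:12:02 mythbox pppd[812]: rcvd [LCP EchoRep id=0x1]
Oct 17 17:12:03 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=208.115.222.75 DST=198.51.100.20 LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5086 DPT=5060 LEN=388
"""

# KEY=value pairs; the value may be empty (OUT=, MAC=). Bare flags such as
# DF or SYN carry no "=" and are skipped.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one firewall log line, or None."""
    if "kernel:" not in line or "SRC=" not in line:
        return None  # not a packet log entry
    fields = {}
    for key, value in FIELD.findall(line.split("kernel:", 1)[1]):
        # LEN appears twice on UDP lines: keep the first (IP total length).
        fields.setdefault(key, value)
    return fields


def top_talkers(log_text, min_packets=2):
    """Count logged packets per (source, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("PROTO") in ("UDP", "TCP") and "DPT" in f:
            counts[(f["SRC"], f["PROTO"], int(f["DPT"]))] += 1
    # Sources below the threshold are ordinary background noise.
    return [(key, n) for key, n in counts.most_common() if n >= min_packets]


if __name__ == "__main__":
    for (src, proto, dport), n in top_talkers(SAMPLE_LOG):
        print(f"{n:6d} packets  {src} -> {proto}/{dport}")
```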