[clug] what do I do if I'm being hit by a foreign server?

Daniel Rose drose at dtlm.homelinux.net
Sun Oct 17 15:08:32 MDT 2010

  On 17/10/10 18:10, Paul wrote:
> I found my Billion router was continually rebooting this morning and 
> after a while I decided to switch my connection over to my Fedora 
> router ie use my Fedora box to act as a internet gateway.
> I noticed a large number of packets from hitting port 
> 5060 eg 40,000 in about 30 mins, so I manually added a rule to just 
> drop the packet without loggging
> eg
> iptables  -I INPUT 1 -i ppp0 -s -j DROP
> Log output
> Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= 
> SRC= DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 
> ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
> So is this all I can do, or should I use whois to send an "abuse" 
> email to the ISP etc.. or do I let my ISP do that?
> PS now I know Linux is a better router!
> thanks
> Paul
In my limited experience, the chances are that they've been hijacked by 
someone else and the legitimate owner is unaware.

Since the website seems fairly neglected, you could email the hosting 
company, but personally I'd move on; if your router is working, be 
happy.  'Backscatter' like this is so common you could have a full-time 
job just filing abuse reports for errant packets.  Also consider whether 
it's useful (to you) to log them or not, often it's just a waste of 

I don't think that you've been targeted specifically, it's more likely 
that someone's trying to find a peer-to-peer client that used to have 
your (non-static?) address recently, or something boring like that.

More information about the linux mailing list