
Help me block parasitic traffic

Hello, colleagues. The problem is unexplained traffic with destination addresses 212.83.51.252 and 212.83.51.254. Neither of them is the address of my server. Strangest of all, in iptables the traffic does not pass through any of the chains. In tcpdump it looks like this:

tcpdump -i eth0 -nn dst 212.83.51.252

20:23:17.359029 IP 36.76.67.120.53719 > 212.83.51.252.80: Flags [.], seq 13163:14611, ack 1, win 1040, options [nop,nop,TS val 2505157318 ecr 41344164], length 1448
20:23:17.359032 IP 36.76.67.120.53719 > 212.83.51.252.80: Flags [.], seq 14611:16059, ack 1, win 1040, options [nop,nop,TS val 2505157318 ecr 41344164], length 1448
20:23:17.359035 IP 36.76.67.120.53719 > 212.83.51.252.80: Flags [.], seq 16059:16189, ack 1, win 1040, options [nop,nop,TS val 2505157318 ecr 41344164], length 130
20:23:17.401458 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514018 ecr 41344117,nop,nop,sack 2 {8209:13681}{1369:6841}], length 0
20:23:17.401461 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514018 ecr 41344117,nop,nop,sack 2 {8209:15049}{1369:6841}], length 0
20:23:17.404584 IP 82.142.168.44.55164 > 212.83.51.252.80: Flags [.], seq 2389267292:2389267293, ack 2478555437, win 16652, length 1
20:23:17.413983 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514028 ecr 41344117,nop,nop,sack 2 {8209:16417}{1369:6841}], length 0
20:23:17.414290 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514038 ecr 41344117,nop,nop,sack 2 {8209:17785}{1369:6841}], length 0
20:23:17.414608 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514038 ecr 41344117,nop,nop,sack 2 {8209:19153}{1369:6841}], length 0
20:23:17.426828 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514048 ecr 41344117,nop,nop,sack 2 {8209:20521}{1369:6841}], length 0
20:23:17.427080 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514048 ecr 41344117,nop,nop,sack 2 {8209:21889}{1369:6841}], length 0
20:23:17.460463 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514078 ecr 41344117,nop,nop,sack 2 {8209:23257}{1369:6841}], length 0
20:23:17.460514 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514078 ecr 41344117,nop,nop,sack 2 {8209:24625}{1369:6841}], length 0
20:23:17.461548 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514078 ecr 41344117,nop,nop,sack 2 {8209:25993}{1369:6841}], length 0
20:23:17.461810 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514078 ecr 41344117,nop,nop,sack 2 {8209:27361}{1369:6841}], length 0
20:23:17.483380 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514098 ecr 41344117,nop,nop,sack 2 {8209:28729}{1369:6841}], length 0
20:23:17.483382 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514098 ecr 41344117,nop,nop,sack 2 {8209:30097}{1369:6841}], length 0
20:23:17.483472 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, options [nop,nop,TS val 306514098 ecr 41344117,nop,nop,sack 2 {8209:31465}{1369:6841}], length 0
20:23:17.516341 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 6841, win 59212, options [nop,nop,TS val 306514138 ecr 41344161,nop,nop,sack 1 {8209:31465}], length 0
20:23:17.516352 IP 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 6841, win 65535, options [nop,nop,TS val 306514138 ecr 41344161,nop,nop,sack 1 {8209:31465}], length 0
20:23:17.585187 IP 36.76.67.120.53719 > 212.83.51.252.80: Flags [.], seq 16189:17637, ack 1, win 1040, options [nop,nop,TS val 2505157548 ecr 41344187], length 1448
20:23:17.585195 IP 36.76.67.120.53719 > 212.83.51.252.80: Flags [.], seq 17637:19085, ack 1, win 1040, options [nop,nop,TS val 2505157548 ecr 41344187], length 1448
20:23:17.585200 IP 36.76.67.120.53719 > 212.83.51.252.80: Flags [.], seq 19085:19214, ack 1, win 1040, options [nop,nop,TS val 2505157548 ecr 41344187], length 129

Where should I dig?

And here is one more thing:

PING 212.83.51.252 (212.83.51.252) 56(84) bytes of data.
64 bytes from 212.83.51.252: icmp_seq=1 ttl=128 time=1.96 ms
64 bytes from 212.83.51.252: icmp_seq=1 ttl=128 time=1.97 ms (DUP!)
64 bytes from 212.83.51.252: icmp_seq=2 ttl=128 time=0.219 ms
64 bytes from 212.83.51.252: icmp_seq=2 ttl=128 time=0.370 ms (DUP!)


On the router, at the exit from your own network, check the src IP.

Everything that is not from your range of public ("white") networks: drop it.

Track the sources by MAC address and deal with the owners of those MACs.

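One way to do the MAC tracking suggested in the reply, and to answer the first post's "where to dig", as an added example that is not part of this thread: a Python script that parses `tcpdump -e -nn` output (the capture from the first post, but with the Ethernet header that `-e` adds) and lists, for every IP that appears as a local endpoint but is outside your own prefixes, which MACs sent frames from it and which MACs the gateway delivered frames to. The gateway MAC, the host MACs and the 203.0.113.0/24 prefix are constructed placeholders; only the IP addresses come from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape produced by `tcpdump -e -nn`: the Ethernet header that -e adds,
# then the "src.port > dst.port:" part seen in the capture quoted in the thread.
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+:"
)

def parse_frame(line):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for an IPv4 frame line, else None."""
    m = FRAME_RE.match(line)
    if m is None:
        return None
    return m["smac"], m["dmac"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])

def audit_foreign_ips(lines, own_prefixes, gateway_mac):
    """Map each IP used as a local endpoint but outside own_prefixes to the MACs that
    carried it. Frames from gateway_mac are inbound (local end = dst), frames to it
    are outbound (local end = src); anything else is host-to-host on the segment."""
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    found = defaultdict(lambda: {"sent_by": set(), "delivered_to": set()})
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue  # ARP, IPv6 or anything else the pattern does not match
        smac, dmac, src, dst = frame
        if smac != gateway_mac and not any(src in n for n in nets):
            found[str(src)]["sent_by"].add(smac)
        if dmac != gateway_mac and not any(dst in n for n in nets):
            found[str(dst)]["delivered_to"].add(dmac)
    return {ip: {k: sorted(v) for k, v in macs.items()} for ip, macs in found.items()}

# Constructed sample: MACs and the 203.0.113.0/24 prefix are placeholders,
# the IP addresses are the ones quoted in the thread.
GW = "00:00:5e:00:01:01"       # upstream router (constructed)
ME = "02:00:00:00:00:aa"       # this server's NIC (constructed)
UNKNOWN = "02:00:00:00:00:bb"  # another host on the same segment (constructed)
SAMPLE = [
    f"20:23:17.359029 {GW} > {UNKNOWN}, ethertype IPv4 (0x0800), length 1514: 36.76.67.120.53719 > 212.83.51.252.80: Flags [.], seq 13163:14611, ack 1, win 1040, length 1448",
    f"20:23:17.401458 {GW} > {ME}, ethertype IPv4 (0x0800), length 66: 190.216.116.206.7199 > 212.83.51.252.80: Flags [.], ack 1, win 65535, length 0",
    f"20:23:17.404584 {UNKNOWN} > {GW}, ethertype IPv4 (0x0800), length 66: 212.83.51.254.80 > 82.142.168.44.55164: Flags [.], ack 1, win 16652, length 0",
    f"20:23:17.413983 {GW} > {ME}, ethertype IPv4 (0x0800), length 66: 82.142.168.44.55164 > 203.0.113.10.80: Flags [.], ack 1, win 16652, length 0",
]

if __name__ == "__main__":
    for ip, macs in audit_foreign_ips(SAMPLE, ["203.0.113.0/24"], GW).items():
        print(ip, "sent by", macs["sent_by"], "delivered to", macs["delivered_to"])
```

The MACs in the report are what you take to the switch's MAC table to find the port, and the gateway MAC is the one `arp -n` shows for your default route.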
