Is this normal?

aatish910 Member
edited August 2012 in Help

I use Logwatch to get a daily log summary via email. Within the last few days, I have been noticing these:

Logged 4141 packets on interface eth0 
From 0.0.0.0 - 287 packets to udp(67) 
From xx.xx.xx.xx - 646 packets to udp(17500)
From xx.xx.xx.xx  - 842 packets to udp(17500)
From xx.xx.xx.xx  - 506 packets to udp(67,17500)
From xx.xx.xx.xx  - 1 packet to udp(67)
From xx.xx.xx.xx  - 413 packets to udp(17500)
From xx.xx.xx.xx  - 1 packet to udp(67)
From xx.xx.xx.xx  - 727 packets to udp(67,17500) 
-----Similar Lines but on different ports and only one packet per IP -----

Other lines are just for 1 packet to different ports. Seems like there is a massive number of packets to ports 17500 and 67.
Is this normal? And, why was there a packet from 0.0.0.0?

Comments

  • PacketVM Member, Host Rep
    edited August 2012

    Tip, use the pre tags :)

    Thanked by 1aatish910
  • No, it is not normal to log all UDP packets :) You are killing your server with all this logging.
    Port 67 is normal - it is DHCP. When you are in a shared segment and there are machines set up to get their IPs via DHCP - you will see a lot of these.

  • What about Port 17500?

  • According to Google it is some sort of Dropbox LAN client sync. Perhaps you are on a LAN with Windows boxes.

  • On a KVM VPS?

  • Yes, probably.

  • aatish910 Member
    edited August 2012

    IPs aren't from the same subnet but are from the same DC.

  • So they are running one big flat LAN. Asking for trouble.

    Thanked by 1klikli
  • Shouldn't Dropbox LAN sync be broadcasting only on a subnet on which it belongs?

    Thanked by 1klikli
  • Dude one gets 1000s of portscans every day. Just disable the annoying logwatch email and you'll be fine.

  • Do Portscanners generate that many packets to a single port to just check whether it is open or not?
    I am disabling the whole iptables logging thing.

  • prometeus Member, Host Rep

    @rds100 said: So they are running one big flat LAN. Asking for trouble.

    Or small subnets are routed to the node every time more IPs are needed ;)

  • @prometeus said: Or small subnets are routed to the node every time more IPs are needed ;)

    Yeah, that would be the far better approach :)

  • @aatish910 said: Do Portscanners generate that many packets to a single port to just check whether it is open or not?

    Sure, if you get portscanned 700 times a day and each portscanner tries the port one time.

  • It's getting 700 packets from 1 IP.

  • AlexBarakov Patron Provider, Veteran

    Now imagine your server gets targeted by UDP flood for a couple of hours. The log will be nicely filled.

    Thanked by 1klikli
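
An added example, not part of the thread or of Logwatch itself: a small Python triage of a Logwatch iptables summary in the format quoted in the first post, separating the LAN broadcast chatter the replies identify (DHCP on UDP 67, Dropbox LAN sync on UDP 17500) from entries that deserve a look. The sample addresses and the names `parse`, `triage` and `BROADCAST_NOISE` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Logwatch iptables summary format quoted in the
# thread; the addresses are documentation-range placeholders, not real hosts.
SAMPLE = """\
Logged 4141 packets on interface eth0
From 0.0.0.0 - 287 packets to udp(67)
From 192.0.2.10 - 646 packets to udp(17500)
From 192.0.2.11 - 506 packets to udp(67,17500)
From 192.0.2.12 - 1 packet to udp(67)
From 198.51.100.7 - 1 packet to tcp(22)
"""

# Labels taken from the replies in the thread (port 67 = DHCP, 17500 = Dropbox LAN sync).
BROADCAST_NOISE = {("udp", 67): "DHCP", ("udp", 17500): "Dropbox LAN sync"}

LINE = re.compile(r"^From (\S+)\s+- (\d+) packets? to (\w+)\(([\d,]+)\)\s*$")

def parse(summary):
    """Yield (source, packet_count, proto, [ports]) for each 'From' line."""
    for line in summary.splitlines():
        m = LINE.match(line.strip())
        if m:
            src, count, proto, ports = m.groups()
            yield src, int(count), proto, [int(p) for p in ports.split(",")]

def triage(summary):
    """Split logged packets into known LAN broadcast chatter and everything else."""
    noise = defaultdict(int)   # label -> packets
    other = []                 # (source, count, proto, ports) needing a look
    for src, count, proto, ports in parse(summary):
        labels = [BROADCAST_NOISE.get((proto, p)) for p in ports]
        if all(labels):
            noise["+".join(sorted(set(labels)))] += count
        else:
            other.append((src, count, proto, ports))
    return dict(noise), other

if __name__ == "__main__":
    noise, other = triage(SAMPLE)
    for label, packets in noise.items():
        print(f"{packets:6d} packets  {label} (broadcast chatter)")
    for src, count, proto, ports in other:
        print(f"{count:6d} packets  {src} -> {proto}{ports}  REVIEW")
```

Logwatch reports one combined count when a source hit several ports, so a line such as `udp(67,17500)` is kept as a single combined bucket rather than split per port.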