Dialup cruft

For those of us still back in the dark ages, using modems, one firewall issue is what I call "dialup cruft" -- you've just redialed, you've got a new dynamic IP address, and you've got *all* the leftover cruft meant for the person who just disconnected from that address.

Here's a really good example:

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb 25 11:34:16 greatwall pppd[8480]: pppd 2.4.0 started by root, uid 0
Feb 25 11:34:32 greatwall pppd[8480]: Serial connection established.
Feb 25 11:34:32 greatwall pppd[8480]: Using interface ppp0
Feb 25 11:34:32 greatwall pppd[8480]: Connect: ppp0 <--> /dev/modem
Feb 25 11:34:34 greatwall pppd[8480]: local  IP address 12.82.137.117
Feb 25 11:34:34 greatwall pppd[8480]: remote IP address 165.238.131.88
Feb 25 11:34:34 greatwall pppd[8480]: Script /etc/ppp/ip-up started (pid 8484)
Feb 25 11:34:35 greatwall kernel: device ppp0 entered promiscuous mode 
Feb 25 11:34:52 greatwall pppd[8480]: Script /etc/ppp/ip-up finished (pid 8484), status = 0x0
Feb 25 11:35:18 greatwall kernel: device ppp0 left promiscuous mode 

So I've dialed up...

...and here we go!

Feb 25 11:35:43 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1521
Feb 25 11:35:43 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1521 L=40 S=0x00 I=28663 F=0x4000 T=56 (#77) 

host: 63.215.124.47 - unknown.Level3.net

Feb 25 11:35:43 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1505
Feb 25 11:35:43 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1505 L=40 S=0x00 I=28666 F=0x4000 T=56 (#77) 

Feb 25 11:35:48 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1505
Feb 25 11:35:48 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1505 L=40 S=0x00 I=32358 F=0x4000 T=56 (#77) 

Feb 25 11:35:50 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1521
Feb 25 11:35:50 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1521 L=40 S=0x00 I=34292 F=0x4000 T=56 (#77) 

Feb 25 11:35:58 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1505
Feb 25 11:35:58 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1505 L=40 S=0x00 I=40788 F=0x4000 T=56 (#77) 


Feb 25 11:36:00 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 12.254.23.104:1314 -> 12.82.137.117:6346
Feb 25 11:36:00 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.254.23.104:1314 12.82.137.117:6346 L=48 S=0x00 I=4742 F=0x4000 T=118 SYN (#64)

Feb 25 11:36:03 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 12.254.23.104:1314 -> 12.82.137.117:6346
Feb 25 11:36:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.254.23.104:1314 12.82.137.117:6346 L=48 S=0x00 I=4754 F=0x4000 T=118 SYN (#64) 

host: 12.254.23.104 - 12-254-23-104.client.attbi.com

Feb 25 11:36:06 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1521
Feb 25 11:36:06 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1521 L=40 S=0x00 I=47317 F=0x4000 T=56 (#77) 


Feb 25 11:36:09 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 12.254.23.104:1314 -> 12.82.137.117:6346
Feb 25 11:36:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.254.23.104:1314 12.82.137.117:6346 L=48 S=0x00 I=4762 F=0x4000 T=118 SYN (#64) 

Speaking of Gnutella:

===============================================================================
Snort processed 1435 packets.
Breakdown by protocol:               Action Stats:

    TCP: 1435       (100.000%)        ALERTS: 0        
    UDP: 0          (0.000%)          LOGGED: 0        
   ICMP: 0          (0.000%)          PASSED: 0        
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

1435 packets received in total, in about 4 hours...

And of course, the real problem with a flood of dialup cruft is you can get a *real* probe hiding in the middle of it...


Feb 25 11:36:13 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP}
 212.210.177.7:4393 -> 12.82.137.117:111
Feb 25 11:36:13 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 212.210.177.7:4393 12.82.137.117:111 L=60 S=0x00 I=29825 F=0x4000 T=47 SYN (#64) 

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html 

inetnum:      212.210.177.0 - 212.210.177.255
netname:      ITCONSULTING
descr:        Fabbrica Digitale Srl
descr:        Internet Service Provider
country:      IT
source:       RIPE 

route:        212.210.0.0/16
descr:        INTERBUSINESS
origin:       AS3269
remarks:      Send report of network abuse/spam
remarks:      only to: abuse@interbusiness.it .
remarks:      If you report abuse to any other address
remarks:      you will get no response.
notify:       network@cgi.interbusiness.it
source:       RIPE



Feb 25 11:36:18 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1505
Feb 25 11:36:18 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1505 L=40 S=0x00 I=56718 F=0x4000 T=56 (#77) 

Feb 25 11:36:37 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1521
Feb 25 11:36:37 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1521 L=40 S=0x00 I=6606 F=0x4000 T=56 (#77) 

Feb 25 11:36:58 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1505
Feb 25 11:36:58 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1505 L=40 S=0x00 I=23396 F=0x4000 T=56 (#77) 

host: 63.215.124.47 - unknown.Level3.net

Feb 25 11:37:18 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 216.136.224.213:5050 -> 12.82.137.117:1442
Feb 25 11:37:18 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 216.136.224.213:5050 12.82.137.117:1442 L=40 S=0x00 I=10709 F=0x0000 T=50 (#77) 

host: 216.136.224.213 - cs21.msg.sc5.yahoo.com

Feb 25 11:37:25 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 64.4.12.121:1863 -> 12.82.137.117:1440
Feb 25 11:37:37 greatwall last message repeated 2 times
Feb 25 11:37:25 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 64.4.12.121:1863 12.82.137.117:1440 L=41 S=0x00 I=20417 F=0x0000 T=242 (#77) 
Feb 25 11:37:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 64.4.12.121:1863 12.82.137.117:1440 L=41 S=0x00 I=20418 F=0x0000 T=242 (#77) 
Feb 25 11:37:37 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 64.4.12.121:1863 12.82.137.117:1440 L=41 S=0x00 I=20419 F=0x0000 T=242 (#77) 

host: 64.4.12.121 - msgr-ns67.msgr.hotmail.com

Feb 25 11:37:38 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1521
Feb 25 11:37:38 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1521 L=40 S=0x00 I=52573 F=0x4000 T=56 (#77) 


Feb 25 11:37:50 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.162.180.161:2638 -> 12.82.137.117:6346
Feb 25 11:37:50 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.162.180.161:2638 12.82.137.117:6346 L=48 S=0x00 I=43224 F=0x4000 T=115 SYN (#64) 

Sprint (NETBLK-SPRINTLINK-2-BLKS)
 SPRINTLINK-2-BLKS 65.160.0.0 - 65.174.255.255
SMARTCOM TELEPHONE, LLC
 (NETBLK-FON-110118195273245) FON-110118195273245
 65.162.180.0 - 65.162.181.255

Feb 25 11:37:52 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 64.4.12.121:1863 -> 12.82.137.117:1440
Feb 25 11:37:52 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 64.4.12.121:1863 12.82.137.117:1440 L=41 S=0x00 I=20420 F=0x0000 T=242 (#77) 

host: 64.4.12.121 - msgr-ns67.msgr.hotmail.com

Feb 25 11:37:53 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.162.180.161:2638 -> 12.82.137.117:634
Feb 25 11:37:53 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.162.180.161:2638 12.82.137.117:6346 L=48 S=0x00 I=44248 F=0x4000 T=115 SYN (#64) 


Feb 25 11:37:56 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 12.253.89.52:3155 -> 12.82.137.117:6346
Feb 25 11:38:05 greatwall last message repeated 2 times
Feb 25 11:37:56 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.253.89.52:3155 12.82.137.117:6346 L=52 S=0x00 I=52806 F=0x4000 T=53 SYN (#64) 
Feb 25 11:37:59 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.253.89.52:3155 12.82.137.117:6346 L=52 S=0x00 I=52968 F=0x4000 T=53 SYN (#64) 
Feb 25 11:38:05 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.253.89.52:3155 12.82.137.117:6346 L=52 S=0x00 I=53342 F=0x4000 T=53 SYN (#64) 

host: 12.253.89.52 - 12-253-89-52.client.attbi.com

Feb 25 11:38:11 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.162.180.161:2638 -> 12.82.137.117:6346
Feb 25 11:38:11 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.162.180.161:2638 12.82.137.117:6346 L=48 S=0x00 I=2265 F=0x4000 T=115 SYN (#64) 


Feb 25 11:38:19 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1505
Feb 25 11:38:19 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1505 L=40 S=0x00 I=19400 F=0x4000 T=56 (#77) 

host: 63.215.124.47 - unknown.Level3.net

Feb 25 11:38:24 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 64.4.12.121:1863 -> 12.82.137.117:1440
Feb 25 11:38:24 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 64.4.12.121:1863 12.82.137.117:1440 L=41 S=0x00 I=20421 F=0x0000 T=242 (#77) 

host: 64.4.12.121 - msgr-ns67.msgr.hotmail.com

Feb 25 11:38:33 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 216.136.224.213:5050 -> 12.82.137.117:1442
Feb 25 11:38:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 216.136.224.213:5050 12.82.137.117:1442 L=40 S=0x00 I=64659 F=0x0000 T=50 (#77) 

host: 216.136.224.213 - cs21.msg.sc5.yahoo.com

Feb 25 11:38:42 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 172.183.2.219:1819 -> 12.82.137.117:6346
Feb 25 11:38:51 greatwall last message repeated 2 times
Feb 25 11:38:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.183.2.219:1819 12.82.137.117:6346 L=48 S=0x00 I=20798 F=0x4000 T=113 SYN (#64) 
Feb 25 11:38:45 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.183.2.219:1819 12.82.137.117:6346 L=48 S=0x00 I=25918 F=0x4000 T=113 SYN (#64) 
Feb 25 11:38:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.183.2.219:1819 12.82.137.117:6346 L=48 S=0x00 I=37438 F=0x4000 T=113 SYN (#64) 

host: 172.183.2.219 - ACB702DB.ipt.aol.com

Feb 25 11:39:03 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 172.183.2.219:1819 -> 12.82.137.117:6346
Feb 25 11:39:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.183.2.219:1819 12.82.137.117:6346 L=48 S=0x00 I=62782 F=0x4000 T=113 SYN (#64) 


Feb 25 11:39:24 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 64.4.12.121:1863 -> 12.82.137.117:1440
Feb 25 11:39:24 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 64.4.12.121:1863 12.82.137.117:1440 L=41 S=0x00 I=8025 F=0x0000 T=242 (#77) 

host: 64.4.12.121 - msgr-ns67.msgr.hotmail.com

Feb 25 11:39:33 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 199.250.19.179:3192 -> 12.82.137.117:6346
Feb 25 11:39:36 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 199.250.19.179:3192 -> 12.82.137.117:6346
Feb 25 11:39:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 199.250.19.179:3192 12.82.137.117:6346 L=48 S=0x00 I=26557 F=0x4000 T=110 SYN (#64) 
Feb 25 11:39:36 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 199.250.19.179:3192 12.82.137.117:6346 L=48 S=0x00 I=26593 F=0x4000 T=110 SYN (#64) 

State of Florida/Dept. of Management Services
 (NETBLK-FLADMS-CBLK)
   bldg 4050 esplanade way suite 115d
   Tallahassee, FL 32399-0950
   US    
Netname: FLADMS-CBLK
   Netblock: 199.250.16.0 - 199.250.31.255

Feb 25 11:39:38 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 63.215.124.47:80 -> 12.82.137.117:1521
Feb 25 11:39:38 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1521 L=40 S=0x00 I=15871 F=0x4000 T=56 (#77) 


Feb 25 11:39:42 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 199.250.19.179:3192 -> 12.82.137.117:6346
Feb 25 11:39:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 199.250.19.179:3192 12.82.137.117:6346 L=48 S=0x00 I=26651 F=0x4000 T=110 SYN (#64) 


Feb 25 11:39:48 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 216.136.224.213:5050 -> 12.82.137.117:1442
Feb 25 11:39:48 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 216.136.224.213:5050 12.82.137.117:1442 L=40 S=0x00 I=53043 F=0x0000 T=50 (#77) 

<snip>

Had enough, yet?

Notice it's now an hour and twenty minutes later...

<snip>


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb 25 12:59:15 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 172.160.219.251:2160 -> 12.82.137.117:6346
Feb 25 12:59:18 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 172.160.219.251:2160 -> 12.82.137.117:6346
Feb 25 12:59:15 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.160.219.251:2160 12.82.137.117:6346 L=48 S=0x00 I=9564 F=0x4000 T=111 SYN (#64) 
Feb 25 12:59:18 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.160.219.251:2160 12.82.137.117:6346 L=48 S=0x00 I=9569 F=0x4000 T=111 SYN (#64) 

host: 172.160.219.251 - ACA0DBFB.ipt.aol.com

Feb 25 12:59:23 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 24.44.239.248:1595 -> 12.82.137.117:6346
Feb 25 12:59:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 24.44.239.248:1595 12.82.137.117:6346 L=48 S=0x00 I=7293 F=0x4000 T=112 SYN (#64) 

host: 24.44.239.248 - ool-182ceff8.dyn.optonline.net

Feb 25 12:59:24 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 172.160.219.251:2160 -> 12.82.137.117:6346
Feb 25 12:59:24 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.160.219.251:2160 12.82.137.117:6346 L=48 S=0x00 I=9585 F=0x4000 T=111 SYN (#64) 


Feb 25 12:59:26 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 24.44.239.248:1595 -> 12.82.137.117:6346
Feb 25 12:59:32 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 24.44.239.248:1595 -> 12.82.137.117:6346
Feb 25 12:59:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 24.44.239.248:1595 12.82.137.117:6346 L=48 S=0x00 I=7350 F=0x4000 T=112 SYN (#64) 
Feb 25 12:59:32 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 24.44.239.248:1595 12.82.137.117:6346 L=48 S=0x00 I=7483 F=0x4000 T=112 SYN (#64) 


Feb 25 13:00:55 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 172.129.114.158:2070 -> 12.82.137.117:6346
Feb 25 13:01:04 greatwall last message repeated 2 times
Feb 25 13:00:55 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.129.114.158:2070 12.82.137.117:6346 L=48 S=0x00 I=17943 F=0x4000 T=112 SYN (#64) 
Feb 25 13:00:58 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.129.114.158:2070 12.82.137.117:6346 L=48 S=0x00 I=17964 F=0x4000 T=112 SYN (#64) 
Feb 25 13:01:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.129.114.158:2070 12.82.137.117:6346 L=48 S=0x00 I=17997 F=0x4000 T=112 SYN (#64) 


Feb 25 13:01:13 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 207.171.146.82:25150 -> 12.82.137.117:6346
Feb 25 13:01:43 greatwall last message repeated 4 times
Feb 25 13:01:13 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.171.146.82:25150 12.82.137.117:6346 L=48 S=0x00 I=27918 F=0x4000 T=111 SYN (#64) 
Feb 25 13:01:16 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.171.146.82:25150 12.82.137.117:6346 L=48 S=0x00 I=29454 F=0x4000 T=111 SYN (#64) 
Feb 25 13:01:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.171.146.82:25150 12.82.137.117:6346 L=48 S=0x00 I=34318 F=0x4000 T=111 SYN (#64) 
Feb 25 13:01:35 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.171.146.82:25150 12.82.137.117:6346 L=48 S=0x00 I=51982 F=0x4000 T=111 SYN (#64) 
Feb 25 13:01:43 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 207.171.146.82:25150 12.82.137.117:6346 L=40 S=0x00 I=16752 F=0x0000 T=240 (#77) 

Iconn LLC (NETBLK-ICONN-BLK-1)
   129 Church Street, Suite 508,
   New Haven, CT 06510
   US    
Netname: ICONN-BLK-1
   Netblock: 207.171.128.0 - 207.171.159.255
   Maintainer: ICNN

Feb 25 13:02:54 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 172.166.9.201:1672 -> 12.82.137.117:6346
Feb 25 13:03:03 greatwall last message repeated 2 times
Feb 25 13:02:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.166.9.201:1672 12.82.137.117:6346 L=48 S=0x00 I=7003 F=0x4000 T=111 SYN (#64) 
Feb 25 13:02:57 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.166.9.201:1672 12.82.137.117:6346 L=48 S=0x00 I=7032 F=0x4000 T=111 SYN (#64) 
Feb 25 13:03:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.166.9.201:1672 12.82.137.117:6346 L=48 S=0x00 I=7079 F=0x4000 T=111 SYN (#64) 


Feb 25 13:03:54 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 213.65.209.144:3100 -> 12.82.137.117:6346
Feb 25 13:04:03 greatwall last message repeated 2 times
Feb 25 13:03:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 213.65.209.144:3100 12.82.137.117:6346 L=48 S=0x00 I=16287 F=0x4000 T=112 SYN (#64) 
Feb 25 13:03:57 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 213.65.209.144:3100 12.82.137.117:6346 L=48 S=0x00 I=20895 F=0x4000 T=112 SYN (#64) 
Feb 25 13:04:03 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 213.65.209.144:3100 12.82.137.117:6346 L=48 S=0x00 I=29087 F=0x4000 T=112 SYN (#64) 

host: 213.65.209.144 - h144n2fls20o980.telia.com

Feb 25 13:04:04 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.102.101.61:63942 -> 12.82.137.117:6346
Feb 25 13:04:13 greatwall last message repeated 2 times
Feb 25 13:04:04 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.102.101.61:63942 12.82.137.117:6346 L=48 S=0x00 I=4886 F=0x4000 T=114 SYN (#64) 
Feb 25 13:04:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.102.101.61:63942 12.82.137.117:6346 L=48 S=0x00 I=17430 F=0x4000 T=114 SYN (#64) 
Feb 25 13:04:13 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.102.101.61:63942 12.82.137.117:6346 L=48 S=0x00 I=46358 F=0x4000 T=114 SYN (#64) 

host: 65.102.101.61 - albq-dsl-gw06poolb61.albq.uswest.net

Feb 25 13:04:15 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 213.65.209.144:3100 -> 12.82.137.117:6346
Feb 25 13:04:15 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 213.65.209.144:3100 12.82.137.117:6346 L=48 S=0x00 I=34975 F=0x4000 T=112 SYN (#64) 


Feb 25 13:04:25 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.102.101.61:63942 -> 12.82.137.117:6346
Feb 25 13:04:25 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.102.101.61:63942 12.82.137.117:6346 L=48 S=0x00 I=36631 F=0x4000 T=114 SYN (#64) 


Feb 25 13:06:20 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 166.102.202.21:1606 -> 12.82.137.117:6346
Feb 25 13:06:23 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 166.102.202.21:1606 -> 12.82.137.117:6346
Feb 25 13:06:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 166.102.202.21:1606 12.82.137.117:6346 L=48 S=0x00 I=13842 F=0x4000 T=111 SYN (#64) 
Feb 25 13:06:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 166.102.202.21:1606 12.82.137.117:6346 L=48 S=0x00 I=13854 F=0x4000 T=111 SYN (#64) 

host: 166.102.202.21 - r-202.21.alltel.net

Feb 25 13:06:29 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.69.71.37:3215 -> 12.82.137.117:6346
Feb 25 13:06:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.69.71.37:3215 12.82.137.117:6346 L=48 S=0x00 I=2312 F=0x4000 T=113 SYN (#64) 

host: 65.69.71.37 - adsl-65-69-71-37.dsl.kscymo.swbell.net

Feb 25 13:06:29 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 166.102.202.21:1606 -> 12.82.137.117:6346
Feb 25 13:06:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 166.102.202.21:1606 12.82.137.117:6346 L=48 S=0x00 I=13893 F=0x4000 T=111 SYN (#64) 


Feb 25 13:06:32 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.69.71.37:3215 -> 12.82.137.117:6346
Feb 25 13:06:38 greatwall snort: [1:0:0] TCP to 6346 gnutella {TCP}
 65.69.71.37:3215 -> 12.82.137.117:6346
Feb 25 13:06:32 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.69.71.37:3215 12.82.137.117:6346 L=48 S=0x00 I=2356 F=0x4000 T=113 SYN (#64) 
Feb 25 13:06:38 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 65.69.71.37:3215 12.82.137.117:6346 L=48 S=0x00 I=2455 F=0x4000 T=113 SYN (#64) 

<snip>

Anyway, I think you get the point...
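
One way to pull the real probe out of the cruft, as an added example (not part of the original page or of any tool it uses): a small triage script over the ipchains "Packet log" lines shown above. The three category names and the rule "non-SYN means leftover session, SYN to 6346 means a Gnutella peer retrying, any other SYN deserves a look" are assumptions made for this sketch; a stateless filter cannot prove a non-SYN packet is harmless.

```python
import re
from collections import Counter

# A few entries copied from the excerpt above, kept in their wrapped two-line form.
SAMPLE = """\
Feb 25 11:35:43 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 63.215.124.47:80 12.82.137.117:1521 L=40 S=0x00 I=28663 F=0x4000 T=56 (#77)
Feb 25 11:36:00 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.254.23.104:1314 12.82.137.117:6346 L=48 S=0x00 I=4742 F=0x4000 T=118 SYN (#64)
Feb 25 11:36:13 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 212.210.177.7:4393 12.82.137.117:111 L=60 S=0x00 I=29825 F=0x4000 T=47 SYN (#64)
Feb 25 11:37:25 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 64.4.12.121:1863 -> 12.82.137.117:1440
Feb 25 11:37:25 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 64.4.12.121:1863 12.82.137.117:1440 L=41 S=0x00 I=20417 F=0x0000 T=242 (#77)
"""

# Assumption: SYNs to these ports right after a redial are peers of the
# previous holder of the address. 6346 is the only such port in the excerpt.
P2P_PORTS = {6346}

PKT = re.compile(
    r"kernel: Packet log: input DENY \S+ PROTO=6 "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<rest>.*)$"
)

def join_wrapped(text):
    """Re-attach continuation lines (they start with a space) to their syslog line."""
    entries = []
    for line in text.splitlines():
        if line.startswith(" ") and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries

def classify(entry):
    """Return (verdict, src, sport, dport), or None for non-firewall lines."""
    m = PKT.search(entry)
    if not m:
        return None  # snort alerts, whois output, pppd messages
    syn = " SYN " in f" {m['rest']} "  # ipchains appends SYN for connection attempts
    dport = int(m["dport"])
    if not syn:
        verdict = "stale-session"   # mid-stream packet for a connection we never opened
    elif dport in P2P_PORTS:
        verdict = "p2p-retry"       # peer still dialing the previous user's servent
    else:
        verdict = "review"          # fresh connection attempt to some other service
    return verdict, m["src"], int(m["sport"]), dport

def triage(text):
    """Count entries per verdict and collect the (src, dport) pairs worth reading."""
    counts, review = Counter(), []
    for entry in join_wrapped(text):
        result = classify(entry)
        if result is None:
            continue
        verdict, src, _sport, dport = result
        counts[verdict] += 1
        if verdict == "review":
            review.append((src, dport))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    for src, dport in review:
        print(f"worth a look: {src} -> port {dport}")
```

On the sample, the only entry left for review is the SYN to port 111.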


jsage@finchhaven.com
Last modified: Wed Feb 27 06:28:21 2002