Mess on the network

Jacek Tomczak jaqjacek at gmail.com
Thu, 16 Feb 2012, 15:35:36 CET


For a week now I've had a lot of junk traffic on my network.
Every so often tcpdump spits out loads of stuff like this:

tcpdump -i eth1 -n "icmp"

...
15:14:58.563353 IP 94.72.166.186 > 78.159.72.108: ICMP 94.72.166.186 udp port 1024 unreachable, length 137
15:14:58.569244 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:58.569504 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:58.569680 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:58.600192 IP 189.222.49.191 > 92.55.248.170: ICMP 189.222.49.191 tcp port 52792 unreachable, length 56
15:14:58.621564 IP 78.159.72.86 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 78.159.72.205, length 36
15:14:58.622197 IP 92.55.248.219 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 92.55.248.1, length 36
15:14:58.626805 IP 92.55.248.219 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 92.55.248.1, length 36
15:14:58.661793 IP 78.159.72.86 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 78.159.72.205, length 36
15:14:58.680182 IP 78.159.72.65 > 95.133.35.133: ICMP 78.159.72.65 udp port 22667 unreachable, length 66
15:14:58.690828 IP 205.214.210.67 > 92.55.248.170: ICMP 205.214.210.67 udp port 64896 unreachable, length 66
15:14:58.734742 IP 92.55.248.127 > 114.32.28.231: ICMP echo request, id 768, seq 51160, length 8
15:14:58.744957 IP 92.55.255.61 > 92.55.248.127: ICMP time exceeded in-transit, length 36
15:14:58.753049 IP 78.159.72.108 > 213.186.89.143: ICMP 78.159.72.108 udp port 23645 unreachable, length 103
15:14:58.861610 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:58.861632 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:58.884449 IP 92.55.248.170 > 109.98.195.130: ICMP host 92.55.248.170 unreachable, length 92
15:14:58.884557 IP 92.55.248.170 > 112.200.69.193: ICMP host 92.55.248.170 unreachable, length 88
15:14:58.884612 IP 92.55.248.170 > 112.200.69.193: ICMP host 92.55.248.170 unreachable, length 88
15:14:58.886611 IP 91.225.135.254 > 92.55.248.22: ICMP 91.225.135.254 udp port 64897 unreachable, length 66
15:14:58.897396 IP 69.167.127.74 > 78.159.72.40: ICMP 69.167.127.74 udp port 8102 unreachable, length 36
15:14:58.980079 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.005518 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.114412 IP 83.1.134.192 > 78.159.72.65: ICMP 83.1.134.192 udp port 43657 unreachable, length 66
15:14:59.150324 IP 92.55.248.81 > 80.87.215.101: ICMP 92.55.248.81 udp port 21438 unreachable, length 139
15:14:59.164667 IP 78.159.72.86 > 92.55.248.4: ICMP redirect 195.8.97.35 to host 78.159.72.1, length 36
15:14:59.164684 IP 78.159.72.86 > 92.55.248.4: ICMP redirect 195.8.97.35 to host 78.159.72.1, length 36
15:14:59.209292 IP 81.190.43.201 > 78.159.72.108: ICMP host 81.190.43.201 unreachable, length 56
15:14:59.235885 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.250039 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.294196 IP 83.1.134.192 > 78.159.72.65: ICMP 83.1.134.192 udp port 54611 unreachable, length 88
15:14:59.309660 IP 172.16.12.13 > 78.159.72.124: ICMP time exceeded in-transit, length 36
15:14:59.312218 IP 88.119.152.235 > 78.159.72.73: ICMP 88.119.152.235 udp port 20030 unreachable, length 137
15:14:59.323730 IP 94.40.121.74 > 92.55.248.22: ICMP 94.40.121.74 udp port 59531 unreachable, length 88
15:14:59.349647 IP 78.159.72.108 > 46.164.195.16: ICMP 78.159.72.108 udp port 23645 unreachable, length 66
15:14:59.439227 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.468329 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.493022 IP 78.159.72.1 > 78.159.72.203: ICMP host 192.168.1.43 unreachable, length 88
15:14:59.529654 IP 92.55.249.200 > 92.55.248.1: ICMP echo request, id 1, seq 1469, length 40
15:14:59.529680 IP 92.55.248.1 > 92.55.249.200: ICMP echo reply, id 1, seq 1469, length 40
15:14:59.590231 IP 92.55.248.1 > 92.55.248.202: ICMP host 66.220.9.122 unreachable, length 84
15:14:59.644660 IP 78.159.72.86 > 92.55.248.4: ICMP redirect 195.8.97.35 to host 78.159.72.1, length 36
15:14:59.644673 IP 78.159.72.86 > 92.55.248.4: ICMP redirect 195.8.97.35 to host 78.159.72.1, length 36
15:14:59.645633 IP 78.159.73.49 > 93.121.163.122: ICMP 78.159.73.49 udp port 21557 unreachable, length 36
15:14:59.653060 IP 92.55.248.1 > 92.55.248.170: ICMP host 192.168.1.64 unreachable, length 88
15:14:59.653078 IP 92.55.248.1 > 92.55.248.170: ICMP host 192.168.1.64 unreachable, length 88
15:14:59.653090 IP 92.55.248.1 > 92.55.248.170: ICMP host 192.168.1.64 unreachable, length 88
15:14:59.663887 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.684685 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.687413 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:59.691289 IP 78.159.72.65 > 31.135.76.16: ICMP 78.159.72.65 udp port 22667 unreachable, length 66
15:14:59.728566 IP 78.159.72.65 > 95.27.136.17: ICMP 78.159.72.65 udp port 22667 unreachable, length 66
15:14:59.787278 IP 87.218.47.107 > 78.159.72.108: ICMP 87.218.47.107 udp port 47986 unreachable, length 137
15:14:59.826060 IP 37.55.171.27 > 78.159.72.92: ICMP 37.55.171.27 udp port 34519 unreachable, length 139
...

The network only has IPs from the 78.159.72.xx and 92.55.248.xx blocks.
It doesn't show that much in the logs above, but I'm getting tons of redirects.

There is so much of it that the network slows down and even ssh gets sluggish.
I've already tried many things and I'm slowly running out of ideas.
Does anyone know what this could be?
My suspect is some broken router, but for the moment I can't track it down.

Let me say up front that I inherited the network from someone else in the state
it is in, and the fact that both blocks are joined together is not my fault.


-- 
Regards
Jacek Tomczak


More information about the pld-users-pl list
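The ICMP mix in the post above is easier to judge aggregated than line by line: which message types dominate, which hosts emit them, and who is sending redirects to whom. The script below is an added example, not code from the original post or from the PLD project. It parses tcpdump's default one-line ICMP text format, classifies each record (redirect, need-to-frag, port/host unreachable, echo, time exceeded), counts senders per type, tabulates each redirect as (sender, recipient, target, suggested gateway), and flags redirects addressed to recipients outside the two address ranges the poster names. The embedded sample is a constructed subset of the quoted lines, re-joined onto single lines; LOCAL_PREFIXES (assumed to mean two /24s) and every function name are the example's own.

```python
import re
from collections import Counter, defaultdict

# The two address ranges the post says are in use on this segment (assumed /24s).
LOCAL_PREFIXES = ("78.159.72.", "92.55.248.")

# tcpdump default text format: "<ts> IP <src> > <dst>: ICMP <body>, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<body>.*), length (?P<length>\d+)$"
)
REDIRECT_RE = re.compile(r"^redirect (?P<target>[\d.]+) to host (?P<gateway>[\d.]+)$")
FRAG_RE = re.compile(r"need to frag \(mtu (?P<mtu>\d+)\)")
PORT_RE = re.compile(r"(?P<proto>tcp|udp) port (?P<port>\d+) unreachable")

# Constructed sample: a subset of the tcpdump lines quoted in the post, re-joined
# onto single lines (the list archive wrapped each record over two lines).
SAMPLE = """\
15:14:58.563353 IP 94.72.166.186 > 78.159.72.108: ICMP 94.72.166.186 udp port 1024 unreachable, length 137
15:14:58.569244 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:58.569504 IP 118.70.154.90 > 78.159.73.49: ICMP 118.70.154.90 unreachable - need to frag (mtu 1404), length 36
15:14:58.621564 IP 78.159.72.86 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 78.159.72.205, length 36
15:14:58.622197 IP 92.55.248.219 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 92.55.248.1, length 36
15:14:58.626805 IP 92.55.248.219 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 92.55.248.1, length 36
15:14:58.661793 IP 78.159.72.86 > 79.102.157.200: ICMP redirect 78.159.72.205 to host 78.159.72.205, length 36
15:14:59.164667 IP 78.159.72.86 > 92.55.248.4: ICMP redirect 195.8.97.35 to host 78.159.72.1, length 36
15:14:59.164684 IP 78.159.72.86 > 92.55.248.4: ICMP redirect 195.8.97.35 to host 78.159.72.1, length 36
15:14:59.309660 IP 172.16.12.13 > 78.159.72.124: ICMP time exceeded in-transit, length 36
15:14:59.493022 IP 78.159.72.1 > 78.159.72.203: ICMP host 192.168.1.43 unreachable, length 88
15:14:59.529654 IP 92.55.249.200 > 92.55.248.1: ICMP echo request, id 1, seq 1469, length 40
15:14:59.529680 IP 92.55.248.1 > 92.55.249.200: ICMP echo reply, id 1, seq 1469, length 40
15:14:59.653060 IP 92.55.248.1 > 92.55.248.170: ICMP host 192.168.1.64 unreachable, length 88
"""


def classify(body):
    """Map the free-text part of a tcpdump ICMP line to a type label plus details."""
    m = REDIRECT_RE.match(body)
    if m:
        return "redirect", m.groupdict()
    m = FRAG_RE.search(body)
    if m:
        return "need-frag", {"mtu": int(m.group("mtu"))}
    m = PORT_RE.search(body)
    if m:
        return "port-unreachable", {"proto": m.group("proto"), "port": int(m.group("port"))}
    if body.startswith("host ") and body.endswith(" unreachable"):
        return "host-unreachable", {"unreachable_host": body.split()[1]}
    for prefix, label in (("echo request", "echo-request"), ("echo reply", "echo-reply"),
                          ("time exceeded", "time-exceeded")):
        if body.startswith(prefix):
            return label, {}
    return "other", {}


def parse_line(line):
    """Return a dict for one tcpdump ICMP record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    rec["type"], rec["detail"] = classify(rec.pop("body"))
    return rec


def is_local(ip):
    return ip.startswith(LOCAL_PREFIXES)


def summarize(text):
    records = [r for r in map(parse_line, text.splitlines()) if r]
    by_type = Counter(r["type"] for r in records)
    senders = defaultdict(Counter)
    for r in records:
        senders[r["type"]][r["src"]] += 1
    # "redirect A to host B" = the sender tells the recipient to reach A via B.
    redirects = Counter(
        (r["src"], r["dst"], r["detail"]["target"], r["detail"]["gateway"])
        for r in records if r["type"] == "redirect"
    )
    # A redirect is only meaningful between a router and a host on its own link,
    # so one addressed to an IP outside the local ranges deserves a closer look.
    off_link = sorted(k for k in redirects if not is_local(k[1]))
    return {
        "total": len(records),
        "by_type": by_type,
        "top_senders": {t: c.most_common(3) for t, c in senders.items()},
        "redirects": redirects,
        "off_link_redirects": off_link,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['total']} ICMP records")
    for t, n in s["by_type"].most_common():
        print(f"  {t:17} {n:4}  top senders: {s['top_senders'][t]}")
    for (src, dst, target, gw), n in s["redirects"].most_common():
        print(f"  {src} -> {dst}: reach {target} via {gw}  x{n}")
    print("redirects to off-link recipients:", len(s["off_link_redirects"]))
```

Run against a live capture with `tcpdump -i eth1 -n -l icmp | python3 icmp_summary.py` after swapping `SAMPLE` for `sys.stdin.read()`. On the quoted sample the redirect senders are 78.159.72.86 and 92.55.248.219, which narrows the "which router" question to hosts that believe they are forwarding for this segment; on Linux the `net.ipv4.conf.*.send_redirects` sysctl controls whether a forwarding host emits them and `accept_redirects` whether a receiver honours them.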