Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 671 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

I need some help identifying an IP address

RFCat_vk_01
Hi,
Over the last couple of weeks I have been seeing a lot of dropped sync packets in my log. I have been able to identify the country of origin as being HK. I have been able to block it with the new feature in v8b, but I still see a lot of packets eg about every 2 secs.

The source is always my ASG external interface with varying ports and always to port 80 on 116.92.1.80.

Does Astaro have a server at this location and at 116.92.1.81

I have looked up whois and the result shows it being allocated to HK and that is it.

Ian  M


This thread was automatically locked due to age.
  • 0 in reply to Kingbuzzo
    Hi,
    I did that before posting here.
    The result said HK and nothing more.

    Ian M

    inetnum:      116.92.0.0 - 116.92.255.255
    netname:      PACNET
    remarks:      Spam and Security: abuse (at) pacnet.com
    remarks:      Network Issues : rnoc (at) pacnet.com
    country:      HK
    admin-c:      PNH4-AP
    tech-c:       PNH4-AP
    mnt-by:       APNIC-HM
    mnt-lower:    MAINT-AP-PACNET
    mnt-lower:    MAINT-AP-PACNET-NOC
    changed:      rnoc (at) pacnet.com
    status:       ALLOCATED PORTABLE
    changed:      hm-changed (at) apnic.net 20080604
    source:       APNIC

    role:         PACNET NIC Handler
    address:      PACNET
    country:      HK
    phone:        +65-6872-1010
    e-mail:       rnoc (at) pacnet.com
    trouble:      -------------------------------------
    trouble:      Spam and Security: abuse (at) pacnet.com
    trouble:      Network Issues   : rnoc (at) pacnet.com
    trouble:      -------------------------------------
    admin-c:      PR132-AP
    admin-c:      AN155-AP
    tech-c:       PR132-AP
    tech-c:       AN155-AP
    nic-hdl:      PNH4-AP
    remarks:      Pacnet
    notify:       rnoc (at) pacnet.com
    mnt-by:       MAINT-AP-PACNET
    changed:      rnoc (at) pacnet.com 20090911
    source:       APNIC
  • 0 in reply to RFCat_vk_01
    Hi,
    no one has any ideas about why I continually see the following in the PF log

    2010:06:02-00:13:51 fw1-on-house ulogd[4268]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="116.92.1.80" dstip="124.168.120.251" proto="6" length="40" tos="0x08" prec="0x20" ttl="50" srcport="80" dstport="39145" tcpflags="RST" 
    2010:06:02-00:14:38 fw1-on-house ulogd[4268]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="116.92.1.80" dstip="124.168.120.251" proto="6" length="40" tos="0x08" prec="0x20" ttl="50" srcport="80" dstport="39145" tcpflags="RST"

    I have changed the IP address of the external interface and that didn't help.

    I see over 1000-2000 a day everyday.

    They come even when there aren't any users other than the VoIP phones etc. I have disconnected all users, except my PC, made no difference. I login remotely and stil see the packets being dropped.

    Ian M
  • 0
    Ian, I saw something wierd like that 18 months ago.  The solution for us was to restore a config backup.

    Cheers - Bob
  • 0 in reply to BAlfson
    Hi Bob,
    I just a restore to overcome the v8b problem. I also found the same IP address on the v7.504/5 backup ASG while the beta box was offline.

    I think I might have found a reason, I had a snat in place for a torrent I run occassionally, but haven't for a number of weeks. I have disabled the snat rule and will wait the results.

    Ian M