[nos-bbs] Why is NOS forwarding these packets!

Steven Stimpson steven2 at gwi.net
Sat Nov 11 20:13:42 EST 2006


I noticed tonight my internet connection was a little more active than
usual. I checked my real-time firewall log and it was filling with about
100 remote DNS and IP addys from all over the net each minute.
They were all trying to get into port 32931 UDP.

Although security is off topic here, I was curious what those packets
looked like, so I shut down to DOS, started my ethernet card's packet
driver, and went to the trace screen in NOS. What I saw made my hair turn
white. This may be normal activity, but I need to know what is going on
here:


Sat Nov 11 19:59:02 2006 - sl0 recv:
Ether: len 105 00:01:5c:22:7b:42->00:a0:cc:55:35:20 type IP
IP: len 91 86.197.18.239->207.5.194.171 ihl 20 ttl 44 prot UDP
UDP: len 71 6900->32931 Data 63
0000  ...^........M20.........V.....O.5..........m<HM.%..P.>.. ..e'<.

Sat Nov 11 19:59:02 2006 - sl0 sent:
Ether: len 105 00:a0:cc:55:35:20->00:01:5c:22:7b:42 type IP
IP: len 91 86.197.18.239->207.5.194.171 ihl 20 ttl 43 prot UDP
UDP: len 71 6900->32931 Data 63
0000  ...^........M20.........V.....O.5..........m<HM.%..P.>.. ..e'<.

Sat Nov 11 19:59:03 2006 - sl0 recv:
Ether: len 104 00:01:5c:22:7b:42->00:a0:cc:55:35:20 type IP
IP: len 90 74.97.148.10->207.5.194.171 ihl 20 ttl 114 prot UDP
UDP: len 70 60622->32931 Data 62
0000  .9!].D.......!.........Ja......D........Z.m<]iV=.....5.3.O ..A

Sat Nov 11 19:59:03 2006 - sl0 sent:
Ether: len 104 00:a0:cc:55:35:20->00:01:5c:22:7b:42 type IP
IP: len 90 74.97.148.10->207.5.194.171 ihl 20 ttl 113 prot UDP
UDP: len 70 60622->32931 Data 62
0000  .9!].D.......!.........Ja......D........Z.m<]iV=.....5.3.O ..A

Packets destined for my Windows IP address were coming in, but I had not
set my Windows IP in NOS.

Question is, why is JNOS retransmitting these packets? Also, when NOS
forwards these packets to my now unused Windows IP, it is forwarding them
to a DIFFERENT MAC address. Could this possibly mean when I am in Windows
someone is using software to change my MAC address when they break in?

I am not running any fancy or third party networking in Windows.

Help greatly appreciated.

Steven N1OHX