That is what I am guessing, have located some form of QoS running as
"Moe Trin" <(E-Mail Removed)> wrote in message
> On Mon, 28 Nov 2005, in the Usenet newsgroup alt.computer.security, in
> <36Gif.144735$(E-Mail Removed)>, ed wrote:
>>Here is what my firewall log is giving me (my address is xx.xxx.xx.151):
> So what that may be trying to say is that you received a UDP packet from
> xx.xxx.xx.85 to your port 1026 (undoubtedly, windoze messenger spam), and
> your system rejected it with an ICMP "FOAD" packet. But the stuff below
> says otherwise.
>>Not sure now about the UDP, here is the .enc file decode for one of the
> Boy, they love to baffle 'em with bullshit, don't they. Well, let's cut
> through all the useless crap...
>>Time to live: 140
> Strange value - these normally start with a nice round figure, like 32,
> 128, and occasionally 255, and gets decremented by every router between
> source and destination. In most cases, nothing is more than 30 or 40 hops,
> yet if this started with 255, it's 115 hops away - highly unlikely.
>>Protocol: ICMP (0x01)
>>Source: xx.xxx.xx.85 (xx.xxx.xx.85)
>>Destination: xx.xxx.xx.151 (xx.xxx.xx.151)
>>Internet Control Message Protocol
>>Type: 3 (Destination unreachable)
>>Code: 3 (Port unreachable)
> OK - xx.xxx.xx.85 is sending an error message to xx.xxx.xx.151 that
> says "the number you have dialed is unreachable". The contents of the
> packet that caused this is:
>>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
>>Total Length: 773
>>Time to live: 116
> (That's more reasonable - 12 hops away)
>>Protocol: UDP (0x11)
>>Source: xx.xxx.xx.151 (xx.xxx.xx.151)
>>Destination: xx.xxx.xx.85 (xx.xxx.xx.85)
>>User Datagram Protocol, Src Port: 26698 (2669, Dst Port: 1026 (1026)
> xx.xxx.xx.151 appears to be trying to send messenger spam to xx.xxx.xx.85
> Now above, you said "my address is xx.xxx.xx.151" - and if that's the
> case, your box got 0wn3d and was sending spam. I'd be looking at WTF is
> going on with this box. Yes, that looks like you are the one with the
> problem, not the remote.
> Old guy
Moe Trin wrote:
>>>Internet Protocol, Src Addr: xx.xxx.xx.151 (xx.xxx.xx.151), Dst Addr:
>>>Total Length: 773
>>>Time to live: 116
>> (That's more reasonable - 12 hops away)
> If you can ping or traceroute to xx.xxx.xx.85, it might be nice comparing
> the number of hops you get to this figure of 12 hops
>>Now above, you said "my address is xx.xxx.xx.151" - and if that's the
>>case, your box got 0wn3d and was sending spam.
> I should not have said this, as this could be the result of a spammer
> choosing your address at random to use as the source IP for his trash.
> That way, if someone complains, it's not the spammer who gets blamed.
Agreed, it looks like backscatter to me.
Nothing to worry about, and frankly, nothing you can do about it.
Unless you actually see your machine making connection attempts to UDP
102X in the output of a netstat, I wouldn't worry about it.
Moe's suggestion of tracerouting to the .85 address is a good one.
Might give some more clues if you're still interested.
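The analysis the thread walks through by hand (read the ICMP type 3 / code 3 error, pull the embedded IP and UDP header out of it, estimate hops from the TTL, and ask whether the embedded datagram names your own address as its source) can be scripted. The following is an added example, not code from anyone in the thread; it builds a constructed packet modelled on the quoted decode, using RFC 5737 documentation addresses in place of the poster's xx.xxx.xx.151 and xx.xxx.xx.85, and the function and field names are the example's own. It also generalises the TTL reading slightly: it guesses the sender's initial TTL from the usual defaults (32, 64, 128, 255) instead of assuming 128 or 255.

```python
import struct
import ipaddress

# Constructed sample addresses (RFC 5737 TEST-NET-3), standing in for the
# xx.xxx.xx.151 / xx.xxx.xx.85 pair in the thread.
MY_ADDR = "203.0.113.151"
REMOTE_ADDR = "203.0.113.85"


def ipv4_header(src, dst, proto, ttl, total_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; we only parse it)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_sample():
    """Constructed ICMP port-unreachable packet shaped like the quoted decode."""
    # Embedded (offending) datagram: UDP "from us" port 26698 to remote port 1026,
    # claimed total length 773, TTL 116. The ICMP error quotes its IP header plus
    # the first 8 bytes of payload, i.e. exactly the UDP header.
    inner_udp = struct.pack("!HHHH", 26698, 1026, 773 - 20, 0)
    inner = ipv4_header(MY_ADDR, REMOTE_ADDR, 17, 116, 773) + inner_udp
    # ICMP header: type 3 (dest unreachable), code 3 (port unreachable), cksum, unused.
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    # Outer packet from the remote back to us, with the odd TTL of 140 from the thread.
    return ipv4_header(REMOTE_ADDR, MY_ADDR, 1, 140, 20 + len(icmp)) + icmp


def parse_ipv4(buf):
    """Return the fields we care about from an IPv4 header plus its payload."""
    ihl = (buf[0] & 0x0F) * 4
    return {
        "total_len": struct.unpack("!H", buf[2:4])[0],
        "ttl": buf[8],
        "proto": buf[9],
        "src": str(ipaddress.IPv4Address(buf[12:16])),
        "dst": str(ipaddress.IPv4Address(buf[16:20])),
        "payload": buf[ihl:],
    }


def estimate_hops(ttl):
    """Guess the sender's initial TTL (32/64/128/255) and the hops traversed."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range")


def analyse_unreachable(packet, my_addr):
    """Decode an ICMP destination-unreachable packet and decide if it is backscatter."""
    outer = parse_ipv4(packet)
    if outer["proto"] != 1:
        return {"verdict": "not ICMP"}
    icmp = outer["payload"]
    itype, icode = icmp[0], icmp[1]
    if itype != 3:
        return {"verdict": f"ICMP type {itype}, not destination unreachable"}
    inner = parse_ipv4(icmp[8:])          # quoted header starts after 8 ICMP bytes
    result = {
        "reporter": outer["src"],
        "reporter_ttl": outer["ttl"],
        "reporter_hops": estimate_hops(outer["ttl"]),
        "icmp_code": icode,
        "inner_src": inner["src"],
        "inner_dst": inner["dst"],
        "inner_proto": inner["proto"],
        "inner_ttl": inner["ttl"],
        "inner_hops": estimate_hops(inner["ttl"]),
    }
    if inner["proto"] == 17 and len(inner["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", inner["payload"][:4])
        result["inner_sport"], result["inner_dport"] = sport, dport
    # Backscatter test: the quoted datagram claims our address as its source.
    # Either this host really sent it, or a spoofer used our address; a local
    # netstat or packet capture for outbound UDP to that port tells the two apart.
    if inner["src"] == my_addr:
        result["verdict"] = "possible backscatter: quoted datagram claims our address"
    else:
        result["verdict"] = "unrelated: quoted datagram does not claim our address"
    return result


if __name__ == "__main__":
    for k, v in analyse_unreachable(build_sample(), MY_ADDR).items():
        print(f"{k:14} {v}")
```

On the constructed sample the script reports the reporter 115 hops away if it started at 255 (the implausible figure Moe flagged), the quoted datagram 12 hops away from an initial TTL of 128, and a "possible backscatter" verdict. The hop estimate is the number to compare against a traceroute to the .85 address, as suggested above; if the two disagree badly, the quoted datagram probably never left your network, which points at a spoofer rather than your own machine.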