
Weird TCP/IP Behavior... suspicious..

I have this weird thing going on with my HPUX 11i box.

All I tried to do is a traceroute from our internal box to our public DNS server, and all of a sudden, from our firewall logs, my HPUX started doing something which looks like a port scan on the DNS server.

I tried tracerouting other IPs, and it does the same thing every time. Attached is a screenshot of our firewall.

Please can you help me see through this?

Thanks

Simon Hargrave
Honored Contributor
Solution

Re: Weird TCP/IP Behavior... suspicious..

Don't worry, this is perfectly normal. traceroute sends packets with increasing TTLs (time to live) to UDP ports, starting from a base port. If you read the man page for traceroute, see the -p switch.

Basically, on the first iteration traceroute sends a packet to your destination with TTL 1 to UDP port 33434. Next it sends with TTL 2 to 33435, then TTL 3 to 33436... until it gets a port unreachable message (which means it hit the server) instead of a TTL expired message.

But don't worry it's doing exactly what it was coded to do.

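To make the behaviour described in the reply above concrete, here is an added example (not code from the original thread or from HP-UX). It models the probe sequence of a BSD-style traceroute and runs a small heuristic over constructed firewall log lines to tell that sequence apart from a real port scan. Assumptions: the default base port 33434 (the -p option), and three probes per hop (the -q option on most BSD-derived implementations), which is why the port sweep is wider than the one-port-per-hop sequence quoted above; pass probes_per_hop=1 to reproduce exactly that sequence. The log line format and all addresses are constructed for the example; ports_to_allow() gives the outbound UDP range a firewall must permit, and the ICMP time-exceeded and port-unreachable replies must be allowed back in for the trace to show anything.

```python
"""Added example: traceroute probe sequence vs. port scan, as seen by a firewall."""
import re
from collections import defaultdict

BASE_PORT = 33434      # default first destination port of BSD-style traceroute (-p)
DEFAULT_PROBES = 3     # probes per hop (-q) on most implementations; assumed for HP-UX here


def traceroute_probes(max_hops, probes_per_hop=DEFAULT_PROBES, base_port=BASE_PORT):
    """Return the (ttl, dst_port) sequence traceroute emits, in order.

    The TTL increases once per hop; the destination port increases by one for
    every probe, so a firewall in the path logs a sweep of consecutive UDP ports.
    """
    seq = []
    port = base_port
    for ttl in range(1, max_hops + 1):
        for _ in range(probes_per_hop):
            seq.append((ttl, port))
            port += 1
    return seq


def ports_to_allow(max_hops=30, probes_per_hop=DEFAULT_PROBES, base_port=BASE_PORT):
    """Inclusive UDP destination port range a firewall must permit for a full trace."""
    return base_port, base_port + max_hops * probes_per_hop - 1


# Constructed log format: key=value pairs, loosely modelled on a netfilter-style line.
LOG_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Extract (src, dst, proto, dst_port) from one constructed log line, or None."""
    fields = dict(LOG_RE.findall(line))
    try:
        return fields["SRC"], fields["DST"], fields["PROTO"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None


def classify_flows(lines, base_port=BASE_PORT, window=100):
    """Label each (src, dst) pair as 'traceroute', 'port scan' or 'benign'.

    Heuristic: UDP probes whose destination ports form one unbroken run inside
    the traceroute port window are a trace; many scattered ports are a scan.
    """
    flows = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            src, dst, proto, dpt = rec
            flows[(src, dst, proto)].add(dpt)

    verdicts = {}
    for (src, dst, proto), ports in flows.items():
        ordered = sorted(ports)
        contiguous = ordered[-1] - ordered[0] + 1 == len(ordered)
        in_window = base_port <= ordered[0] and ordered[-1] < base_port + window
        if proto == "UDP" and contiguous and in_window:
            verdicts[(src, dst)] = "traceroute"
        elif len(ordered) >= 4:
            verdicts[(src, dst)] = "port scan"
        else:
            verdicts[(src, dst)] = "benign"
    return verdicts


# Constructed sample: a 4-hop trace from an internal host, then a TCP scan from outside.
SAMPLE_LINES = [
    f"Jun 12 10:01:{i:02d} fw kernel: DROP IN=eth1 SRC=10.0.0.5 DST=198.51.100.53 "
    f"PROTO=UDP SPT=40123 DPT={port}"
    for i, (_ttl, port) in enumerate(traceroute_probes(4))
] + [
    f"Jun 12 10:05:{i:02d} fw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.53 "
    f"PROTO=TCP SPT=55555 DPT={port}"
    for i, port in enumerate((21, 22, 80, 443, 3389))
]


if __name__ == "__main__":
    for ttl, port in traceroute_probes(3):
        print(f"TTL {ttl} -> UDP/{port}")
    print("allow outbound UDP ports", ports_to_allow())
    for pair, verdict in classify_flows(SAMPLE_LINES).items():
        print(pair, verdict)
```

The contiguity check is what separates the two cases: a scanner hitting 21, 22, 80, 443 and 3389 leaves gaps, while traceroute never skips a port. A trace that is cut short (the host answered port-unreachable early) still passes, because a shorter run is still unbroken.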
Re: Weird TCP/IP Behavior... suspicious..

OK, I always thought a traceroute worked on ICMP, like Windows clients do. So I guess I have to enable some more ports.

Thanks
Simon Hargrave
Honored Contributor

Re: Weird TCP/IP Behavior... suspicious..

If you want to override the default use of UDP then you can provide the -I switch to traceroute, which will force it to use ICMP instead of UDP.

Re: Weird TCP/IP Behavior... suspicious..

Yes... worked like a charm with the -I option!

Thanks
Tor-Arne Nostdal
Trusted Contributor

Re: Weird TCP/IP Behavior... suspicious..

Hi Marie-Josee
Another useful traceroute option is -F, which will "disable fragmentation"; you then specify the packet size parameter.

In case you have "suspicious" problems on WAN communication, it might turn out that the problem relates to MTU size (maximum transfer unit).

It might be that a router sets "don't fragment" on communication, and thus prevents the dynamic split/repack of packets (to include headers and so on).

I've seen this when communicating over MPLS, with IPsec, SSH.

/Tor-Arne
I'm trying to become President of the state I'm in...