Invalid Packets From the DoD

Posted 875 days ago - Security

The firewall policies on Nullamatix.com DROP invalid connection attempts. Specifically, if an attempt to start a new tcp connection is not a syn packet, the packet is rejected. This morning I noticed a few dropped connection attempts from an unusual source, The U.S. Department of Defense. Here are the logs:

Dec 27 05:00:38: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:01:53: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:03:08: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:04:23: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:05:38: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:06:53: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:09:23: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 18 09:25:19: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:26:34: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:27:49: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:29:04: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:30:19: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:31:34: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:32:49: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:34:04: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80

What's really interesting are the lack of Lighttpd logs. Based on the logs I have, that IP has never made a legitimate visit to any of the sites hosted on this server. So what's the DoD up to? I don't mind them visiting at all, but why the invalid connection attempts? If someone at the DoD wants some information about this server, all they have to do is ask.

Whois Information for 140.32.107.150

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   140.32.0.0 - 140.32.255.255
CIDR:       140.32.0.0/16
NetName:    SUM-DET-5
NetHandle:  NET-140-32-0-0-1
Parent:     NET-140-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.ARL.ARMY.MIL
NameServer: NS1.NOSC.MIL
NameServer: NS1.HPCMO.HPC.MIL
Comment:
RegDate:    1990-04-08
Updated:    2007-08-23

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName:   Network DoD
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  HOSTMASTER@nic.mil

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  REGISTRA@nic.mil

Word Count: 320

Tags: , , ,

Click Here to Submit a Comment

Permalink / Last Modified:

Support Nullamatix.com:

E-mail Comment Facebook Del.icio.us Digg Reddit Technorati Furl

See Also:

  • 05/13/2009 -- IPTables Drop Log For 05.12.09
    Excerpt: "The Internet; so magical and dangerous, getting connected is a risk we're all willing to take. Whether you're infiltrating some moron's botnet, or just surfing the web, the possibility of becoming a victim in a cyber attack is real. Everyday, without fail, ..."
  • 01/17/2010 -- New Tool: IP Range to CIDR
    Excerpt: "At least twice a week I find myself visiting ip2cidr.com, the IP to CIDR converter. Since the owner/author of the site hasn't release the source code, and I love a challenge, I developed my own version. The guys at the job find the tool useful, and after a ..."
  • 03/05/2008 -- What’s Your Computer Connecting To?
    Excerpt: "A security conscious buddy of mine is an advocate of the Sysinternals freeware utilities. For those of you who don't know, Mark Russinovich, one of the Sysinternals co founders, was the guy that discovered and exposed the Sony BMG root kit back in 2005. In ..."
  • 02/15/2008 -- Picture: The Importance of a Good Firewall
    Excerpt: "This is what happened when I took down my network's defenses the other day. Fortunately my Windows machines were patched, or I might have been hit with a nasty remote exploit, or eighty. Click the thumbnail for the larger version. Those are all incoming ..."

Leave a Reply