This message is flooding my syslog, how to find where it comes from?

When I run dmesg this comes up every second or so:

[22661.447946] [UFW BLOCK] IN=eth0 OUT= MAC=ee:54:32:37:94:5f:f0:4b:3a:4f:80:30:08:00 SRC=35.162.106.154 DST=104.248.41.4 LEN=40 TOS=0x00 PREC=0x00 TTL=37 ID=52549 DF PROTO=TCP SPT=25 DPT=50616 WINDOW=0 RES=0x00 RST URGP=0

How can I trace what is causing this message?


Solution 1:

The existing answer is correct in its technical analysis of the firewall log entry, but it's missing one point that makes the conclusion incorrect. The packet

  • Is a RST (reset) packet
  • from SRC=35.162.106.154
  • to your host at DST=104.248.41.4
  • via TCP
  • from his port SPT=25
  • to your port DPT=50616
  • and has been BLOCKed by UFW.

Port 25 (the source port) is commonly used for email. Port 50616 is in the ephemeral port range, meaning there's no consistent user for this port. A TCP "reset" packet can be sent in response to a number of unexpected situations, such as data arriving after a connection has been closed, or data being sent without first establishing a connection.

35.162.106.154 reverse-resolves to cxr.mx.a.cloudfilter.net, a domain used by the CloudMark email filtering service.

Your computer, or someone pretending to be your computer, is sending data to one of CloudMark's servers. The data is arriving unexpectedly, and the server is responding with a RST to ask the sending computer to stop. Given that the firewall is dropping the RST rather than passing it through to some application, the data that's causing the RST to be sent isn't coming from your computer. Instead, you're probably seeing backscatter from a denial-of-service attack, where the attacker is sending out floods of packets with forged "from" addresses in an attempt to knock CloudMark's mail servers offline (perhaps to make spamming more effective).

Solution 2:

The message stems from UFW, the "uncomplicated firewall", and it tells you that someone

  • from SRC=35.162.106.154
  • tried to connect to your host at DST=104.248.41.4
  • via TCP
  • from their port SPT=25
  • to your port DPT=50616
  • and that UFW has successfully BLOCKed that attempt.

According to this site the source address 35.162.106.154 is some Amazon machine (probably an AWS). According to this site the port 50616 may be used for Xsan Filesystem Access.

So it's an attempt from IP=35.162.106.154 to access your files. Quite normal and nothing to be really worried about because that's what firewalls are for: rejecting such attempts.
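Both answers decode the same fields by hand (SRC, DST, PROTO, SPT, DPT and the bare flag tokens such as DF and RST). When the line repeats every second, a practitioner wants that decoding done over the whole log, grouped by source, so the pattern Solution 1 describes (a bare RST arriving from a service port with no connection on your side) stands out from ordinary inbound SYN probes. The following parser and summary is an added example, not code from either answer or from the UFW project; the log lines are constructed to mimic the one in the question (the second and third source addresses are documentation ranges, not real hosts), and the "rst-backscatter" / "inbound-syn" labels are this example's own heuristic, not anything UFW emits.

```python
import re
import sys
from collections import Counter

# Constructed sample input modelled on the questioner's dmesg line; the extra
# lines (an SSH SYN probe, a UDP packet, an unrelated USB message) are made up
# to exercise the parser. Feed `dmesg` or `journalctl -k` output in practice.
SAMPLE_LOG = """\
[22661.447946] [UFW BLOCK] IN=eth0 OUT= MAC=ee:54:32:37:94:5f:f0:4b:3a:4f:80:30:08:00 SRC=35.162.106.154 DST=104.248.41.4 LEN=40 TOS=0x00 PREC=0x00 TTL=37 ID=52549 DF PROTO=TCP SPT=25 DPT=50616 WINDOW=0 RES=0x00 RST URGP=0
[22662.451002] [UFW BLOCK] IN=eth0 OUT= MAC=ee:54:32:37:94:5f:f0:4b:3a:4f:80:30:08:00 SRC=35.162.106.154 DST=104.248.41.4 LEN=40 TOS=0x00 PREC=0x00 TTL=37 ID=52550 DF PROTO=TCP SPT=25 DPT=50617 WINDOW=0 RES=0x00 RST URGP=0
[22663.100555] [UFW BLOCK] IN=eth0 OUT= MAC=ee:54:32:37:94:5f:f0:4b:3a:4f:80:30:08:00 SRC=198.51.100.7 DST=104.248.41.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[22664.200000] [UFW BLOCK] IN=eth0 OUT= MAC=ee:54:32:37:94:5f:f0:4b:3a:4f:80:30:08:00 SRC=203.0.113.9 DST=104.248.41.4 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=40000 LEN=12
[22665.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
UFW_MARKER = re.compile(r"\[UFW (BLOCK|AUDIT|ALLOW)\]")


def parse_ufw_line(line):
    """Parse one UFW kernel log line into a dict.

    key=value tokens become dict entries; bare tokens (DF, SYN, RST, ...)
    are collected in the 'flags' set. Returns None for non-UFW lines.
    """
    m = UFW_MARKER.search(line)
    if m is None:
        return None
    rec = {"action": m.group(1), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry LEN twice (IP header, then UDP header);
            # keep the first occurrence, i.e. the IP total length.
            rec.setdefault(key, value)
        else:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Heuristic label (this example's own, not a UFW concept).

    rst-backscatter: a TCP segment with RST set and SYN clear, sent from a
        privileged service port (< 1024). That is the shape Solution 1
        discusses: a remote service resetting traffic it never expected.
    inbound-syn: a plain SYN, i.e. somebody trying to open a connection.
    """
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"] & TCP_FLAGS
    spt = int(rec.get("SPT", "0"))
    if "RST" in flags and "SYN" not in flags and spt < 1024:
        return "rst-backscatter"
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"
    return "other-tcp"


def summarize(text):
    """Count blocked packets per (SRC, SPT, label) over a whole log dump."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        counts[(rec.get("SRC"), rec.get("SPT"), classify(rec))] += 1
    return counts


if __name__ == "__main__":
    # Usage: dmesg | python3 ufw_summary.py   (falls back to the sample data)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (src, spt, label), n in summarize(data).most_common():
        print(f"{n:6d}  {label:16s}  SRC={src} SPT={spt}")
```

A source that dominates the table with the "rst-backscatter" label, as 35.162.106.154 does here, is sending you resets for traffic you did not originate, which matches Solution 1's backscatter reading; a source full of "inbound-syn" entries is probing you directly. Either way the firewall is already dropping the packets, so the remaining question is only whether the volume is worth a log-rate limit.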