# Be attacked? How to verify? What to do?

## pd1986

Here is the thing, 

When I connected to my box, there was more than 200K/s download flux found in the conky window. But I did nothing at that time, and I got nothing from iftop.

Then I disconnected immediately, and connected to an open wifi spot. No such flux was found. When I reconnected to my box, such flux returned. Then I restarted the system, and this flux disappeared.

This happens sometimes. 

So, was it an attack? If so, what should I do when it happens next time? If not, where is this flux from? How to find it?

Thanks.

----------

## Logicien

I would check if I have a public IP and default route addresses. Some ISPs don't give some and can have something to do with that in their local network.

I would then try the tcpdump utility to find the IP and domain name addresses of the packets sent and received. So you can know what's going on in and out. Your Gentoo can try to establish connections to the outside world.

I would check the kernel and log messages. Some kernel sysctl options activate martian packets log. If it reports some martian packets, I would start to be paranoid. Do you have a firewall?

----------

## pd1986

 *Logicien wrote:*   

> I would check if I have a public IP and default route addresses. Some ISPs don't give some and can have something to do with that in their local network.
> 
> I would then try the tcpdump utility to find the IP and domain name addresses of the packets sent and received. So you can know what's going on in and out. Your Gentoo can try to establish connections to the outside world.
> 
> I would check the kernel and log messages. Some kernel sysctl options activate martian packets log. If it reports some martian packets, I would start to be paranoid. Do you have a firewall?

 

Thanks

No, I didn't set up a firewall. It's just a home network. I don't think it is necessary. I guess that it would be someone who wanted to crack my wifi password.

----------

## pd1986

 *Logicien wrote:*   

> I would check if I have a public IP and default route addresses. Some ISPs don't give some and can have something to do with that in their local network.
> 
> I would then try the tcpdump utility to find the IP and domain name addresses of the packets sent and received. So you can know what's going on in and out. Your Gentoo can try to establish connections to the outside world.
> 
> I would check the kernel and log messages. Some kernel sysctl options activate martian packets log. If it reports some martian packets, I would start to be paranoid. Do you have a firewall?

 

tcpdump would be very useful.

----------
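The tcpdump check suggested in this thread, as an added example that is not part of any original post: a shell function that totals inbound payload bytes per remote host from `tcpdump -nn -q -t` output, so an unexplained download can be traced to its source address. The function names, the interface `wlan0`, the address `192.168.1.10` and the sample lines are assumptions constructed for illustration; only IPv4 lines are counted.

```shell
#!/bin/sh
# Added example. Live use (as root; interface and address are assumptions):
#   tcpdump -i wlan0 -nn -q -t -l -c 2000 | top_talkers 192.168.1.10
# Martian logging mentioned above can be enabled with:
#   sysctl -w net.ipv4.conf.all.log_martians=1

# top_talkers LOCAL_IP: read "tcpdump -nn -q -t" lines on stdin and print
# "bytes source" for traffic addressed to LOCAL_IP, largest sender first.
top_talkers() {
    awk -v me="$1" '
        # Strip the trailing ":" and the port from "a.b.c.d.port:".
        # ICMP endpoints carry no port and are returned unchanged.
        function host(ep,   n, p) {
            sub(/:$/, "", ep)
            n = split(ep, p, ".")
            return (n >= 5) ? p[1] "." p[2] "." p[3] "." p[4] : ep
        }
        # With -q the last field is the payload length for TCP, UDP and ICMP.
        $1 == "IP" && $3 == ">" && $NF ~ /^[0-9]+$/ {
            if (host($4) == me) bytes[host($2)] += $NF
        }
        END { for (h in bytes) print bytes[h], h }
    ' | sort -rn
}

# Constructed sample in the format printed by "tcpdump -nn -q -t".
sample_capture() {
cat <<'EOF'
IP 203.0.113.7.443 > 192.168.1.10.51234: tcp 1448
IP 203.0.113.7.443 > 192.168.1.10.51234: tcp 1448
IP 192.168.1.10.51234 > 203.0.113.7.443: tcp 0
IP 192.168.1.1.53 > 192.168.1.10.40000: UDP, length 120
IP 198.51.100.9 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
IP 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 45
EOF
}

sample_capture | top_talkers 192.168.1.10
```

If the list stays empty while the traffic meter still shows a download, the capture is probably on a different interface than the one the meter watches.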

