From firewall log
4/20/06 3:14:07 PM Connection request 128.32.18.151 TCP(1091)
4/20/06 3:13:07 PM Connection request 128.32.18.151 TCP(1091)
4/20/06 3:12:07 PM Connection request 128.32.18.151 TCP(1091)

Reverse DNS for 128.32.18.151
Answer:
128.32.18.151 PTR record: kosh.SSL.Berkeley.EDU. [TTL 86400s] [A=128.32.18.151]

Why is kosh trying to initiate a connection to my system? Kosh only does transitioner and splitter jobs. My computer did not make a request for more work , did not report work, did not make any contact what so ever at that time. As you can see from the message log.

Message Log
4/20/06 2:53:31 PM|Einstein@Home|Resuming computation for result z1_1387.0__2285_S4R2a_2 using albert version 437
4/20/06 4:02:31 PM||Rescheduling CPU: application exited
4/20/06 4:02:31 PM|Einstein@Home|Computation for result z1_1387.0__2285_S4R2a_2 finished
4/20/06 4:02:32 PM|uFluids|Starting result upbend_jon_110_5_0.52_0_0_0_0_1 using evolver version 402
4/20/06 4:02:35 PM|Einstein@Home|Started upload of z1_1387.0__2285_S4R2a_2_0
4/20/06 4:02:41 PM|Einstein@Home|Finished upload of z1_1387.0__2285_S4R2a_2_0
4/20/06 4:02:41 PM|Einstein@Home|Throughput 83166 bytes/sec
4/20/06 4:02:46 PM|Einstein@Home|Sending scheduler request to http://einstein.phys.uwm.edu/EinsteinAtHome_cgi/cgi
4/20/06 4:02:46 PM|Einstein@Home|Reason: To report results
4/20/06 4:02:46 PM|Einstein@Home|Reporting 1 results
4/20/06 4:02:51 PM|Einstein@Home|Scheduler request to http://einstein.phys.uwm.edu/EinsteinAtHome_cgi/cgi succeeded
4/20/06 4:18:44 PM|uFluids|Sending scheduler request to http://www.ufluids.net/ufluids_cgi/cgi
4/20/06 4:18:44 PM|uFluids|Reason: To fetch work
4/20/06 4:18:44 PM|uFluids|Requesting 4347 seconds of new work
4/20/06 4:18:54 PM|uFluids|Scheduler request to http://www.ufluids.net/ufluids_cgi/cgi succeeded
4/20/06 4:18:57 PM|uFluids|Started download of bubble4a_15_1_82_-1.08_15000_0.0001_-0.5.fe
4/20/06 4:19:01 PM|uFluids|Finished download of bubble4a_15_1_82_-1.08_15000_0.0001_-0.5.fe
4/20/06 4:19:01 PM|uFluids|Throughput 32663 bytes/sec
4/20/06 4:19:02 PM||Rescheduling CPU: files downloaded
4/20/06 4:19:02 PM|uFluids|Pausing result upbend_jon_110_5_0.52_0_0_0_0_1 (removed from memory)
4/20/06 4:19:02 PM|Einstein@Home|Starting result z1_1387.0__2284_S4R2a_1 using albert version 437

My curiosity made me ask :)

---

98SE XP2500+ @ 2.1 GHz Boinc v5.8.8

And God said"Let there be light."But then the program crashed because he was trying to access the 'light' property of a NULL universe pointer.

I don't know what it is Steve, but you prompted me to check my logs and I find:

2006/04/18 11:35:14 140.142.20.103:80 (boinc.bakerlab.org) 192.168.2.4:3649 Port 3649 (TCP)
2006/04/18 11:33:40 140.142.20.103:80 (boinc.bakerlab.org) 192.168.2.4:3649 Port 3649 (TCP)
2006/04/12 18:08:12 140.142.20.103:80 (boinc.bakerlab.org) 192.168.2.4:2503 NMS-DPNSS
2006/04/12 18:06:38 140.142.20.103:80 (boinc.bakerlab.org) 192.168.2.4:2503 NMS-DPNSS
2006/04/10 17:27:26 128.32.18.189:80 (isaac.SSL.Berkeley.EDU) 192.168.2.4:3562 Port 3562 (TCP)
2006/04/02 08:45:33 128.32.18.152:80 (klaatu.SSL.Berkeley.EDU) 192.168.2.4:3197 Port 3197 (TCP)
2006/03/29 22:25:22 128.32.18.189:80 (isaac.SSL.Berkeley.EDU) 192.168.2.4:2756 simplement-tie
2006/03/17 19:23:57 128.32.18.152:80 (klaatu.SSL.Berkeley.EDU) 192.168.2.4:1933 Port 1933 (TCP)
2006/03/17 07:37:13 128.32.18.189:80 (isaac.SSL.Berkeley.EDU) 192.168.2.4:3848 Port 3848 (TCP)
2006/03/16 18:51:14 128.32.18.151:80 (kosh.SSL.Berkeley.EDU) 192.168.2.4:2487 Policy Notice Service

Why is kosh trying to initiate a connection to my system?

hmm, that is strange, i could understand from the scheduler or file server(s), but not a backend system (although they're on the net too)

but alas without further data/info (like a network capture) it's very hard to tell

---

Want to search the BOINC Wiki, BOINCstats, or various BOINC forums from within firefox? Try the BOINC related Firefox Search Engines

Why is kosh trying to initiate a connection to my system? Kosh only does transitioner and splitter jobs.

Kosh also shares webserver-duties with klaatu, see technical news 06.12.2005, so likely you checked the forums or your stats or something.

Kosh also shares webserver-duties with klaatu, see technical news 06.12.2005, so likely you checked the forums or your stats or something.

that'll be why then :)

---

Want to search the BOINC Wiki, BOINCstats, or various BOINC forums from within firefox? Try the BOINC related Firefox Search Engines

Interesting, but not sure that is it. My firewall logged it as an attack because I did not initiate the contact.
Using the info you provided I tried to make it happen again by checking my stats and using the forums but it did not happen again.
So it is still a mystery.
:)

---

98SE XP2500+ @ 2.1 GHz Boinc v5.8.8

And God said"Let there be light."But then the program crashed because he was trying to access the 'light' property of a NULL universe pointer.

Interesting, but not sure that is it. My firewall logged it as an attack because I did not initiate the contact.
Using the info you provided I tried to make it happen again by checking my stats and using the forums but it did not happen again.
So it is still a mystery.
:)

There could be some other process running on koth (doing web statistics, perhaps) that tries to connect back to the source for some reason.

One of my servers was doing that here -- of course we "fixed" it.

... and most small firewalls assume that connecting out is okay, and inbound connections are attacks.

You shouldn't take the "attack" too seriously, the firewall did what it was supposed to do.

---

Interesting, but not sure that is it. My firewall logged it as an attack because I did not initiate the contact.
Using the info you provided I tried to make it happen again by checking my stats and using the forums but it did not happen again.
So it is still a mystery.
:)

There could be some other process running on koth (doing web statistics, perhaps) that tries to connect back to the source for some reason.

One of my servers was doing that here -- of course we "fixed" it.

... and most small firewalls assume that connecting out is okay, and inbound connections are attacks.

You shouldn't take the "attack" too seriously, the firewall did what it was supposed to do.

Thanx Ned, that sounds more likely.
Oh my kosh(pun intended), I was never concerned about it. I brought it up more to point out that kosh is spending its time on something other than its duties. It does not need to waste time trying to contact host computers that are not going to answer back.
:)

---

98SE XP2500+ @ 2.1 GHz Boinc v5.8.8

And God said"Let there be light."But then the program crashed because he was trying to access the 'light' property of a NULL universe pointer.

Hum...

Four other "firewalls" have detected kosh making unexpected requests, starting 3/28/2006 and to a range of different ports. This link is slow to come up but is a summary log of these "reported attacks".

DShield 128.032.018.151 kosh at 202 hits.

And it is not just Kosh.

Klaatu has been doing it also! Starting the same day.

DShield 128.032.018.152 Klaatu at 259 hits.

But Galileo has been the real bad boy.

DShield 128.032.018.173 galileo at 2497 hits.

Going back through three years of my log information, I find that seven of these reported "attacks" were from my router over the past four months. From these reports, DShield shows that Galileo was first logged making this kind of "attack" on 10/27/2005.

From this, there is no way to tell what is going on. Could be some random network probes using spoofed IP address. Or more likely, there could be a problem with the Berkeley systems getting confused and making responses back to systems long after that connection has timed out. That is something the Berkeley staff should look into as it suggests a problem with their servers.

From the front page,

October 26, 2005
Version 5.2 of the BOINC client software has been released. It lets you attach to projects, and log in to their web sites, using email address and password, instead of account key. Users have not chosen a password may do so here.

this was the release date of the first major V5 version to the public. V5 uses libcurl.

Interesting, but not sure that is it. My firewall logged it as an attack because I did not initiate the contact.
Using the info you provided I tried to make it happen again by checking my stats and using the forums but it did not happen again.
So it is still a mystery.
:)

this sounds like your firewall is too aggressive in deciding when connections are closed (or if they are closed at all)

say you visit the seti site for something, and some content is slow to be generated/sent
your firewall may think that the communication is done, but kosh may still think the connection is open, and try to send the "slow" data a bit later than expected, this is most likely what you're seeeing, the firewall blocking this "delayed" transmition


when you tried it again later, you may have been visiting a different page, and so the "slow" content wasn't a problem at that time, so you didn't encounter the late data the second time

---

Want to search the BOINC Wiki, BOINCstats, or various BOINC forums from within firefox? Try the BOINC related Firefox Search Engines

I'm not sure if you guys have done this to death already but I have to say I am VERY surprised that UCB should be connecting out to any of us. Cannot see why that would happening at all. What service is expected to be on the ports its trying on? Sounds completely dodgy to me. Think about the dial up user. How would they expect to connect to them? How would they expect to connect reliably to a dynamic ip address? Well they cannot which is why I think it dodgy/

I am going to change my firewall to log and drop any connection requests. I use iptables so it does not show up like domestic systems show it.

If anyone finds out why do let us know!

---

What service is expected to be on the ports its trying on?

from the IANA Port Numbers list:

ff-sm 1091/tcp FF System Management
ff-sm 1091/udp FF System Management

---

Want to search the BOINC Wiki, BOINCstats, or various BOINC forums from within firefox? Try the BOINC related Firefox Search Engines

What service is expected to be on the ports its trying on?

from the IANA Port Numbers list:

ff-sm 1091/tcp FF System Management
ff-sm 1091/udp FF System Management

Lee are you sure these are current?

I see:

xqosd 31416/tcp XQoS network monitor
xqosd 31416/udp XQoS network monitor
# Joe Elliott <joe@inetd.com> June 2002

does this mean boinc is using Joe Elliott's port?

What service is expected to be on the ports its trying on?

from the IANA Port Numbers list:

ff-sm 1091/tcp FF System Management
ff-sm 1091/udp FF System Management

Lee are you sure these are current?

I see:

xqosd 31416/tcp XQoS network monitor
xqosd 31416/udp XQoS network monitor
# Joe Elliott <joe@inetd.com> June 2002

does this mean boinc is using Joe Elliott's port?

Tony hi there
Are you saying UCB are connecting to you on 31416? Thats the boinc remote connection port I think. But why would they connect to you on that? Why would they connect out at all? Does not make sense.

---

Ian, all I'm saying is I see Joe is assigned that port and boinc is using it. It may just be for "loopback" purposes and such. Boinc was assigned 1043, but MS uses it, so boinc had to change.

Ian, all I'm saying is I see Joe is assigned that port and boinc is using it. It may just be for "loopback" purposes and such. Boinc was assigned 1043, but MS uses it, so boinc had to change.

OK but folks are seeing inbound connection requests. There's no loopback in that Tony. Its suspicious I feel.

---

Ian, all I'm saying is I see Joe is assigned that port and boinc is using it. It may just be for "loopback" purposes and such. Boinc was assigned 1043, but MS uses it, so boinc had to change.

OK but folks are seeing inbound connection requests. There's no loopback in that Tony. Its suspicious I feel.

OK Ian, here's the long drawn out boring train of thought.

hmmm, a link to IANA, I've not seen this before. Thinks to self "I've heard and passed on that boinc was assigned 1043, but MS used it on some software, but do I really know this as a fact?". Tony looks and sees that David A is assigned 1043. good. Now while I'm here, I'll look at 31416 and see. Then I see it's NOT assigned to boinc but to someone else. so I ask you smart people about it.

MS looked less favorable to me since they were using 1043 when they shouldn't have, now the question "is boinc violating some rule by using it?"

Tony

Do you use BoincView? by chance to monitor machines?

Pappa

Ian, all I'm saying is I see Joe is assigned that port and boinc is using it. It may just be for "loopback" purposes and such. Boinc was assigned 1043, but MS uses it, so boinc had to change.

OK but folks are seeing inbound connection requests. There's no loopback in that Tony. Its suspicious I feel.

OK Ian, here's the long drawn out boring train of thought.

hmmm, a link to IANA, I've not seen this before. Thinks to self "I've heard and passed on that boinc was assigned 1043, but MS used it on some software, but do I really know this as a fact?". Tony looks and sees that David A is assigned 1043. good. Now while I'm here, I'll look at 31416 and see. Then I see it's NOT assigned to boinc but to someone else. so I ask you smart people about it.

MS looked less favorable to me since they were using 1043 when they shouldn't have, now the question "is boinc violating some rule by using it?"

---

Please consider a Donation to the Seti Project.

Ian, all I'm saying is I see Joe is assigned that port and boinc is using it. It may just be for "loopback" purposes and such. Boinc was assigned 1043, but MS uses it, so boinc had to change.

OK but folks are seeing inbound connection requests. There's no loopback in that Tony. Its suspicious I feel.

OK Ian, here's the long drawn out boring train of thought.

hmmm, a link to IANA, I've not seen this before. Thinks to self "I've heard and passed on that boinc was assigned 1043, but MS used it on some software, but do I really know this as a fact?". Tony looks and sees that David A is assigned 1043. good. Now while I'm here, I'll look at 31416 and see. Then I see it's NOT assigned to boinc but to someone else. so I ask you smart people about it.

MS looked less favorable to me since they were using 1043 when they shouldn't have, now the question "is boinc violating some rule by using it?"

Tony
No probs mate. Sorry if I rattled you a little there...not intended at all.
I think 31416 is in a range of less control than 1043. MS does as they damn well please and couldn't give two &^*% about IANA tbh. The truth is anyone can use any port they want and no one can do anything about it. So we see all kinds of crap on all kinds of ports and we just have to grin and bear it.

But he issue raised here is very different.
Regards
Ian

---