Security Incidents mailing list archives
Re: Strange TCP RSTs
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 1 Feb 2001 10:51:46 +1300
On Tue, 30 Jan 2001 18:25:35 -0800 Crist Clark <crist.clark () GLOBALSTAR COM> wrote:
I see a lot of these,

Jan 30 06:46:40 205.188.144.231:80 -> aaa.bbb.cc0.164:1884 UNKNOWN 1****R** RESERVEDBITS
Jan 30 07:09:29 207.200.89.40:80 -> aaa.bbb.cc3.223:2756 UNKNOWN 1****R** RESERVEDBITS
Jan 30 07:14:33 207.200.89.225:80 -> aaa.bbb.cc3.223:2770 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:34:47 205.188.144.232:80 -> aaa.bbb.cc1.62:1057 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:36:21 205.188.144.231:80 -> aaa.bbb.cc2.17:50150 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:41:37 205.188.144.231:80 -> aaa.bbb.cc2.17:50184 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:09:16 205.188.144.231:80 -> aaa.bbb.cc3.99:1354 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:15:15 205.188.144.232:80 -> aaa.bbb.cc2.84:37740 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:17:14 207.200.89.225:80 -> aaa.bbb.cc1.206:1437 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:26:50 205.188.144.231:80 -> aaa.bbb.cc3.99:1369 UNKNOWN 1****R** RESERVEDBITS
Jan 30 12:43:24 207.200.89.40:80 -> aaa.bbb.cc0.88:4357 UNKNOWN 1****R** RESERVEDBITS
Jan 30 12:46:58 205.188.144.231:80 -> aaa.bbb.cc2.84:37818 UNKNOWN 1****R** RESERVEDBITS
Jan 30 12:57:30 205.188.144.232:80 -> aaa.bbb.cc3.99:1644 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:10:04 205.188.144.232:80 -> aaa.bbb.cc3.99:1671 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:14:45 205.188.144.232:80 -> aaa.bbb.cc2.17:50915 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:17:00 205.188.144.231:80 -> aaa.bbb.cc2.84:37867 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:18:56 205.188.144.241:80 -> aaa.bbb.cc4.25:1051 UNKNOWN 1****R** RESERVEDBITS
Jan 30 14:39:46 207.200.89.40:80 -> aaa.bbb.cc3.223:3304 UNKNOWN 1****R** RESERVEDBITS
Jan 30 15:45:33 205.188.144.232:80 -> aaa.bbb.cc2.84:37910 UNKNOWN 1****R** RESERVEDBITS
Jan 30 15:51:54 205.188.144.231:80 -> aaa.bbb.cc4.240:2321 UNKNOWN 1****R** RESERVEDBITS
Jan 30 16:15:35 205.188.144.232:80 -> aaa.bbb.cc2.84:37921 UNKNOWN 1****R** RESERVEDBITS
Jan 30 16:30:37 205.188.144.232:80 -> aaa.bbb.cc4.240:2351 UNKNOWN 1****R** RESERVEDBITS
Jan 30 16:45:37 205.188.144.232:80 -> aaa.bbb.cc2.84:37960 UNKNOWN 1****R** RESERVEDBITS
Jan 30 17:15:38 205.188.144.232:80 -> aaa.bbb.cc2.84:37982 UNKNOWN 1****R** RESERVEDBITS
Jan 30 17:45:38 205.188.144.231:80 -> aaa.bbb.cc2.84:37997 UNKNOWN 1****R** RESERVEDBITS
I see this sort of crap all the time from a number of large sites (including Hotmail). I believe that this is some sort of fallout from the load balancing systems. These RSTs are from the server farm behind the load balancer and represent real responses to sessions initiated on your network. That is why the source port is 80.

I run argus, which logs all traffic, and this is what I see on close examination:

time T                    localIP:hiportnum -> www.bigname.com:80   - normal session
time T+(up to 5 minutes)  otherIP:80 -> localIP:hiportnum           - RST

When you do a whois on otherIP you find it belongs to bigname.com. Often there will be a cluster of IPs in the same subnet exhibiting this behaviour.

I have had to configure my scan detection software to either ignore certain 'noisy' addresses or to ignore RSTs with low source port numbers.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
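The triage rule Russell describes (treat a low-source-port RST as load-balancer fallout only when the reset client port had just opened a session to a host in the same block, and keep alerting on the rest), as an added example that is not part of the original post. It assumes records in the Snort line layout quoted above, constructed 10.0.0.0/8 client addresses in place of the anonymised ones, and a "same /24" heuristic standing in for the whois lookup.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=5)          # the "up to 5 minutes" lag in the post
FLAG_CHARS = set("12UAPRSF*")          # Snort's 8-position TCP flag string

def parse(line):
    """Parse 'Mon DD HH:MM:SS src:port -> dst:port ... FLAGS ...' records."""
    mon, day, clock, src, _, dst, *rest = line.split()
    flags = next(t for t in rest if len(t) == 8 and set(t) <= FLAG_CHARS)
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S"),
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "flags": flags}

def classify_rsts(lines):
    """Label each low-source-port RST as load-balancer fallout or unexplained.

    An RST is fallout when, within WINDOW before it, the reset client port
    opened a session to the same server port on some host in the resetter's /24
    (heuristic stand-in for "whois says it belongs to bigname.com").
    """
    recs = [parse(l) for l in lines]
    opens = [r for r in recs if "S" in r["flags"] and "R" not in r["flags"]]
    verdicts = {}
    for r in recs:
        if "R" not in r["flags"] or r["sport"] >= 1024:
            continue                    # only the pattern the thread describes
        farm = ip_network(f"{r['src']}/24", strict=False)
        explained = any(
            s["src"] == r["dst"] and s["sport"] == r["dport"]
            and s["dport"] == r["sport"] and ip_address(s["dst"]) in farm
            and timedelta(0) <= r["ts"] - s["ts"] <= WINDOW
            for s in opens)
        key = f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}"
        verdicts[key] = "load-balancer fallout" if explained else "unexplained"
    return verdicts

# Constructed sample records (10.0.0.0/8 stands in for the anonymised local net).
SAMPLE = [
    "Jan 30 06:42:10 10.0.0.164:1884 -> 205.188.144.230:80 ******S*",
    "Jan 30 06:46:40 205.188.144.231:80 -> 10.0.0.164:1884 UNKNOWN 1****R** RESERVEDBITS",
    "Jan 30 07:09:29 207.200.89.40:80 -> 10.0.3.223:2756 UNKNOWN 1****R** RESERVEDBITS",
    "Jan 30 10:20:00 10.0.1.62:1057 -> 205.188.144.230:80 ******S*",
    "Jan 30 10:34:47 205.188.144.232:80 -> 10.0.1.62:1057 UNKNOWN 1****R** RESERVEDBITS",
]

if __name__ == "__main__":
    for flow, verdict in classify_rsts(SAMPLE).items():
        print(f"{flow:45} {verdict}")
```

The second and third RSTs stay "unexplained": one has no preceding session from that client port at all, the other's session is outside the five-minute window.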
Current thread:
- Strange TCP RSTs Crist Clark (Jan 30)
- Re: Strange TCP RSTs Russell Fulton (Jan 31)
- Re: Strange TCP RSTs Crist Clark (Jan 31)
- Re: Strange TCP RSTs Russell Fulton (Jan 31)