Security Incidents mailing list archives

Re: Strange TCP RSTs


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 1 Feb 2001 10:51:46 +1300

On Tue, 30 Jan 2001 18:25:35 -0800 Crist Clark
<crist.clark () GLOBALSTAR COM> wrote:

I see a lot of these,

  Jan 30 06:46:40 205.188.144.231:80 -> aaa.bbb.cc0.164:1884 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 07:09:29 207.200.89.40:80 -> aaa.bbb.cc3.223:2756 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 07:14:33 207.200.89.225:80 -> aaa.bbb.cc3.223:2770 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 10:34:47 205.188.144.232:80 -> aaa.bbb.cc1.62:1057 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 10:36:21 205.188.144.231:80 -> aaa.bbb.cc2.17:50150 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 10:41:37 205.188.144.231:80 -> aaa.bbb.cc2.17:50184 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:09:16 205.188.144.231:80 -> aaa.bbb.cc3.99:1354 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:15:15 205.188.144.232:80 -> aaa.bbb.cc2.84:37740 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:17:14 207.200.89.225:80 -> aaa.bbb.cc1.206:1437 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:26:50 205.188.144.231:80 -> aaa.bbb.cc3.99:1369 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 12:43:24 207.200.89.40:80 -> aaa.bbb.cc0.88:4357 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 12:46:58 205.188.144.231:80 -> aaa.bbb.cc2.84:37818 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 12:57:30 205.188.144.232:80 -> aaa.bbb.cc3.99:1644 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:10:04 205.188.144.232:80 -> aaa.bbb.cc3.99:1671 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:14:45 205.188.144.232:80 -> aaa.bbb.cc2.17:50915 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:17:00 205.188.144.231:80 -> aaa.bbb.cc2.84:37867 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:18:56 205.188.144.241:80 -> aaa.bbb.cc4.25:1051 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 14:39:46 207.200.89.40:80 -> aaa.bbb.cc3.223:3304 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 15:45:33 205.188.144.232:80 -> aaa.bbb.cc2.84:37910 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 15:51:54 205.188.144.231:80 -> aaa.bbb.cc4.240:2321 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 16:15:35 205.188.144.232:80 -> aaa.bbb.cc2.84:37921 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 16:30:37 205.188.144.232:80 -> aaa.bbb.cc4.240:2351 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 16:45:37 205.188.144.232:80 -> aaa.bbb.cc2.84:37960 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 17:15:38 205.188.144.232:80 -> aaa.bbb.cc2.84:37982 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 17:45:38 205.188.144.231:80 -> aaa.bbb.cc2.84:37997 UNKNOWN 1****R** RESERVEDBITS


I see this sort of crap all the time from a number of large sites
(including Hotmail).  I believe that this is some sort of fallout from
the load balancing systems.  These RSTs are from the server farm behind
the load balancer and represent real responses to sessions initiated on
your network.  That is why the source port is 80.  I run argus which
logs all traffic, and this is what I see on close examination:

time T  localIP:hiportnum -> www.bigname.com:80  - normal session
time T+(up to 5 minutes) otherIP:80 -> localIP:hiportnum  - RST

When you do a whois on otherIP you find it belongs to bigname.com.
Often there will be a cluster of IPs in the same subnet exhibiting
this behaviour.

I have had to configure my scan detection software to either ignore
certain 'noisy' addresses or to ignore RST with low source port numbers.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
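The correlation Russell describes (an RST from port 80 arriving up to five minutes after a local session to a neighbouring address of the same site) can be automated rather than solved by ignoring low source ports outright. The script below is an added example and is not part of the thread or of argus or snort; the log formats are simplified versions of the portscan lines quoted above and of an argus-style flow record, the year 2001 is assumed because syslog timestamps carry none, the "same /24" test stands in for the whois step, and all addresses and timestamps are constructed.

```python
"""Triage stray TCP RSTs from port 80 against earlier outbound web sessions.

Added example, not code from the original post. Input formats approximate
the snort portscan log quoted in the thread and a one-line-per-flow argus
record; every address and timestamp below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

YEAR = 2001                      # assumed: syslog-style stamps have no year
WINDOW = timedelta(minutes=5)    # "T + (up to 5 minutes)" from the post

# "Mon DD HH:MM:SS src:sport -> dst:dport [PROTO FLAGS ...]"; the flags
# field (snort's 12UAPRSF layout, e.g. 1****R**) is optional so the same
# parser reads the flow records, which carry no flags.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<proto>\S+) (?P<flags>\S{8}))?"
)

# Constructed RST alerts in the quoted format (remote side uses RFC 5737 ranges).
RSTS = """\
Jan 30 06:46:40 203.0.113.231:80 -> 10.1.0.164:1884 UNKNOWN 1****R** RESERVEDBITS
Jan 30 07:09:29 198.51.100.40:80 -> 10.1.3.223:2756 UNKNOWN 1****R** RESERVEDBITS
Jan 30 07:14:33 192.0.2.77:80 -> 10.1.3.223:2770 UNKNOWN 1****R** RESERVEDBITS
Jan 30 09:00:00 198.51.100.9:80 -> 10.1.0.5:1025 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:36:21 203.0.113.99:80 -> 10.1.2.17:50150 UNKNOWN 1****R** RESERVEDBITS
"""

# Constructed flow records: local client -> web server, session start time.
SESSIONS = """\
Jan 30 06:44:10 10.1.0.164:1884 -> 203.0.113.57:80
Jan 30 07:05:02 10.1.3.223:2756 -> 198.51.100.12:80
Jan 30 07:11:30 10.1.3.223:2770 -> 203.0.113.8:80
Jan 30 10:00:00 10.1.2.17:50150 -> 203.0.113.100:80
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def index_sessions(text):
    """Map (local_ip, local_port) -> [(start_time, remote_ip), ...]."""
    idx = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            idx.setdefault((rec["src"], rec["sport"]), []).append((rec["ts"], rec["dst"]))
    return idx


def classify(rst, sessions, window=WINDOW, prefix=24):
    """Label an RST by whether a recent local session explains it.

    'lb-fallout'   : a session to the same /prefix started within the window
    'other-subnet' : a session exists in the window but the RST came from elsewhere
    'unsolicited'  : nothing on the local (ip, port) in the window (or no session at all)
    """
    verdict = "unsolicited"
    for start, remote in sessions.get((rst["dst"], rst["dport"]), []):
        age = rst["ts"] - start
        if not (timedelta(0) <= age <= window):
            continue                     # stale or future session: not an explanation
        if ip_address(rst["src"]) in ip_network(f"{remote}/{prefix}", strict=False):
            return "lb-fallout"
        verdict = "other-subnet"
    return verdict


def should_alert(rst, noisy=(), ignore_low_src_ports=True):
    """The blunt suppression the post describes: drop known-noisy sources and
    RSTs whose source port is below 1024. It also hides a scanner that spoofs
    port 80 as its source, which is why classify() is the better first filter."""
    if any(ip_address(rst["src"]) in ip_network(n) for n in noisy):
        return False
    return not (ignore_low_src_ports and rst["sport"] < 1024)


def triage(rst_text, session_text):
    """Return (src, dst, dport, verdict) for every RST line in rst_text."""
    sessions = index_sessions(session_text)
    out = []
    for line in rst_text.splitlines():
        rec = parse_line(line)
        if rec and "R" in (rec["flags"] or ""):
            out.append((rec["src"], rec["dst"], rec["dport"], classify(rec, sessions)))
    return out


if __name__ == "__main__":
    for src, dst, dport, verdict in triage(RSTS, SESSIONS):
        print(f"{src}:80 -> {dst}:{dport}  {verdict}")
```

Only the "unsolicited" and "other-subnet" verdicts need a human look; the first is what a real scan or spoofed backscatter looks like, the second is the case where whois on the RST source should be checked against the site the local host actually contacted.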
