Security Incidents mailing list archives
Re: Advice sought
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 27 Feb 2001 09:26:23 +1300
On Mon, 26 Feb 2001 14:52:43 -0000 Mike Alexander <mike.alexander () MAIL MORAY GOV UK> wrote:
Dear all,

I've noticed in our firewall logs a number of entries that are getting dropped. These seem to be occurring every couple of minutes, and are to a couple of our addresses only. The IP of this device is 63.238.98.16, and it is always trying port 3967. I did a 'tcpdump' on the firewall, with the result as follows (our host is x.x.x.24):

---
14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > x.x.x.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl 238, id 22199)
---

Can anyone tell me what's going on here? From what I can see, it's trying to poll one or two of our machines, but I've no idea why.
My guess is that this is a belated FIN. We see these all the time from some sites. You have a normal web (or whatever) session which terminates and then (up to an hour later) the server spits out a FIN packet. By this time your FW will have forgotten all about the original session and just drop the packet. Note that the *source* port is http.

I believe that this happens with some load balancing systems where the front and back ends get out of sync. In some cases I have seen such packets coming from IP addresses that are close (in the same /24) to the original server.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
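The pattern Russell describes (a bare FIN/ACK with zero payload, source port http, destination a high ephemeral port, repeating every couple of minutes) is easy to pick out of a tcpdump capture mechanically. The following is an added example, not code from the original thread or from either poster: it parses old-style tcpdump output lines like the one Mike quoted, classifies each packet, and counts repeats per (source, destination, port) so a stale server-side FIN can be told apart from an inbound connection attempt. The service-name table, the second (repeated) FIN line and the SYN line from 192.0.2.77 are constructed for the demonstration; only the first log line comes from the post.

```python
import re
from collections import Counter

# Constructed subset of the service names tcpdump prints for well-known ports.
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22, "domain": 53}

# Matches the tcpdump 3.x line layout quoted in the post:
# <ts> <smac> <dmac> ip <len>: <src>.<sport> > <dst>.<dport>: <flags> [seq:seqend(dlen)] [ack N] win W [(DF)] (ttl T, id I)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) ip (?P<len>\d+): "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<seqend>\d+)\((?P<dlen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?P<df> \(DF\))? \(ttl (?P<ttl>\d+), id (?P<id>\d+)\)$"
)

# Constructed sample: line 1 is the packet from the post, line 2 a constructed repeat
# two minutes later (the "every couple of minutes" behaviour), line 3 a constructed
# inbound SYN from a documentation-range address for contrast.
SAMPLE_LOG = """\
14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > x.x.x.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl 238, id 22199)
14:34:31.102004 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > x.x.x.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl 238, id 22811)
14:35:02.557310 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 192.0.2.77.4411 > x.x.x.24.http: S 1182733409:1182733409(0) win 8192 (DF) (ttl 112, id 901)
"""


def port_number(token):
    """Turn a numeric or tcpdump-resolved port token into an integer."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError("unknown service name: %s" % token)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"],
        "src": g["src"], "sport": port_number(g["sport"]),
        "dst": g["dst"], "dport": port_number(g["dport"]),
        "flags": g["flags"],
        "dlen": int(g["dlen"]) if g["dlen"] is not None else 0,
        "ack": int(g["ack"]) if g["ack"] is not None else None,
        "ttl": int(g["ttl"]),
    }


def classify(pkt):
    """Label a packet using the heuristics from the thread.

    A zero-length FIN carrying an ACK, sent from a privileged service port to an
    ephemeral port, is what a server emits when it belatedly tears down an old
    session; a SYN without an ACK is a fresh inbound connection attempt.
    """
    flags = pkt["flags"]
    if "S" in flags and pkt["ack"] is None:
        return "syn_new_connection"
    if "R" in flags:
        return "reset"
    server_side = pkt["sport"] < 1024 and pkt["dport"] >= 1024
    if "F" in flags and pkt["ack"] is not None and pkt["dlen"] == 0 and server_side:
        return "stale_fin"
    return "other"


def summarize(log_text):
    """Count packets per (src, dst, dport, verdict) so repeats stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        counts[(pkt["src"], pkt["dst"], pkt["dport"], classify(pkt))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        src, dst, dport, verdict = key
        print("%-14s -> %s:%-5d %-18s x%d" % (src, dst, dport, verdict, n))
```

Run against a real capture, a high count of `stale_fin` for one source/destination pair with identical sequence and ack numbers is the retransmitted-FIN signature Russell describes: the remote side keeps retrying its half-close because the firewall silently drops it instead of answering with a RST. The same summary would show a scan as many distinct destination ports under `syn_new_connection` instead.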