Security Incidents mailing list archives

Re: Advice sought


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 27 Feb 2001 09:26:23 +1300

On Mon, 26 Feb 2001 14:52:43 -0000 Mike Alexander
<mike.alexander () MAIL MORAY GOV UK> wrote:

> Dear all,
>
> I've noticed in our firewall logs a number of entries that are getting
> dropped.  These seem to be occurring every couple of minutes, and are to a
> couple of our addresses only.
>
> The IP of this device is 63.238.98.16, and it is always trying port 3967.  I
> did a 'tcpdump' on the firewall, with the result as follows (our host is
> x.x.x.24):
>
> ---
> 14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http >
> x.x.x.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl
> 238, id 22199)
> ---
>
> Can anyone tell me what's going on here?  From what I can see, it's trying
> to poll one or two of our machines, but I've no idea why.

My guess is that this is a belated FIN.  We see these all the time from
some sites.  You have a normal web (or whatever) session which
terminates and then (up to an hour later) the server spits out a FIN
packet.  By this time your FW will have forgotten all about the
original session and just drops the packet.  Note that the *source* port
is http. I believe that this happens with some load balancing systems
where the front and back ends get out of sync.  In some cases I have
seen such packets coming from IP addresses that are close (in the same
/24) to the original server.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
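As an added illustration (not part of Russell's reply or of Mike's post), the belated-FIN pattern can be picked out when replaying a capture through a minimal firewall state table: a FIN whose *source* port is a service port and whose session has already aged out of the table. The regex, the idle timeout and the first three sample lines are constructed for this example; the last sample line is the packet quoted above.

```python
import re
# tcpdump 3.x line format as quoted above; the link-layer prefix (from -e) is optional.  Regex is constructed here.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:[0-9a-f:]+\s+[0-9a-f:]+\s+ip\s+\d+:\s+)?"   # two MACs and 'ip <len>:' when run with -e
    r"(?P<src>[\w.]+?)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>[\w.]+?)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP.]+)"                            # tcpdump 3.x TCP flag letters
)
SERVICE_PORTS = {"http", "80", "https", "443"}   # source ports that identify a server-side reply
IDLE_TIMEOUT = 3600   # assumed firewall state lifetime (seconds); the reply says "up to an hour later"
def parse(line):
    m = TCPDUMP_RE.match(line)
    return m.groupdict() if m else None

def classify_capture(lines, idle_timeout=IDLE_TIMEOUT):
    sessions = {}   # (client, cport, server, sport) -> time of last packet seen
    labels = []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        now = sum(float(x) * w for x, w in zip(pkt["ts"].split(":"), (3600, 60, 1)))
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        key = fwd if fwd in sessions else rev if rev in sessions else None
        if key is not None and now - sessions[key] > idle_timeout:
            del sessions[key]          # the firewall has forgotten this session
            key = None
        if key is not None:
            sessions[key] = now
            label = "in-session"
        elif "S" in pkt["flags"]:
            sessions[fwd] = now        # a SYN opens a new state entry
            label = "new-session"
        elif "F" in pkt["flags"] and pkt["sport"] in SERVICE_PORTS:
            label = "belated-fin"      # FIN from a service port with no state left: the pattern in the reply
        else:
            label = "stateless-drop"
        labels.append((pkt["ts"], label))
    return labels
# Constructed sample: a short web session at 13:30, then the stray FIN quoted above about an hour later.
SAMPLE = [
    "13:30:01.000000 x.x.x.24.3967 > 63.238.98.16.http: S 100:100(0) win 8760 (DF)",
    "13:30:01.120000 63.238.98.16.http > x.x.x.24.3967: S 500:500(0) ack 101 win 17520 (DF)",
    "13:30:02.000000 x.x.x.24.3967 > 63.238.98.16.http: F 200:200(0) ack 600 win 8760 (DF)",
    "14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > "
    "x.x.x.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl 238, id 22199)",
]
```

Running `classify_capture(SAMPLE)` labels the first three packets as part of a tracked session and the final one as `belated-fin`; with a longer idle timeout the same FIN is simply `in-session`.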
