Security Incidents mailing list archives
Re: Advice sought
From: John Lampe <j_lampe () BELLSOUTH NET>
Date: Tue, 27 Feb 2001 12:04:56 -0000
What are the chances that several computers on a network all made connections to the same external IP, using the same src port? Does the firewall NAT outgoing connections with src port = 3967? If so, what is the firewall? :-) Is there anything else within the IP packet which is "static"... i.e. IP ID, Seq number, ACK number....

John Lampe
http://f00dikator.penguinpowered.com/

----- Original Message -----
From: "Russell Fulton" <r.fulton () AUCKLAND AC NZ>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, February 26, 2001 8:26 PM
Subject: Re: Advice sought
On Mon, 26 Feb 2001 14:52:43 -0000 Mike Alexander <mike.alexander () MAIL MORAY GOV UK> wrote:

Dear all,

I've noticed in our firewall logs a number of entries that are getting dropped. These seem to be occurring every couple of minutes, and are to a couple of our addresses only. The IP of this device is 63.238.98.16, and it is always trying port 3967. I did a 'tcpdump' on the firewall, with the result as follows (our host is x.x.x.24):

---
14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > x.x.x.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl 238, id 22199)
---

Can anyone tell me what's going on here? From what I can see, it's trying to poll one or two of our machines, but I've no idea why.

My guess is that this is a belated FIN. We see these all the time from some sites. You have a normal web (or whatever) session which terminates and then (up to an hour later) the server spits out a FIN packet. By this time your FW will have forgotten all about the original session and just drop the packet. Note that the *source* port is http. I believe that this happens with some load balancing systems where the front and back ends get out of sync. In some cases I have seen such packets coming from IP addresses that are close (in the same /24) to the original server.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
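An added example, not from any poster in this thread, that applies the two checks discussed above to dropped-packet lines in the tcpdump format Mike quoted: it flags FIN-only packets from a server port to an ephemeral port as belated-FIN candidates (Russell's explanation) and lists internal hosts that the same external address hits on the same port (John's NAT question). The line format, the 10.0.0.x stand-ins for x.x.x.x and the 198.51.100.7 contrast line are assumptions and constructed sample data.

```python
import re
from collections import defaultdict

# Shape of the tcpdump summary line quoted in the thread (assumption: one packet per
# line, "<time> <srcmac> <dstmac> ip <len>: <src>.<sport> > <dst>.<dport>: <flags> ...").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ \S+ ip \d+: "
    r"(?P<src>[\w.]+)\.(?P<sport>\w+) > (?P<dst>[\w.]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRPU.]+) ")
SERVICE_PORTS = {"http": 80, "https": 443}  # tcpdump prints names for well-known ports

def parse_line(line):
    """Return one packet as a dict, or None if the line is not a TCP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport"):
        v = pkt[key]
        pkt[key] = SERVICE_PORTS[v] if v in SERVICE_PORTS else int(v)
    return pkt

def classify(pkt):
    """Label a dropped packet the way the thread reasons about it."""
    if "S" in pkt["flags"]:
        return "new connection attempt"          # a real client or a probe
    if "F" in pkt["flags"] and pkt["sport"] < 1024 <= pkt["dport"]:
        return "belated FIN from a server port"  # stale session the firewall has forgotten
    return "other stateless packet"

def hosts_sharing_port(pkts):
    """Internal hosts hit on the same port by the same source (John Lampe's question)."""
    hosts = defaultdict(set)
    for p in pkts:
        hosts[(p["src"], p["dport"])].add(p["dst"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) > 1}

# Constructed sample capture in the thread's format; 10.0.0.x stands in for x.x.x.x and
# the final SYN line from 198.51.100.7 is a made-up contrast case.
SAMPLE = """\
14:32:30.441991 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > 10.0.0.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl 238, id 22199)
14:33:02.002100 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > 10.0.0.25.3967: F 3311220099:3311220099(0) ack 1200340056 win 17520 (DF) (ttl 238, id 22210)
14:34:31.102334 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 63.238.98.16.http > 10.0.0.24.3967: F 4005189898:4005189898(0) ack 2941449939 win 17520 (DF) (ttl 238, id 22200)
14:35:10.500000 0:c0:5:3:19:59 0:c0:95:e0:9c:b4 ip 60: 198.51.100.7.44120 > 10.0.0.24.3967: S 55667788:55667788(0) win 5840 (ttl 52, id 1)
"""
PACKETS = [p for p in map(parse_line, SAMPLE.splitlines()) if p]
```

If several internal hosts show up under one (source, port) key, as 10.0.0.24 and 10.0.0.25 do here, the firewall's outgoing NAT or the load balancer behind the external address is the next thing to look at.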