Security Incidents mailing list archives

Re: weird sequence in packet filter log


From: "George Bakos" <alpinista () bigfoot com>
Date: Wed, 25 Jul 2001 15:15:20 +0300

The pattern you are seeing is indicative of a broken NATing firewall 
on the part of a content provider.  Established web sessions are not 
closing cleanly, leaving the server continually trying to talk to the 
client.  Unfortunately, the NAT table entry has been torn down, and 
the original RFC1918 source address punches through.  If you 
have complete packet logs, you'll see that they come at the end of 
a valid http session.
As for the ICMP unreachables, your machines respond to the 
broken packets with RSTs and your upstream provider is doing the 
good work by not routing those silly return RSTs from your boxen 
back to non-routeable addresses.  Your border router should have 
similar filtering in place, but obviously doesn't.....yet.  ;-)
Funny, one of the sites that is notorious for this kind of behaviour is 
anonymizer.com.
Anyone care to tell us what firewall breaks like this?


On 25 Jul 2001, at 16:12, Tobias Diedrich wrote:

Hi,

I just noticed an interesting sequence of events in my packet filter
log. My system is running linux-2.4.7 with iptables. iptables is
configured so that incoming packets are rejected except for ping
(limited), http, ssh and RELATED, ESTABLISHED connections.

The pattern in this log file:

First a packet from 172.16.46.71 or 10.10.1.101 with SPT=80 and
DPT=4724 (172.16.46.71) or DPT=47965 (10.10.1.101).
Flags differ (ACK SYN or only ACK for 172.16.46.71, ACK PSH for
10.10.1.101). After that an ICMP destination unreachable packet from
62.155.254.18.

None of these hosts seems to have a reverse dns mapping.
whois shows that 62.155.254.18 belongs to the address space of my
internet provider. The other IPs (172.16.46.71 and 10.10.1.101)
belong to network blocks reserved for private networks (which should
not be routed over the internet).

Very weird.
Any clues ?

Here is the log (Times are GMT +0200):
<snip>

George Bakos - Senior Security Expert
Dartmouth College - ISTS
gbakos () ists dartmouth edu
http://www.ists.dartmouth.edu
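The pattern George describes (a leaked RFC1918 source address with SPT=80 arriving from the outside, answered by an RST from the local host, which the upstream router then bounces back as an ICMP destination unreachable) is easy to pick out of iptables LOG output automatically. The following detector is an added example and is not code from either poster. The log lines are constructed to resemble the thread (the poster's own host address is the placeholder 192.0.2.10, the ICMP code value is made up, and the interface name and timestamps are invented); the function names `parse_line`, `find_nat_leaks` and `summarize` are this example's own. It flags every inbound TCP packet whose source is in an RFC1918 block and, for each, looks a few seconds ahead for an ICMP type 3 whose quoted inner header is our reply to that private address.

```python
"""Spot leaked-private-source packets and the ICMP unreachables that follow
them in iptables LOG output.  Added example, not part of the original post."""
import ipaddress
import re
from datetime import datetime, timedelta

# RFC1918 blocks only; ipaddress's is_private is broader than that.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")       # KEY=value tokens
INNER_RE = re.compile(r"\[(.*?)\]")             # quoted header inside ICMP errors
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")
TCP_FLAGS = ("SYN", "ACK", "PSH", "RST", "FIN", "URG")

# Constructed sample, modelled on the thread: 192.0.2.10 stands in for the
# poster's host, CODE=1 and the interface/timestamps are invented.
LOG_LINES = [
    "Jul 25 14:02:11 gw kernel: IN=ppp0 OUT= SRC=172.16.46.71 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=8760 RES=0x00 ACK SYN URGP=0",
    "Jul 25 14:02:11 gw kernel: IN=ppp0 OUT= SRC=62.155.254.18 DST=192.0.2.10 LEN=72 TOS=0x00 PREC=0xC0 TTL=253 ID=45 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.10 DST=172.16.46.71 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=4724 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 ] ",
    "Jul 25 14:03:40 gw kernel: IN=ppp0 OUT= SRC=10.10.1.101 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=7 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=17520 RES=0x00 ACK PSH URGP=0",
    "Jul 25 14:03:40 gw kernel: IN=ppp0 OUT= SRC=62.155.254.18 DST=192.0.2.10 LEN=72 TOS=0x00 PREC=0xC0 TTL=253 ID=46 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.10 DST=10.10.1.101 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=47965 DPT=80 WINDOW=0 RES=0x00 RST URGP=0 ] ",
    # Ordinary inbound SYN from a routable address: must not be flagged.
    "Jul 25 14:05:00 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=9 DF PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def is_rfc1918(ip):
    """True if ip lies in one of the three RFC1918 private blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def parse_line(line, year=2001):
    """Parse one iptables LOG line into a dict of its fields, or None if
    the line is not a LOG line.  A quoted inner header (ICMP errors) is
    parsed separately into rec['inner']."""
    m = TS_RE.match(line)
    if not m or "IN=" not in line:
        return None
    body, inner = line, None
    im = INNER_RE.search(line)
    if im:
        inner = dict(FIELD_RE.findall(im.group(1)))
        body = line[:im.start()]
    rec = dict(FIELD_RE.findall(body))
    rec["ts"] = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    rec["flags"] = [tok for tok in body.split() if tok in TCP_FLAGS]
    rec["inner"] = inner
    return rec


def find_nat_leaks(lines, window=timedelta(seconds=5)):
    """One finding per inbound TCP packet with an RFC1918 source, recording
    whether an ICMP type 3 quoting our reply to that address followed it."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    findings = []
    for i, r in enumerate(recs):
        if r.get("PROTO") != "TCP" or not is_rfc1918(r.get("SRC", "")):
            continue
        icmp_from = None
        for later in recs[i + 1:]:
            if later["ts"] - r["ts"] > window:
                break
            inner = later.get("inner") or {}
            if (later.get("PROTO") == "ICMP" and later.get("TYPE") == "3"
                    and inner.get("DST") == r["SRC"]
                    and inner.get("DPT") == r["SPT"]):
                icmp_from = later["SRC"]
                break
        findings.append({
            "ts": r["ts"].isoformat(), "leaked_src": r["SRC"],
            "spt": r["SPT"], "dpt": r["DPT"], "flags": r["flags"],
            "icmp_unreachable_from": icmp_from,
        })
    return findings


def summarize(findings):
    """Render findings as one report line each."""
    out = []
    for f in findings:
        tail = (f"; upstream {f['icmp_unreachable_from']} bounced our RST"
                if f["icmp_unreachable_from"] else "")
        out.append(f"{f['ts']} private src {f['leaked_src']}:{f['spt']} -> "
                   f"port {f['dpt']} [{' '.join(f['flags'])}]{tail}")
    return out


if __name__ == "__main__":
    for line in summarize(find_nat_leaks(LOG_LINES)):
        print(line)
```

The correlation key is the quoted inner header of the ICMP error (inner DST and DPT must match the leaked packet's SRC and SPT), which is what distinguishes this from an unrelated unreachable; the window is deliberately short because the RST and the upstream's ICMP follow the leaked packet within the same second in the thread's description. A bogon drop rule on the border router, as George suggests, would make the first line of each pair disappear and the ICMP with it.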

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
