Re: weird sequence in packet filter log

From: George Bakos (alpinistaat_private)
Date: Wed Jul 25 2001 - 05:15:20 PDT

Next message: Greg A. Woods: "Re: Tracking SirCam"

Previous message: Jordan K Wiens: "Re: IIS Directory traversal vulnerability"
In reply to: Tobias Diedrich: "weird sequence in packet filter log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The pattern you are seeing is indicative of a broken NATing firewall 
on the part of a content provider.  Established web sessions are not 
closing cleanly, leaving the server continually trying to talk to the 
client.  Unfortunately, the NAT table entry has been torn down, and 
the original RFC1918 source address punches through.  If you 
have complete packet logs, you'll see that they come at the end of 
a valid http session.
As for the ICMP unreachables, your machines respond to the 
broken packets with RSTs and your upstream provider is doing the 
good work by not routing those silly return RSTs from your boxen 
back to non-routeable addresses.  Your border router should have 
similar filtering in place, but obviously doesn't.....yet.  ;-)
Funny, one of the sites that is notorious for this kind of behaviour is 
anonymizer.com.
Anyone care to tell us what firewall breaks like this?

On 25 Jul 2001, at 16:12, Tobias Diedrich wrote:

> Hi,
> 
> I just noticed a interesting sequence of events in my packet filter
> log. My system is running linux-2.4.7 with iptables. iptables is
> configured so that incoming packets are rejected except for ping
> (limited), http, ssh and RELATED, ESTABLISHED connections.
> 
> The pattern in this log file:
> 
> First a packet from 172.16.46.71 or 10.10.1.101 with SPT=80 and
> DPT=4724 (172.16.46.71) or DPT=47965 (10.10.1.101).
> Flags differ (ACK SYN or only ACK for 172.16.46.71, ACK PSH for
> 10.10.1.101). After that a icmp destination unreachable packet from
> 62.155.254.18.
> 
> None of these hosts seems to have a reverse dns mapping.
> whois shows that 62.155.254.18 belongs to the address space of my
> internet provider. The other ip's (172.16.46.71 and 10.10.1.101)
> belong to network blocks reserved for private networks (which should
> not be routed over the internet)
> 
> Very weird.
> Any clues ?
> 
> Here is the log (Times are GMT +0200):
<snip>

George Bakos - Senior Security Expert
Dartmouth College - ISTS
gbakosat_private
http://www.ists.dartmouth.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Greg A. Woods: "Re: Tracking SirCam"
Previous message: Jordan K Wiens: "Re: IIS Directory traversal vulnerability"
In reply to: Tobias Diedrich: "weird sequence in packet filter log"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 14:25:55 PDT