Re: weird sequence in packet filter log

From: George Bakos (alpinistaat_private)
Date: Wed Jul 25 2001 - 05:15:20 PDT

    The pattern you are seeing is indicative of a broken NATing firewall 
    on the part of a content provider.  Established web sessions are not 
    closing cleanly, leaving the server continually trying to talk to the 
    client.  Unfortunately, the NAT table entry has been torn down, and 
    the original RFC1918 source address punches through.  If you 
    have complete packet logs, you'll see that they come at the end of 
    a valid http session.
    As for the ICMP unreachables, your machines respond to the 
    broken packets with RSTs and your upstream provider is doing the 
    good work by not routing those silly return RSTs from your boxen 
    back to non-routable addresses.  Your border router should have 
    similar filtering in place, but obviously doesn't.....yet.  ;-)
    Funny, one of the sites that is notorious for this kind of behaviour is 
    anonymizer.com.
    Anyone care to tell us what firewall breaks like this?
    
    
    On 25 Jul 2001, at 16:12, Tobias Diedrich wrote:
    
    > Hi,
    > 
    > I just noticed an interesting sequence of events in my packet filter
    > log. My system is running linux-2.4.7 with iptables. iptables is
    > configured so that incoming packets are rejected except for ping
    > (limited), http, ssh and RELATED, ESTABLISHED connections.
    > 
    > The pattern in this log file:
    > 
    > First a packet from 172.16.46.71 or 10.10.1.101 with SPT=80 and
    > DPT=4724 (172.16.46.71) or DPT=47965 (10.10.1.101).
    > Flags differ (ACK SYN or only ACK for 172.16.46.71, ACK PSH for
    > 10.10.1.101). After that an ICMP destination unreachable packet from
    > 62.155.254.18.
    > 
    > None of these hosts seems to have a reverse dns mapping.
    > whois shows that 62.155.254.18 belongs to the address space of my
    > internet provider. The other IPs (172.16.46.71 and 10.10.1.101)
    > belong to network blocks reserved for private networks (which should
    > not be routed over the internet).
    > 
    > Very weird.
    > Any clues?
    > 
    > Here is the log (Times are GMT +0200):
    <snip>
    
    George Bakos - Senior Security Expert
    Dartmouth College - ISTS
    gbakosat_private
    http://www.ists.dartmouth.edu
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
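Added here as an illustration, not code from either poster: a small Python classifier that applies Bakos's explanation to iptables LOG lines, flagging RFC 1918 sources that arrive on the outside interface (with the SPT=80 plus ACK signature of a stale web session) and ICMP unreachables that quote one of our replies to such an address. The sample lines, the interface name ppp0, the ICMP code and the host's own address 192.0.2.10 are constructed, since the original log was snipped.

```python
import ipaddress
import re
# RFC 1918 blocks, which should never appear as a source on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")
INNER_RE = re.compile(r"\[(SRC=[^\]]*)\]")  # ICMP error lines quote the offending packet in brackets
# Constructed sample lines in iptables LOG format (the poster's own log was snipped); the
# addresses and ports are the ones quoted in the thread, every other value is made up.
SAMPLE_LOG = """\
Jul 25 16:01:02 gw kernel: IN=ppp0 OUT= SRC=172.16.46.71 DST=192.0.2.10 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=4724 WINDOW=8760 RES=0x00 ACK SYN URGP=0
Jul 25 16:01:03 gw kernel: IN=ppp0 OUT= SRC=62.155.254.18 DST=192.0.2.10 LEN=68 TTL=250 ID=1 PROTO=ICMP TYPE=3 CODE=13 [SRC=192.0.2.10 DST=172.16.46.71 LEN=40 PROTO=TCP SPT=4724 DPT=80 ]
Jul 25 16:02:10 gw kernel: IN=ppp0 OUT= SRC=10.10.1.101 DST=192.0.2.10 LEN=1500 TTL=48 ID=7 DF PROTO=TCP SPT=80 DPT=47965 WINDOW=8760 RES=0x00 ACK PSH URGP=0
Jul 25 16:03:00 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def _fields(chunk):
    # key=value tokens become a dict; bare ACK/SYN/... tokens become the flag set
    return dict(KV_RE.findall(chunk)), {tok for tok in chunk.split() if tok in TCP_FLAGS}

def parse_line(line):
    # Outer header fields, plus the quoted inner packet for ICMP errors (empty otherwise).
    m = INNER_RE.search(line)
    kv, flags = _fields(line[:m.start()] if m else line)
    return {"kv": kv, "flags": flags, "inner": _fields(m.group(1))[0] if m else {}}

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def classify(rec, ext_if="ppp0"):
    # Label the two symptoms from the thread; None for unremarkable packets. ext_if is assumed.
    kv, flags, inner = rec["kv"], rec["flags"], rec["inner"]
    src = kv.get("SRC")
    if kv.get("IN") != ext_if or not src:
        return None
    if is_rfc1918(src):
        # Private source on the outside interface: the provider's NAT entry is gone and the real
        # address leaks through. Server port plus ACK marks the tail of an old session, not a new one.
        if kv.get("PROTO") == "TCP" and kv.get("SPT") == "80" and "ACK" in flags:
            return "rfc1918-leak: stale segment from a finished web session"
        return "rfc1918-leak: private source address on external interface"
    if kv.get("PROTO") == "ICMP" and kv.get("TYPE") == "3" and is_rfc1918(inner.get("DST", "0.0.0.0")):
        # Destination unreachable quoting our own reply (the RST we sent back): the upstream
        # refused to forward it towards the unroutable address.
        return "upstream-filtered: reply to %s dropped by %s" % (inner["DST"], src)
    return None

def scan(text, ext_if="ppp0"):
    recs = [parse_line(l) for l in text.splitlines() if "IN=" in l]
    return [(r["kv"]["SRC"], classify(r, ext_if)) for r in recs if classify(r, ext_if)]
```

Running `scan(SAMPLE_LOG)` labels the two private-source segments and the upstream's unreachable, and leaves the ordinary SYN to port 22 alone.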
    