The pattern you are seeing is indicative of a broken NATing firewall on the part of a content provider. Established web sessions are not closing cleanly, leaving the server continually trying to talk to the client. Unfortunately, the NAT table entry has been torn down, and the original RFC1918 source address punches through. If you have complete packet logs, you'll see that they come at the end of a valid http session.

As for the ICMP unreachables, your machines respond to the broken packets with RSTs and your upstream provider is doing the good work by not routing those silly return RSTs from your boxen back to non-routeable addresses. Your border router should have similar filtering in place, but obviously doesn't.....yet. ;-)

Funny, one of the sites that is notorious for this kind of behaviour is anonymizer.com. Anyone care to tell us what firewall breaks like this?

On 25 Jul 2001, at 16:12, Tobias Diedrich wrote:

> Hi,
>
> I just noticed an interesting sequence of events in my packet filter
> log. My system is running linux-2.4.7 with iptables. iptables is
> configured so that incoming packets are rejected except for ping
> (limited), http, ssh and RELATED, ESTABLISHED connections.
>
> The pattern in this log file:
>
> First a packet from 172.16.46.71 or 10.10.1.101 with SPT=80 and
> DPT=4724 (172.16.46.71) or DPT=47965 (10.10.1.101).
> Flags differ (ACK SYN or only ACK for 172.16.46.71, ACK PSH for
> 10.10.1.101). After that an ICMP destination unreachable packet from
> 62.155.254.18.
>
> None of these hosts seem to have a reverse DNS mapping.
> whois shows that 62.155.254.18 belongs to the address space of my
> internet provider. The other IPs (172.16.46.71 and 10.10.1.101)
> belong to network blocks reserved for private networks (which should
> not be routed over the internet).
>
> Very weird.
> Any clues?
>
> Here is the log (Times are GMT +0200):
> <snip>

George Bakos - Senior Security Expert
Dartmouth College - ISTS
gbakosat_private
http://www.ists.dartmouth.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
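An added example, not code from either poster: a small parser for iptables LOG lines that flags the sequence described in the thread, RFC1918 sources arriving on the external interface (the bogon traffic a border filter should drop) and the provider's ICMP unreachables that quote our own RSTs to those addresses. The sample lines are constructed to match the described pattern since the real log was snipped; the external interface name ppp0, the host address 192.0.2.10, the ICMP code and the timestamps are assumptions.

```python
import ipaddress
import re

# Constructed iptables LOG lines modelled on the pattern in the post (the real log
# was snipped). 192.0.2.10 stands in for the filtering host; ICMP code is made up.
SAMPLE_LOG = """\
Jul 25 16:02:11 gw kernel: IN=ppp0 OUT= SRC=172.16.46.71 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=4724 ACK SYN URGP=0
Jul 25 16:02:11 gw kernel: IN=ppp0 OUT= SRC=62.155.254.18 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=13 [SRC=192.0.2.10 DST=172.16.46.71 PROTO=TCP SPT=4724 DPT=80 RST URGP=0 ]
Jul 25 16:05:40 gw kernel: IN=ppp0 OUT= SRC=10.10.1.101 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=47965 ACK PSH URGP=0
Jul 25 16:05:40 gw kernel: IN=ppp0 OUT= SRC=62.155.254.18 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=13 [SRC=192.0.2.10 DST=10.10.1.101 PROTO=TCP SPT=47965 DPT=80 RST URGP=0 ]
Jul 25 16:07:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "RST", "FIN", "URG"}
# The RFC1918 blocks a border filter should never accept from the outside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_line(line):
    """Split a LOG line into KEY=VALUE fields, bare TCP flags and, for ICMP errors, the quoted inner header."""
    head, _, inner = line.partition("[")
    rec = dict(FIELD.findall(head))
    rec["FLAGS"] = {tok for tok in head.split() if tok in TCP_FLAGS}
    rec["INNER"] = dict(FIELD.findall(inner)) if inner else {}
    return rec

def analyse(log_text, external_if="ppp0"):
    """Return (source, finding) pairs for packets seen on the external interface."""
    findings, leaked = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("IN") != external_if:
            continue
        if rec.get("PROTO") == "TCP" and is_rfc1918(rec["SRC"]):
            leaked.add(rec["SRC"])
            # ACK set with a well-known source port: a server's mid-session
            # segment that escaped after its NAT entry was torn down.
            kind = "leaked-server-reply" if "ACK" in rec["FLAGS"] and int(rec["SPT"]) < 1024 else "bogon-source"
            findings.append((rec["SRC"], kind))
        elif rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "3":
            # Unreachable whose quoted packet was our RST to a leaked address:
            # the upstream refused to route it into private space.
            kind = "rst-dropped-upstream" if rec["INNER"].get("DST") in leaked else "icmp-unreachable"
            findings.append((rec["SRC"], kind))
    return findings
```

The ordinary inbound SYN from 198.51.100.7 produces no finding, which is the point of matching on the RFC1918 blocks rather than on "anything unexpected".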
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 14:25:55 PDT