Re: 33270:trinity connection form port 80 to local machine on port

From: Russell Fulton (r.fultonat_private)
Date: Wed Oct 31 2001 - 12:12:28 PST


    On 31 Oct 2001 16:11:43 +0800 Bradley Filmer 
    <bfilmerat_private> wrote:
    
    > I am curious as to what this might be, I am seeing hits in my iptables
    > logs after visiting certain websites.. mainly 
    > 
    > Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number"
    > SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46
    > ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN
    > URGP=0
    > This is netbsd.org
    > 
    
    Well, if it was not the same destination port every time I would guess 
    that this is some broken load balancing system sending out RSTs or FINs 
    after the session has actually finished.
    
    I see this sort of thing a lot in my argus logs: first a normal web 
    session then, up to five minutes later 1 or more RSTs or FINs from the 
    web server, source port 80 and destination is the original source port.
    
    So far as I have been able to figure, this behaviour is caused by load 
    balancing systems losing track of some sessions and not realising that 
    they have finished and timing them out by trying to close them again.
    
    I have also seen the same thing but with the source IP being closely 
    related (but not the same) as the original.  In this case I am pretty 
    sure that we are seeing traffic from the real web server rather than the
    load balancer.
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
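As an added example (not part of the original thread), here is a small Python triage script that parses iptables LOG-target lines like the one quoted above and applies the heuristic from the reply: a late SYN/ACK, RST or FIN from port 80 that always targets the one port of the original session looks like a load balancer straggler, while the same source port hitting many destination ports deserves a closer look. The sample log lines are constructed: the destination 192.0.2.10 and the second source 198.51.100.7 are made up.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|TTL)=(\S+)")  # LOG-target key=value pairs
FLAG_RE = re.compile(r"\b(SYN|ACK|RST|FIN|PSH|URG)\b")  # \b keeps URGP=0 from matching URG

# Constructed sample log. The first line mirrors the one quoted in the thread (DST is
# made up); 198.51.100.7 is an invented second source whose packets hit several ports.
MAC = "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00"
SAMPLE_LOG = [
    f"Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= {MAC} SRC=64.28.67.70 DST=192.0.2.10 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=16970 DF PROTO=TCP SPT=80 DPT=33270 "
    "WINDOW=15180 RES=0x00 ACK SYN URGP=0",
    f"Oct 29 09:31:02 stealth kernel: IN=eth0 OUT= {MAC} SRC=64.28.67.70 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=0 RES=0x00 RST URGP=0",
    f"Oct 29 09:40:00 stealth kernel: IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=80 DPT=1025 WINDOW=1024 RES=0x00 ACK URGP=0",
    f"Oct 29 09:40:00 stealth kernel: IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=80 DPT=1026 WINDOW=0 RES=0x00 RST URGP=0",
    f"Oct 29 09:40:01 stealth kernel: IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=80 DPT=1027 WINDOW=0 RES=0x00 RST URGP=0",
]

def parse_iptables_line(line):
    """Parse one TCP LOG line into a dict; anything else (non-TCP, not a LOG line) -> None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(3)))
    if fields.get("PROTO") != "TCP":
        return None
    return {"ts": m.group(1), "src": fields["SRC"], "dst": fields["DST"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
            "flags": frozenset(FLAG_RE.findall(m.group(3)))}

def is_late_server_packet(pkt):
    """Service port (<1024) -> ephemeral port with SYN+ACK, RST or FIN: a session closed late."""
    return bool(pkt["spt"] < 1024 and pkt["dpt"] >= 1024
                and (pkt["flags"] >= {"SYN", "ACK"} or pkt["flags"] & {"RST", "FIN"}))

def triage(lines):
    """Per source: one destination port fits the straggler pattern, many ports do not."""
    seen = defaultdict(lambda: {"dpts": set(), "count": 0})
    for pkt in filter(None, map(parse_iptables_line, lines)):
        if is_late_server_packet(pkt):
            seen[pkt["src"]]["dpts"].add(pkt["dpt"])
            seen[pkt["src"]]["count"] += 1
    return {src: ("session straggler" if len(v["dpts"]) == 1 else "multiple ports, investigate",
                  v["count"]) for src, v in seen.items()}
```

A plain ACK from port 80 (the third sample line) is deliberately not counted, since on its own it carries no teardown signal; to confirm the straggler reading, match the flagged DPT against the client port of the web session that preceded it in your argus or connection-tracking logs.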
    



    This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 12:33:12 PST