Re: Weird TCP flags?


 



On Saturday 13 December 2003 2:00 pm, Akos Szalkai wrote:

> > Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0
> > SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> > ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN
> > URGP=0
>
> I have also been seeing this kind of log on our web server, and this is
> my explanation.  Probably it is an incoming HTTP connection (i.e. SYN
> packet) from a spoofed source address (204.157.6.223 in this case).
> Your web server sends a SYN-ACK response, which the firewall in front of
> 204.157.6.223 silently drops (since it never saw the first packet of the
> connection).

If the firewall never saw the first packet, how did it get to the web server?

It doesn't matter whether the source IP is spoofed or not; the only way for a 
packet to get to the web server should be through the firewall, and both will 
see the same source address. Neither knows whether it's genuine or not.

Antony.

-- 
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi

                                                     Please reply to the list;
                                                           please don't CC me.
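Antony's point is that the firewall sees the same SYN the web server does, so a dropped SYN-ACK can be checked against the SYN it answers. The script below is an added example, not code from the thread: it parses lines in the iptables LOG target format and, for every SYN-ACK, reports whether a matching SYN (reversed address/port tuple) was logged earlier. The first sample line is the one quoted above; the other two are constructed here and assume the firewall also logs new inbound SYNs with a "NEW" prefix, which is not something the thread states.

```python
import re

# Constructed sample in the iptables LOG target format. Line 1 is the line quoted in
# the thread; lines 2 and 3 are made up here to exercise the SYN/SYN-ACK correlation.
SAMPLE_LOG = """\
Dec 11 22:58:52 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 SRC=192.168.254.242 DST=204.157.6.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56169 DF PROTO=TCP SPT=80 DPT=56319 WINDOW=32476 RES=0x00 ACK SYN URGP=0
Dec 11 22:59:01 lucy kernel: Fwd Internet->DMZ NEW: IN=ppp0 OUT=eth1 SRC=198.51.100.7 DST=192.168.254.242 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 22:59:02 lucy kernel: Fwd DMZ->Internet DROP: IN=eth1 OUT=ppp0 SRC=192.168.254.242 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56170 DF PROTO=TCP SPT=80 DPT=40001 WINDOW=32476 RES=0x00 ACK SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# syslog timestamp, host, "kernel:", the user-chosen --log-prefix, then the IN=... fields
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<prefix>.*?)\s*(?P<rest>IN=.*)$")

def parse_log_line(line):
    """Turn one LOG line into a dict: ts, prefix, KEY=VALUE fields and a 'flags' set."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "prefix": m.group("prefix").rstrip(":"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        elif tok in TCP_FLAGS:      # bare tokens such as ACK SYN; DF is not a TCP flag
            rec["flags"].add(tok)
    return rec

def has_flags(rec, wanted):
    """True when rec is a TCP packet carrying exactly the given set of flags."""
    return rec.get("PROTO") == "TCP" and rec["flags"] == wanted

def correlate(log_text):
    """For each logged SYN-ACK, return (ts, client_ip, server_port, verdict)."""
    syns_seen, results = {}, []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if has_flags(rec, {"SYN"}):
            # remember the handshake as (client ip, client port, server ip, server port)
            syns_seen[(rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])] = rec["ts"]
        elif has_flags(rec, {"SYN", "ACK"}):
            key = (rec["DST"], rec["DPT"], rec["SRC"], rec["SPT"])   # reverse the tuple
            seen = syns_seen.get(key)
            verdict = "SYN seen at %s" % seen if seen else "no matching SYN in log"
            results.append((rec["ts"], rec["DST"], rec["SPT"], verdict))
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

A SYN-ACK with no matching SYN in the firewall's own log is the case Antony is asking about: either the SYN was never logged, or it never passed through this box at all.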


