On Thu, 13 Jul 2006, Arno van Amersfoort wrote:
Just did some more investigation. Didn't test with tcpdump yet as this issue
is not reproducible easily :-S Anyway it turns out that the packets shown
have state "INVALID" (as opposed to ESTABLISHED or NEW). So somehow iptables
"thinks" they no longer belong to a connection (somehow)....
Or that there is some other issue with the packets, such as a bad header,
improper flags set, truncated packets, etc. This could be a sign as well
of a NIC flaking out or a bad cable or switch port. Or it could be a
malicious app spewing packets that do not fit the corresponding
connection's parameters.
Thanks,
Ron DuFresne
Arno van Amersfoort wrote:
Jozsef Kadlecsik wrote:
On Tue, 11 Jul 2006, Arno van Amersfoort wrote:
I think I already stumbled into this bug in the past, I recall that this
bug was in 2.6.14.
Anyway, I've tried to disable tcp_sack & tcp_dsack but no luck. I also
upgraded to 2.6.17.4 but this doesn't help either :-S I'm also getting
packets like this for "open ports" (with i.e. -p tcp --dport 22 --syn -j
ACCEPT) giving:
Jul 11 04:02:59 rulhm2 kernel: Stealth scan (PRIV)?: IN=eth0 OUT=
MAC=00:01:02:05:1d:25:00:01:03:d2:b8:75:08:00 SRC=132.229.96.110
DST=132.229.96.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34709 DF PROTO=TCP
SPT=39536 DPT=445 WINDOW=5840 RES=0x00 ACK FIN URGP=0
I don't understand how it is related to an open ssh port.
Sorry about that. It should (of course) be -p tcp --dport 445 --syn -j
ACCEPT . (I'm running Samba on this machine). But do note that this issue
doesn't specifically happen with Samba. I've also seen it happen with http
packets...
Any other suggestions?
Enable logging invalid packets via
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid then record by
tcpdump a whole TCP session which triggers the problem. Then send me the
capture file and the corresponding kernel log entries.
Ok. I will try to do this and let you know my findings.
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
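Jozsef's procedure above (log invalid packets, capture the whole TCP session with tcpdump, then line the capture up against the kernel log entries) needs the LOG lines in a structured form. The parser below is an added example and not code from this thread; it handles LOG-target lines in the fixed layout quoted above (the sample input is constructed: the first line is the entry from the thread re-joined onto one line, the second is a made-up SYN from the same peer), and `tcpdump_filter` is one assumed way to build the capture filter for the flow a logged segment belongs to.

```python
import re

# Constructed sample input: line 1 is the LOG entry quoted in the thread
# (re-joined onto one line); line 2 is a made-up SYN from the same peer.
SAMPLE_LOG = """\
Jul 11 04:02:59 rulhm2 kernel: Stealth scan (PRIV)?: IN=eth0 OUT= MAC=00:01:02:05:1d:25:00:01:03:d2:b8:75:08:00 SRC=132.229.96.110 DST=132.229.96.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34709 DF PROTO=TCP SPT=39536 DPT=445 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Jul 11 04:03:10 rulhm2 kernel: Stealth scan (PRIV)?: IN=eth0 OUT= MAC=00:01:02:05:1d:25:00:01:03:d2:b8:75:08:00 SRC=132.229.96.110 DST=132.229.96.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34710 DF PROTO=TCP SPT=39540 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
IP_FLAGS = {"DF", "MF", "CE"}
LOG_RE = re.compile(r"kernel:\s*(.*?)\s*(IN=.*)$")  # --log-prefix, then fields

def parse_log_line(line):
    """Split one LOG entry into KEY=value fields plus the bare flag words
    (DF, ACK, FIN, ...) that the LOG target prints without an '='.
    Returns None for kernel messages that are not LOG entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group(1), "TCP_FLAGS": set(), "IP_FLAGS": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # OUT= yields an empty value
            fields[key] = val
        elif tok in TCP_FLAGS:
            fields["TCP_FLAGS"].add(tok)
        elif tok in IP_FLAGS:
            fields["IP_FLAGS"].add(tok)
    return fields

def flow_key(fields):
    """4-tuple naming the TCP session a logged segment belongs to."""
    return (fields["SRC"], int(fields["SPT"]), fields["DST"], int(fields["DPT"]))

def segment_kind(fields):
    """Coarse label: handshake opener, teardown segment, or mid-stream."""
    flags = fields["TCP_FLAGS"]
    if "SYN" in flags:
        return "opener"
    return "teardown" if flags & {"FIN", "RST"} else "midstream"

def tcpdump_filter(fields):
    """BPF expression selecting the whole session of a logged segment, so the
    kernel log entry can be lined up against the packet capture (assumed approach)."""
    src, spt, dst, dpt = flow_key(fields)
    return f"tcp and host {src} and port {spt} and host {dst} and port {dpt}"
```

Feeding the filter to `tcpdump -w` on the affected interface records the full session for the flow that produced the log line, which is what the capture file Jozsef asks for should contain.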