On 2016-08-08 11:35, André Paulsberg-Csibi wrote:
In any case it would be helpful if you add some complete logfile
entries (10-20)
Okay, here are some examples:
Aug 4 14:39:59 binky kernel: [2609148.849905] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=109.170.163.174
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=117 ID=26474 DF
PROTO=TCP SPT=4886 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 4 14:40:10 binky kernel: [2609159.677601] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=109.170.163.174
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=117 ID=2554 DF
PROTO=TCP SPT=3381 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 4 14:40:16 binky kernel: [2609165.361891] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:2d:55:53:08:00 SRC=95.9.252.66
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=115 ID=31945 DF
PROTO=TCP SPT=58633 DPT=1433 WINDOW=65340 RES=0x00 ACK URGP=0
Aug 4 14:40:17 binky kernel: [2609166.281294] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=172.87.192.33
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=121 ID=24321 DF
PROTO=TCP SPT=5171 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 4 14:40:19 binky kernel: [2609168.447578] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=104.247.220.211
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=121 ID=3380 DF
PROTO=TCP SPT=5240 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 4 14:40:38 binky kernel: [2609187.895943] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=23.228.81.116
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=117 ID=22249 DF
PROTO=TCP SPT=1716 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 4 14:40:42 binky kernel: [2609192.177811] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:2d:55:53:08:00 SRC=58.96.177.123
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=232 ID=28264 DF
PROTO=TCP SPT=55416 DPT=1433 WINDOW=65392 RES=0x00 ACK URGP=0
Aug 4 14:40:47 binky kernel: [2609196.469551] iptables tarpit IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=172.87.192.33
DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=121 ID=29753 DF
PROTO=TCP SPT=5171 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Interestingly, the number of those log entries has decreased a lot
in the meantime. On the 6th of August there were only 3 instead of 4664
the day before:
Aug 6 04:26:17 binky kernel: [2745127.016759] iptables-geoip-cn IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=61.191.59.179
DST=109.75.188.214 LEN=40 TOS=0x04 PREC=0x00 TTL=113 ID=4715 DF
PROTO=TCP SPT=1144 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 6 04:26:17 binky kernel: [2745127.016816] iptables-geoip-cn IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=61.191.59.179
DST=109.75.188.214 LEN=40 TOS=0x04 PREC=0x00 TTL=113 ID=4716 DF
PROTO=TCP SPT=1144 DPT=1433 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Aug 6 04:26:26 binky kernel: [2745136.157327] iptables-geoip-cn IN=eth0
OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=61.191.59.179
DST=109.75.188.214 LEN=40 TOS=0x04 PREC=0x00 TTL=113 ID=14158 DF
PROTO=TCP SPT=1144 DPT=1433 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Yesterday there were none.
Olaf
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
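As an added example (not code from the thread or from the netfilter project), here is a small parser for kernel LOG lines of the shape quoted above, producing the per-day, per-prefix counts and per-source hit counts that the mail compares by hand. The sample input re-joins four of the quoted entries onto single lines, as the kernel actually writes them; the regex assumes the standard syslog "Mon day HH:MM:SS host kernel: [uptime] prefix IN=..." layout.

```python
import re
from collections import Counter

# Sample input constructed from entries quoted in the mail above (the list
# wraps them at 72 columns; the kernel writes each entry on one line).
SAMPLE_LOG = """\
Aug 4 14:39:59 binky kernel: [2609148.849905] iptables tarpit IN=eth0 OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=109.170.163.174 DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=117 ID=26474 DF PROTO=TCP SPT=4886 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 4 14:40:16 binky kernel: [2609165.361891] iptables tarpit IN=eth0 OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:2d:55:53:08:00 SRC=95.9.252.66 DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=115 ID=31945 DF PROTO=TCP SPT=58633 DPT=1433 WINDOW=65340 RES=0x00 ACK URGP=0
Aug 4 14:40:17 binky kernel: [2609166.281294] iptables tarpit IN=eth0 OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=172.87.192.33 DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=121 ID=24321 DF PROTO=TCP SPT=5171 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 4 14:40:47 binky kernel: [2609196.469551] iptables tarpit IN=eth0 OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=172.87.192.33 DST=109.75.188.214 LEN=41 TOS=0x00 PREC=0x00 TTL=121 ID=29753 DF PROTO=TCP SPT=5171 DPT=1433 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 6 04:26:17 binky kernel: [2745127.016816] iptables-geoip-cn IN=eth0 OUT= MAC=00:f1:70:00:58:f0:fc:fb:fb:21:67:58:08:00 SRC=61.191.59.179 DST=109.75.188.214 LEN=40 TOS=0x04 PREC=0x00 TTL=113 ID=4716 DF PROTO=TCP SPT=1144 DPT=1433 WINDOW=65535 RES=0x00 ACK FIN URGP=0
"""

# Assumed syslog layout: timestamp, host, "kernel:", [uptime], --log-prefix, then IN=...
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: \[\s*\d+\.\d+\] (?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Return a dict for one iptables LOG line, or None if it is not one.
    KEY=VALUE tokens become keys (OUT= yields ''); bare tokens such as
    DF, SYN, ACK, FIN are collected under 'flags'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"mon": m["mon"], "day": int(m["day"]), "time": m["time"],
           "host": m["host"], "prefix": m["prefix"].strip(), "flags": set()}
    for tok in m["fields"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def parse_log(text):
    """Parse every LOG line in text; lines in another format are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def daily_counts(records):
    """Entries per (month, day, log prefix): the figure the mail compares day to day."""
    return Counter((r["mon"], r["day"], r["prefix"]) for r in records)


def sources_for_port(records, dport):
    """Hit count per source address for one destination port (e.g. '1433')."""
    return Counter(r["SRC"] for r in records if r.get("DPT") == dport)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(daily_counts(recs))
    print(sources_for_port(recs, "1433").most_common(3))
```

Pointed at the real kernel log, `daily_counts` gives the 4664-versus-3 comparison directly, and the `flags` set lets you separate genuine connection attempts (SYN without ACK) from the ACK-only packets shown above.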