RE: lots of ACKs for DPT=1433

I adjusted logs to keep only "smallest critical" data left :)

[iptables tarpit]
Aug  4 14:39:59 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=26474 SPT=4886  DPT=1433 ACK
Aug  4 14:40:10 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=2554  SPT=3381  DPT=1433 ACK
Aug  4 14:40:16 IN=eth0 SRC=95.9.252.66     LEN=41 TTL=115 ID=31945 SPT=58633 DPT=1433 ACK
Aug  4 14:40:17 IN=eth0 SRC=172.87.192.33   LEN=41 TTL=121 ID=24321 SPT=5171  DPT=1433 ACK
Aug  4 14:40:19 IN=eth0 SRC=104.247.220.211 LEN=41 TTL=121 ID=3380  SPT=5240  DPT=1433 ACK
Aug  4 14:40:38 IN=eth0 SRC=23.228.81.116   LEN=41 TTL=117 ID=22249 SPT=1716  DPT=1433 ACK
Aug  4 14:40:42 IN=eth0 SRC=58.96.177.123   LEN=41 TTL=232 ID=28264 SPT=55416 DPT=1433 ACK
Aug  4 14:40:47 IN=eth0 SRC=172.87.192.33   LEN=41 TTL=121 ID=29753 SPT=5171  DPT=1433 ACK

Aug  6 04:26:17 IN=eth0 SRC=61.191.59.179   LEN=40 TTL=113 ID=4715  SPT=1144 DPT=1433 ACK
Aug  6 04:26:17 IN=eth0 SRC=61.191.59.179   LEN=40 TTL=113 ID=4716  SPT=1144 DPT=1433 ACK FIN
Aug  6 04:26:26 IN=eth0 SRC=61.191.59.179   LEN=40 TTL=113 ID=14158 SPT=1144 DPT=1433 ACK FIN

From what I can see these logs show, you have 2 things happening:
the last from Aug 6 seems like a normal session that is no longer responding (maybe timed out),
but this can also be some host who tried to scan that port; it seems more like some accidental
access attempt.

The first log entries are pretty surely some kind of port-scan, even if the packets are ACK without SYN.
Maybe the attackers are looking for systems behind old non-stateful FWs which only block SYN packets and
allow any other flagged packets into their systems, assuming they are "safe" ...
... most likely (and you can try) if you grep for "SRC=109.170.163.174" you will most likely find
3-8 tries, and maybe 1 or 2 with SYN first.



Best regards
André Paulsberg-Csibi
Senior Network Engineer 
Fault Handling
IBM Services AS
andre.paulsberg-csibi@xxxxxxxx
M +47 9070 5988
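A small triage script, added here as an example and not part of the thread, that does the grouping the reply suggests: it parses lines in the abbreviated iptables LOG format quoted above, groups them by SRC, and separates bare-ACK probes (the stateless-firewall scan described) from the ACK/FIN tail of a stale session. The sample lines are taken from the logs quoted above; the labels and the single-source-port heuristic are my own assumptions.

```python
import re
from collections import defaultdict
# Sample lines taken from the logs quoted in the thread (abbreviated iptables LOG format).
SAMPLE_LOG = """\
Aug  4 14:39:59 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=26474 SPT=4886  DPT=1433 ACK
Aug  4 14:40:10 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=2554  SPT=3381  DPT=1433 ACK
Aug  4 14:40:16 IN=eth0 SRC=95.9.252.66     LEN=41 TTL=115 ID=31945 SPT=58633 DPT=1433 ACK
Aug  4 14:40:17 IN=eth0 SRC=172.87.192.33   LEN=41 TTL=121 ID=24321 SPT=5171  DPT=1433 ACK
Aug  4 14:40:47 IN=eth0 SRC=172.87.192.33   LEN=41 TTL=121 ID=29753 SPT=5171  DPT=1433 ACK
Aug  6 04:26:17 IN=eth0 SRC=61.191.59.179   LEN=40 TTL=113 ID=4715  SPT=1144  DPT=1433 ACK
Aug  6 04:26:17 IN=eth0 SRC=61.191.59.179   LEN=40 TTL=113 ID=4716  SPT=1144  DPT=1433 ACK FIN
Aug  6 04:26:26 IN=eth0 SRC=61.191.59.179   LEN=40 TTL=113 ID=14158 SPT=1144  DPT=1433 ACK FIN
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare words the LOG target emits
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one LOG line into its KEY=VAL fields and the set of TCP flag words."""
    fields = dict(KV_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(log_text):
    """Group packets by SRC and label the pattern seen from each source (labels are assumptions):
       handshake     - a SYN was seen, i.e. a real connection attempt
       stale-session - ACK/FIN from one stable SPT, the tail of a session the peer thinks is open
       ack-scan      - only bare ACKs and no SYN, the stateless-firewall probe the reply describes
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            fields, flags = parse_line(line)
            by_src[fields["SRC"]].append((fields["SPT"], flags))
    verdicts = {}
    for src, pkts in by_src.items():
        saw_syn = any("SYN" in f for _, f in pkts)
        saw_fin = any("FIN" in f for _, f in pkts)
        sports = {spt for spt, _ in pkts}
        if saw_syn:
            label = "handshake"
        elif saw_fin and len(sports) == 1:
            label = "stale-session"
        else:
            label = "ack-scan"
        verdicts[src] = {"packets": len(pkts), "verdict": label}
    return verdicts

if __name__ == "__main__":
    for src, info in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:16} {info['packets']:2d} pkts  {info['verdict']}")
```

On a real box, feed it the output of grepping the kernel log for DPT=1433 instead of SAMPLE_LOG; a source that shows up as ack-scan with several packets is the "3-8 tries" pattern the reply expects.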

