One idea, and I may be completely off here, is that these might be packets sent _after_ a connection is closed. Your rule logs any non-SYN packets that don't have an associated existing connection. What _might_ be happening is that these other servers establish a connection, do some stuff with it and then try to close it. They send one FIN packet which your server receives. This causes your server to tear down the connection and it disappears from the iptables stateful connection list. But maybe your ACK to FIN (and here I'm really just hazarding a guess ... I don't even know the full teardown procedure in TCP) doesn't get to the other systems so they try to send you another FIN.

I'm curious if this is even possible. Someone who knows TCP a little better please comment.

I actually checked out a short TCP tutorial and it seems to me that this is possible -- it seems that one side can close down the TCP connection before the other.

Sheer

Matt Kowske wrote:
> On Tue, 2001-12-11 at 01:06, David Correa wrote:
> > I would not remove that rule. How are you logging? I don't see
> > the word "LOG" in your rule.
> >
> > Could you send part of the log information here? Do a tcpdump
> > and send a packet? Or tell us the sites that you say are doing
> > that so i/we can check what they send?
>
> Well I have a rule directly before the other rule that first logs the
> packet, and then drops it. The two rules are identical except that in
> one rule the target is LOG and the other is DROP. Here is an example of
> a log entry:
>
> Dec 11 02:59:59 bob kernel: New not syn:IN=eth1 OUT=
> MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=205.156.51.200 DST=<my
> ip> LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248
> WINDOW=65500 RES=0x00 ACK FIN URGP=0
>
> That source IP equates to tgftp.nws.noaa.gov, which is an internet
> weather site. I could find other examples too but they're all very
> similar. Here's another from greetingcards.msn.com
>
> Dec 11 00:35:50 bob kernel: New not syn:IN=eth1 OUT=
> MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=207.68.181.238 DST=<mi
> ip> LEN=471 TOS=0x00 PREC=0x00 TTL=62 ID=53655 PROTO=TCP SPT=80 DPT=3299
> WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
>
> I don't think these sites would be sending invalid TCP connection
> attempts on purpose but I can't figure out what the reason would be.
>
> -Matt Kowske

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
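To check the teardown explanation above against a whole day of hits rather than two hand-picked entries, here is an added example (my own code, not from any of the posters) that parses the iptables LOG format quoted in the thread and buckets each "New not syn" hit by its TCP flags. Late FIN/ACK segments from a peer finishing a close are separated from resets and from anything else the rule catches, and each hit is also tagged by whether it looks like a server's reply to a connection this host opened (well-known source port, ephemeral destination port; the 1024 boundary is a heuristic I chose, not something from the thread). The sample log lines are constructed: the first two mirror the quoted entries with the redacted destination replaced by the documentation address 192.0.2.10, and the third is an invented bare ACK to show the "other" bucket.

```python
"""Triage for iptables 'New not syn' LOG hits (added example, not thread code)."""
import re
from collections import Counter

# Constructed kernel log lines: two mirror the thread's entries (destination
# replaced with 192.0.2.10), the third is a made-up bare ACK for contrast.
SAMPLE_LOG = """\
Dec 11 02:59:59 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=205.156.51.200 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248 WINDOW=65500 RES=0x00 ACK FIN URGP=0
Dec 11 00:35:50 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=207.68.181.238 DST=192.0.2.10 LEN=471 TOS=0x00 PREC=0x00 TTL=62 ID=53655 PROTO=TCP SPT=80 DPT=3299 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
Dec 11 03:10:02 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=100 PROTO=TCP SPT=4321 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
"""

# Bare tokens the iptables LOG target emits for TCP flags that are set.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# syslog timestamp, host, "kernel:", the --log-prefix text, then the IN=... fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<rest>IN=.*)$"
)


def parse_line(line):
    """Return a dict of LOG fields plus a 'flags' set, or None for a non-LOG line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # e.g. SPT=80; "OUT=" yields an empty value
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Bucket a hit by its TCP flags.

    late_fin : FIN with ACK, i.e. a peer finishing a close; if our side already
               left the conntrack table this is the teardown race suggested in
               the thread, not a connection attempt.
    rst      : a reset for a connection we no longer track.
    syn      : should not occur, the rule excludes SYN.
    other    : anything else (e.g. a bare ACK), worth a closer look.
    """
    flags = rec["flags"]
    if "SYN" in flags:
        return "syn"
    if "FIN" in flags and "ACK" in flags:
        return "late_fin"
    if "RST" in flags:
        return "rst"
    return "other"


def is_server_reply(rec):
    """Heuristic (my assumption): well-known source port and ephemeral destination
    port means the segment looks like a reply to a connection this host opened,
    as with the port-80 entries in the thread."""
    return int(rec.get("SPT", 0)) < 1024 and int(rec.get("DPT", 0)) >= 1024


def summarize(log_text):
    """Count TCP hits per (category, server_reply) over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        counts[(classify(rec), is_server_reply(rec))] += 1
    return counts


if __name__ == "__main__":
    for (category, reply), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:>9}  server_reply={reply!s:5}  {n}")
```

Run against a real `/var/log/messages` the interesting number is how much of the rule's volume lands outside the `late_fin` / server-reply bucket; hits that do are the ones that the teardown explanation does not account for.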