Skip to content

Hey, ask.com, what are you doing?

So, in the spirit of another post I put up recently, I am monitoring my firewall logs for anything strange and I keep seeing this:

Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x LEN=455 TOS=0×00 PREC=0×00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0×00 ACK PSH URGP=0

The Source is Ask.com, the DST is my webserver, but take a look at the Ports.  SRC port 80?  DPT 58709?  Anyone else see anything like this?  This is being denied at my firewall because of my ESTABLISHED,RELATED line.  So, the connection was not made from here.  It’s initiated from the outside.

What’s going on over there at Ask.com?

View Comments

Categories: analysis, funny.

By Joel
February 8, 2010 at 15:06
  • Steve
    Do you have VBulletin with SEO? If so, it's probably the cron job notifying the search engines a new sitemap is ready.
  • Seth
    Someone else sending a packet to ask.com spoofing your IP, maybe?
  • BAM, there you go! However, ACK PSH? Figure out that part. ;)
  • b*
    RSS Feed?
  • Good thought, but no. I don't pull RSS feeds from the box, either on the webpage or not. I remember things like this from back in the 90s, it was a good way to bypass firewalls, but I didn't think it worked anymore (and obviously doesn't, as it got blocked.)
  • I don't think it's initiated from the outside because the SYN flag isn't set. The ACK flag, however, is set so I'm thinking that this is a response to a request you sent to Ask.com that somehow didn't match your stateful ESTABLISHED,RLEATED rule. I'm not sure exactly how this would happen without more knowledge of your IPTables ruleset.

    Do you have Snort or Daemonlogger doing full packet capture? That would make it easy to examine the conversation that preceded this DROP.
  • Yes. The packet is sent with the ACK, PSH flags set. I have full packet capture, no packets are initiated to ask.com. Not from this network, and definitely not from that host.
blog comments powered by Disqus