So, in the spirit of another post I put up recently, I am monitoring my firewall logs for anything strange and I keep seeing this:
Feb 8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0
The Source is Ask.com, the DST is my webserver, but take a look at the Ports. SRC port 80? DPT 58709? Anyone else see anything like this? This is being denied at my firewall because of my ESTABLISHED,RELATED line. So, the connection was not made from here. It’s initiated from the outside.
What’s going on over there at Ask.com?
Comments (6)

I don’t think it’s initiated from the outside because the SYN flag isn’t set. The ACK flag, however, is set so I’m thinking that this is a response to a request you sent to Ask.com that somehow didn’t match your stateful ESTABLISHED,RELATED rule. I’m not sure exactly how this would happen without more knowledge of your IPTables ruleset.
Do you have Snort or Daemonlogger doing full packet capture? That would make it easy to examine the conversation that preceded this DROP.
Posted 09 Feb 2010 at 9:42 am

Yes. The packet is sent with the ACK, PSH flags set. I have full packet capture, no packets are initiated to ask.com. Not from this network, and definitely not from that host.
Posted 09 Feb 2010 at 1:50 pm

RSS Feed?
Posted 09 Feb 2010 at 2:27 pm

Good thought, but no. I don’t pull RSS feeds from the box, either on the webpage or not. I remember things like this from back in the 90s, it was a good way to bypass firewalls, but I didn’t think it worked anymore (and obviously doesn’t, as it got blocked.)
Posted 09 Feb 2010 at 3:37 pm

Someone else sending a packet to ask.com spoofing your IP, maybe?
Posted 12 Feb 2010 at 12:05 pm

BAM, there you go! However, ACK PSH? Figure out that part. ;)
Posted 12 Feb 2010 at 12:08 pm
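The thread's reasoning (no SYN means nobody is opening a connection; ACK from a server port with no matching state is either a lost session or a reply to traffic someone sent with a spoofed source) can be turned into a small triage script for netfilter LOG lines. The following Python is an added example, not code from the post or its commenters. The first line is the one from the post; the other sample lines are constructed here (RFC 5737 documentation addresses) purely to exercise the classifier, and the category names are this example's own.

```python
from collections import Counter

# The dropped packet reported in the post (netfilter LOG target format).
POST_LINE = ("Feb 8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x "
             "LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 "
             "WINDOW=54 RES=0x00 ACK PSH URGP=0")

# Constructed sample lines (not from the post): a real inbound SYN, a stray RST/ACK
# from a web server port, and a UDP reply from a DNS port.
CONSTRUCTED_LINES = [
    "Feb 8 14:48:01 localhost kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.x.x LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 8 14:48:05 localhost kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.x.x LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=52211 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Feb 8 14:48:09 localhost kernel: IN=eth0 OUT= SRC=192.0.2.4 DST=192.168.x.x LEN=76 "
    "TOS=0x00 PREC=0x00 TTL=61 ID=777 PROTO=UDP SPT=53 DPT=33333 LEN=56",
]

# Bare tokens that netfilter emits for TCP header flags (everything else bare is DF, MF, etc.).
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}


def parse_iptables_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus the set of TCP flag tokens.

    Returns None for lines that are not kernel log output.
    """
    try:
        _, payload = line.split("kernel: ", 1)
    except ValueError:
        return None
    fields, bare = {}, set()
    for tok in payload.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= yields an empty string for inbound packets
        else:
            bare.add(tok)                # DF, SYN, ACK, PSH, ... have no '=' sign
    fields["FLAGS"] = bare & TCP_FLAGS
    fields["DF"] = "DF" in bare
    return fields


def classify(rec):
    """Apply the commenters' reasoning to one parsed record."""
    if rec is None or rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    sport = int(rec.get("SPT", "0"))
    if "SYN" in flags and "ACK" not in flags:
        # Only a bare SYN is an attempt to open a connection towards us.
        return "inbound-connection-attempt"
    if "ACK" in flags and "SYN" not in flags and sport < 1024:
        # Mid-stream segment from a well-known server port with no handshake on record:
        # either the firewall's state table never saw our side of the session, or a
        # third party sent the server traffic with our address as the spoofed source
        # and we are receiving the reply (backscatter). Packet capture decides which.
        return "unsolicited-server-reply"
    return "other-tcp"


def summarize(lines):
    """Count (source address, category) pairs so repeat offenders stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_iptables_log(line)
        src = rec.get("SRC", "?") if rec else "?"
        counts[(src, classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (src, category), n in summarize([POST_LINE] + CONSTRUCTED_LINES).most_common():
        print(f"{n:4d}  {category:28s} {src}")
```

The useful follow-up, as the first commenter suggests, is to check the full packet capture for any outbound segment to the logged SRC shortly before each "unsolicited-server-reply": if none exists, the packet cannot be a state-table miss, which leaves spoofed traffic toward that server as the remaining explanation.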