Monday, February 8

Hey, ask.com, what are you doing?

So, in the spirit of another post I put up recently, I am monitoring my firewall logs for anything strange and I keep seeing this:
Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0

The source is Ask.com, the DST is my webserver, but take a look at the ports. SRC port 80? DPT 58709? Anyone else see anything like this? This is being denied at my firewall because of my ESTABLISHED,RELATED line. So, the connection was not made from here. It's initiated from the outside.

What's going on over there at Ask.com?

16 comments:

Doug Burks said...

I don't think it's initiated from the outside because the SYN flag isn't set. The ACK flag, however, is set, so I'm thinking that this is a response to a request you sent to Ask.com that somehow didn't match your stateful ESTABLISHED,RELATED rule. I'm not sure exactly how this would happen without more knowledge of your iptables ruleset.

Do you have Snort or Daemonlogger doing full packet capture? That would make it easy to examine the conversation that preceded this DROP.
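As an added example (not code from the post or its commenters), here is a small Python parser for the netfilter LOG line quoted in the post. It pulls out the key=value fields and the bare TCP flag tokens, then applies the reasoning above: a segment carrying ACK but no SYN is not a connection initiation, so if it is dropped by an ESTABLISHED,RELATED rule the firewall's state table simply holds no conversation for that 4-tuple. The log line is the one from the post, with the masked DST left as written.

```python
# Parser and classifier for iptables/netfilter LOG lines (added example, not from the post).

# Constructed sample: the log line quoted in the post, DST masked as in the original.
SAMPLE = ("Feb  8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x "
          "LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 "
          "WINDOW=54 RES=0x00 ACK PSH URGP=0")

# Bare (valueless) tokens that netfilter emits for TCP header flags.
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_iptables_log(line):
    """Return (fields, flags): key=value tokens as a dict, TCP flag tokens as a set."""
    fields, flags = {}, set()
    # Everything after "kernel: " is the netfilter record (a LOG prefix, if any, is skipped
    # below because it carries no "=").
    _, _, record = line.partition("kernel: ")
    for tok in record.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value          # OUT= yields an empty string, as on the page
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # Other bare tokens (DF, CE, ...) are IP-level and not needed here.
    return fields, flags


def classify(fields, flags):
    """Name what a dropped TCP segment represents from the flag combination alone."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "connection-attempt"     # SRC is genuinely opening a session to DST
    if "SYN" in flags:
        return "syn-ack-reply"          # SRC answering a SYN that carried DST as its source
    if "ACK" in flags:
        return "mid-stream-segment"     # no SYN: a reply to traffic that bore DST's address;
                                        # dropped only because no state entry exists for it
    return "other"


def describe(line):
    """One-shot helper: classification plus the endpoints worth reviewing in packet capture."""
    fields, flags = parse_iptables_log(line)
    return {"verdict": classify(fields, flags),
            "src": f'{fields.get("SRC")}:{fields.get("SPT")}',
            "dst": f'{fields.get("DST")}:{fields.get("DPT")}',
            "flags": sorted(flags)}


if __name__ == "__main__":
    print(describe(SAMPLE))
```

For the line from the post this yields verdict "mid-stream-segment" with source port 80, i.e. an HTTP server's data segment, which is the shape of a reply rather than a probe; the same classifier tags a SYN-only line as "connection-attempt".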

Joel said...

Yes. The packet is sent with the ACK, PSH flags set. I have full packet capture, no packets are initiated to ask.com. Not from this network, and definitely not from that host.

b* said...

RSS Feed?

Joel said...

Good thought, but no. I don't pull RSS feeds from the box, either on the webpage or not. I remember things like this from back in the 90s, it was a good way to bypass firewalls, but I didn't think it worked anymore (and obviously doesn't, as it got blocked.)

Seth said...

Someone else sending a packet to ask.com spoofing your IP, maybe?

Joel said...

BAM, there you go! However, ACK PSH? Figure out that part. ;)

Steve said...

Do you have VBulletin with SEO? If so, it's probably the cron job notifying the search engines a new sitemap is ready.