Feb 8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0
The SRC is Ask.com, the DST is my webserver, but take a look at the ports. SRC port 80? DPT 58709? Anyone else see anything like this? This is being denied at my firewall because of my ESTABLISHED,RELATED line. So, the connection was not made from here. It's initiated from the outside.
What's going on over there at Ask.com?
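As an added example (not code from this post or from any of its commenters), here is a small parser for netfilter LOG lines of the kind quoted above, plus a classifier that mirrors the reasoning the thread works through: only a bare SYN can open a connection, ESTABLISHED only admits a packet that matches a flow conntrack already knows, a SYN/ACK from a server port for a flow we never opened is the classic backscatter from a SYN sent with our address spoofed, and an ACK/PSH from a server port with no tracked flow is a data segment for a connection the remote server believes exists. The log lines other than the one in the post, the tracked-flow table and every function name are constructed for this example.

```python
import re
from dataclasses import dataclass

# The log line from the post, plus three constructed lines in the same netfilter
# LOG format (the kernel prints TCP flags as bare words, e.g. "ACK PSH").
POST_LINE = ("Feb 8 14:47:55 localhost kernel: IN=eth0 OUT= SRC=66.235.120.71 "
             "DST=192.168.x.x LEN=455 TOS=0x00 PREC=0x00 TTL=49 ID=33745 DF PROTO=TCP "
             "SPT=80 DPT=58709 WINDOW=54 RES=0x00 ACK PSH URGP=0")
CONSTRUCTED_LINES = [
    # bare SYN to ssh: a genuine inbound connection attempt
    "Feb 8 14:48:01 localhost kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.x.x "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    # ACK from a TLS server for a flow this host opened (see TRACKED_FLOWS)
    "Feb 8 14:48:02 localhost kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.x.x "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=2 DF PROTO=TCP SPT=443 DPT=50001 WINDOW=235 RES=0x00 ACK URGP=0",
    # SYN/ACK from a web server for a SYN this host never sent: backscatter
    "Feb 8 14:48:03 localhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.x.x "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=65535 RES=0x00 ACK SYN URGP=0",
]

# What conntrack would know about: (local_ip, local_port, remote_ip, remote_port)
# for connections this host initiated. Constructed for the example.
TRACKED_FLOWS = {("192.168.x.x", 50001, "198.51.100.7", 443)}

_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
_TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
_SERVER_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int
    flags: frozenset


def parse_log_line(line: str) -> Packet:
    """Parse one netfilter LOG line into its addresses, ports and TCP flags."""
    fields = dict(_FIELD_RE.findall(line))
    # Flags are bare words (no '=') after the key=value fields.
    flags = frozenset(word for word in line.split() if word in _TCP_FLAGS)
    return Packet(
        src=fields["SRC"],
        dst=fields["DST"],
        proto=fields.get("PROTO", ""),
        spt=int(fields.get("SPT", 0)),
        dpt=int(fields.get("DPT", 0)),
        flags=flags,
    )


def classify(pkt: Packet, tracked_flows) -> str:
    """Say why a stateful ruleset would or would not let this packet through."""
    if pkt.proto != "TCP":
        return "non-tcp"
    if "SYN" in pkt.flags and "ACK" not in pkt.flags:
        # Only a bare SYN can open a connection; everything below cannot.
        return "new-inbound-connection"
    if (pkt.dst, pkt.dpt, pkt.src, pkt.spt) in tracked_flows:
        # This is what ESTABLISHED matches: a reply to a flow conntrack knows.
        return "reply-to-tracked-connection"
    if pkt.spt in _SERVER_PORTS and {"SYN", "ACK"} <= pkt.flags:
        # Second step of a handshake we never started: classic backscatter from
        # a SYN sent to that server with our address spoofed as the source.
        return "syn-ack-backscatter"
    if pkt.spt in _SERVER_PORTS and "ACK" in pkt.flags:
        # A data-bearing segment (ACK, here with PSH) from a server port for a
        # flow we do not track: the server believes a handshake completed.
        return "data-for-untracked-connection"
    return "unsolicited-non-syn"


def analyse(lines, tracked_flows=TRACKED_FLOWS):
    """Return (src, spt, dpt, sorted flags, verdict) for each log line."""
    out = []
    for line in lines:
        pkt = parse_log_line(line)
        out.append((pkt.src, pkt.spt, pkt.dpt, tuple(sorted(pkt.flags)),
                    classify(pkt, tracked_flows)))
    return out


if __name__ == "__main__":
    for row in analyse([POST_LINE] + CONSTRUCTED_LINES):
        print(row)
```

The verdict for the posted line is "data-for-untracked-connection": the packet carries ACK and PSH rather than SYN/ACK, so it is not the bare backscatter a spoofed SYN would produce, and with no matching entry in the tracked-flow table the ESTABLISHED rule has nothing to match it against, which is exactly why the firewall dropped it. Feeding the classifier a real conntrack dump instead of the constructed table is the natural next step.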
16 comments:
I don't think it's initiated from the outside because the SYN flag isn't set. The ACK flag, however, is set, so I'm thinking that this is a response to a request you sent to Ask.com that somehow didn't match your stateful ESTABLISHED,RELATED rule. I'm not sure exactly how this would happen without more knowledge of your iptables ruleset.
Do you have Snort or Daemonlogger doing full packet capture? That would make it easy to examine the conversation that preceded this DROP.
Yes. The packet is sent with the ACK, PSH flags set. I have full packet capture, no packets are initiated to ask.com. Not from this network, and definitely not from that host.
RSS Feed?
Good thought, but no. I don't pull RSS feeds from the box, either on the webpage or not. I remember things like this from back in the 90s; it was a good way to bypass firewalls, but I didn't think it worked anymore (and obviously doesn't, as it got blocked).
Someone else sending a packet to ask.com spoofing your IP, maybe?
BAM, there you go! However, ACK PSH? Figure out that part. ;)
Do you have vBulletin with SEO? If so, it's probably the cron job notifying the search engines that a new sitemap is ready.