Re: TCP and SYN packets

From: Matt Kowske (jmkowske@students.wisc.edu)
Date: 12/12/01


From: Matt Kowske <jmkowske@students.wisc.edu>
To: Linux security list <security-discuss@linuxsecurity.com>
Date: 11 Dec 2001 19:16:19 -0600

On Tue, 2001-12-11 at 01:06, David Correa wrote:
    I would not remove that rule. How are you logging? I don't see
    the word "LOG" in your rule.
    
    Could you send part of the log information here? Do a tcpdump
    and send a packet? Or tell us the sites that you say are doing
    that so I/we can check what they send?
Well, I have a rule directly before the other rule that first logs the
packet and then drops it. The two rules are identical except that in
one rule the target is LOG and in the other it is DROP. Here is an example of
a log entry:

Dec 11 02:59:59 bob kernel: New not syn:IN=eth1 OUT=
MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=205.156.51.200 DST=<my
ip> LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248
WINDOW=65500 RES=0x00 ACK FIN URGP=0

That source IP equates to tgftp.nws.noaa.gov, which is an internet
weather site. I could find other examples too, but they're all very
similar. Here's another from greetingcards.msn.com:

Dec 11 00:35:50 bob kernel: New not syn:IN=eth1 OUT=
MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=207.68.181.238 DST=<mi
ip> LEN=471 TOS=0x00 PREC=0x00 TTL=62 ID=53655 PROTO=TCP SPT=80 DPT=3299
WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0

I don't think these sites would be sending invalid TCP connection
attempts on purpose but I can't figure out what the reason would be.

-Matt Kowske
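As an added example (not part of this thread), here is a small Python triage script for iptables LOG lines in the format quoted above: it parses the key=value fields and the bare TCP flag tokens, then classifies each "NEW but not SYN" segment by its flag set. The sample entries are constructed from the two lines in the post (DST replaced with a documentation address) plus one invented line with an invalid flag combination, and the verdict names are my own, not anything iptables produces.

```python
import re
from collections import Counter

# Flag tokens that the iptables LOG target prints as bare words (no '=').
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: the two entries quoted in the post (DST replaced with a
# documentation address) plus an invented third line with FIN but no ACK.
SAMPLE_LOG = """\
Dec 11 02:59:59 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=205.156.51.200 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=23535 PROTO=TCP SPT=80 DPT=54248 WINDOW=65500 RES=0x00 ACK FIN URGP=0
Dec 11 00:35:50 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=207.68.181.238 DST=192.0.2.10 LEN=471 TOS=0x00 PREC=0x00 TTL=62 ID=53655 PROTO=TCP SPT=80 DPT=3299 WINDOW=8760 RES=0x00 ACK PSH FIN URGP=0
Dec 11 03:10:07 bob kernel: New not syn:IN=eth1 OUT= MAC=00:e0:29:22:10:80:00:06:2a:cf:ec:54:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=1234 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
"""


def parse_entry(line):
    """Split one LOG line into (rule log prefix, key=value fields, TCP flag set)."""
    m = re.search(r"kernel: (.*?)(IN=.*)$", line)
    if not m:
        raise ValueError("not an iptables LOG line: %r" % line)
    prefix, body = m.group(1).rstrip(": "), m.group(2)
    fields, flags = {}, set()
    for token in body.split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value          # e.g. SRC=..., SPT=..., URGP=0
        elif key in TCP_FLAG_TOKENS:
            flags.add(key)               # bare flag words such as ACK FIN
    return prefix, fields, flags


def classify(flags):
    """Hypothetical verdict for a TCP segment that matched a 'NEW but not SYN' rule."""
    if "SYN" in flags:
        return "handshake"       # a '! --syn' rule would not have logged this
    if "RST" in flags:
        return "reset"           # a RST may legitimately arrive without ACK
    if "ACK" not in flags:
        return "invalid flags"   # every other non-SYN segment carries ACK
    if "FIN" in flags:
        return "late teardown"   # FIN/ACK for a connection the firewall no longer tracks
    return "late data"


def triage(log_text):
    """Return (SRC, SPT, verdict) per entry and a count of verdicts by source port."""
    results = []
    for line in log_text.splitlines():
        _, fields, flags = parse_entry(line)
        results.append((fields["SRC"], fields.get("SPT"), classify(flags)))
    summary = Counter((spt, verdict) for _, spt, verdict in results)
    return results, summary


if __name__ == "__main__":
    for src, spt, verdict in triage(SAMPLE_LOG)[0]:
        print("%-16s sport=%-5s %s" % (src, spt, verdict))
```

Both quoted entries come out as FIN/ACK segments from source port 80, which is what a server's connection teardown looks like when the firewall's state entry for that connection is already gone; the invented third line shows the flag combination that would actually deserve a closer look.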
