Re: 33270:trinity connection form port 80 to local machine on port

From: Valdis.Kletnieks@vt.edu
Date: 10/31/01


Message-Id: <200110311748.f9VHmSMb024645@foo-bar-baz.cc.vt.edu>
To: Bradley Filmer <bfilmer@ims.telstra.com.au>
Subject: Re: 33270:trinity connection form port 80 to local machine on port 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 31 Oct 2001 12:48:28 -0500

On Wed, 31 Oct 2001 16:11:43 +0800, Bradley Filmer <bfilmer@ims.telstra.com.au> said:
> I am curious as to what this might be, I am seeing hits in my iptables
> logs after visiting certain websites.. mainly
>
> Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number"
> SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46
> ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN
> URGP=0
> This is netbsd.org

Source port 80, an ACK/SYN - looks like you logged the second of a 3-packet
handshake from your SYN sent to netbsd.org. 33270 was an ephemeral port
picked by your browser on the fly.

Sequence:

you:33270 -> netbsd.org:80 SYN
you:33270 <- netbsd.org:80 SYN+ACK (the packet you logged)
you:33270 -> netbsd.org:80 ACK

> Oct 30 11:35:47 stealth kernel: IN=eth0 OUT= MAC= "long number"
> SRC=64.58.76.98 DST=my.adr.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=48
> ID=9741 DF PROTO=TCP SPT=443 DPT=33270 WINDOW=16560 RES=0x00 ACK SYN
> URGP=0
> This is yahoo groups.

Similarly, port 443 is https: (http over SSL).

> Oct 31 09:01:41 stealth kernel: IN=eth0 OUT= MAC= "long number"
> SRC=204.152.186.171 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=51
> ID=23555 PROTO=TCP SPT=80 DPT=33270 WINDOW=32768 RES=0x00 ACK SYN URGP=0
> This is mysql.org

More of same.

> Always 5 hits and I cant tell you how long after. I have checked port

I can't comment on "always 5 hits" because you don't show the logs.
Perhaps you're filtering something incorrectly, causing a retransmit of
the SYN+ACK packet at the far end.

> Looking for paranoia in all the right places

And then some, based on what I see. Maybe seeing all 5 hits might
show something I'm not seeing here, but I'm guessing that it's a broken
iptables config logging things that it shouldnt.

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech