Re: 33270:trinity connection form port 80 to local machine on port

From: Russell Fulton (r.fulton@auckland.ac.nz)
Date: 10/31/01


From: Russell Fulton <r.fulton@auckland.ac.nz>
To: incidents@securityfocus.com
Subject: Re: 33270:trinity connection form port 80 to local machine on port
Message-ID: <SIMEON.10111010928.D26305@bluebottle.itss>
Date: Thu, 1 Nov 2001 09:12:28 +1300 (NZDT)


On 31 Oct 2001 16:11:43 +0800 Bradley Filmer
<bfilmer@ims.telstra.com.au> wrote:

> I am curious as to what this might be, I am seeing hits in my iptables
> logs after visiting certain websites.. mainly
>
> Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number"
> SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46
> ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN
> URGP=0
> This is netbsd.org
>

Well, if it was not the same destination port every time I would guess
that this is some broken load balancing system sending out RSTs or FINs
after the session has actually finished.

I see this sort of thing a lot in my argus logs: first a normal web
session, then, up to five minutes later, one or more RSTs or FINs from the
web server, source port 80 and destination the original source port.

So far as I have been able to figure, this behaviour is caused by load
balancing systems losing track of some sessions and not realising that
they have finished, and timing them out by trying to close them again.

I have also seen the same thing but with the source IP being closely
related to (but not the same as) the original. In this case I am pretty
sure that we are seeing traffic from the real web server rather than the
load balancer.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
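The classification described in this thread can be automated against iptables LOG output. The script below is an added example written for this archive page; it is not code from either poster. It assumes that the firewall also logs outbound NEW connections (an OUTPUT LOG rule), so that each inbound packet from a server port can be matched against the local session that preceded it; the five-minute window is taken from Russell's observation, and the "same /24" test used to catch replies from a closely related server address is an assumption of the example. The log lines are constructed; the first inbound line follows the format of the one quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the original post). An outbound SYN to a web server,
# then late SYN/ACK and RSTs from port 80 back to the same ephemeral port, one RST
# from a neighbouring address, an unrelated inbound SYN, and a RST long after the
# session ended. Timestamps are chosen to exercise the five-minute window.
SAMPLE_LOG = """\
Oct 29 09:25:50 stealth kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=64.28.67.70 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33270 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=64.28.67.70 DST=10.0.0.5 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN URGP=0
Oct 29 09:28:00 stealth kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=64.28.67.71 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=2 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=0 RES=0x00 RST URGP=0
Oct 29 09:29:30 stealth kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=64.28.67.70 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=3 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=0 RES=0x00 RST URGP=0
Oct 29 09:41:00 stealth kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=80 DPT=33270 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 29 09:45:00 stealth kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=64.28.67.70 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=5 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=0 RES=0x00 RST URGP=0
"""

# Bare tokens the iptables LOG target emits without a KEY=VALUE form.
FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "DF", "MF", "CE"}
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<body>.*)$")
YEAR = 2001  # syslog timestamps carry no year; assumed for the constructed sample


def parse_line(line):
    """Split one iptables LOG line into a timestamp, KEY=VALUE fields and flag tokens."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # empty values (IN=, OUT=, MAC=) stay empty strings
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    return {"ts": ts, "fields": fields, "flags": flags}


def same_slash24(a, b):
    """Assumption of this example: a 'closely related' server address shares the /24."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def classify_log(text, window_seconds=300):
    """Label inbound packets from server ports as stale replies to a recent local session,
    as fresh inbound connection attempts, or as unsolicited traffic."""
    window = timedelta(seconds=window_seconds)
    outbound = {}   # (remote ip, local ephemeral port) -> time of our last outbound packet
    results = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["fields"].get("PROTO") != "TCP":
            continue
        f, flags, ts = pkt["fields"], pkt["flags"], pkt["ts"]
        if f.get("OUT") and not f.get("IN"):
            outbound[(f["DST"], f["SPT"])] = ts   # remember the session we opened
            continue
        src, dpt = f["SRC"], f["DPT"]

        def recent(t):
            return timedelta(0) <= ts - t <= window

        if "SYN" in flags and "ACK" not in flags:
            verdict = "inbound_syn"               # a new connection attempt, not a reply
        elif flags & {"RST", "FIN"} or {"SYN", "ACK"} <= flags:
            last = outbound.get((src, dpt))
            if last is not None and recent(last):
                verdict = "stale_reply"            # the server (or its balancer) closing late
            elif any(port == dpt and same_slash24(ip, src) and recent(t)
                     for (ip, port), t in outbound.items()):
                verdict = "stale_reply_related_host"   # real server behind the balancer
            else:
                verdict = "unsolicited"            # no matching session inside the window
        else:
            verdict = "other"
        results.append({"ts": ts.strftime("%b %d %H:%M:%S"), "src": src, "spt": f["SPT"],
                        "dpt": dpt, "flags": sorted(flags & TCP_FLAGS), "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in classify_log(SAMPLE_LOG):
        print(f"{r['ts']} {r['src']}:{r['spt']} -> :{r['dpt']} {' '.join(r['flags'])}: {r['verdict']}")
```

Packets the script labels `unsolicited` are the ones worth a second look: a late RST or SYN/ACK with no session behind it is either a session the firewall itself forgot, or genuinely unexplained traffic. Feeding the script a day of real logs and counting verdicts per source address separates noisy load balancers from anything that needs investigation.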



Relevant Pages

  • 33270:trinity connection form port 80 to local machine on port
    ... Subject: 33270:trinity connection form port 80 to local machine on port ... I am curious as to what this might be, I am seeing hits in my iptables ... 33270 trinity on my machine and the local subnet for the trinity ddos ...
    (Incidents)
  • Re: Trying to figger this out
    ... > I intended to block the socks port by rule 24, ... > unfortunately picked a "bad port". ... > web server or place the web server rules before the socks and mysql rules. ... A UDP packet with a source port of 80 is not normal. ...
    (comp.os.linux.security)
  • Controlling accepted source port
    ... How can I control which port the kernel uses as a source port for source ... for example you would have something like a web server which listens on ... accepts an incomming connection an uses only port 5050 for the ...
    (comp.os.linux.networking)
  • Re: Remote Access
    ... Please rerun CEICW, this helps up configure network and websites ... On the Web Server Certificate page shows. ... http://ipaddress/remote to access RWW, type the public IP address in the ... that if SBS is behind a router, I need to configure the port forwarding ...
    (microsoft.public.windows.server.sbs)
  • Re: SMTP and tcp ports
    ... This ACL would permit access to the internal SMTP server (listening on TCP port 25) from external clients and servers. ... The mail clients would be using a TCP source port>1023, and external mail servers would be using TCP source port 25, or TCP source port>1023. ...
    (comp.dcom.sys.cisco)