Re: Strange packet log: hacked?

From: Michael (leahcim@ntlworldNO.UCEcom)
Date: 01/05/02


From: Michael <leahcim@ntlworldNO.UCEcom>
Date: Sat, 05 Jan 2002 15:27:14 +0000

In <7hvZ7.13995$dG.7994020@news1.rdc1.sdca.home.com>, jackson wrote:

> and I am getting A LOT of logged drops with source address the internal
> Linux web server and a variety of destination addresses. Some of them
> are addresses which I have recently visited, others I don't recognize
> (usually I get a terse "Not Found" when I try to visit the site). Is
> there reason for alarm or is there another explanation?

Quite often a connection track entry reaches its timeout yet traffic still
flows; increasing the timeouts (for things like CLOSE_WAIT) may help and
is a topic discussed on the netfilter-dev mailing list. AIUI the timeouts
that are in the 2.4 kernels were just brought forward from the older ipfw
/ ipchains stuff and haven't been tweaked.

Ultimately the stateful filtering will need to balance between keeping
stale entries around "forever and a day" or timing out and a few trailing
packets being logged and dropped. At the moment I would say it times out
too quickly and there are too many of these, but it's subjective I guess.

Some apps seem to generate these more frequently. Perhaps there is a bug
in there somewhere as well? Exim sending email always does this and it
seems to begin dropping packets before the smallest timeout of 10 seconds
is reached.

If there is no connection track entry then these packets will be classed
as 'NEW' and obviously they aren't going to be SYN packets (most will have
FIN or RST on them, possibly with ACK and PSH), hence your rule is fired.

Certainly for the log entries you've attributed to connections you did
make that's the most likely explanation, effectively just noise that you
can ignore. Be more wary where you don't recognise the traffic though.

A further symptom that may increase the number of dropped packets is that
once you start dropping packets, either end may resend them several times,
so you might see quite a few before it gives in.

> I'm fairly new at reading packet logs, so would appreciate some help.
> Also, how do I do a tcpdump???? I can't find that program on my
> computer.

Install the RPM and man tcpdump.

-- 
Michael.
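A way to triage such drop entries along the lines of the reasoning above, as an added example that is not part of the original thread: it assumes the standard iptables LOG target line format, uses constructed sample lines, and labels packets as stale-conntrack teardown noise, genuine new connection attempts (SYN), or other stateless non-SYN packets, while also counting how often the same flow was resent.

```python
import re
from collections import Counter

# Constructed sample iptables LOG lines (hypothetical, not from the thread).
# 192.168.1.10 plays the internal web/mail server; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  5 15:20:01 gw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=45012 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan  5 15:20:03 gw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=45012 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan  5 15:20:07 gw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=45012 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan  5 15:21:10 gw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.25 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40211 DPT=25 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan  5 15:22:30 gw kernel: DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE pairs written by the LOG target

def parse_line(line):
    """Return the KEY=VALUE fields plus the set of bare TCP flag tokens on the line."""
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = set(line.split()) & TCP_FLAGS
    return fields

def classify(pkt):
    """Label one dropped packet the way the reply above reasons about them."""
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"   # a genuine NEW flow: worth a look
    if flags & {"FIN", "RST"}:
        return "stale-conntrack-tail"     # teardown after the conntrack entry timed out
    return "non-syn-new"                  # ACK/PSH with no state: usually the same noise

def summarise(log_text):
    """Count labels and find flows (SRC, SPT, DST, DPT) that were resent after a drop."""
    labels, flows = Counter(), Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        pkt = parse_line(line)
        labels[classify(pkt)] += 1
        flows[(pkt["SRC"], pkt["SPT"], pkt["DST"], pkt["DPT"])] += 1
    resent = {flow: n for flow, n in flows.items() if n > 1}
    return labels, resent

if __name__ == "__main__":
    print(*summarise(SAMPLE_LOG))
```

Entries labelled stale-conntrack-tail from hosts and peers you recognise are the noise described above; the new-connection-attempt bucket is where unrecognised destinations deserve attention.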
