Re: iptables tcp-logged ACK PSH

From: Michael (leahcim@ntlworldNO.UCEcom)
Date: 01/07/02


From: Michael <leahcim@ntlworldNO.UCEcom>
Date: Mon, 07 Jan 2002 05:24:51 +0000

In <sffa1a.ein.ln@ngate.home.lan>, Allan K wrote:

> I allow related/established email to/from my isp, but periodically get
> the following in my logs:
>
> Jan 6 21:18:10 ngate kernel: <- Drop (Port) IN=ppp0 OUT= MAC=
> SRC=195.92.195.177 DST=217.134.21.163 LEN=46 TOS=0x00 PREC=0x00 TTL=58
> ID=25560 DF PROTO=TCP SPT=110 DPT=6724 WINDOW=32736 RES=0x00 ACK PSH
> URGP=0
>
> Presumably, some sort of packet (above) is arriving that appears to be
> unrelated. I thought I'd read somewhere that the PSH was significant.

More likely the connection is closing (1/2 closed most likely, CLOSE_WAIT)
but the connection track entry timed out before this packet arrived, and
hence failed to match 'established'.

These are very common with the state rules IME, but besides the log noise
are not really a problem.

> Should I continue to drop these? or allow them? (reasoning would be
> appreciated too)

You could look at the timeouts in
linux/net/ipv4/netfilter/ip_conntrack_tcp.c and the netfilter-dev mailing
list for the latest on what they are planning on changing them to.

Looking through the list (a lot of messages if you download it all at
once), Rusty posted a patch Nov 2001 (which will be in 2.5 at some stage
if it isn't already) and that simply increases TCP_CONNTRACK_CLOSE_WAIT,
in the above file, to 2 mins.

If that isn't the issue, you're probably best grabbing a full tcpdump of
the connection when this happens (maybe a similar connection sans
netfilter too). Hmm, perhaps pop3 isn't the protocol to send off to
someone else to look at though, if you use plaintext passwords.

----------------

diff -urN -I \$.*\$ --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal
linux-2.4.12-official/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
working-2.4.12-tcptime/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- linux-2.4.12-official/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Sun Apr 29 06:17:11 2001
+++ working-2.4.12-tcptime/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Wed Oct 24 14:23:26 2001
@@ -55,7 +55,7 @@
     2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
     2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
     10 SECS, /* TCP_CONNTRACK_CLOSE, */
- 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
+ 2 MINS, /* TCP_CONNTRACK_CLOSE_WAIT, */
     30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
     2 MINS, /* TCP_CONNTRACK_LISTEN, */
 };
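Review bot: the TCP_CONNTRACK_CLOSE_WAIT change from `60 SECS` to `2 MINS` carries no rationale in the hunk or its surrounding context; a comment beside the entry, or a line in the patch description, should say why the half-closed state now gets the same lifetime as TCP_CONNTRACK_FIN_WAIT and TCP_CONNTRACK_TIME_WAIT, and should spell out the trade-off: a server's final data segment that arrives within two minutes of the half-close still matches ESTABLISHED instead of being logged as a drop, while every abandoned half-closed connection now occupies its conntrack entry twice as long, so a host that accumulates many of them fills its state table sooner.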

-- 
Michael.
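As an added example (not part of this thread and not netfilter code), a small Python parser for the kernel LOG line quoted above that splits it into KEY=VALUE fields and TCP flag tokens, then triages each drop the way the reply reasons: reply traffic from a mail server port carrying ACK but no SYN is a late segment of a connection whose conntrack entry has already expired, while a bare SYN is a genuine new-connection attempt. The second log line, the SERVICE_PORTS set and the verdict labels are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: line 1 is the drop from the original post; line 2 is a
# made-up inbound SYN to the POP3 port, added for contrast.
SAMPLE_LOG = """\
Jan 6 21:18:10 ngate kernel: <- Drop (Port) IN=ppp0 OUT= MAC= SRC=195.92.195.177 DST=217.134.21.163 LEN=46 TOS=0x00 PREC=0x00 TTL=58 ID=25560 DF PROTO=TCP SPT=110 DPT=6724 WINDOW=32736 RES=0x00 ACK PSH URGP=0
Jan 6 21:20:02 ngate kernel: <- Drop (Port) IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=217.134.21.163 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=51234 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumption: the ISP mail ports the ruleset allows as RELATED/ESTABLISHED.
SERVICE_PORTS = {25, 110, 143}

def parse_netfilter_line(line: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split a kernel LOG line into KEY=VALUE fields and bare TCP flag tokens;
    the --log-prefix text before 'IN=' is kept under '_PREFIX'."""
    _, _, body = line.partition("kernel: ")
    prefix, _, rest = body.partition("IN=")
    fields: Dict[str, str] = {"_PREFIX": prefix.strip()}
    flags: Set[str] = set()
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify(fields: Dict[str, str], flags: Set[str]) -> str:
    """Triage one dropped packet along the lines of the reply above."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"
    if "ACK" in flags and int(fields.get("SPT", "0")) in SERVICE_PORTS:
        # Reply traffic from a server we talk to, with no SYN: it failed the
        # ESTABLISHED match because its conntrack entry was already gone
        # (e.g. the CLOSE_WAIT timeout expired before this segment arrived).
        return "late-segment-after-conntrack-timeout"
    return "unclassified"

def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (SRC, SPT, verdict) for every non-empty log line."""
    out: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        if line.strip():
            fields, flags = parse_netfilter_line(line)
            out.append((fields["SRC"], fields["SPT"], classify(fields, flags)))
    return out
```

Feed it the raw kernel log; anything that lands in "unclassified" is what actually deserves a tcpdump, the late-segment verdicts are the conntrack-timeout noise the reply describes.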


