From: "Jay Levitt" <jay-netfilter@shopwatch.org>
To: netfilter@lists.netfilter.org
Subject: Wayward RST packets - what's the right answer?
Date: Thu, 25 Mar 2004 23:29:10 -0500	[thread overview]
Message-ID: <00ca01c412ea$e24fe2f0$9701a8c0@office> (raw)


This message has popped up on the list a few times over the years, but I can't find a definitive answer on the best solution for it.

Fairly often - as in a few times an hour on a very, very underused server - I get repeated RST packets from hosts I've recently been talking to, but that conntrack thinks aren't part of a connection.  My rule:

# Log, then drop, any TCP packet that conntrack considers NEW but whose
# FIN/SYN/RST/ACK flags are not exactly SYN (a new connection must open with a bare SYN).
iptables -A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "Stealth scan attempt"
iptables -A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

I then get multiple log entries like:

Mar 25 23:19:05 linux kernel: Stealth scan attemptIN=eth0 OUT= MAC=00:50:2c:01:62:8e:00:20:78:d0:44:8f:08:00 SRC=208.185.179.12 DST=192.168.1.150 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=6376 PROTO=TCP SPT=2046 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 

with occasional, "related" (semantically, not conntrack-ily) outbound traffic:

Mar 25 23:19:05 linux kernel: Rejected output by default:IN= OUT=eth0 SRC=192.168.1.150 DST=208.185.179.12 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=58139 DF PROTO=TCP SPT=25 DPT=2046 WINDOW=9216 RES=0x00 ACK PSH FIN URGP=0 

Obviously these aren't genuine scans.  Is there any rule I could use that would let the RST do whatever it's trying to do and gracefully close down the connection instead of logging it?  I am almost to the point of not bothering to log iptables output, since I'm not entirely sure what I would do if I did see an attack anyway... but certainly, right now, what's being logged is noise, and I'd like to improve my SNR.  Suggestions?

Jay Levitt
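The log lines in the post, as an added example that is not part of the original message or of any netfilter tool: a small Python parser for the netfilter LOG line format that pulls the bare TCP flag tokens out of each line and sorts the logged packets into the "wayward RST" case the author describes versus the flag combinations a stealth-scan rule is actually meant to catch (NULL, FIN, Xmas). The first two sample lines are the ones quoted above; the other three are constructed for this example, with made-up addresses and ports, and the verdict names are my own rather than anything iptables produces.

```python
from dataclasses import dataclass

# Bare tokens that the netfilter LOG target writes for set TCP flags
# (they follow "RES=0x.." without a KEY=VALUE form).
TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


@dataclass(frozen=True)
class LoggedPacket:
    prefix: str        # the rule's --log-prefix string
    src: str
    dst: str
    spt: int
    dpt: int
    window: int
    flags: frozenset   # subset of TCP_FLAG_TOKENS


def parse_log_line(line: str) -> LoggedPacket:
    """Parse one syslog line produced by an iptables LOG rule (TCP only)."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line")
    # Whatever sits between "kernel: " and "IN=" is the log prefix; with no
    # trailing space in --log-prefix it is glued straight onto "IN=".
    head = line[:start]
    prefix = head.split("kernel: ", 1)[1].strip() if "kernel: " in head else head.strip()
    fields, flags = {}, set()
    for tok in line[start:].split():
        if "=" in tok:                     # KEY=VALUE (OUT= has an empty value)
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAG_TOKENS:       # bare TCP flag token
            flags.add(tok)
        # other bare tokens (DF, MF, CE) are not needed here
    if fields.get("PROTO") != "TCP":
        raise ValueError("only TCP lines carry flag tokens")
    return LoggedPacket(prefix, fields["SRC"], fields["DST"],
                        int(fields["SPT"]), int(fields["DPT"]),
                        int(fields.get("WINDOW", "0")), frozenset(flags))


def classify(pkt: LoggedPacket) -> str:
    """Sort a logged TCP packet by its flag combination (verdict names are mine)."""
    f = pkt.flags
    if f & {"SYN", "ACK", "RST", "FIN"} == {"SYN"}:
        return "syn"            # plain SYN: the rule in the post never logs this
    if "RST" in f:
        return "wayward_rst"    # peer resetting a flow conntrack has already forgotten
    if not f:
        return "null_scan"      # no flags at all: no legitimate stack sends this
    if f == {"FIN"}:
        return "fin_scan"
    if {"URG", "PSH", "FIN"} <= f and "ACK" not in f:
        return "xmas_scan"
    if "ACK" in f:
        return "late_segment"   # data or FIN for a flow conntrack no longer tracks
    return "unclassified"


def triage(lines):
    """Return (verdict, src, dpt) for every TCP LOG line; skip anything else."""
    out = []
    for line in lines:
        try:
            pkt = parse_log_line(line)
        except (ValueError, KeyError):
            continue
        out.append((classify(pkt), pkt.src, pkt.dpt))
    return out


# The first two lines are quoted from the post; the remaining three are
# constructed for this example (addresses and ports are made up).
SAMPLE_LINES = [
    "Mar 25 23:19:05 linux kernel: Stealth scan attemptIN=eth0 OUT= MAC=00:50:2c:01:62:8e:00:20:78:d0:44:8f:08:00 SRC=208.185.179.12 DST=192.168.1.150 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=6376 PROTO=TCP SPT=2046 DPT=25 WINDOW=0 RES=0x00 RST URGP=0",
    "Mar 25 23:19:05 linux kernel: Rejected output by default:IN= OUT=eth0 SRC=192.168.1.150 DST=208.185.179.12 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=58139 DF PROTO=TCP SPT=25 DPT=2046 WINDOW=9216 RES=0x00 ACK PSH FIN URGP=0",
    "Mar 25 23:40:12 linux kernel: Stealth scan attemptIN=eth0 OUT= MAC=00:50:2c:01:62:8e:00:20:78:d0:44:8f:08:00 SRC=198.51.100.7 DST=192.168.1.150 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 URGP=0",
    "Mar 25 23:40:13 linux kernel: Stealth scan attemptIN=eth0 OUT= MAC=00:50:2c:01:62:8e:00:20:78:d0:44:8f:08:00 SRC=198.51.100.7 DST=192.168.1.150 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    "Mar 25 23:41:00 linux kernel: Stealth scan attemptIN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.168.1.150 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=UDP SPT=53 DPT=53 LEN=40",
]

if __name__ == "__main__":
    for verdict, src, dpt in triage(SAMPLE_LINES):
        print(f"{verdict:14} {src:>16} -> port {dpt}")
```

Run over a day of syslog, the verdict counts show at a glance how much of the "Stealth scan attempt" prefix is bare RSTs from recent peers rather than probes. If it is nearly all RSTs, a rule matching `-p tcp --tcp-flags RST RST -m state --state NEW -j DROP`, inserted ahead of the LOG rule, silences exactly that class without touching what is logged for NULL, FIN or Xmas probes.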


Thread overview: 4+ messages
2004-03-26  4:29 Jay Levitt [this message]
2004-03-26 10:02 ` Wayward RST packets - what's the right answer? Chris Brenton
2004-03-29  2:40   ` Jay Levitt
2004-03-29 19:11 Jay Levitt (loose match on Subject)
