From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Jay Levitt <jay-netfilter@shopwatch.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: Wayward RST packets - what's the right answer?
Date: Fri, 26 Mar 2004 05:02:28 -0500 [thread overview]
Message-ID: <1080295347.2180.399.camel@grendel> (raw)
In-Reply-To: <00ca01c412ea$e24fe2f0$9701a8c0@office>
On Thu, 2004-03-25 at 23:29, Jay Levitt wrote:
>
> Fairly often - as in a few times an hour on a very, very underused
> server - I get repeated RST packets from hosts I've recently been
> talking to, but that conntrack thinks aren't part of a connection. My
> rule:
>
> iptables -A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state
> --state NEW -j LOG --log-prefix "Stealth scan attempt"
> iptables -A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state
> --state NEW -j DROP
Maybe I'm reading this wrong, but I would expect you would only get a
match with this rule if SYN was set. I'm surprised your grabbing RST
packets. Perhaps another rule that uses the same prefix?
Also, not so sure you can consider RST's a "stealth scan" as a receiving
host is just going to ignore bogus RST's and not reply, regardless of
whether the port is open or not. Best an attacker could hope to receive
is a host unreachable.
> Mar 25 23:19:05 linux kernel: Stealth scan attemptIN=eth0 OUT=
> MAC=00:50:2c:01:62:8e:00:20:78:d0:44:8f:08:00 SRC=208.185.179.12
> DST=192.168.1.150 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=6376 PROTO=TCP
> SPT=2046 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
What's the time stamp on the accepted packet? If you are
logging/dropping RST packets prior to processing ESTABLISHED that would
explain this entry. I very rarely see legit RST packets get dropped so
if you are seeing them fairly often I would guess a config problem as
RSTs are a last resort.
> with occasional, "related" (semantically, not conntrack-ily) outbound
> traffic:
>
> Mar 25 23:19:05 linux kernel: Rejected output by default:IN= OUT=eth0
> SRC=192.168.1.150 DST=208.185.179.12 LEN=100 TOS=0x00 PREC=0x00 TTL=64
> ID=58139 DF PROTO=TCP SPT=25 DPT=2046 WINDOW=9216 RES=0x00 ACK PSH FIN
> URGP=0
Actually, this would be ESTABLISHED, not RELATED, but these are a bit
less rare. If you were to watch this session, you would probably see
208.185.179.12 initialize the FIN/ACK close and 192.168.1.150 continue
to send data. It does so longer than the connection tracking expire and
an entry like this one appears.
The other time I've seen it is when there is an IDS on the wire kicking
out RST packets when a suspect packet is seen, but the IDS does not get
the sequence numbers right in the RST.
HTH,
Chris
next prev parent reply other threads:[~2004-03-26 10:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-03-26 4:29 Wayward RST packets - what's the right answer? Jay Levitt
2004-03-26 10:02 ` Chris Brenton [this message]
2004-03-29 2:40 ` Jay Levitt
-- strict thread matches above, loose matches on Subject: below --
2004-03-29 19:11 Jay Levitt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1080295347.2180.399.camel@grendel \
--to=cbrenton@chrisbrenton.org \
--cc=jay-netfilter@shopwatch.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox