Multiple new packets with ACK or ACK,FIN bits set

Hello group,

I do often observe my firewall/router blocking new TCP packets with
either ACK or ACK, FIN bits set. The packets are addressed to (mostly
windoze) clients and usually have SPT=80 or SPT=443.  AFAIU, they are
parts of broken http (https) connections. A bad thing with them is that
they are sometimes repeated literally for hours thus filling the log
with "noise".

Surely, I can limit the rate of logging or just block such packets
silently, but I don't think this is a good idea since, IIRC, such
packets can be used for scanning. Thus my question is: is there a smart
way to get rid of such packets, e.g., by tuning sysctl settings, by
somehow telling the "noisy" server to shut up, or any other way?

Thank you!


Re: Multiple new packets with ACK or ACK,FIN bits set


I'd drop them since valid new connections don't come from privileged
ports ;)  I put repeat offenders into a deny-list (by CIDR block),
since this traffic seen here originates from US based server farms.


At one stage I would send an email to the 'whois' block owner informing
them their block was denied access to my server due to <whatever>
from the logfile.  Only one of many dozens responded after fixing the
issue, asking for the block-deny to be removed.

I have a US based server farm tapping on my server about once per
hour since Nov'05, the date of their registration, some sites seem
specifically setup for this information gathering strategy...

At the moment I DROP this rubbish unlogged.

WinXP: Access Start->Turn Off Computer, then while holding Ctrl-Alt-Shift,
left click on Cancel.  This terminates Windows Explorer...
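As an added example (not code from either poster), here is a small Python script that classifies iptables LOG lines of the kind described in the question: segments with ACK or ACK,FIN but no SYN cannot open a connection, so they are either leftovers of a closed web session (source port 80/443) or unexplained stray ACKs, and only SYN-only segments are real connection attempts. It then counts which sources repeat the web-port noise, which is the "repeat offender" information the reply uses for its deny-list. The log lines are constructed sample data, and the category names and threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample in iptables LOG format (not taken from the original post).
SAMPLE_LOG = """\
Jan 12 10:00:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 12 10:00:31 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 12 10:01:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 12 10:01:40 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=443 DPT=50099 WINDOW=0 RES=0x00 ACK URGP=0
Jan 12 10:02:15 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:02:16 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 ACK URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
# The LOG target prints set TCP flags as bare words (URGP=0 is a field, not a flag).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log_line(line):
    """Return (key=value fields, set of TCP flag tokens) for one LOG line."""
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(line):
    """Label a LOG line: only a SYN without ACK can start a new connection."""
    fields, flags = parse_log_line(line)
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    if "ACK" in flags:
        # No SYN, so this cannot be a valid new connection.  A web-server
        # source port matches the late ACK/FIN noise the poster describes.
        if int(fields.get("SPT", "0")) in (80, 443):
            return "late-web-ack"
        return "stray-ack"
    return "other"

def repeat_offenders(log_text, threshold=3):
    """Sources that sent at least `threshold` late-web-ack segments."""
    counts = Counter()
    for line in log_text.splitlines():
        if classify(line) == "late-web-ack":
            counts[parse_log_line(line)[0]["SRC"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def summary(log_text):
    """Lines per category, to see how much of the log is just noise."""
    return dict(Counter(classify(l) for l in log_text.splitlines()))

if __name__ == "__main__":
    print(summary(SAMPLE_LOG))          # {'late-web-ack': 4, 'new-connection': 1, 'stray-ack': 1}
    print(repeat_offenders(SAMPLE_LOG)) # {'203.0.113.5': 3}
```

The "stray-ack" bucket (ACK without SYN from a non-web port) is the one worth keeping in the log, since it is the case the question worries about; the "late-web-ack" bucket is the candidate for silent dropping or rate-limited logging.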
