Posted by Mikhail Zotov on May 23, 2006, 10:31 am
I do often observe my firewall/router blocking new TCP packets with
either ACK or ACK, FIN bits set. The packets are addressed to (mostly
windoze) clients and usually have SPT=80 or SPT=443. AFAIU, they are
parts of broken http (https) connections. A bad thing with them is that
they are sometimes repeated literally for hours, thus filling the log.
Surely, I can limit the rate of logging or just block such packets
silently but I don't think this is a good idea since, IIRC, such
packets can be used for scanning. Thus my question is: is there a smart
way to get rid of such packets, e.g., by tuning sysctl settings or by
anyhow telling the "noisy" server to shut up or any other way?
Re: Multiple new packets with ACK or ACK,FIN bits set
I'd drop them since valid new connections don't come from privileged
ports ;) I put repeat offenders into a deny-list (by CIDR block),
since this traffic seen here originates from US based server farms.
At one stage I would send an email to the 'whois' block owner informing
them their block was denied access to my server due to <whatever>
from logfile. Only one of many dozen responded after fixing the
issue, asking for the block-deny to be removed.
I have a US based server farm tapping on my server about once per
hour since Nov'05, the date of their registration; some sites seem
specifically set up for this information gathering strategy...
At the moment I DROP this rubbish unlogged.
WinXP: Access Start->Turn Off Computer, then while holding Ctrl-Alt-Shift,
left click on Cancel. This terminates Windows Explorer...
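Both posts above circle the same defensive task: tell stray ACK / ACK,FIN packets arriving from port 80 or 443 apart from genuine new connections (which always start with a SYN), and keep count of which sources keep sending them so the noisy ones can go on a deny-list by CIDR block rather than flooding the log. The script below is an added example (not code from either poster) that does exactly that over iptables-style LOG lines. The log lines are constructed samples using documentation address ranges; the field names (SRC=, SPT=, PROTO= and the bare flag tokens) follow the kernel LOG target format, and the /24 aggregation width and repeat threshold are assumed tunables.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of iptables LOG-target lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
May 23 09:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
May 23 09:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
May 23 09:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP SPT=443 DPT=51240 WINDOW=0 RES=0x00 ACK URGP=0
May 23 09:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=443 DPT=51250 WINDOW=0 RES=0x00 ACK URGP=0
May 23 09:01:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.5 PROTO=TCP SPT=22 DPT=51260 WINDOW=5840 RES=0x00 SYN URGP=0
May 23 09:01:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # flags appear as bare tokens in LOG lines
SERVER_PORTS = {80, 443}                                # the source ports the original poster sees

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the fields we need from one LOG line, or None if it is not a TCP LOG line."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "SPT" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "spt": int(fields["SPT"]),
        "flags": set(line.split()) & TCP_FLAGS,
    }


def is_stray_ack(rec):
    """A packet the firewall saw as NEW but that carries ACK without SYN,
    coming from a web server port: the leftover of a dead HTTP(S) connection,
    never a legitimate connection attempt."""
    return ("ACK" in rec["flags"]
            and "SYN" not in rec["flags"]
            and rec["spt"] in SERVER_PORTS)


def summarize(log_text, prefix_len=24, threshold=2):
    """Count stray ACKs per source address and per CIDR block (default /24, an assumed width),
    and list the blocks that reached `threshold` hits as deny-list candidates."""
    per_source = Counter()
    per_block = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_stray_ack(rec):
            continue
        per_source[rec["src"]] += 1
        block = ipaddress.ip_network(f"{rec['src']}/{prefix_len}", strict=False)
        per_block[str(block)] += 1
    offenders = sorted((b, n) for b, n in per_block.items() if n >= threshold)
    return {"per_source": per_source, "per_block": per_block, "repeat_offenders": offenders}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, n in report["per_source"].most_common():
        print(f"{src:16} {n} stray ACK packet(s)")
    print("deny-list candidates:", report["repeat_offenders"])
```

The SYN-bearing line from port 22 is ignored even though it is a NEW packet, which is the distinction the reply relies on: a real connection attempt has SYN set, so a NEW packet without it is safe to treat as noise. Feeding the same logic a day of logs gives the per-block counts a deny-list needs, while the firewall itself can keep dropping the non-SYN NEW packets unlogged, or behind a rate limit, so they stop filling the log without hiding genuine scan attempts.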