Linode Community Forums
PostPosted: Tue Feb 19, 2008 7:20 am 
Junior Member

Joined: Tue Feb 19, 2008 7:08 am
Posts: 23
Location: USA
Is this normal?
I have iptables to drop INVALID in both INPUT and OUTPUT chain.
Code:
iptables -I INPUT -m state --state INVALID -j logblock
iptables -I OUTPUT -m state --state INVALID -j logblock


The log file looks like this
Code:
IN= OUT=eth0 SRC=67.18.*.* DST=140.211.*.* LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1362 DF PROTO=TCP SPT=39659 DPT=80 WINDOW=126 RES=0x00 ACK FIN URGP=0
My sysctl

Code:
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.core.netdev_max_backlog = 2500
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
PostPosted: Tue Feb 19, 2008 11:03 am 
Senior Member

Joined: Tue Feb 19, 2008 10:55 am
Posts: 164
> Is this normal?

I don't know if it's normal, but I've seen it myself. My guess is the connection is removed from conntrack before the fin/ack arrives. So it appears as a new connection starting with fin/ack, which is invalid. (just a guess, I haven't been bothered to look into it)

Perhaps Google has the answer?

PostPosted: Tue Feb 19, 2008 2:05 pm 
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
yejun wrote:
The log file looks like this
Code:
IN= OUT=eth0 SRC=67.18.*.* DST=140.211.*.* LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1362 DF PROTO=TCP SPT=39659 DPT=80 WINDOW=126 RES=0x00 ACK FIN URGP=0

It looks like a Maimon scan. Is the source IP known to you?

From the nmap man page:

Quote:
-sM (TCP Maimon scan)
The Maimon scan is named after its discoverer, Uriel Maimon. He
described the technique in Phrack Magazine issue #49 (November
1996). Nmap, which included this technique, was released two issues
later. This technique is exactly the same as null, FIN, and Xmas
scans, except that the probe is FIN/ACK. According to RFC 793
(TCP), a RST packet should be generated in response to such a probe
whether the port is open or closed. However, Uriel noticed that
many BSD-derived systems simply drop the packet if the port is
open.


It seems to be common to get all kinds of scans from just about everywhere on any internet IP.

PostPosted: Tue Feb 19, 2008 2:23 pm 
Junior Member

Joined: Tue Feb 19, 2008 7:08 am
Posts: 23
Location: USA
The source IP is myself. It seems some clients, such as PHP, will generate ACK/FIN but others will not.

I googled around. This bug was only briefly mentioned on the ipfilter mailing list in 2006, but it seems no one bothered to fix it.
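
Added example, not code from the thread: a small Python parser for iptables LOG lines that separates the case diagnosed above (a locally generated FIN/ACK whose conntrack entry is already gone, so it is logged as INVALID in OUTPUT) from an inbound FIN/ACK that matches no tracked connection, which is what a FIN/ACK probe looks like from the receiving side. The sample lines, interface name and addresses are constructed (documentation ranges, with 192.0.2.10 standing in for the local host).

```python
from collections import Counter

# Constructed sample lines in iptables LOG format (not the thread's log;
# documentation addresses). 192.0.2.10 plays the local host.
SAMPLE_LOG = """\
IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1362 DF PROTO=TCP SPT=39659 DPT=80 WINDOW=126 RES=0x00 ACK FIN URGP=0
IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 ACK FIN URGP=0
IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=10 PROTO=TCP SPT=44445 DPT=25 WINDOW=1024 RES=0x00 ACK FIN URGP=0
IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=31 DF PROTO=TCP SPT=80 DPT=39659 WINDOW=126 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split one LOG line into key=value fields plus the set of TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # "IN=" yields an empty string
        elif tok in TCP_FLAGS:
            flags.add(tok)               # bare tokens such as ACK, FIN (DF is ignored)
    fields["FLAGS"] = flags
    return fields


def classify(pkt):
    """Label an INVALID-state TCP packet along the lines of the thread's diagnosis."""
    if pkt.get("PROTO") != "TCP":
        return "other"
    if pkt["FLAGS"] == {"ACK", "FIN"}:
        # Locally generated (IN empty, OUT set): the closing FIN/ACK of a
        # connection whose conntrack entry has already been removed.
        if not pkt.get("IN") and pkt.get("OUT"):
            return "stale-conntrack-teardown"
        # Arriving from outside with no tracked connection: the shape of a
        # FIN/ACK (Maimon-style) probe, worth correlating across ports.
        return "inbound-finack-no-state"
    return "other"


def summarize(text):
    """Count (source, label) pairs so a host probing several ports stands out."""
    counts = Counter()
    for line in text.splitlines():
        if "PROTO=" in line:
            pkt = parse_line(line)
            counts[(pkt.get("SRC"), classify(pkt))] += 1
    return counts
```

Feed it the lines your `logblock` chain writes to syslog; a single source that accumulates `inbound-finack-no-state` hits against many destination ports is the pattern to look at, while `stale-conntrack-teardown` entries from your own address are the benign noise this thread is about.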

PostPosted: Thu Sep 01, 2011 1:09 pm 

Joined: Thu Sep 01, 2011 1:04 pm
Posts: 1
Website: http://www.proxar.co.uk
Location: London, UK
I have got the same problem on CentOS 5.6 64 bit.

I'm surprised that it hasn't been fixed.

_________________
Paul Preston - Proxar IT Consulting
www.proxar.co.uk - info@proxar.co.uk
