Steven Jan Springl
2002-Dec-14 00:49 UTC
Fwd: Re: [Shorewall-users] Strange log messages, "SPT=80 DPT=0" ?
---------- Forwarded Message ----------

Subject: Re: [Shorewall-users] Strange log messages, "SPT=80 DPT=0" ?
Date: Sat, 14 Dec 2002 00:44:03 +0000
From: Steven Jan Springl <shorewall@springl.fsnet.co.uk>
To: Tom Eastep <teastep@shorewall.net>

On Friday 13 December 2002 22:11, Tom Eastep wrote:
> --On Friday, December 13, 2002 01:07:07 PM -0800 Alex Martin
> <alex@rettconsulting.com> wrote:
> > Hello,
> >
> > I am running shorewall locally on a webserver. Recently I have seen a few
> > of these messages, I cannot locate any commentary on them elsewhere,
> > except:
> >
> > http://mail.shorewall.net/pipermail/shorewall-users/2002-January/000009.html
> >
> > In the archived shorewall mailing list message (above) Tom mentions
> > orphaned DNS replies, but the cause of such packets was apparently
> > service (DNS) related.
> >
> > Dec 12 03:02:24 carter kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> > SRC=216.xxx.xxx.20 DST=151.204.98.127 LEN=44 TOS=0x00 PREC=0x00 TTL=64
> > ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK SYN URGP=0
> >
> > Dec 12 01:53:43 carter kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> > SRC=216.xxx.xxx.20 DST=151.204.100.73 LEN=44 TOS=0x00 PREC=0x00 TTL=64
> > ID=0 DF PROTO=TCP SPT=25 DPT=0 WINDOW=5840 RES=0x00 ACK SYN URGP=0
> >
> > Anyone seen these types of messages, ie, rejected packets with a DPT=0 ?
> > Know what they are / might be?
>
> I've not seen this before.
>
> Given that IN=<empty> and the "ACK SYN", these appear to be your server's
> responses to the first stage of the 3-way TCP session establishment
> protocol. It would be interesting to know if the original SYN packets had
> SPT=0 -- that might indicate some new form of SYN attack and since your
> servers appear to be responding to it, it could be effective.
>
> I can concoct a trap for SYNs with SPT=0 if you are willing to try it --
> what version of Shorewall are you running?
>
> -Tom

I have managed to recreate this type of log entry with a program called hping2. So far I have only been able to do so by issuing the command from the firewall itself.

Regards

Steven.

-------------------------------------------------------
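
The reading given in the thread (empty IN=, "ACK SYN", DPT=0 means the local server is answering a SYN that arrived with source port 0) can be applied to a whole log as a filter. This is an added example, not part of the original messages; the function names are hypothetical, the first two sample lines are the entries quoted above joined onto single lines, and the third is constructed.

```python
import re

# First two lines: entries quoted in the thread. Third line: constructed
# inbound entry that must not match.
SAMPLE_LOG = """\
Dec 12 03:02:24 carter kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=216.xxx.xxx.20 DST=151.204.98.127 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=0 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Dec 12 01:53:43 carter kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=216.xxx.xxx.20 DST=151.204.100.73 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=25 DPT=0 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Dec 12 04:10:00 carter kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_entry(line):
    """Split a Shorewall/netfilter LOG line into key=value fields and TCP flags."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        return None
    fields = {"chain": m.group(1), "disposition": m.group(2)}
    flags = set()
    for tok in m.group(3).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val          # e.g. IN="" when the packet is locally generated
        elif tok in TCP_FLAGS:
            flags.add(tok)             # bare tokens such as SYN, ACK (DF is an IP flag, skipped)
    fields["flags"] = flags
    return fields


def is_synack_to_port_zero(entry):
    """Locally generated (IN empty) TCP SYN+ACK addressed to destination port 0."""
    return (entry.get("IN") == "" and entry.get("PROTO") == "TCP"
            and {"SYN", "ACK"} <= entry["flags"] and entry.get("DPT") == "0")


def find_suspect_replies(log_text):
    """Return (destination address, local service port) for each matching entry."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and is_synack_to_port_zero(entry):
            hits.append((entry["DST"], int(entry["SPT"])))
    return hits


if __name__ == "__main__":
    for dst, spt in find_suspect_replies(SAMPLE_LOG):
        print(f"SYN+ACK from local port {spt} sent to {dst} port 0")
```

The DST values it returns are the hosts whose inbound SYNs (presumably with SPT=0, which the thread had not yet confirmed) are worth capturing on the external interface.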