[ale] Iptables: Packets from port 80 to unestablished ports
Mike Millson
mmillson at meritonlinesystems.com
Sat Jul 19 11:47:01 EDT 2003
I have noticed a number of packets that my iptables firewall is dropping
from port 80 because they are unrelated to an established connection.
For example:
07/19-08:52:53 kernel: ?INPUT:IN=ppp0 OUT= MAC= SRC=208.217.109.66
DST=68.157.175.145 LEN=1452 TOS=0x00 PREC=0x00 TTL=50 ID=60713 DF
PROTO=TCP SPT=80 DPT=35552 WINDOW=9648 RES=0x00 ACK URGP=0
This is a legitimate site that I was visiting, so I revisited the site
and logged all packets. It appears that several times per visit the web
server sends one of these ACK packets to a port that has not previously
been used in the conversation.
According the the http headers, the site is running Apache/1.3.19
(Unix).
Have any others seen this sort of activity in their logs? Is it simply a
buggy version of Apache babbling to the wrong port, or is there possibly
something else going on here?
Thank you,
Mike
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
More information about the Ale
mailing list