netstat shows strange output

To: debian-security@lists.debian.org
Subject: netstat shows strange output
From: William Twomey <william.twomey@gmail.com>
Date: Sun, 06 Jan 2008 13:36:26 -0600
Message-id: <[🔎] 47812DBA.5060301@gmail.com>

netstat | grep www | wc -l
1138

I was seeing lots of 'SYN_RECV' on port 80 coming from one host. I'vetried the following iptables rules (from iptables-save). Kind of a mess,as I've been trying multiple things to solve this problem.


-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state--state NEW -j DROP-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state--state NEW -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG-j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URGFIN,SYN,RST,PSH,ACK,URG -j DROP-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state--state NEW -j DROP-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state--state NEW -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG-j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URGFIN,SYN,RST,PSH,ACK,URG -j DROP-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URGFIN,SYN,RST,ACK -j DROP

-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DDoS

I also disabled ipv6, which I was seeing a lot of from this host.

I am now seeing a lot of entries like this:

tcp 0 0 192.168.1.240:www ba.2c.5646.static:34884FIN_WAIT2tcp 0 0 192.168.1.240:www ba.2c.5646.static:33860FIN_WAIT2tcp 0 0 192.168.1.240:www ba.2c.5646.static:33863FIN_WAIT2tcp 1 0 192.168.1.240:www ba.2c.5646.static:44103CLOSE_WAITtcp 0 0 192.168.1.240:www ba.2c.5646.static:57671ESTABLISHEDtcp 0 0 192.168.1.240:www ba.2c.5646.static:57927FIN_WAIT2tcp 0 0 192.168.1.240:www ba.2c.5646.static:57926FIN_WAIT2tcp 0 0 192.168.1.240:www ba.2c.5646.static:58489FIN_WAIT2tcp 1 0 192.168.1.240:www ba.2c.5646.static:57465CLOSE_WAITtcp 0 0 192.168.1.240:www ba.2c.5646.static:50041FIN_WAIT2tcp 0 0 192.168.1.240:www ba.2c.5646.static:48251FIN_WAIT2tcp 1 0 192.168.1.240:www ba.2c.5646.static:44155CLOSE_WAITtcp 0 0 192.168.1.240:www ba.2c.5646.static:55675FIN_WAIT2tcp 1 0 192.168.1.240:www ba.2c.5646.static:41850CLOSE_WAITtcp 0 0 192.168.1.240:www ba.2c.5646.static:55674FIN_WAIT2tcp 1 0 192.168.1.240:www ba.2c.5646.static:44413CLOSE_WAITtcp 0 0 192.168.1.240:www ba.2c.5646.static:59517ESTABLISHEDtcp 1 0 192.168.1.240:www ba.2c.5646.static:44401CLOSE_WAIT

I've blocked this IP (resolves to 18255.com) on this machine usingiptables -I INPUT -s 66.116.125.131 -j DROP


This doesn't work, so perhaps it's a spoofed IP? *shrugs*

Any help would be appreciated, this is causing a bit of strain on my webserver. :/


-Will

Reply to:

Follow-Ups:
- Re: netstat shows strange output
  - From: Noah Meyerhans <noahm@debian.org>
- Re: netstat shows strange output
  - From: Bernd Eckenfels <ecki@lina.inka.de>

Prev by Date: Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities
Next by Date: Re: netstat shows strange output
Previous by thread: Re: [SECURITY] [DSA 1448-1] New eggdrop packages fix execution of arbitrary code
Next by thread: Re: netstat shows strange output
Index(es):
- Date
- Thread