Re: netstat shows strange output

On Sun, Jan 06, 2008 at 01:36:26PM -0600, William Twomey wrote:
> I also disabled ipv6, which I was seeing a lot of from this host.

Probably not, unless you've knowingly configured IPv6 routing and all
that; you were probably seeing a lot of IPv4 mapped v6 addresses, which
look (in netstat) like ::ffff: [1] Disabling v6 is an
entirely reasonable thing to do if you don't use it, but is probably not
going to do anything about the actual traffic.

> tcp        0      0       ba.2c.5646.static:55674 
> tcp        1      0       ba.2c.5646.static:44413 
> tcp        0      0       ba.2c.5646.static:59517 
> tcp        1      0       ba.2c.5646.static:44401 
> I've blocked this IP (resolves to 18255.com) on this machine using 
> iptables -I INPUT -s -j DROP
> This doesn't work, so perhaps it's a spoofed IP? *shrugs*
> Any help would be appreciated, this is causing a bit of strain on my web 
> server. :/

Dropping packets from a host won't magically make all open connections
from that host go away.  These connections will eventually time out and
go away.  Until then, unless your web server is *really*
resource-starved, these connections aren't causing any significant

You should probably read the netstat man page and RFC 793 [2] for info
about what those various states mean.  For example, a connection in
FIN_WAIT2 state is waiting for a packet from the remote host, which
you've explicitly forbidden.


[1] http://en.wikipedia.org/wiki/IPv4_mapped_address
[2] http://www.faqs.org/rfcs/rfc793.html
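
An added example, not part of the original message: a small parser for numeric `netstat -tn` output that folds IPv4-mapped IPv6 addresses back to plain IPv4 and counts, per remote host, the connections in states that wait on the peer and so can only time out once that peer's packets are dropped. The sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter, defaultdict

# States in which the local TCP is waiting for a segment from the peer
# (RFC 793); if the peer's packets are dropped, only a timeout ends them.
WAITS_ON_PEER = {"SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK"}

# Constructed sample in `netstat -tn` layout (documentation addresses).
SAMPLE = """\
tcp        0      0 192.0.2.10:80           203.0.113.5:55674       FIN_WAIT2
tcp        1      0 192.0.2.10:80           203.0.113.5:44413       CLOSE_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:59517 FIN_WAIT2
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40122 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:51000      TIME_WAIT
"""

def normalize(endpoint):
    """Split 'addr:port' and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    host, _, port = endpoint.rpartition(":")
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip), int(port)

def summarize(text):
    """Return {remote_ip: Counter(state -> count)} for connected TCP sockets."""
    table = defaultdict(Counter)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # header lines and non-TCP entries
        if fields[5] == "LISTEN":
            continue  # listening sockets have no remote peer
        remote_ip, _ = normalize(fields[4])
        table[remote_ip][fields[5]] += 1
    return table

def stuck_after_drop(table, blocked_ip):
    """Count connections to blocked_ip that wait on the peer and must time out."""
    states = table.get(blocked_ip, Counter())
    return sum(n for state, n in states.items() if state in WAITS_ON_PEER)

if __name__ == "__main__":
    t = summarize(SAMPLE)
    for ip, states in sorted(t.items()):
        print(ip, dict(states))
    print("waiting on blocked peer:", stuck_after_drop(t, "203.0.113.5"))
```

The CLOSE_WAIT entry is not counted because that state waits on the local application to close the socket, not on the remote host.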

