[ale] Iptables: Packets from port 80 to unestablished ports

Mike Millson mmillson at meritonlinesystems.com
Sat Jul 19 11:47:01 EDT 2003


I have noticed a number of packets that my iptables firewall is dropping
from port 80 because they are unrelated to an established connection. 

For example:

07/19-08:52:53 kernel: ?INPUT:IN=ppp0 OUT= MAC= SRC=208.217.109.66
DST=68.157.175.145 LEN=1452 TOS=0x00 PREC=0x00 TTL=50 ID=60713 DF
PROTO=TCP SPT=80 DPT=35552 WINDOW=9648 RES=0x00 ACK URGP=0 

This is a legitimate site that I was visiting, so I revisited the site
and logged all packets. It appears that several times per visit the web
server sends one of these ACK packets to a port that has not previously
been used in the conversation.

According to the HTTP headers, the site is running Apache/1.3.19
(Unix).

Have any others seen this sort of activity in their logs? Is it simply a
buggy version of Apache babbling to the wrong port, or is there possibly
something else going on here?

Thank you,
Mike
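
Added example, not part of the original post: one way to check a full packet log for the pattern described above, by listing inbound packets from port 80 whose local port never sent an outbound SYN to that server. The log lines are constructed, use documentation addresses, and assume `OUTPUT:`/`INPUT:` log prefixes with one entry per line.

```python
import re

# Constructed sample in iptables LOG format (not taken from the post).
SAMPLE_LOG = """\
07/19-08:52:50 kernel: OUTPUT:IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4101 DF PROTO=TCP SPT=35550 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
07/19-08:52:50 kernel: INPUT:IN=ppp0 OUT= MAC= SRC=198.51.100.80 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=60710 DF PROTO=TCP SPT=80 DPT=35550 WINDOW=9648 RES=0x00 ACK SYN URGP=0
07/19-08:52:51 kernel: INPUT:IN=ppp0 OUT= MAC= SRC=198.51.100.80 DST=192.0.2.10 LEN=1452 TOS=0x00 PREC=0x00 TTL=50 ID=60711 DF PROTO=TCP SPT=80 DPT=35550 WINDOW=9648 RES=0x00 ACK PSH URGP=0
07/19-08:52:53 kernel: INPUT:IN=ppp0 OUT= MAC= SRC=198.51.100.80 DST=192.0.2.10 LEN=1452 TOS=0x00 PREC=0x00 TTL=50 ID=60713 DF PROTO=TCP SPT=80 DPT=35552 WINDOW=9648 RES=0x00 ACK URGP=0
07/19-08:52:54 kernel: INPUT:IN=ppp0 OUT= MAC= SRC=198.51.100.80 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=60714 DF PROTO=TCP SPT=80 DPT=35553 WINDOW=9648 RES=0x00 ACK URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs; value may be empty (IN=, MAC=)
FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse(line):
    """Return the KEY=value fields plus a 'flags' set, or None if not a TCP entry."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    fields["flags"] = {tok for tok in line.split() if tok in FLAGS}
    return fields


def unmatched_web_replies(log_text, web_port="80"):
    """List inbound packets from web_port sent to a local port that never
    opened a connection (outbound SYN) to that server earlier in the log."""
    opened = set()    # (server IP, local port) pairs seen in an outbound SYN
    orphans = []
    for line in log_text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        outbound = pkt.get("IN") == ""          # locally generated: empty IN=
        if outbound and pkt["DPT"] == web_port and "SYN" in pkt["flags"]:
            opened.add((pkt["DST"], pkt["SPT"]))
        elif not outbound and pkt["SPT"] == web_port:
            if (pkt["SRC"], pkt["DPT"]) not in opened:
                orphans.append((pkt["SRC"], int(pkt["DPT"]), sorted(pkt["flags"])))
    return orphans


if __name__ == "__main__":
    for src, dport, flags in unmatched_web_replies(SAMPLE_LOG):
        print(f"{src}:80 -> local port {dport} flags={','.join(flags)} (no prior outbound SYN)")
```

The result is only meaningful when the log covers the whole visit, since a connection opened before logging started would also show up as unmatched.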
