Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 09-17-2008, 02:39 AM   #1
LQ Newbie
Registered: Feb 2005
Location: Kangdaroo Flat, Victoria, Australia
Distribution: slackware
Posts: 14

Rep: Reputation: 0
tripping firewall rate limit, false positive?

Hi there,

I've set up a rate-limiting firewall option with iptables and ipt_recent, today some Ip out there got themselves into 'jail' after a strange looking sequence downloading a single web page. They got about 80% of the page images when they started sending ACK FIN packets which were tossed by the firewall as invalid, then these events triggered the rate limiter (60 new packets in a minute) and they were placed into a ban list where everything is dropped, after about 20 packets they go quiet.

This is okay from my point of view except I wonder why the sequence went from normal request stream to ACK FINs?

To give an idea of the sifference in traffic, here's three different IPs download the same web page, the small number is packet count, the large number SRC port:

Okay, one by one item download:
1 55360
1 55361
1 55362
1 55363
1 55364
1 55365
1 55366
1 55367
1 55368
1 55369
1 55370
1 55371
1 55372
1 55373
Okay, four streams of items:
1 2175
1 2176
1 2177
1 2178
Bad, some sort of download accelerator? Huh?:
8 49263
8 49420
7 52728
9 53523
7 53702
7 53920
8 55719
8 57784
7 59417
7 59714
7 62784
8 65129

Anyone recognise this type of access pattern?
Old 09-19-2008, 04:23 AM   #2
LQ Newbie
Registered: Feb 2005
Location: Kangdaroo Flat, Victoria, Australia
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0

Added this config item for sadly sicko windoze boxen:

# bugfix? for INVALID packets appearing to break valid connections,
# "be liberal in what you accept"
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

Much better!


firewall, iptables, linux, networking, windows

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
apache / mod_security: fixing false positive 950013 fryzer Linux - Server 5 05-06-2008 10:30 AM
Is this a false positive....A/V question cbjhawks Linux - Security 4 02-21-2006 06:50 AM
Snort: Block False Positive from Dlink Wireless Router omICron Linux - Security 1 01-01-2005 01:41 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 2 03-09-2004 09:16 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 0 03-08-2004 08:06 AM

All times are GMT -5. The time now is 09:04 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration