LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 09-17-2008, 03:39 AM   #1
scattered
LQ Newbie
 
Registered: Feb 2005
Location: Bendigo, Vic, Australia
Distribution: slackware
Posts: 14

Rep: Reputation: 0
tripping firewall rate limit, false positive?


Hi there,

I've set up a rate-limiting firewall option with iptables 1.4.1.1 and ipt_recent, today some Ip out there got themselves into 'jail' after a strange looking sequence downloading a single web page. They got about 80% of the page images when they started sending ACK FIN packets which were tossed by the firewall as invalid, then these events triggered the rate limiter (60 new packets in a minute) and they were placed into a ban list where everything is dropped, after about 20 packets they go quiet.

This is okay from my point of view except I wonder why the sequence went from normal request stream to ACK FINs?

To give an idea of the sifference in traffic, here's three different IPs download the same web page, the small number is packet count, the large number SRC port:

Okay, one by one item download:
1 55360
1 55361
1 55362
1 55363
1 55364
1 55365
1 55366
1 55367
1 55368
1 55369
1 55370
1 55371
1 55372
1 55373
Okay, four streams of items:
1 2175
1 2176
1 2177
1 2178
Bad, some sort of download accelerator? Huh?:
8 49263
8 49420
7 52728
9 53523
7 53702
7 53920
8 55719
8 57784
7 59417
7 59714
7 62784
8 65129

Anyone recognise this type of access pattern?
Thanks.
 
Old 09-19-2008, 05:23 AM   #2
scattered
LQ Newbie
 
Registered: Feb 2005
Location: Bendigo, Vic, Australia
Distribution: slackware
Posts: 14

Original Poster
Rep: Reputation: 0
Talking

Added this config item for sadly sicko windoze boxen:

# bugfix? for INVALID packets appearing to break valid connections,
# "be liberal in what you accept"
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

Much better!
 
  


Reply

Tags
firewall, iptables, linux, networking, windows


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
apache / mod_security: fixing false positive 950013 fryzer Linux - Server 5 05-06-2008 11:30 AM
Is this a false positive....A/V question cbjhawks Linux - Security 4 02-21-2006 07:50 AM
Snort: Block False Positive from Dlink Wireless Router omICron Linux - Security 1 01-01-2005 02:41 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 2 03-09-2004 10:16 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 0 03-08-2004 09:06 AM


All times are GMT -5. The time now is 11:11 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration