What is happening here?
My logs are showing this a lot:

Oct 7 08:02:29 ares kernel: ABORTED IN=eth1 OUT= MAC=00:c0:f0:3e:14:29:00:06:25:f4:48:49:08:00 SRC=172.179.48.246 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=65259 PROTO=TCP SPT=15282 DPT=6881 SEQ=2395347946 ACK=2779374892 WINDOW=64363 RES=0x00 RST URGP=0

Problem is I don't fully know how to read this. I can see that someone from AOL is trying to attach to my box. What I don't know is what most of the items here mean. What are LEN, TOS, PREC, TTL, ID, SPT, DPT, SEQ, ACK, WINDOW, RES, RST, URGP? I can't seem to find any docs that I can understand that explain this. |
Hi.
They're just TCP header bits. Have a look here: http://www.networksorcery.com/enp/protocol/tcp.htm Dave |
Forgive me, as I appreciate your help, but that link doesn't tell me much. I can see how the packet is structured, but comparing that to the output I just posted I can't see everything that is occurring. For example, what port is this packet trying to access?
|
Re: What is happening here?
Quote:
If you don't understand what it says and you just want to "read" what the log says, as you mention, then you don't need LEN, TOS, etc. I will try to explain as briefly as I can what it says.

Oct 7 08:02:29 ares kernel: ABORTED IN=eth1 OUT= MAC=00:c0:f0:3e:14:29:00:06:25:f4:48:49:08:00 SRC=172.179.48.246 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=65259 PROTO=TCP SPT=15282 DPT=6881 SEQ=2395347946 ACK=2779374892 WINDOW=64363 RES=0x00 RST URGP=0

The packet came in on the eth1 interface (incoming traffic). It came from 172.179.48.246 (something.aol.com) and had destination 192.168.0.3 (you, I guess). The packet protocol was TCP and the source port at the AOL machine was 15282 (not important). The port at your machine it tried to access was 6881. This is the default port of BitTorrent clients. It can be anything, but if you use a BitTorrent client (Azureus, Ktorrent, ctorrent, whatever) then I guess there is a good possibility that's it. The flags are RST (reset). Google has a great deal of information about SYN/ACK/RST, so I won't mention anything here. I hope I helped and didn't confuse you. |
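As an added example (not code from anyone in this thread), here is a small Python parser for this netfilter LOG-target format that splits a line into the --log-prefix text, the KEY=VALUE fields and the bare flag tokens, labels each field the way the reply above does, and gives a coarse reading of the TCP flags. The two sample lines in it are constructed: the first is the log line from the question, the second is a made-up SYN probe against port 22 for contrast. The MAC= split (destination MAC, source MAC, EtherType) follows how the LOG target prints the 14-byte Ethernet header; everything else is straight from the IP and TCP header layout.

```python
"""Decode netfilter LOG-target lines ("kernel: <prefix> IN= OUT= MAC= SRC= ...").
Added example. SAMPLE_LOG is constructed: line 1 is the line from the thread,
line 2 a made-up SYN probe to port 22 for contrast."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Oct 7 08:02:29 ares kernel: ABORTED IN=eth1 OUT= MAC=00:c0:f0:3e:14:29:00:06:25:f4:48:49:08:00 SRC=172.179.48.246 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=65259 PROTO=TCP SPT=15282 DPT=6881 SEQ=2395347946 ACK=2779374892 WINDOW=64363 RES=0x00 RST URGP=0
Oct 7 08:03:11 ares kernel: PROBE IN=eth1 OUT= MAC=00:c0:f0:3e:14:29:00:06:25:f4:48:49:08:00 SRC=203.0.113.9 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Tokens the LOG target prints bare (no '='), in the order it emits them.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
IP_FLAGS = ("CE", "DF", "MF")  # reserved bit, Don't Fragment, More Fragments

# Meaning of each KEY=VALUE token: frame, then IP header, then TCP header.
FIELD_HELP = {
    "IN": "interface the packet arrived on",
    "OUT": "interface it would leave on (empty when addressed to this host)",
    "MAC": "14 Ethernet header bytes: dst MAC, src MAC, EtherType",
    "SRC": "source IP address", "DST": "destination IP address",
    "LEN": "IP total length in bytes (40 = 20 IP + 20 TCP, no payload)",
    "TOS": "IP Type of Service bits", "PREC": "IP precedence bits",
    "TTL": "hops left before the packet is discarded",
    "ID": "IP identification field", "PROTO": "transport protocol",
    "SPT": "source port", "DPT": "destination port (the service contacted)",
    "SEQ": "TCP sequence number", "ACK": "TCP acknowledgement number",
    "WINDOW": "TCP receive window", "RES": "reserved TCP header bits",
    "URGP": "TCP urgent pointer",
}

HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
                       r"(?P<host>\S+)\s+kernel:\s*(?P<rest>.*)$")

@dataclass
class LogEntry:
    timestamp: str
    host: str
    prefix: str             # text from -j LOG --log-prefix, e.g. "ABORTED"
    fields: Dict[str, str]  # KEY=VALUE tokens
    ip_flags: List[str]     # bare IP tokens, e.g. ["DF"]
    tcp_flags: List[str]    # bare TCP flag tokens, e.g. ["RST"]

    def mac_parts(self) -> Optional[Dict[str, str]]:
        """Split MAC= into destination MAC, source MAC and EtherType (0800 = IPv4)."""
        octets = self.fields.get("MAC", "").split(":")
        if len(octets) != 14:
            return None
        return {"dst_mac": ":".join(octets[:6]), "src_mac": ":".join(octets[6:12]),
                "ethertype": "".join(octets[12:])}

def parse_line(line: str) -> Optional[LogEntry]:
    """One syslog line -> LogEntry, or None if it is not a LOG-target line."""
    m = HEADER_RE.match(line.strip())
    start = m and re.search(r"\bIN=", m.group("rest"))
    if not start:
        return None
    rest = m.group("rest")
    fields, ip_flags, tcp_flags = {}, [], []
    for tok in rest[start.start():].split():
        if "=" in tok:                      # KEY=VALUE (OUT= gives an empty value)
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            tcp_flags.append(tok)
        elif tok in IP_FLAGS:
            ip_flags.append(tok)
    return LogEntry(m.group("ts"), m.group("host"), rest[:start.start()].strip(),
                    fields, ip_flags, tcp_flags)

def parse_log(text: str) -> List[LogEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def classify(entry: LogEntry) -> str:
    """Coarse reading of the TCP flags: what kind of segment was this?"""
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = set(entry.tcp_flags)
    if flags == {"SYN"}:
        return "connection attempt"      # someone opening a connection to DPT
    if "RST" in flags:
        return "reset"                   # remote side refused/tore down; nothing is open
    if "ACK" in flags:
        return "mid-connection segment"  # part of an already established flow
    return "other"

def describe(entry: LogEntry) -> List[str]:
    out = [f"{k}={v}: {FIELD_HELP.get(k, 'unknown field')}" for k, v in entry.fields.items()]
    out.append(f"flags: {' '.join(entry.ip_flags + entry.tcp_flags) or 'none'} -> {classify(entry)}")
    return out

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"[{e.prefix}] {e.fields['SRC']}:{e.fields['SPT']} -> "
              f"{e.fields['DST']}:{e.fields['DPT']}  {classify(e)}")
        print("\n".join("    " + s for s in describe(e)))
```

Run it as a script to get both sample lines annotated field by field; for the line from the question it reports a bare RST to DPT=6881, i.e. a reset rather than a connection being opened. SEQ= and ACK= only appear when the rule was written with --log-tcp-sequence, so the parser treats them like any other optional field.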
Not confusing at all. I was running Azureus last night and I thought the 6881 might refer to that, as BitTorrent uses that port.
This is listed as ABORTED. By who? Them or me? |
I find it a bit weird that you got this, as 192.168.0.3 is usually a LAN reserved IP. Is this log from a NAT box or a router or something like that?
These aborted messages must come from your iptables rules. There must be a rule that is throwing it into your logs. |
It's behind a router on a private net.
The remote client sent a RST, so it closed the connection.
The thing with the ABORT is there because you must have something like -j LOG --log-prefix "ABORT:" in your iptables rules. |
OK, so that is worthless info filling my logs. Now I know that it is probably safe to add that to logsentry to filter it out.
Thanks. :) |
"Aborted" TCP connections are usually associated with "half-open" port scans, which can be an important indicator that someone is trying to stealthily perform information gathering for a future attack. So that is why they are logged by certain firewalls. The downside is that you do see a lot of false positives, commonly due to a webserver terminating the TCP connection so that it doesn't have to maintain a large number of active connections. It's also possible that what you're seeing here has to do with AOL's weird IP address rotation scheme, where an AOL client can actually get reassigned a new IP in the middle of an established connection.
|
You can assume that it is a scan attempt unless you were attempting to do something with BitTorrent at these times. Someone in AOL may be sniffing to find servers.
|