Re: netstat shows strange output

2008-01-06 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> tcp  0  0 192.168.1.240:www   ba.2c.5646.static:34884   FIN_WAIT2

You sure 192.168.1.240 is none of your addresses? Please post an ifconfig
output as well as netstat -tn.

> I've blocked this IP (resolves to 18255.com) on this machine using 
> iptables -I INPUT -s 66.116.125.131 -j DROP

What does 18255.com have to do with the lines above?

Gruss
Bernd


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: netstat shows strange output

2008-01-06 Thread Noah Meyerhans
On Sun, Jan 06, 2008 at 01:36:26PM -0600, William Twomey wrote:
> 
> I also disabled ipv6, which I was seeing a lot of from this host.

Probably not, unless you've knowingly configured IPv6 routing and all
that; you were probably seeing a lot of IPv4 mapped v6 addresses, which
look (in netstat) like :::66.116.125.131. [1] Disabling v6 is an
entirely reasonable thing to do if you don't use it, but is probably not
going to do anything about the actual traffic.

> tcp  0  0 192.168.1.240:www   ba.2c.5646.static:55674   FIN_WAIT2
> tcp  1  0 192.168.1.240:www   ba.2c.5646.static:44413   CLOSE_WAIT
> tcp  0  0 192.168.1.240:www   ba.2c.5646.static:59517   ESTABLISHED
> tcp  1  0 192.168.1.240:www   ba.2c.5646.static:44401   CLOSE_WAIT
> 
> I've blocked this IP (resolves to 18255.com) on this machine using 
> iptables -I INPUT -s 66.116.125.131 -j DROP
> 
> This doesn't work, so perhaps it's a spoofed IP? *shrugs*
> 
> Any help would be appreciated, this is causing a bit of strain on my web 
> server. :/

Dropping packets from a host won't magically make all open connections
from that host go away.  These connections will eventually time out and
go away.  Until then, unless your web server is *really*
resource-starved, these connections aren't causing any significant
strain.

You should probably read the netstat man page and RFC 793 [2] for info
about what those various states mean.  For example, a connection in
FIN_WAIT2 state is waiting for a packet from the remote host, which
you've explicitly forbidden.

noah

[1] http://en.wikipedia.org/wiki/IPv4_mapped_address
[2] http://www.faqs.org/rfcs/rfc793.html




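The reply above makes two points that are easier to see with a small parser over netstat output: IPv4-mapped IPv6 peers show up as `:::a.b.c.d` (or `::ffff:a.b.c.d` on newer net-tools) and should be folded into the IPv4 address before counting, and a DROP rule on a peer only stalls the connections whose next step is a segment *from* that peer (FIN_WAIT2, LAST_ACK, SYN_RECV, ...), while CLOSE_WAIT entries are waiting on the local web server to close the socket. The following is an added example written for this thread, not code from any of the posters; it assumes the classic Linux net-tools column layout and a listing produced with `-n`, and the sample listing is constructed.

```python
"""Group a netstat -tn listing by remote peer and TCP state (added example)."""
from collections import Counter, defaultdict
import ipaddress

# States in which the local stack is waiting for a segment from the peer
# (RFC 793 state diagram). If inbound packets from that peer are dropped,
# these entries linger until the kernel's timers expire them.
WAITING_ON_PEER = {"SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK"}

# Constructed sample in net-tools layout. The two tcp6 rows show the two
# spellings netstat has used for an IPv4-mapped peer over the years.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.240:80        66.116.125.131:34884    FIN_WAIT2
tcp        1      0 192.168.1.240:80        66.116.125.131:44103    CLOSE_WAIT
tcp        0      0 192.168.1.240:80        66.116.125.131:57671    ESTABLISHED
tcp        0      0 192.168.1.240:80        66.116.125.131:50042    SYN_RECV
tcp6       0      0 :::80                   :::66.116.125.131:41850 FIN_WAIT2
tcp6       0      0 :::80                   ::ffff:66.116.125.131:41851 LAST_ACK
tcp        0      0 192.168.1.240:22        10.0.0.7:51234          ESTABLISHED
"""


def normalize_host(host):
    """Fold IPv4-mapped IPv6 forms (:::a.b.c.d, ::ffff:a.b.c.d) into a.b.c.d."""
    for prefix in ("::ffff:", ":::"):
        if host.startswith(prefix):
            try:
                return str(ipaddress.IPv4Address(host[len(prefix):]))
            except ipaddress.AddressValueError:
                pass
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # listing made without -n: a resolved name, keep as-is
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_netstat_line(line):
    """Return a dict for a tcp/tcp6 row, or None for headers and other rows."""
    fields = line.split()
    if len(fields) < 6 or not fields[0].startswith("tcp"):
        return None
    proto, recvq, sendq, local, foreign, state = fields[:6]
    peer_host, peer_port = foreign.rsplit(":", 1)
    return {"proto": proto, "recvq": int(recvq), "peer": normalize_host(peer_host),
            "peer_port": int(peer_port), "state": state}


def summarize(output):
    """Map each remote peer to a Counter of the TCP states its sockets are in."""
    by_peer = defaultdict(Counter)
    for line in output.splitlines():
        conn = parse_netstat_line(line)
        if conn is not None:
            by_peer[conn["peer"]][conn["state"]] += 1
    return by_peer


def assess_block(by_peer, blocked_host):
    """Split a blocked peer's sockets into those stalled by the DROP rule
    (waiting on the peer) and those the local application must close."""
    states = by_peer.get(normalize_host(blocked_host), Counter())
    return {
        "total": sum(states.values()),
        "waiting_on_peer": sum(n for s, n in states.items() if s in WAITING_ON_PEER),
        "close_wait": states.get("CLOSE_WAIT", 0),
    }


if __name__ == "__main__":
    by_peer = summarize(SAMPLE)
    for peer, states in sorted(by_peer.items()):
        print(peer, dict(states))
    print(assess_block(by_peer, "66.116.125.131"))
```

Feed it real output with `netstat -tn | python3 this_script.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; the `waiting_on_peer` count is the part of the backlog that will only clear on timeout once the peer is dropped, and a non-zero `close_wait` count points at the web server rather than the firewall.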

netstat shows strange output

2008-01-06 Thread William Twomey

netstat | grep www | wc -l
1138

I was seeing lots of 'SYN_RECV' on port 80 coming from one host. I've 
tried the following iptables rules (from iptables-save). Kind of a mess, 
as I've been trying multiple things to solve this problem.


-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP

-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DDoS

I also disabled ipv6, which I was seeing a lot of from this host.

I am now seeing a lot of entries like this:

tcp  0  0 192.168.1.240:www   ba.2c.5646.static:34884   FIN_WAIT2
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:33860   FIN_WAIT2
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:33863   FIN_WAIT2
tcp  1  0 192.168.1.240:www   ba.2c.5646.static:44103   CLOSE_WAIT
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:57671   ESTABLISHED
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:57927   FIN_WAIT2
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:57926   FIN_WAIT2
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:58489   FIN_WAIT2
tcp  1  0 192.168.1.240:www   ba.2c.5646.static:57465   CLOSE_WAIT
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:50041   FIN_WAIT2
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:48251   FIN_WAIT2
tcp  1  0 192.168.1.240:www   ba.2c.5646.static:44155   CLOSE_WAIT
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:55675   FIN_WAIT2
tcp  1  0 192.168.1.240:www   ba.2c.5646.static:41850   CLOSE_WAIT
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:55674   FIN_WAIT2
tcp  1  0 192.168.1.240:www   ba.2c.5646.static:44413   CLOSE_WAIT
tcp  0  0 192.168.1.240:www   ba.2c.5646.static:59517   ESTABLISHED
tcp  1  0 192.168.1.240:www   ba.2c.5646.static:44401   CLOSE_WAIT


I've blocked this IP (resolves to 18255.com) on this machine using 
iptables -I INPUT -s 66.116.125.131 -j DROP


This doesn't work, so perhaps it's a spoofed IP? *shrugs*

Any help would be appreciated, this is causing a bit of strain on my web 
server. :/


-Will


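The ruleset in the post is a collection of `--tcp-flags MASK COMP` matches, and it helps to work out mechanically what each one catches. The following is an added example for this thread, not the poster's own code: it models the documented iptables semantics (a rule matches when `packet_flags & MASK == COMP`, a leading `!` inverts that), joins the wrapped lines the way iptables-save output gets wrapped in mail, and runs constructed probe packets through a de-duplicated copy of the post's INPUT rules plus the blanket `-s` block. Only the options used in the post (`-A`, `-i`, `-s`, `-p`, `-m`, `--tcp-flags`, `--state`, `-j`) are understood; the packet is a constructed dict, not a captured frame, and 203.0.113.9 is a documentation address standing in for an ordinary client. One thing it makes visible: an ordinary SYN in conntrack state NEW matches none of the flag rules, which is why the SYN_RECV backlog described at the top of the post is untouched by them.

```python
"""Evaluate constructed packets against iptables --tcp-flags rules (added example)."""
import ipaddress

FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
# Options that take one argument; None means "loader only, no packet test here".
TWO_ARG = {"-A": "chain", "-i": "iface", "-s": "src", "-j": "target",
           "--state": "states", "-p": None, "-m": None}

# Constructed ruleset: the distinct INPUT rules from the post, plus the
# source block tried afterwards (inserted at the top, as iptables -I does).
# The two wrapped rules show the line-joining the parser performs.
RULESET = """\
-A INPUT -s 66.116.125.131 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state
 --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
 FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
"""


def flag_bits(spec):
    """'FIN,SYN' -> 3; the iptables keywords ALL and NONE are accepted too."""
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def parse_ruleset(text):
    """Join wrapped continuation lines, then parse each -A rule into a dict."""
    joined = []
    for line in text.splitlines():
        if line.startswith("-A"):
            joined.append(line)
        elif line.strip() and joined:
            joined[-1] += " " + line.strip()
    rules = []
    for line in joined:
        tok, rule, negate, i = line.split(), {}, False, 0
        while i < len(tok):
            if tok[i] == "!":
                negate = True
                i += 1
            elif tok[i] == "--tcp-flags":
                rule["mask"] = flag_bits(tok[i + 1])
                rule["comp"] = flag_bits(tok[i + 2])
                rule["neg"] = negate
                negate = False
                i += 3
            elif tok[i] in TWO_ARG:
                if TWO_ARG[tok[i]]:
                    rule[TWO_ARG[tok[i]]] = tok[i + 1]
                i += 2
            else:
                raise ValueError("unsupported token %r in %r" % (tok[i], line))
        if "src" in rule:
            rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
        if "states" in rule:
            rule["states"] = set(rule["states"].split(","))
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """Apply every test the rule carries; all must hold for a match."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "mask" in rule:
        hit = (flag_bits(pkt["flags"]) & rule["mask"]) == rule["comp"]
        if rule["neg"]:
            hit = not hit
        if not hit:
            return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(rules, chain, pkt):
    """Target of the first matching rule in `chain`, or None (falls to the chain policy)."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["target"]
    return None


def packet(flags, state="NEW", src="203.0.113.9", iface="eth0"):
    """Constructed packet description: flag set, conntrack state, source, interface."""
    return {"flags": flags, "state": state, "src": src, "iface": iface}


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for label, pkt in [("handshake SYN", packet("SYN")),
                       ("stray ACK, state NEW", packet("ACK")),
                       ("SYN+FIN", packet("SYN,FIN")),
                       ("NULL scan", packet("NONE")),
                       ("SYN from blocked host", packet("SYN", src="66.116.125.131"))]:
        print("%-24s -> %s" % (label, verdict(rules, "INPUT", pkt)))
```

A `None` verdict means the packet reaches the chain policy (ACCEPT on the poster's box, since nothing else is shown); that is the outcome for a well-formed SYN from any unblocked client, so these rules filter malformed flag combinations and stray mid-stream ACKs, not connection rate.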