  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 365

firewall log

I need an explanation of this log:

Feb 24 17:40:16 Possible DRDOS TCP attempt: IN=eth0 SRC=202.71.100.92 anggerik.meltechsystems.net. DST=my-ip PROTO=TCP DPT=61955 SPT=HTTP(80) TTL=119 ACK

From this log, can you tell me what it means?
Asked: operation1611
2 Solutions
 
LucF commented:
Hi operation1611,

It means your firewall detected an ACK packet without you sending out a SYN packet first.

http://www.linuxexposed.com/Articles/Security/DoS,DDoS-and-DRDoS-attack-a-quick-introduction-2.html
6. DRDoS

DRDoS stands for Distributed Reflection Denial of Service, simple ACK flooding: creating a lot of SYN connections with a spoofed IP to many hosts, and they will respond with ACK packets. That means that my spoofed IP will receive large amounts of ACK packets.

Greetings,

LucF
 
srikrishnak commented:
Good explanation there. Another point from my experience: if you have asynchronous routing in your network, you often get these log entries.
 
Pete Long, Technical Consultant, commented:
Agreed, though there can be innocent reasons for this happening.

If a client starts a TCP connection to your host, a good stateful firewall will log the initial SYN request and create an entry in its embryonic connection table; when it gets an ACK it opens the connection. If the embryonic table is cleared (or overwritten because it is too small), then similar errors can occur.

Remote client fingerprinting can also be done by sending SYN and ACK requests through firewalls (this is how applications like Nmap and Xprobe2 work).
If you are receiving a LOT of these logs in a short space of time then, as Luc points out, start to get concerned; if it's just a random event then I wouldn't be overly worried.
 
operation1611 (author) commented:
Thanks. You mean my firewall is normal or not?
 
LucF commented:
Yes, it's perfectly normal if you receive some of these.
But, like Pete said, if you're receiving a lot of these in a very short timespan (as in, close to or at the limit of your connection) then you do have a problem.

LucF
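The rule of thumb Pete and Luc give above (a few stray ACKs are normal; a burst of them in a short window is a problem) can be turned into a small check over the log. The Python below is an added example written for this page, not code from the thread or from any of the posters. It assumes the field layout of the single log line in the question, uses that line as the "one stray ACK" sample, constructs a synthetic burst to stand in for a reflection flood, and picks a 10-second window and a threshold of 20 packets as arbitrary starting values to tune for your link.

```python
import re
from datetime import datetime, timedelta

# Field layout follows the single line quoted in the question. The reverse-DNS
# name after SRC is optional (it contains no '=' so it cannot swallow "DST=..."),
# and SPT may be written as "80" or "HTTP(80)".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Possible DRDOS TCP attempt: IN=(?P<iface>\S+) "
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?: (?P<rdns>[^\s=]+))? "
    r"DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) SPT=(?P<spt>\S+) "
    r"TTL=(?P<ttl>\d+) (?P<flags>.+)$"
)

# The line from the question, used as the "one stray ACK" sample.
QUESTION_LINE = (
    "Feb 24 17:40:16 Possible DRDOS TCP attempt: IN=eth0 SRC=202.71.100.92 "
    "anggerik.meltechsystems.net. DST=my-ip PROTO=TCP DPT=61955 SPT=HTTP(80) TTL=119 ACK"
)

# Constructed sample of what a reflection flood would look like in this format:
# 60 packets within 5 seconds, from 60 different web servers, all with SPT=80.
BURST_LINES = [
    f"Feb 24 18:00:{i % 5:02d} Possible DRDOS TCP attempt: IN=eth0 SRC=10.0.{i}.7 "
    f"DST=my-ip PROTO=TCP DPT={50000 + i} SPT=HTTP(80) TTL={110 + i % 20} ACK"
    for i in range(60)
]


def _port(field):
    """'HTTP(80)' -> 80, '80' -> 80."""
    m = re.search(r"\((\d+)\)", field)
    return int(m.group(1) if m else field)


def parse_line(line):
    """Parse one 'Possible DRDOS TCP attempt' line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # syslog omits the year; a fixed one is assumed because only time differences matter
    ts = datetime.strptime("2005 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "iface": m.group("iface"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dpt": int(m.group("dpt")),
        "spt": _port(m.group("spt")),
        "ttl": int(m.group("ttl")),
        "flags": m.group("flags").split(),
    }


def assess(lines, window=timedelta(seconds=10), threshold=20):
    """Apply the thread's rule of thumb: a few stray ACKs are normal, a burst
    of them in a short window is a flood.

    Returns (verdict, peak, distinct_sources, reflector_ports), where peak is
    the most matching packets seen in any sliding window of `window` length.
    The window and threshold are arbitrary assumptions; tune them to the link.
    """
    recs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    peak, start = 0, 0
    for end in range(len(recs)):
        while recs[end]["ts"] - recs[start]["ts"] > window:
            start += 1
        peak = max(peak, end - start + 1)
    sources = {r["src"] for r in recs}
    ports = sorted({r["spt"] for r in recs})
    verdict = "flood" if peak >= threshold else "normal"
    return verdict, peak, len(sources), ports


if __name__ == "__main__":
    for name, sample in (("question line", [QUESTION_LINE]), ("constructed burst", BURST_LINES)):
        verdict, peak, nsrc, ports = assess(sample)
        print(f"{name}: {verdict}, peak {peak} in window, {nsrc} source(s), reflector port(s) {ports}")
```

The distinct-source count and the source-port list are kept alongside the rate because they separate the two explanations the thread offers: a reflection attack shows many unrelated hosts all answering from the same service port (80 here), whereas a cleared state table or asymmetric routing produces stragglers from the handful of hosts you really were talking to. The flags field is also worth watching, since a server answering a spoofed SYN replies with SYN/ACK, while a bare ACK is what a late packet from an existing connection carries.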
 
operation1611 (author) commented:
What kind of problem? Is my iptables firewall corrupt, or is somebody attacking?
 
LucF commented:
See what I've posted at http:#13391022
If you're receiving loads of these, then someone is attacking you.
There's a lot more to read about DRDoS attacks at http://www.grc.com/dos/drdos.htm
A script kiddie will do this, as a real hacker won't lower himself to this kind of crap. It's more of an annoyance, though, but there will be little you can do about it if this is actually happening.

LucF
 
operation1611 (author) commented:
Thanks for the explanation.
 
Pete Long, Technical Consultant, commented:
ThanQ

Hi Luc :)
 
LucF commented:
Ditto, thanks!

LucF

p.s. Hi Pete, long time no see :)
 
Pete Long, Technical Consultant, commented:
Busy at work :( trying to get Nagios to work :(
 
LucF commented:
If you can't, just post a question at EE :D
 
Pete Long, Technical Consultant, commented:
LOL
