Solved

firewall log

Posted on 2005-02-24
Last Modified: 2013-11-16
I need an explanation of this log.

Feb 24 17:40:16 Possible DRDOS TCP attempt: IN=eth0 SRC=202.71.100.92 anggerik.meltechsystems.net. DST=my-ip PROTO=TCP DPT=61955 SPT=HTTP(80) TTL=119 ACK

From this log, can you tell me what it means?
Question by:operation1611
13 Comments
 
LVL 32

Expert Comment

by:LucF
ID: 13391022
Hi operation1611,

It means your firewall detected an ACK packet without you sending out a SYN packet first.

http://www.linuxexposed.com/Articles/Security/DoS,DDoS-and-DRDoS-attack-a-quick-introduction-2.html
6. DRDoS

DRDoS stands for Distributed Reflection Denial of Service: simple ACK flooding, creating a lot of SYN connections with a spoofed IP to many hosts, and they will respond with ACK packets. That means that my spoofed IP will receive large amounts of ACK packets.

Greetings,

LucF
 
LVL 12

Expert Comment

by:srikrishnak
ID: 13391064
Good explanation there. Another point from my experience: if you have asynchronous routing in your network, you often get these log entries.
 
LVL 57

Accepted Solution

by:
Pete Long earned 120 total points
ID: 13391161
Agree, though there can be innocent reasons for this happening.

If a client starts a TCP connection to your host, a good stateful firewall will log the initial SYN request and create an entry in its embryonic connection table; when it gets an ACK, it opens the connection. If the embryonic table is cleared (or overwritten because it's too small), then similar errors can occur.

Though remote client fingerprinting can also be done by sending SYN and ACK requests through firewalls (this is how applications like nmap and Xprobe2 work).
If you are receiving a LOT of these logs in a short space of time then, as Luc points out, start to get concerned; if it's just a random event then I wouldn't be overly worried.
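To make the embryonic-table point above concrete, here is a toy stateful firewall as an added example; it is not code from this thread, from iptables or from any real firewall. It records outbound SYNs in a bounded half-open table, admits the matching SYN-ACK, and logs any other ACK-bearing packet with the same "Possible DRDOS TCP attempt" prefix the questioner's firewall uses. The table size, the packet representation and the addresses (RFC 5737 documentation ranges, plus "my-ip" as in the question) are constructed for illustration. With table_size=3 every handshake completes and only the reflected packet is logged; with table_size=2 the oldest half-open entry is evicted before its reply arrives, so a perfectly legitimate SYN-ACK is logged exactly like the reflected one.

```python
"""Toy stateful firewall with a bounded embryonic (half-open) connection table.

Added example, not code from the original thread. The table size, the packet
representation and the sample traffic are all constructed for illustration;
the log line it emits copies the prefix seen in the question's log.
"""
from collections import OrderedDict


class StatefulFirewall:
    """Tracks outbound SYNs as half-open entries and only admits inbound
    ACK-bearing packets that match one; everything else with ACK set is
    logged the way the questioner's firewall logs it."""

    def __init__(self, table_size):
        self.table_size = table_size
        self.embryonic = OrderedDict()   # 4-tuple key, insertion order kept
        self.established = set()
        self.log = []

    @staticmethod
    def _key(src, sport, dst, dport):
        return (src, sport, dst, dport)

    def outbound(self, pkt):
        """An inside host sends a packet; a bare SYN opens a half-open entry."""
        if pkt["flags"] == {"SYN"}:
            if len(self.embryonic) >= self.table_size:
                # Table full: evict the oldest half-open entry. This is the
                # innocent case, a table that is simply too small.
                self.embryonic.popitem(last=False)
            key = self._key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            self.embryonic[key] = True

    def inbound(self, pkt):
        """A packet arrives from outside; returns the verdict."""
        # Inbound src/dst are the reverse of the outbound key.
        key = self._key(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.established:
            return "ACCEPT"
        if key in self.embryonic and pkt["flags"] >= {"SYN", "ACK"}:
            # Second step of the handshake for a SYN we really sent.
            del self.embryonic[key]
            self.established.add(key)
            return "ACCEPT"
        if "ACK" in pkt["flags"]:
            # ACK (or SYN-ACK) with no state behind it: either a reflected
            # reply to a spoofed SYN, or a reply whose entry we already lost.
            self.log.append(
                "Possible DRDOS TCP attempt: IN=eth0 SRC=%s DST=%s PROTO=TCP "
                "DPT=%d SPT=%d %s" % (pkt["src"], pkt["dst"], pkt["dport"],
                                     pkt["sport"], " ".join(sorted(pkt["flags"])))
            )
        return "DROP"


def run_scenario(table_size):
    """Three legitimate web connections followed by one reflected ACK."""
    fw = StatefulFirewall(table_size)
    servers = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed
    for i, srv in enumerate(servers):
        fw.outbound({"src": "my-ip", "sport": 40000 + i, "dst": srv,
                     "dport": 80, "flags": {"SYN"}})
    verdicts = []
    for i, srv in enumerate(servers):
        verdicts.append(fw.inbound({"src": srv, "sport": 80, "dst": "my-ip",
                                    "dport": 40000 + i, "flags": {"SYN", "ACK"}}))
    # Reflector reply to a SYN we never sent: the attacker spoofed my-ip.
    verdicts.append(fw.inbound({"src": "203.0.113.9", "sport": 80, "dst": "my-ip",
                                "dport": 61955, "flags": {"ACK"}}))
    return verdicts, fw.log


if __name__ == "__main__":
    for size in (3, 2):
        verdicts, log = run_scenario(size)
        print("table_size=%d verdicts=%s" % (size, verdicts))
        for line in log:
            print("  ", line)
```

The two runs show why one such log line on its own proves nothing: the firewall cannot distinguish a reply whose state it discarded from a reply to a SYN it never saw, so the volume and timing of the entries, not a single entry, is what carries the signal.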
Author Comment

by:operation1611
ID: 13391196
Thanks. You mean my firewall is normal or not?
 
LVL 32

Expert Comment

by:LucF
ID: 13391206
Yes, it's perfectly normal if you receive some of these.
But, like Pete said, if you're receiving a lot of these in a very short timespan (as in, close to or at the limit of your connection), then you do have a problem.

LucF
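The rule of thumb given in the thread, a few of these entries is normal while many in a short time is a problem, can be applied directly to the log format from the question. The following is an added example, not code from the thread: it parses the key=value fields (including the SPT=HTTP(80) form and the reverse-DNS name that follows SRC=), slides a time window over the parsed events and reports the busiest window, how many distinct sources fed it and which service port they answered from. The first sample line is the one from the question; the second line, the 40-line burst, the 60-second window, the threshold of 20 packets and the year 2005 (syslog timestamps carry no year) are all constructed assumptions for illustration.

```python
"""Parse 'Possible DRDOS TCP attempt' log lines and decide whether they are
stray packets or a burst worth worrying about.

Added example, not code from the original thread. The first sample line is
the one from the question; every other line, the 60-second window, the
threshold of 20 packets and the year 2005 (syslog lines carry no year) are
constructed assumptions for illustration.
"""
import re
from collections import Counter, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Possible DRDOS TCP attempt: (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_line(line, year=2005):
    """Return a dict of the useful fields, or None if the line is not one of ours."""
    m = LOG_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    fields = dict(KV_RE.findall(body))  # the reverse-DNS name has no '=' and is skipped
    spt_digits = re.search(r"\d+", fields.get("SPT", ""))  # "HTTP(80)" -> 80
    return {
        "ts": datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S"),
        "src": fields.get("SRC"),
        "dpt": int(fields["DPT"]),
        "spt": int(spt_digits.group()) if spt_digits else None,
        "ttl": int(fields.get("TTL", 0)),
        "flags": set(FLAG_RE.findall(body)),
    }


def analyse(lines, window_seconds=60, threshold=20):
    """Slide a window over the parsed events and report the busiest one.

    A handful of entries hours apart is what the thread calls normal; a
    window holding `threshold` or more, from many reflector sources all
    answering from a service port, is the flood pattern."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = deque()
    peak = {"count": 0, "end": None, "sources": 0, "service_ports": Counter()}
    for e in events:
        window.append(e)
        while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > peak["count"]:
            peak = {
                "count": len(window),
                "end": e["ts"],
                "sources": len({x["src"] for x in window}),
                "service_ports": Counter(x["spt"] for x in window),
            }
    verdict = "flood" if peak["count"] >= threshold else "stray"
    return {"total": len(events), "peak": peak, "verdict": verdict}


# Sample input: the questioner's line, one more isolated stray (constructed),
# then a constructed burst of 40 reflected ACKs in 30 seconds from 20 web servers.
QUIET_LOG = [
    "Feb 24 17:40:16 Possible DRDOS TCP attempt: IN=eth0 SRC=202.71.100.92 "
    "anggerik.meltechsystems.net. DST=my-ip PROTO=TCP DPT=61955 SPT=HTTP(80) TTL=119 ACK",
    "Feb 24 19:02:51 Possible DRDOS TCP attempt: IN=eth0 SRC=198.51.100.7 "
    "DST=my-ip PROTO=TCP DPT=33022 SPT=HTTP(80) TTL=52 ACK",
]
BURST_LOG = [
    "Feb 24 21:15:%02d Possible DRDOS TCP attempt: IN=eth0 SRC=203.0.113.%d "
    "DST=my-ip PROTO=TCP DPT=%d SPT=HTTP(80) TTL=240 ACK"
    % (10 + (i * 3) // 4, i % 20 + 1, 50000 + i)
    for i in range(40)
]
FLOOD_LOG = QUIET_LOG + BURST_LOG

if __name__ == "__main__":
    for name, log in (("quiet", QUIET_LOG), ("flood", FLOOD_LOG)):
        r = analyse(log)
        print("%s: %d entries, peak %d in a 60 s window from %d sources -> %s"
              % (name, r["total"], r["peak"]["count"], r["peak"]["sources"], r["verdict"]))
```

The distinct-source count and the service-port breakdown are what separate a reflection flood from ordinary lost state: reflected replies arrive from many unrelated hosts, all answering from the same service port, whereas the innocent case is a single peer you were actually talking to. The threshold is a starting point to tune against the link's capacity, as the comment above suggests.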
 

Author Comment

by:operation1611
ID: 13391288
What kind of problem? My firewall iptables corrupt, or somebody attacking?
 
LVL 32

Assisted Solution

by:LucF
LucF earned 80 total points
ID: 13391332
See what I've posted at http:#13391022
If you're receiving loads of this, then someone is attacking you.
There's a lot more to read about DRDoS attacks at http://www.grc.com/dos/drdos.htm
A script kiddie will do this, as a real hacker won't lower himself to this kind of crap. It's more of an annoyance, though, but there will be little you can do about it if this is actually happening.

LucF
 

Author Comment

by:operation1611
ID: 13391371
Thanks for the explanation.
 
LVL 57

Expert Comment

by:Pete Long
ID: 13394172
ThanQ

Hi Luc :)
 
LVL 32

Expert Comment

by:LucF
ID: 13394229
Ditto, thanks!

LucF

p.s. Hi Pete, long time no see :)
 
LVL 57

Expert Comment

by:Pete Long
ID: 13394277
busy at work :( trying to get nagios to work :(
 
LVL 32

Expert Comment

by:LucF
ID: 13394350
If you can't, just post a question at EE :D
 
LVL 57

Expert Comment

by:Pete Long
ID: 13394444
LOL
