TCP RST Packet without associated connection

Hi,

On my WatchGuard Firebox logs I'm getting a lot of these:

192.168.1.5 192.168.5.1 Unknown TCP RST Packet without an associted connection, firewall drop 40 128(internal policy) tcpino="offset 5 AR 0 win 0"rc="104"

They are mainly for 1 or 2 IP addresses.

I know that you can disable SYN checking, but I don't think that's wise before I understand what's going on.

Anybody have some idea?
Thirst4KnowledgeAsked:

Thirst4KnowledgeAuthor Commented:
2010-04-09 12:05:57 Deny 192.168.1.5 192.168.5.3 1747/tcp 80 1747 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:06:00 Deny 192.168.1.5 192.168.5.3 1747/tcp 80 1747 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:06:06 Deny 192.168.1.5 192.168.5.3 1747/tcp 80 1747 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:06:14 Deny 192.168.30.9 192.168.55.9 1025/tcp 2358 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 1223779562 win 0" rc="104"  Traffic
2010-04-09 12:07:50 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:07:53 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:07:59 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:09:35 Deny 192.168.1.5 192.168.5.1 4674/tcp 80 4674 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:09:48 Deny 192.168.1.5 192.168.5.1 4674/tcp 80 4674 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  2 tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:10:37 Deny 192.168.1.5 192.168.5.3 2066/tcp 80 2066 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:10:45 Deny 192.168.1.5 192.168.5.3 2066/tcp 80 2066 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:10:46 Deny 192.168.1.5 192.168.5.3 2066/tcp 80 2066 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:11:17 Deny 192.168.1.5 192.168.5.3 1783/tcp 80 1783 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:11:21 Deny 192.168.1.5 192.168.5.3 1783/tcp 80 1783 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:11:27 Deny 192.168.1.5 192.168.5.3 1783/tcp 80 1783 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:13:11 Deny 192.168.1.5 192.168.5.2 1181/tcp 80 1181 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:13:14 Deny 192.168.1.5 192.168.5.2 1181/tcp 80 1181 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:13:20 Deny 192.168.1.5 192.168.5.2 1181/tcp 80 1181 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:14:56 Deny 192.168.1.5 192.168.5.1 4683/tcp 80 4683 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:15:00 Deny 192.168.1.5 192.168.5.1 4683/tcp 80 4683 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:15:05 Deny 192.168.1.5 192.168.5.1 4683/tcp 80 4683 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:15:58 Deny 192.168.1.5 192.168.5.3 2072/tcp 80 2072 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:16:01 Deny 192.168.1.5 192.168.5.3 2072/tcp 80 2072 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:16:07 Deny 192.168.1.5 192.168.5.3 2072/tcp 80 2072 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:16:39 Deny 192.168.1.5 192.168.5.3 1795/tcp 80 1795 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:17:01 Deny 192.168.1.5 192.168.5.3 1795/tcp 80 1795 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  2 tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:17:55 Deny 192.168.30.14 192.168.55.9 1025/tcp 4631 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 1329191305 win 0" rc="104"  Traffic
2010-04-09 12:18:17 Deny 192.168.30.9 192.168.55.9 1025/tcp 2728 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 1676307280 win 0" rc="104"  Traffic
2010-04-09 12:18:32 Deny 192.168.1.5 192.168.5.2 1189/tcp 80 1189 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:18:35 Deny 192.168.1.5 192.168.5.2 1189/tcp 80 1189 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:18:41 Deny 192.168.1.5 192.168.5.2 1189/tcp 80 1189 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:20:17 Deny 192.168.1.5 192.168.5.1 4689/tcp 80 4689 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:20:20 Deny 192.168.1.5 192.168.5.1 4689/tcp 80 4689 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:20:26 Deny 192.168.1.5 192.168.5.1 4689/tcp 80 4689 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:21:19 Deny 192.168.1.5 192.168.5.3 2101/tcp 80 2101 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:21:23 Deny 192.168.1.5 192.168.5.3 2101/tcp 80 2101 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:21:28 Deny 192.168.1.5 192.168.5.3 2101/tcp 80 2101 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:22:00 Deny 192.168.1.5 192.168.5.3 1813/tcp 80 1813 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:22:03 Deny 192.168.1.5 192.168.5.3 1813/tcp 80 1813 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:22:10 Deny 192.168.1.5 192.168.5.3 1813/tcp 80 1813 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:23:53 Deny 192.168.1.5 192.168.5.2 1190/tcp 80 1190 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:24:00 Deny 192.168.1.5 192.168.5.2 1190/tcp 80 1190 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:24:02 Deny 192.168.1.5 192.168.5.2 1190/tcp 80 1190 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:25:38 Deny 192.168.1.5 192.168.5.1 4690/tcp 80 4690 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:25:41 Deny 192.168.1.5 192.168.5.1 4690/tcp 80 4690 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:25:47 Deny 192.168.1.5 192.168.5.1 4690/tcp 80 4690 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:26:40 Deny 192.168.1.5 192.168.5.3 2103/tcp 80 2103 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:26:43 Deny 192.168.1.5 192.168.5.3 2103/tcp 80 2103 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:26:49 Deny 192.168.1.5 192.168.5.3 2103/tcp 80 2103 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:27:21 Deny 192.168.1.5 192.168.5.3 1825/tcp 80 1825 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:27:26 Deny 192.168.1.5 192.168.5.3 1825/tcp 80 1825 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:27:30 Deny 192.168.1.5 192.168.5.3 1825/tcp 80 1825 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
0
The--CaptainCommented:
May I assume all those 192.168.x.x IPs are internal networks of yours (and not networks that are unknown to you)?  Are you running a webserver (or any service at all on port 80) on 192.168.1.5?  What about 192.168.5.1, 192.168.5.2, or 192.168.5.3?

If all those networks are not local, then I'd guess backscatter is the source of those log entries.  If they are local, then I'd first like to know if you're running any service on port 80 on any of those IPs.

Cheers,
-Jon
0
Thirst4KnowledgeAuthor Commented:
Hi Capn,

1) Yes, all the networks are known

2) No services on port 80


0

dpk_walCommented:
Can you check whether the machines that are sending packets out are affected by any malware, or whether they are running some client service that is not needed?
Internal machines sending internal packets would not cross the firewall unless they are on separate physical interfaces. If the subnets are on different physical ports, then we should first analyze why the clients are sending the requests in the first place.

Thank you.
0
The--CaptainCommented:
dpk_wal says: "Internal machines sending internal packets would not cross the firewall till they are on separate physical interfaces"

That's not necessarily true.

Thirst4Knowledge says: "No services on port 80"

RST packets are often sent in response to an attempt to access a service that does not exist on a specific port (in this case 80).

As such, it would appear that some computer(s) are contacting another computer(s) on port 80 (I don't know enough about your log file format to guess which IP is the source and which is the destination).

In any case I agree with dpk_wal that you should check the machine(s) that are the destination (not the source) of the RST packets, which should be evident assuming you are familiar with your log file format.

Cheers,
-Jon

0
Thirst4KnowledgeAuthor Commented:
Ok,

Just to clarify, the first IP is the source and the next IP is the destination.
0
Thirst4KnowledgeAuthor Commented:
Most of it seems to be coming from a single PC going to random host IPs in a remote subnet.
0
Thirst4KnowledgeAuthor Commented:
I should add that the source is also showing random ports.
0
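The pattern the author describes here (one source hitting many hosts on random ports) can be pulled straight out of the log lines posted earlier in the thread. The following is an added example, not code from the thread or from WatchGuard: it parses lines in the layout shown in the author's post and summarises the orphan-RST drops per source host, so the host worth pulling off the network is identified by count rather than by eye. The field order is an assumption taken from the author's note that the first IP is the source, together with the usual Fireware traffic-log layout (date, time, disposition, source IP, destination IP, dst_port/proto, source port, destination port, source interface, destination interface, message, tcpinfo, rc). The sample lines are constructed to mirror the post and are not the original data.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the thread's log lines (not the original post's data).
# It mixes orphan-RST denies, one Allow record without tcpinfo, and one non-traffic line.
SAMPLE_LOG = """\
2010-04-09 12:05:57 Deny 192.168.1.5 192.168.5.3 1747/tcp 80 1747 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:06:14 Deny 192.168.30.9 192.168.55.9 1025/tcp 2358 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 1223779562 win 0" rc="104"  Traffic
2010-04-09 12:07:50 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:09:48 Deny 192.168.1.5 192.168.5.1 4674/tcp 80 4674 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy)  2 tcpinfo="offset 5 AR 0 win 0" rc="104"  Traffic
2010-04-09 12:09:50 Allow 192.168.5.3 192.168.1.5 80/tcp 1750 80 1-Trusted 1-Trusted Allowed  Traffic
this line is not a traffic record
"""

# Assumed field layout: date time disp src dst dport/proto sport dport src_if dst_if msg [n] tcpinfo rc
# The optional bare number before tcpinfo (the "2" seen on some lines) is a repeat count and is skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<disp>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dport2>\d+)/(?P<proto>\w+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<src_if>\S+) (?P<dst_if>\S+) (?P<msg>.+?)"
    r'(?:\s+(?:\d+\s+)?tcpinfo="offset (?P<offset>\d+) (?P<flags>[A-Z]+) (?P<ack>\d+) win (?P<win>\d+)")?'
    r'(?:\s+rc="(?P<rc>\d+)")?(?:\s+Traffic)?\s*$'
)


def parse_line(line):
    """Return a dict of fields for one traffic record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "offset", "ack", "win", "rc"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def is_orphan_rst(rec):
    """True for a dropped RST that the firewall could not tie to a tracked connection."""
    return (rec["disp"] == "Deny"
            and rec["flags"] is not None and "R" in rec["flags"]
            and "without an associated connection" in rec["msg"])


def summarise(lines):
    """Per-source counts: events, distinct destinations/ports, and RSTs with ack == 0."""
    stats = defaultdict(lambda: {"events": 0, "dsts": set(), "dports": set(),
                                 "sports": set(), "zero_ack": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_orphan_rst(rec):
            continue
        s = stats[rec["src"]]
        s["events"] += 1
        s["dsts"].add(rec["dst"])
        s["dports"].add(rec["dport"])
        s["sports"].add(rec["sport"])
        if rec["ack"] == 0:
            s["zero_ack"] += 1
    return dict(stats)


def fan_out_hosts(stats, min_events=3, min_dsts=2):
    """Sources that reset several distinct hosts: the 'one PC to random hosts'
    pattern from the thread, and the first machines to inspect."""
    return sorted(src for src, s in stats.items()
                  if s["events"] >= min_events and len(s["dsts"]) >= min_dsts)


def report(stats):
    """Human-readable summary lines, one per source, busiest first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["events"])
    return [f"{src}: {s['events']} orphan RSTs to {len(s['dsts'])} hosts, "
            f"{len(s['dports'])} dst ports, src ports {sorted(s['sports'])}, "
            f"ack==0 on {s['zero_ack']}" for src, s in rows]


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG.splitlines())
    print("\n".join(report(stats)))
    print("fan-out hosts:", fan_out_hosts(stats))
```

Run against a real export, the `fan_out_hosts` thresholds are deliberately low for the sample; raise `min_events` to a few dozen for an hour of Firebox traffic so that a single stale-session reset does not get flagged. The `sports` set is worth a look too: a source that always resets from port 80 is answering connection attempts to a service it does not run, which is exactly what The--Captain describes above.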
dpk_walCommented:
This activity looks to me to be caused by malware; if feasible, take the machine off the network and check the logs. If there are no disturbing logs, you know the culprit; then scan the machine thoroughly for malware.

Thank you.
0
Thirst4KnowledgeAuthor Commented:
Yes, thanks dpk, I have already taken it off the network and will check it for nasty stuff.

Will let you know the results !
0
Thirst4KnowledgeAuthor Commented:
It's strange,

I ran a scan and it came up with nothing. When I go to the PC whose DNS name maps to the IP address in question, the actual PC name is different!!

So for example, let's say PC-1, IP address 192.168.1.1 (on the WatchGuard log).

When I physically log onto the PC, I checked its computer name and it was different, e.g. PC-99.


0
Thirst4KnowledgeAuthor Commented:
OK, now I'm looking at Service Watch and it's showing that there is FTP outbound at 1.7 Mbps!!
0
Thirst4KnowledgeAuthor Commented:
Basically I can't track down what has been compromised and is using all the bandwidth.
0
dpk_walCommented:
Do you see logs like:
getredirname can't find filter rule
If yes, then there is malware on the network for sure. Using WG we cannot determine which is the culprit machine, but we can at least say that there is malware present.

Maybe you can run some tools at the local switch to get more data about the culprit. Please have a look at ntop [http://www.ntop.org] among many other tools.

Thank you.
0
Thirst4KnowledgeAuthor Commented:
No, I don't get "getredirname" :/
0
dpk_walCommented:
Did you use ntop [or any other tool] to see the bandwidth usage of the local machines?

Thank you.
0
Thirst4KnowledgeAuthor Commented:
I'm using Wireshark to try and get to the bottom of it. I set up ntop before but have forgotten how to set it up again...
0
dpk_walCommented:
Any results you can share with us from the Wireshark/ntop monitoring? I understand that this process is time consuming; please update as and when needed.

Thank you.
0
Thirst4KnowledgeAuthor Commented:
I will :)
0
kenternCommented:
Hi,

Enable logging for allowed outbound FTP to see where it's coming from, or use the HostWatch utility to check who connects where (if you have the WatchGuard System Manager installed).

I've had the same TCP RST packet logs, and someone explained this could be caused by a failed TCP handshake. Host A sends part 1 of the handshake to Host B. Host B acknowledges, but sends part 2 of the handshake to Host C because of a routing or name resolution problem. The firewall will block this since Host C hasn't initiated any communication with host B and reset the connection.

Mostly, these messages have been showing up on services running on NLB clusters, but if name resolution is a problem at your site it's worth a check.
0
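kentern's explanation of a misdirected handshake is easiest to follow with a toy model of the connection table a stateful firewall keeps. The block below is an added example, not WatchGuard's implementation or any code from the thread: a minimal tracker that admits a SYN, remembers the four-tuple, and only passes later packets that match a remembered flow in either direction. Anything else is dropped, and a RST with no matching flow is logged with the thread's message text. It then replays two constructed scenarios: a normal handshake torn down by RST, and the A-to-B, B-to-C case kentern describes. The hosts, ports and the simplified state names are made up; the model has no timeouts, so it does not cover the stale-session case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # simplified TCP flags: "S", "SA", "A", "R"


ORPHAN_RST = "TCP RST packet without an associated connection"


class ConnTracker:
    """Toy stateful connection table keyed on (client, cport, server, sport)."""

    def __init__(self):
        self.flows = {}      # four-tuple -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"
        self.denied = []     # log lines for packets the tracker dropped

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server direction
        rev = (p.dst, p.dport, p.src, p.sport)   # server -> client direction
        if p.flags == "S":
            # A bare SYN opens a new entry; policy checks would go here.
            self.flows[fwd] = "SYN_SENT"
            return "allow"
        if fwd in self.flows:
            key, direction = fwd, "client"
        elif rev in self.flows:
            key, direction = rev, "server"
        else:
            # No entry in either direction: this is the log line from the thread.
            reason = ORPHAN_RST if "R" in p.flags else "no associated connection"
            self.denied.append(f"Deny {p.src} {p.dst} {p.dport}/tcp {p.sport} {p.dport} {reason}")
            return "deny"
        if "R" in p.flags:
            del self.flows[key]                  # RST on a known flow tears it down
        elif p.flags == "SA" and direction == "server" and self.flows[key] == "SYN_SENT":
            self.flows[key] = "SYN_RECV"
        elif p.flags == "A" and direction == "client" and self.flows[key] == "SYN_RECV":
            self.flows[key] = "ESTABLISHED"
        return "allow"


def normal_handshake():
    """Client opens to a server, handshake completes, server resets: all four pass."""
    t = ConnTracker()
    results = [t.process(p) for p in (
        Packet("192.168.5.3", 1747, "192.168.1.5", 80, "S"),
        Packet("192.168.1.5", 80, "192.168.5.3", 1747, "SA"),
        Packet("192.168.5.3", 1747, "192.168.1.5", 80, "A"),
        Packet("192.168.1.5", 80, "192.168.5.3", 1747, "R"),
    )]
    return results, t.denied


def misdirected_handshake():
    """Host A opens to B; B answers host C instead (routing or name resolution
    fault, as kentern describes); C never opened anything, so its RST is an orphan."""
    t = ConnTracker()
    host_a, host_b, host_c = "10.0.1.10", "10.0.2.20", "10.0.3.30"   # made-up addresses
    results = [t.process(p) for p in (
        Packet(host_a, 1747, host_b, 80, "S"),
        Packet(host_b, 80, host_c, 1747, "SA"),
        Packet(host_c, 1747, host_b, 80, "R"),
    )]
    return results, t.denied


if __name__ == "__main__":
    print("normal:", normal_handshake())
    print("misdirected:", misdirected_handshake())
```

The point the model makes is that the firewall is not judging the RST itself; it is reporting that it never saw the SYN that would justify it. That is why the fix is to find where the other half of the conversation went (the misrouted reply, the stale session, or a host that was never asked) rather than to turn off the check.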
