Thirst4Knowledge
asked on
TCP RST Packet without associated connection
Hi,
On my WatchGuard Firebox logs I'm getting a lot of these:
192.168.1.5 192.168.5.1 Unknown TCP RST Packet without an associted connection, firewall drop 40 128(internal policy) tcpino="offset 5 AR 0 win 0"rc="104"
they are mainly for 1 or 2 IP addresses.
I know that you can disable SYN checking but I don't think that's wise before I understand what's going on....
Anybody have some idea?
May I assume all those 192.168.x.x IPs are internal networks of yours (and not networks that are unknown to you)? Are you running a webserver (or any service at all on port 80) on 192.168.1.5? What about 192.168.5.1, 192.168.5.2, or 192.168.5.3?
If all those networks are not local, then I'd guess backscatter is the source of those log entries. If they are local, then I'd first like to know if you're running any service on port 80 on any of those IPs.
Cheers,
-Jon
ASKER
Hi Capn,
1)Yes all the networks are known
2)No services on port 80
Can you check whether the machines that are sending the packets out are affected by any malware, or are running some client service that is not needed.
Internal machines sending internal packets would not cross the firewall unless they are on separate physical interfaces. If the subnets are on different physical ports, then first we should analyze why the clients are sending requests in the first place.
Thank you.
dpk_wal says: "Internal machines sending internal packets would not cross the firewall till they are on separate physical interfaces"
That's not necessarily true.
Thirst4Knowledge says: "No services on port 80"
RST packets are often sent in response to an attempt to access a service that does not exist on a specific port (in this case 80).
As such, it would appear that some computer(s) are contacting another computer(s) on port 80 (I don't know enough about your log file format to guess which IP is the source and which is the destination).
In any case I agree with dpk_wal that you should check the machine(s) that are the destination (not the source) of the RST packets, which should be evident assuming you are familiar with your log file format.
Cheers,
-Jon
ASKER
OK,
Just to clarify, the first IP is the source and the next IP is the destination.
ASKER
Most of it seems to be coming from a single PC going to random host IPs in a remote subnet.
ASKER
I should add that the source is also showing random ports.
This activity looks to me to be caused by malware; if feasible, take the machine off the network and check the logs. If there are no disturbing logs, you know the culprit, and then scan the machine thoroughly for malware.
Thank you.
ASKER
Yes thanks dpk, I have already taken it off the network and will check it for nasty stuff.
Will let you know the results !
ASKER
It's strange,
I ran a scan and it came up with nothing. When I go to the PC whose DNS name maps to the IP address in question, the actual PC name is different!!
So for example, let's say PC-1 has IP address 192.168.1.1 (on the WatchGuard log);
when I physically log onto the PC I checked its computer name and it was different, e.g. PC-99.
ASKER
OK, now I'm looking at the Service Watch and it's showing that there is FTP outbound at 1.7Mbps!!
ASKER
Basically I can't track down what has been compromised and is using all the bandwidth.
Do you see logs like:
getredirname can't find filter rule
If yes, then there is malware on the network for sure. Using WG we cannot determine which is the culprit machine but at least can say that there is presence of malware.
Maybe you can run some tools at the local switch to get more data about the culprit. Please have a look at ntop [http://www.ntop.org] among many other tools.
Thank you.
ASKER
No, I don't get "getredirname" :/
Did you use ntop [or any other tool] to see the bandwidth usage of the local machines?
Thank you.
ASKER
I'm using Wireshark to try and get to the bottom of it. I set up ntop before but have forgotten how to set it up again...
Any results you can share with us on the Wireshark/ntop monitoring? I understand that this process is time consuming; please update as and when needed.
Thank you.
ASKER
I will :)
ASKER
2010-04-09 12:06:00 Deny 192.168.1.5 192.168.5.3 1747/tcp 80 1747 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:06:06 Deny 192.168.1.5 192.168.5.3 1747/tcp 80 1747 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:06:14 Deny 192.168.30.9 192.168.55.9 1025/tcp 2358 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 1223779562 win 0" rc="104" Traffic
2010-04-09 12:07:50 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:07:53 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:07:59 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:09:35 Deny 192.168.1.5 192.168.5.1 4674/tcp 80 4674 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:09:48 Deny 192.168.1.5 192.168.5.1 4674/tcp 80 4674 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) 2 tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:10:37 Deny 192.168.1.5 192.168.5.3 2066/tcp 80 2066 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:10:45 Deny 192.168.1.5 192.168.5.3 2066/tcp 80 2066 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:10:46 Deny 192.168.1.5 192.168.5.3 2066/tcp 80 2066 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:11:17 Deny 192.168.1.5 192.168.5.3 1783/tcp 80 1783 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:11:21 Deny 192.168.1.5 192.168.5.3 1783/tcp 80 1783 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:11:27 Deny 192.168.1.5 192.168.5.3 1783/tcp 80 1783 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:13:11 Deny 192.168.1.5 192.168.5.2 1181/tcp 80 1181 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:13:14 Deny 192.168.1.5 192.168.5.2 1181/tcp 80 1181 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:13:20 Deny 192.168.1.5 192.168.5.2 1181/tcp 80 1181 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:14:56 Deny 192.168.1.5 192.168.5.1 4683/tcp 80 4683 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:15:00 Deny 192.168.1.5 192.168.5.1 4683/tcp 80 4683 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:15:05 Deny 192.168.1.5 192.168.5.1 4683/tcp 80 4683 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:15:58 Deny 192.168.1.5 192.168.5.3 2072/tcp 80 2072 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:16:01 Deny 192.168.1.5 192.168.5.3 2072/tcp 80 2072 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:16:07 Deny 192.168.1.5 192.168.5.3 2072/tcp 80 2072 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:16:39 Deny 192.168.1.5 192.168.5.3 1795/tcp 80 1795 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:17:01 Deny 192.168.1.5 192.168.5.3 1795/tcp 80 1795 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) 2 tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:17:55 Deny 192.168.30.14 192.168.55.9 1025/tcp 4631 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 1329191305 win 0" rc="104" Traffic
2010-04-09 12:18:17 Deny 192.168.30.9 192.168.55.9 1025/tcp 2728 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 1676307280 win 0" rc="104" Traffic
2010-04-09 12:18:32 Deny 192.168.1.5 192.168.5.2 1189/tcp 80 1189 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:18:35 Deny 192.168.1.5 192.168.5.2 1189/tcp 80 1189 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:18:41 Deny 192.168.1.5 192.168.5.2 1189/tcp 80 1189 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:20:17 Deny 192.168.1.5 192.168.5.1 4689/tcp 80 4689 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:20:20 Deny 192.168.1.5 192.168.5.1 4689/tcp 80 4689 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:20:26 Deny 192.168.1.5 192.168.5.1 4689/tcp 80 4689 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:21:19 Deny 192.168.1.5 192.168.5.3 2101/tcp 80 2101 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:21:23 Deny 192.168.1.5 192.168.5.3 2101/tcp 80 2101 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:21:28 Deny 192.168.1.5 192.168.5.3 2101/tcp 80 2101 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:22:00 Deny 192.168.1.5 192.168.5.3 1813/tcp 80 1813 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:22:03 Deny 192.168.1.5 192.168.5.3 1813/tcp 80 1813 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:22:10 Deny 192.168.1.5 192.168.5.3 1813/tcp 80 1813 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:23:53 Deny 192.168.1.5 192.168.5.2 1190/tcp 80 1190 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:24:00 Deny 192.168.1.5 192.168.5.2 1190/tcp 80 1190 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:24:02 Deny 192.168.1.5 192.168.5.2 1190/tcp 80 1190 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:25:38 Deny 192.168.1.5 192.168.5.1 4690/tcp 80 4690 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:25:41 Deny 192.168.1.5 192.168.5.1 4690/tcp 80 4690 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:25:47 Deny 192.168.1.5 192.168.5.1 4690/tcp 80 4690 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:26:40 Deny 192.168.1.5 192.168.5.3 2103/tcp 80 2103 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:26:43 Deny 192.168.1.5 192.168.5.3 2103/tcp 80 2103 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:26:49 Deny 192.168.1.5 192.168.5.3 2103/tcp 80 2103 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:27:21 Deny 192.168.1.5 192.168.5.3 1825/tcp 80 1825 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:27:26 Deny 192.168.1.5 192.168.5.3 1825/tcp 80 1825 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:27:30 Deny 192.168.1.5 192.168.5.3 1825/tcp 80 1825 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
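The log posted above, parsed with an added Python script (mine, not from the thread or from WatchGuard): it groups the stray RSTs by the endpoint that sent them and, following Jon's point that a RST from a closed port goes back to whoever tried to connect, lists the hosts on the ephemeral-port side as the ones to inspect. Assumed: the Fireware field order src_ip dst_ip service/proto src_port dst_port interface, and that ports at or above 1024 are the client side (a heuristic; the port 1025 lines are left undecided).

```python
import re
from collections import defaultdict

# Constructed sample: a few of the lines posted in this thread. Field order assumed
# (Fireware convention): src_ip dst_ip service/proto src_port dst_port interface.
SAMPLE_LOG = """\
2010-04-09 12:06:00 Deny 192.168.1.5 192.168.5.3 1747/tcp 80 1747 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:06:14 Deny 192.168.30.9 192.168.55.9 1025/tcp 2358 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 1223779562 win 0" rc="104" Traffic
2010-04-09 12:07:50 Deny 192.168.1.5 192.168.5.2 1179/tcp 80 1179 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:09:35 Deny 192.168.1.5 192.168.5.1 4674/tcp 80 4674 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 0 win 0" rc="104" Traffic
2010-04-09 12:17:55 Deny 192.168.30.14 192.168.55.9 1025/tcp 4631 1025 1-Trusted unknown TCP RST packet without an associated connection, firewall drop 40 128 (internal policy) tcpinfo="offset 5 AR 1329191305 win 0" rc="104" Traffic
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Deny (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<iface>\S+) .*?"
    r'tcpinfo="offset \d+ (?P<flags>[A-Z]+) (?P<ack>\d+) win (?P<win>\d+)"'
)
EPHEMERAL_MIN = 1024  # heuristic: ports >= 1024 are treated as the client side


def parse_rst_log(text):
    """One dict per 'TCP RST packet without an associated connection' line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other log types are ignored
            rec = m.groupdict()
            for key in ("sport", "dport", "ack", "win"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def initiator_of(rec):
    """Host on the ephemeral-port side opened the connection; None if unclear."""
    if rec["sport"] < EPHEMERAL_MIN <= rec["dport"]:
        return rec["dst"]  # RST left a service port: dst was the client
    if rec["dport"] < EPHEMERAL_MIN <= rec["sport"]:
        return rec["src"]  # RST left an ephemeral port: src was the client
    return None


def summarize(records):
    """Group RSTs by refusing endpoint (src_ip, src_port) with the clients it refused."""
    out = defaultdict(lambda: {"count": 0, "clients": set(), "flags": set()})
    for r in records:
        entry = out[(r["src"], r["sport"])]
        entry["count"] += 1
        entry["flags"].add(r["flags"])
        client = initiator_of(r)
        if client:
            entry["clients"].add(client)
    return dict(out)
```

On the thread's own lines this puts 192.168.1.5:80 at the top, with 192.168.5.1, .2 and .3 as the hosts that were trying to reach it, which is where Jon's advice says to look.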