Page 4 of 4 FirstFirst ... 234
Results 31 to 40 of 40

Thread: How can I shake off this guy ?

  1. #31
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,380
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: How can I shake off this guy ?

    Quote Originally Posted by hasinasi View Post
    This appears to be the problem in reverse: if my machine is contacting the ubuntu update server via http, shouldn't the source port be 80 and the destination port a high number?
    No. Your computer uses the high port number and earlier has opened a TCP session with port 80 of the destination. This is, perhaps, a similar problem to your earlier problem, but this time it is your end that is trying to finish a TCP session close, and not the other end. Your end keeps trying because the packets are being dropped instead of rejected, so your end does not know that the TCP connection has actually been terminated (I think). After a few re-tries it just gives up.

    I do not have enough information to comment on the other parts of your post.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  2. #32
    Join Date
    Mar 2007
    Location
    Virginia
    Beans
    50
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: How can I shake off this guy ?

    Interesting. Thank you!

    Learning more about this, I am realizing that I am a little bit over my head in terms of how much I understand about TCP packets.

    I am bit surprised these packets end up being dropped, since I am using the following rule to allow http traffic, where "oAll" is my "catch-all" chain for outgoing traffic:
    Code:
    iptables -A oALL -p tcp  --dport 80  -m state --state NEW -j ACCEPT
    I am using this in conjunction with another rule before that to allow all "related" traffic:
    Code:
    iptables  -A OUTPUT  -m state  --state ESTABLISHED,RELATED  -j ACCEPT
    As expected, usual http browsing (and updating the computer via apt-get) is not a problem. So I am a bit puzzled why the above-mentioned events end up in the logs.
    Could these be invalid packets? I am not explicitly addressing packets of state "INVALID" (only NEW, ESTABLISHED, and RELATED), so they would be dropped and logged.
    I will modify my iptables such that invalid packets can be identified from the logs.

  3. #33
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,380
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: How can I shake off this guy ?

    The packets are not "NEW" nor are they "ESTABLISHED,RELATED", is why they get end up in the DROP rule.
    What happens is (I think) the TCP session has been closed and the connection tracking table has forgotten about it, but the client application doesn't realize it. This happens a lot with the half-duplex close method and with various NAT type routers in the middle.

    Going back a few posts, here is better example of a case where the other side is trying to reset a connection that my side has already thought of as closed (but not forgotten, in this example). First the logs entries:
    Code:
    May 18 15:26:42 doug-64 kernel: [974914.165959] BAD80:IN=eth1 OUT= MAC=XX SRC=205.210.186.235 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=54972 WINDOW=0 RES=0x00 RST URGP=0
    May 18 15:26:42 doug-64 kernel: [974914.168128] BAD80:IN=eth1 OUT= MAC=XX SRC=205.210.186.235 DST=XXX.XXX.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=54972 WINDOW=0 RES=0x00 RST URGP=0
    And then the entire TCP session
    Code:
    2013-05-18 15:26:41.741035 IP XXX.XXX.XXX.XXX.54972 > 205.210.186.235.80: Flags [S], seq 4147817431, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 571005325 ecr 0,sackOK,eol], length 0
    2013-05-18 15:26:41.793904 IP 205.210.186.235.80 > XXX.XXX.XXX.XXX.54972: Flags [S.], seq 14144562, ack 4147817432, win 8000, options [mss 1460], length 0
    2013-05-18 15:26:41.795412 IP XXX.XXX.XXX.XXX.54972 > 205.210.186.235.80: Flags [.], ack 1, win 65535, length 0
    2013-05-18 15:26:41.797641 IP XXX.XXX.XXX.XXX.54972 > 205.210.186.235.80: Flags [P.], seq 1:1137, ack 1, win 65535, length 1136
    2013-05-18 15:26:41.867327 IP 205.210.186.235.80 > XXX.XXX.XXX.XXX.54972: Flags [.], ack 1137, win 16338, length 0
    2013-05-18 15:26:42.675978 IP 205.210.186.235.80 > XXX.XXX.XXX.XXX.54972: Flags [P.], seq 1:151, ack 1137, win 16338, length 150
    2013-05-18 15:26:42.676185 IP 205.210.186.235.80 > XXX.XXX.XXX.XXX.54972: Flags [F.], seq 151, ack 1137, win 16338, length 0
    2013-05-18 15:26:42.676437 IP 205.210.186.235.80 > XXX.XXX.XXX.XXX.54972: Flags [R.], seq 152, ack 1137, win 16338, length 0
    2013-05-18 15:26:42.677949 IP XXX.XXX.XXX.XXX.54972 > 205.210.186.235.80: Flags [.], ack 151, win 65535, length 0
    2013-05-18 15:26:42.678376 IP XXX.XXX.XXX.XXX.54972 > 205.210.186.235.80: Flags [F.], seq 1137, ack 151, win 65535, length 0
    2013-05-18 15:26:42.678402 IP XXX.XXX.XXX.XXX.54972 > 205.210.186.235.80: Flags [F.], seq 1137, ack 152, win 65535, length 0
    2013-05-18 15:26:42.812191 IP 205.210.186.235.80 > XXX.XXX.XXX.XXX.54972: Flags [R], seq 14144713, win 0, length 0
    2013-05-18 15:26:42.812262 IP XXX.XXX.XXX.XXX > 205.210.186.235: ICMP XXX.XXX.XXX.XXX tcp port 54972 unreachable, length 48
    2013-05-18 15:26:42.814383 IP 205.210.186.235.80 > XXX.XXX.XXX.XXX.54972: Flags [R], seq 14144713, win 0, length 0
    2013-05-18 15:26:42.814414 IP XXX.XXX.XXX.XXX > 205.210.186.235: ICMP XXX.XXX.XXX.XXX tcp port 54972 unreachable, length 48
    My side did acknowledge the FIN request and the RST request, but the other side still tries to RST the connection, hence the logs entries. Here is the related section of my iptables:
    Code:
    # At this point traffic to ports 80 or 443 is likely due to the half-duplex TCP close sequence. Be polite and REJECT instead of DROP.
    
    $IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 80,443 -j LOG --log-prefix "BAD80:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 80,443 -j REJECT
    
    # Catch all rule, all other incoming is denied.
    # (Leave the log-n-drop jump here so that in future I can remember how to do it.)
    #
    $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j log-n-drop
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  4. #34
    Join Date
    May 2008
    Beans
    8

    Re: How can I shake off this guy ?

    Quote Originally Posted by hasinasi View Post
    This appears to be the problem in reverse: if my machine is contacting the ubuntu update server via http, shouldn't the source port be 80 and the destination port a high number? The same machine has been running at least for a month without creating such events in the firewall logs. Automatic updating always worked well.
    No, you've got a reverse understanding of how TCP/IP works. Their server has to listen on a static port and the default for HTTP is 80. If they were listening on something other than the default port, you'd have to manually specify it in your URL string (i.e. http://www.example.com:8080). Your computer will randomly choose a port (usually something 50k+) that it will initiate it's connection FROM. Any packets coming back to you from the server will go to that random port.

    EDIT: Doug beat me to it. Helps if I go to the end of the thread before replying. :-/
    Last edited by jeremywc; May 23rd, 2013 at 01:30 PM.

  5. #35
    Join Date
    Jul 2011
    Beans
    204

    Re: How can I shake off this guy ?

    Hi! Much of this is over my head, but I did read all the posts... Anyway, I had a thought about this:

    "medibuntu" sounds like it's some kind of medical program. However, checking in Synaptic, it didn't show up for this Xubuntu v12.04 OS. (3rd-party source?) What I was thinking, is that if this is a program you have installed on your machine, a remote server might be trying to provide data updates without realizing you don't have the program in operation at the moment; i.e., if the program had been running at that moment, then it would have gathered the data in an authorized manner, and no firewall probe event would have been reported.

    Just a thought...
    .
    "That's my motto - a place for everything, and everything all over the place!"
    -- From an old comic I once saw.--

  6. #36
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: How can I shake off this guy ?

    Quote Originally Posted by scruffyeagle View Post
    Hi! Much of this is over my head, but I did read all the posts... Anyway, I had a thought about this:

    "medibuntu" sounds like it's some kind of medical program. However, checking in Synaptic, it didn't show up for this Xubuntu v12.04 OS. (3rd-party source?) What I was thinking, is that if this is a program you have installed on your machine, a remote server might be trying to provide data updates without realizing you don't have the program in operation at the moment; i.e., if the program had been running at that moment, then it would have gathered the data in an authorized manner, and no firewall probe event would have been reported.

    Just a thought...
    Medibuntu is an unofficial repository for media codecs that aren't included in the main Ubuntu repositories, it's been around for almost as long as Ubuntu itself. It looks like the bad guy may be spoofing the Medibuntu ip address.

  7. #37
    Join Date
    Jul 2011
    Beans
    204

    Re: How can I shake off this guy ?

    Got it. Naughty, naughty. Somebody ought to spank his modem.
    .
    "That's my motto - a place for everything, and everything all over the place!"
    -- From an old comic I once saw.--

  8. #38
    Join Date
    Mar 2007
    Location
    Virginia
    Beans
    50
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: How can I shake off this guy ?

    @cariboo907:
    I don't think it's IP spoofing, as I only get errors in my log as long as medibuntu is enabled as a repository. The occurrence of the problem in my logs also coincides with running "apt-get update". Therefore it (reproducibly) only happens when my machine establishes contact with the repos and not due to an action from an outside person.

  9. #39
    Join Date
    Jul 2011
    Beans
    204

    Re: How can I shake off this guy ?

    Is it possible for a hacker to monitor the medibuntu activity, and spoof to try to take over or exploit the connection for their own purposes?
    .
    "That's my motto - a place for everything, and everything all over the place!"
    -- From an old comic I once saw.--

  10. #40
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: How can I shake off this guy ?

    I guess they could be monitoring the repo, but that is why the packages are signed with GPG keys...
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

Page 4 of 4 FirstFirst ... 234

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •