ACK RST to ports higher than 1024 showing up in firewall log

Discussion in 'NZ Computing' started by Andy Lawson, Oct 4, 2003.

  1. Andy Lawson

    Andy Lawson Guest

    Over the last few days or so the following IP address (202.0.53.160) has
    appeared with greater regularity in my firewall logs. Each time there seems
    to be an ACK RST associated with the attempts at various ports on my
    firewall though "his" source port always stays the same (1025).

    I've not seen this show up in the logs before, any idea what's happening?
     
    Andy Lawson, Oct 4, 2003
    #1

  2. Andy Lawson

    Jay Guest

    Andy Lawson wrote:

    > Over the last few days or so the following ip address (202.0.53.160) has
    > appeared with greater regularity in my firewall logs . Each time there
    > seems to be an ACK RST associated with the attempts at various ports on my
    > firewall though "his" source port always stays the same (1025).
    >
    > I've not seen this show up in the logs before, any idea what's happening?


    Yep. Someone is sending you ACK RSTs.
    Try finding out "his" source IP. What is it?
     
    Jay, Oct 4, 2003
    #2

  3. Andy Lawson

    Matt B Guest

    In news:blm1am$doksr$-berlin.de,
    Jay <> wrote:
    > Andy Lawson wrote:
    >
    >> Over the last few days or so the following ip address (202.0.53.160)
    >> has appeared with greater regularity in my firewall logs . Each time
    >> there seems to be an ACK RST associated with the attempts at various
    >> ports on my firewall though "his" source port always stays the same
    >> (1025).
    >>
    >> I've not seen this show up in the logs before, any idea what's
    >> happening?

    >
    > Yep. Someone is sending you ACK RSTs.
    > Try finding out "his" source IP. What is it?


    Uh - duh. Try reading the post again.

    --
    Regards,

    Matt B
    ~~~~~~~~~~~~~~~~~~~~~~
    There are 10 types of people.
    Those who get binary...
    And those who don't.
    ~~~~~~~~~~~~~~~~~~~~~~
     
    Matt B, Oct 4, 2003
    #3
  4. Andy Lawson

    Jay Guest

    Matt B wrote:

    > In news:blm1am$doksr$-berlin.de,
    > Jay <> wrote:
    >> Andy Lawson wrote:
    >>
    >>> Over the last few days or so the following ip address (202.0.53.160)
    >>> has appeared with greater regularity in my firewall logs . Each time
    >>> there seems to be an ACK RST associated with the attempts at various
    >>> ports on my firewall though "his" source port always stays the same
    >>> (1025).
    >>>
    >>> I've not seen this show up in the logs before, any idea what's
    >>> happening?

    >>
    >> Yep. Someone is sending you ACK RSTs.
    >> Try finding out "his" source IP. What is it?

    >
    > Uh - duh. Try reading the post again.
    >


    Yep. Someone is causing you ACK RSTs.
    Try finding "his" IP address. What is it?
     
    Jay, Oct 4, 2003
    #4
  5. Andy Lawson

    Bill Guest Guest

    That IP address is registered to Telstra Clear (Paradise .net owners).


    "Andy Lawson" <> wrote in message
    news:i7vfb.6103$...
    > Over the last few days or so the following ip address (202.0.53.160) has
    > appeared with greater regularity in my firewall logs . Each time there
    > seems to be an ACK RST associated with the attempts at various ports on my
    > firewall though "his" source port always stays the same (1025).
    >
    > I've not seen this show up in the logs before, any idea what's happening?
    >
    >
     
    Bill Guest, Oct 4, 2003
    #5
  6. Andy Lawson

    Andy Lawson Guest

    "Bill Guest" <> wrote in message
    news:U7Hfb.6186$...
    > That IP address is registered to Telstra Clear (Paradise .net owners).
    >

    I already knew that it's a Paradise cable modem account, I just needed to
    know what was causing the problem.
     
    Andy Lawson, Oct 5, 2003
    #6
  7. Andy Lawson

    T-Boy Guest

    In article <blmdvg$dnb2h$-berlin.de>,
    says...
    > Matt B wrote:
    >
    > > In news:blm1am$doksr$-berlin.de,
    > > Jay <> wrote:
    > >> Andy Lawson wrote:
    > >>
    > >>> Over the last few days or so the following ip address (202.0.53.160)
    > >>> has appeared with greater regularity in my firewall logs . Each time
    > >>> there seems to be an ACK RST associated with the attempts at various
    > >>> ports on my firewall though "his" source port always stays the same
    > >>> (1025).
    > >>>
    > >>> I've not seen this show up in the logs before, any idea what's
    > >>> happening?
    > >>
    > >> Yep. Someone is sending you ACK RSTs.
    > >> Try finding out "his" source IP. What is it?

    > >
    > > Uh - duh. Try reading the post again.
    > >

    >
    > Yep. Someone is causing you ACK RSTs.
    > Try finding "his" IP address. What is it?


    Are you blind?

    --
    Duncan
     
    T-Boy, Oct 5, 2003
    #7
  8. Andy Lawson

    E. Guest

    Andy Lawson wrote:

    > Over the last few days or so the following ip address (202.0.53.160) has
    > appeared with greater regularity in my firewall logs . Each time there seems
    > to be an ACK RST associated with the attempts at various ports on my
    > firewall though "his" source port always stays the same (1025).
    >
    > I've not seen this show up in the logs before, any idea what's happening?


    Messenger service spam?
    E.
     
    E., Oct 5, 2003
    #8
  9. On Sat, 04 Oct 2003 22:57:48 +1200, Matt B wrote:

    >> Yep. Someone is sending you ACK RSTs.
    >> Try finding out "his" source IP. What is it?

    >
    > Uh - duh. Try reading the post again.



    They may be forged.
     
    Uncle StoatWarbler, Oct 5, 2003
    #9
  10. Andy Lawson

    XPD Guest

    "Jay" <> wrote in message
    news:blmdvg$dnb2h$-berlin.de...
    > Matt B wrote:
    >
    > > In news:blm1am$doksr$-berlin.de,
    > > Jay <> wrote:
    > >> Andy Lawson wrote:
    > >>
    > >>> Over the last few days or so the following ip address (202.0.53.160)
    > >>> has appeared with greater regularity in my firewall logs . Each time
    > >>> there seems to be an ACK RST associated with the attempts at various
    > >>> ports on my firewall though "his" source port always stays the same
    > >>> (1025).
    > >>>
    > >>> I've not seen this show up in the logs before, any idea what's
    > >>> happening?
    > >>
    > >> Yep. Someone is sending you ACK RSTs.
    > >> Try finding out "his" source IP. What is it?

    > >
    > > Uh - duh. Try reading the post again.
    > >

    >
    > Yep. Someone is causing you ACK RSTs.
    > Try finding "his" IP address. What is it?


    And again, re-read the post :)
     
    XPD, Oct 5, 2003
    #10
  11. Andy Lawson

    Jay Guest

    XPD wrote:

    >
    > "Jay" <> wrote in message
    > news:blmdvg$dnb2h$-berlin.de...
    >> Matt B wrote:
    >>
    >> > In news:blm1am$doksr$-berlin.de,
    >> > Jay <> wrote:
    >> >> Andy Lawson wrote:
    >> >>
    >> >>> Over the last few days or so the following ip address (202.0.53.160)
    >> >>> has appeared with greater regularity in my firewall logs . Each time
    >> >>> there seems to be an ACK RST associated with the attempts at various
    >> >>> ports on my firewall though "his" source port always stays the same
    >> >>> (1025).
    >> >>>
    >> >>> I've not seen this show up in the logs before, any idea what's
    >> >>> happening?
    >> >>
    >> >> Yep. Someone is sending you ACK RSTs.
    >> >> Try finding out "his" source IP. What is it?
    >> >
    >> > Uh - duh. Try reading the post again.
    >> >

    >>
    >> Yep. Someone is causing you ACK RSTs.
    >> Try finding "his" IP address. What is it?

    >
    > And again, re-read the post :)


    Sigh! One idiot knows the answer to his own question (202.0.53.160)
    and another one wants everyone to re-read the post.
     
    Jay, Oct 6, 2003
    #11
  12. Andy Lawson

    Matt B Guest

    In news:blqqme$er3pe$-berlin.de,
    Jay <> wrote:
    > XPD wrote:
    >
    >>
    >> "Jay" <> wrote in message
    >> news:blmdvg$dnb2h$-berlin.de...
    >>> Matt B wrote:
    >>>
    >>>> In news:blm1am$doksr$-berlin.de,
    >>>> Jay <> wrote:
    >>>>> Andy Lawson wrote:
    >>>>>
    >>>>>> Over the last few days or so the following ip address
    >>>>>> (202.0.53.160) has appeared with greater regularity in my
    >>>>>> firewall logs . Each time there seems to be an ACK RST
    >>>>>> associated with the attempts at various ports on my firewall
    >>>>>> though "his" source port always stays the same (1025).
    >>>>>>
    >>>>>> I've not seen this show up in the logs before, any idea what's
    >>>>>> happening?
    >>>>>
    >>>>> Yep. Someone is sending you ACK RSTs.
    >>>>> Try finding out "his" source IP. What is it?
    >>>>
    >>>> Uh - duh. Try reading the post again.
    >>>>
    >>>
    >>> Yep. Someone is causing you ACK RSTs.
    >>> Try finding "his" IP address. What is it?

    >>
    >> And again, re-read the post :)

    >
    > Sigh! One idiot knows the answer to his own question (202.0.53.160)
    > and another one wants everyone to re-read the post.


    No. OP asked "what's happening", and gave the apparent source IP. *You*
    suggested he try to find the source IP; perhaps in your eagerness to help
    you'd missed the OP's first sentence so *I* suggested you re-read it. You
    then suggested that *I* was logging port scans and should try and find the
    source IP, to which XPD suggested *you* re-read the original post.

    OP hasn't IMHO exhibited any signs of idiocy, nobody has suggested everyone
    re-read the post - however there _does_ seem to be one poster having trouble
    with comprehension.

    To the OP...

    Search for "nastygram" or "Christmas tree packet" - might be the cause of
    what you're seeing.


    --
    Regards,

    Matt B
    ~~~~~~~~~~~~~~~~~~~~~~
    There are 10 types of people.
    Those who get binary...
    And those who don't.
    ~~~~~~~~~~~~~~~~~~~~~~
     
    Matt B, Oct 6, 2003
    #12
  13. Andy Lawson

    Andy Lawson Guest

    "Matt B" <> wrote in message
    news:gv6gb.169364$...
    snip

    > To the OP...
    >
    > Search for "nastygram" or "Christmas tree packet" - might be the cause of
    > what you're seeing.
    >


    Thanks for the hint, but doesn't a nastygram involve having all the bits
    set? All I'm seeing is the ACK & RST with no SYN & FIN. Here's an example
    of what I'm seeing:

    00:03:32 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127
    ID=51352 PROTO=TCP SPT=1025 DPT=1727 WINDOW=0 RES=0x00 ACK RST URGP=0
     
    Andy Lawson, Oct 6, 2003
    #13
  14. Andy Lawson

    Matt B Guest

    In news:65agb.6448$,
    Andy Lawson <> wrote:
    > "Matt B" <> wrote in message
    > news:gv6gb.169364$...
    > snip
    >
    >> To the OP...
    >>
    >> Search for "nastygram" or "Christmas tree packet" - might be the
    >> cause of what you're seeing.
    >>

    >
    > Thanks for the hint, but doesn't a nastygram involve having all the
    > bits set?.


    Yep

    > All I'm seeing is the ACK & RST with no SYN & FIN. Here's
    > an example of what I'm seeing:
    >
    > 00:03:32 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00
    > TTL=127 ID=51352 PROTO=TCP SPT=1025 DPT=1727 WINDOW=0 RES=0x00 ACK
    > RST URGP=0


    Depends on your setup, by the looks...

    http://www.google.com/search?q=ack rst -syn -fin


    --
    Regards,

    Matt B
    ~~~~~~~~~~~~~~~~~~~~~~
    There are 10 types of people.
    Those who get binary...
    And those who don't.
    ~~~~~~~~~~~~~~~~~~~~~~
     
    Matt B, Oct 6, 2003
    #14
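
Added example, not part of any post in the thread: a small Python parser for the firewall log format quoted in post #13 that separates the ACK+RST entries from a "Christmas tree" flag set and groups them by source address and source port. The first sample line is the one quoted in the thread; the other lines, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Flag tokens as they appear in the log (bare words, no "=").
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# First line is the entry quoted in the thread (joined onto one line);
# the remaining lines are constructed for this example.
SAMPLE_LOG = """\
00:03:32 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51352 PROTO=TCP SPT=1025 DPT=1727 WINDOW=0 RES=0x00 ACK RST URGP=0
00:05:10 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51360 PROTO=TCP SPT=1025 DPT=1731 WINDOW=0 RES=0x00 ACK RST URGP=0
00:09:47 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51377 PROTO=TCP SPT=1025 DPT=1740 WINDOW=0 RES=0x00 ACK RST URGP=0
00:11:02 SRC=192.0.2.10 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4411 PROTO=TCP SPT=40112 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
"""

def parse_line(line):
    """Split one log entry into key=value fields and the set of TCP flags."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(flags):
    """Name the flag combination; covers only the cases raised in the thread."""
    if {"FIN", "PSH", "URG"} <= flags:
        return "xmas"      # "Christmas tree": FIN+PSH+URG, up to every bit set
    if flags == {"ACK", "RST"}:
        return "rst-ack"   # the reset a TCP stack returns for a SYN to a closed port
    if not flags:
        return "null"
    return "other"

def summarise(log_text):
    """Map (src, source port, kind) -> sorted list of destination ports seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP":
            continue
        key = (fields["SRC"], int(fields["SPT"]), classify(flags))
        seen[key].add(int(fields["DPT"]))
    return {k: sorted(v) for k, v in seen.items()}

if __name__ == "__main__":
    for (src, sport, kind), dports in summarise(SAMPLE_LOG).items():
        print(f"{src}:{sport} {kind:8} -> {len(dports)} dst port(s): {dports}")
```

One fixed source port paired with many destination ports, all classified "rst-ack", is the pattern described in the first post; an "xmas" entry would look like the last sample line instead.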