ACK RST to ports higher than 1024 showing up in firewall log

Discussion in 'NZ Computing' started by Andy Lawson, Oct 4, 2003.

  1. Andy Lawson

    Andy Lawson Guest

    Over the last few days or so the following ip address (202.0.53.160) has
    appeared with greater regularity in my firewall logs. Each time there seems
    to be an ACK RST associated with the attempts at various ports on my
    firewall though "his" source port always stays the same (1025).

    I've not seen this show up in the logs before, any idea what's happening?
     
    Andy Lawson, Oct 4, 2003
    #1

  2. Andy Lawson

    Jay Guest

    Yep. Someone is sending you ACK RSTs.
    Try finding out "his" source IP. What is it?
     
    Jay, Oct 4, 2003
    #2

  3. Andy Lawson

    Matt B Guest

    Uh - duh. Try reading the post again.

    --
    Regards,

    Matt B
    ~~~~~~~~~~~~~~~~~~~~~~
    There are 10 types of people.
    Those who get binary...
    And those who don't.
    ~~~~~~~~~~~~~~~~~~~~~~
     
    Matt B, Oct 4, 2003
    #3
  4. Andy Lawson

    Jay Guest

    Yep. Someone is causing you ACK RSTs.
    Try finding "his" IP address. What is it?
     
    Jay, Oct 4, 2003
    #4
  5. Andy Lawson

    Bill Guest Guest

    That IP address is registered to Telstra Clear (Paradise.net owners).
     
    Bill Guest, Oct 4, 2003
    #5
  6. Andy Lawson

    Andy Lawson Guest

    I already knew that it's a paradise cable modem account, I just needed to
    know what was causing the problem.
     
    Andy Lawson, Oct 5, 2003
    #6
  7. Andy Lawson

    T-Boy Guest

    Are you blind?
     
    T-Boy, Oct 5, 2003
    #7
  8. Andy Lawson

    E. Guest

    Messenger service spam?
    E.
     
    E., Oct 5, 2003
    #8

  9. They may be forged.
     
    Uncle StoatWarbler, Oct 5, 2003
    #9
  10. Andy Lawson

    XPD Guest

    And again, re-read the post :)
     
    XPD, Oct 5, 2003
    #10
  11. Andy Lawson

    Jay Guest

    Sigh! One idiot knows the answer to his own question (202.0.53.160)
    and another one wants everyone to re-read the post.
     
    Jay, Oct 6, 2003
    #11
  12. Andy Lawson

    Matt B Guest

    No. OP asked "what's happening", and gave the apparent source IP. *You*
    suggested he try to find the source IP; perhaps in your eagerness to help
    you'd missed the OP's first sentence so *I* suggested you re-read it. You
    then suggested that *I* was logging port scans and should try and find the
    source IP, to which XPD suggested *you* re-read the original post.

    OP hasn't IMHO exhibited any signs of idiocy, nobody has suggested everyone
    re-read the post - however there _does_ seem to be one poster having trouble
    with comprehension.

    To the OP...

    Search for "nastygram" or "Christmas tree packet" - might be the cause of
    what you're seeing.


    --
    Regards,

    Matt B
    ~~~~~~~~~~~~~~~~~~~~~~
    There are 10 types of people.
    Those who get binary...
    And those who don't.
    ~~~~~~~~~~~~~~~~~~~~~~
     
    Matt B, Oct 6, 2003
    #12
  13. Andy Lawson

    Andy Lawson Guest

    snip
    Thanks for the hint, but doesn't a nastygram involve having all the bits
    set? All I'm seeing is the ACK & RST with no SYN & FIN. Here's an example
    of what I'm seeing:

    00:03:32 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127
    ID=51352 PROTO=TCP SPT=1025 DPT=1727 WINDOW=0 RES=0x00 ACK RST URGP=0
     
    Andy Lawson, Oct 6, 2003
    #13
  14. Andy Lawson

    Matt B Guest

    Yep

    All I'm seeing is the ACK & RST with no SYN & FIN. Here's
    Depends on your setup, by the looks...

    http://www.google.com/search?q=ack+rst+-syn+-fin


    --
    Regards,

    Matt B
    ~~~~~~~~~~~~~~~~~~~~~~
    There are 10 types of people.
    Those who get binary...
    And those who don't.
    ~~~~~~~~~~~~~~~~~~~~~~
     
    Matt B, Oct 6, 2003
    #14
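
The flag question raised in posts #12 and #13 can be checked mechanically. The following is an added example, not code from any poster in the thread: it parses netfilter-style LOG entries like the one quoted in post #13, separates an ACK+RST segment from a Christmas tree packet, and groups entries by source so a fixed source port against changing destination ports stands out. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
# netfilter LOG prints the set TCP flags as bare words between RES= and URGP=
FLAGS_RE = re.compile(r"RES=\S+((?: (?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*) URGP=")

# Constructed sample: line 1 is the entry quoted in the thread (re-joined); the
# other three are invented for contrast (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
00:03:32 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51352 PROTO=TCP SPT=1025 DPT=1727 WINDOW=0 RES=0x00 ACK RST URGP=0
00:04:10 SRC=202.0.53.160 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51390 PROTO=TCP SPT=1025 DPT=1731 WINDOW=0 RES=0x00 ACK RST URGP=0
00:05:01 SRC=192.0.2.7 DST=202.0.33.254 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
00:05:09 SRC=192.0.2.9 DST=202.0.33.254 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return source, ports and flag set for a TCP log entry, else None."""
    fields = dict(FIELD_RE.findall(line))
    m = FLAGS_RE.search(line)
    if fields.get("PROTO") != "TCP" or m is None:
        return None
    return {"src": fields["SRC"], "spt": int(fields["SPT"]),
            "dpt": int(fields["DPT"]), "flags": frozenset(m.group(1).split())}

def classify(flags):
    if {"FIN", "PSH", "URG"} <= flags:
        return "xmas-tree"      # FIN+PSH+URG lit; "all bits set" is a superset
    if flags == {"ACK", "RST"}:
        # RFC 793: a SYN arriving at a closed port is answered with RST+ACK,
        # so this segment has the shape of a reply.
        return "rst-ack-reply"
    if flags == {"SYN"}:
        return "syn"
    return "other"

def summarise(log_text):
    """Group entries by source: packet kinds, source ports, destination ports."""
    out = defaultdict(lambda: {"kinds": set(), "spts": set(), "dpts": set()})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt:
            entry = out[pkt["src"]]
            entry["kinds"].add(classify(pkt["flags"]))
            entry["spts"].add(pkt["spt"])
            entry["dpts"].add(pkt["dpt"])
    return dict(out)

if __name__ == "__main__":
    for src, s in summarise(SAMPLE_LOG).items():
        print(src, sorted(s["kinds"]), "spt", sorted(s["spts"]), "dpt", sorted(s["dpts"]))
```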