At 18:38 18/12/96 -0300, you wrote:
>A small part of the log follows:
>
>Time / Protocol / Source IP / Source Port / Destination IP / Destination Port
>
>Dec 16 10:52:24 firewall: TCP 200.255.159.33 80 200.239.39.15 1148
[snip...]
> Can anybody explain to me why (and under what conditions) the web server
>starts a connection to the client? Is this kind of behavior normal?
>
Are you sure these are connection attempts (ACK=0)? My guess is that they
are replies, and that someone has a misconfigured machine which is
erroneously using one of your IP addresses. They are trying to contact
http://www.software.ibm.com.br/ (=200.255.159.33) and you are getting the
replies. Unfortunately there is no way to work out where the incompetent
is. If you find that there are several different servers all sending
packets of this type to the same IP address, then I would be certain this is
the problem. [Another argument for routers sanity checking source addresses.]
Rubbish like this clogs up the log file but there is very little you can do
about it. You also get the odd packet of this type as a result of SYN-flood
attacks.
Ian
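
Added example, not part of the original message: a sketch of the check suggested above, grouping reply-shaped entries by destination address and listing the addresses that several different servers are sending to. The quoted log format carries no TCP flags, so "well-known source port to ephemeral destination port" stands in for the ACK test; that heuristic, the threshold of 3, the function names and every sample line after the first are assumptions.

```python
import re
from collections import defaultdict

# First line is the entry quoted in the post; the rest are constructed samples
# (documentation-range source addresses) in the same column layout.
SAMPLE_LOG = """\
Dec 16 10:52:24 firewall: TCP 200.255.159.33 80 200.239.39.15 1148
Dec 16 10:52:31 firewall: TCP 192.0.2.10 80 200.239.39.15 1151
Dec 16 10:53:02 firewall: TCP 198.51.100.7 80 200.239.39.15 1153
Dec 16 10:54:40 firewall: TCP 203.0.113.5 1042 200.239.39.20 25
Dec 16 10:55:12 firewall: TCP 192.0.2.10 80 200.239.39.16 1200
"""

# Time / Protocol / Source IP / Source Port / Destination IP / Destination Port
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s+[\d:]+)\s+\S+:\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)

def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def looks_like_reply(rec):
    """Server-to-client shape: well-known source port, ephemeral destination port."""
    return rec["proto"] == "TCP" and rec["sport"] < 1024 <= rec["dport"]

def reply_targets(log_text, min_servers=3):
    """Map each destination address to the distinct servers sending it
    reply-shaped packets, keeping only those hit by >= min_servers servers."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and looks_like_reply(rec):
            seen[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in seen.items()
            if len(srcs) >= min_servers}

if __name__ == "__main__":
    for dst, servers in reply_targets(SAMPLE_LOG).items():
        print(f"{dst}: reply-shaped packets from {len(servers)} servers: "
              f"{', '.join(servers)}")
```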