On Sun, 11 May 2003 keith@topaz5.worldonline.co.uk wrote:
I noticed these dropped connection attempts recently to port 80 on my machine with a dynamic dial-in ISP account, from IPTables log output.
May 7 17:37:21 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=64376 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
[...]
That are just connection attempts, nothing unusual. In particular, there is no indication of an attempted attack or trial to use an exploit whatsoever. See below.
Is each ISP allocated a fixed range of IP addresses for their customers to use?
Yes. The most common setup of a ISP offering dynamic dial-in
accounts, is that the ISP got a pool of IP adresses and everytime a
customer logs on, he gets more or less randomly one of the adresses
thats currently free. That means, that the adress that the customer
uses, might have been used by another customer some minutes before.
Now, imagine that one of the customer did offer some HTTP service on
his box[1] and eventually logs off. Not all of the users of this HTTP
service will be notified about the service getting off line. So, they
will continuing sending HTTP request to this IP adresses. If you
connect right now and get the same IP adress that the other customer
used before, your box will get these request in place of the other
customer. If your firewall blocks these connections, you will see
just the cited entries in your log. There is nothing unusual and
nothing to worry about these log entries.
By far, most of the drop entries in a firewall log on a dynamic
dial-in adrress come just from these kind of "inherited" connections,
not from "attacks".
[1]: Admitted: A HTTP service on a dial-in connection is of arguable
use. But that's the other customer's business.
--
Rolf Krahl