---- IPTables: Up to 30,000 Invalid packets logged per week
AlexK - 4:09 pm on Jan 28, 2006 (gmt 0)
Not a full resolution, but my response to the issue:
I switched the DROP off for 48+ hours, but kept the LOG, then compared results. There was just one instance found (not exhaustive) where an IP sent Invalid packets *and* was caught by another rule:
Jan 26 03:39:49 olivia kernel: Invalid packet: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=126.96.36.199 DST=188.8.131.52 LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=62431 PROTO=TCP SPT=64852 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jan 26 03:42:05 olivia kernel: New not syn: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=184.108.40.206 DST=220.127.116.11 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=4270 PROTO=TCP SPT=25275 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 26 03:42:07 olivia kernel: New not syn: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=18.104.22.168 DST=22.214.171.124 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=44529 PROTO=TCP SPT=25557 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
(both occurred many times with this IP; above is just a sample)
Going through the same exhaustive process as msg #:6+7 also produced little difference: there were perhaps more complete pages loaded, but still the same catalogue of partial page-loads (graphics files missing), multiple requests for the style sheet, etc. The only thing that I did get for my trouble was an extremely weird page request [webmasterworld.com].
In the end, it seems that switching the DROP off offers little or no benefit to site visitors, and may clog up the server. So, it has been reinstituted, and the LOG has been dropped instead.
Here is a sight of the relevant part of the iptables script:
# bad_packets chain
#
# Drop INVALID packets immediately
# 2006-01-28 logging for INVALID switched off -AK
#            log is filling with >500 IPs daily due to foll rule
# $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
#     --log-prefix "Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.

# 2006-01-28 added -AK
# Act honourably on behalf of others receiving TCP
# Sequence Number Prediction attacks (these attacks
# rely on the spoofed host DROPping unknown SYN/ACKs
# rather than REJECTing them).
# See [iptables-tutorial.frozentux.net...]
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset

# Fix iptables feature of allowing NEW packets with SYN bit unset
# See [iptables-tutorial.frozentux.net...]
# (note the space: the negation is "! --syn", not "tcp!")
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
I still want to know where all these wretched INVALID packets come from.
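The cross-check in the post (which source IPs hit the "Invalid packet:" rule *and* the "New not syn:" rule, and what TCP flags the INVALID packets carry) can be done automatically over the kernel log. The script below is an added example, not code from AlexK's post or the iptables tutorial; it assumes the LOG line layout shown above (syslog header, `kernel: <log-prefix>: ` and then `KEY=VALUE` fields with bare TCP flag tokens such as `ACK FIN` between `RES=` and `URGP=`). The sample log embedded in it is constructed with RFC 5737 documentation addresses, not taken from the post.

```python
"""Correlate iptables LOG lines by log-prefix and source IP.

Added example (not from the forum post). Assumes the kernel LOG format
seen in the thread: "... kernel: <prefix>: IN=... SRC=... PROTO=TCP ... ACK FIN URGP=0".
"""
import re
from collections import Counter, defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# The log-prefix is everything between "kernel: " and the next colon;
# the MAC= field contains colons but sits after that point.
LINE_RE = re.compile(r"kernel: (?P<prefix>[^:]+): (?P<fields>.*)$")


def parse_line(line):
    """Return (prefix, fields dict, set of TCP flags), or None for non-LOG lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # a repeated key (UDP LEN=) just overwrites
        elif tok in TCP_FLAGS:
            flags.add(tok)               # bare tokens like ACK, FIN, RST
    return m.group("prefix"), fields, flags


def summarize(lines):
    """Count hits per prefix and SRC; list IPs caught by both rules;
    tally the TCP flag combinations seen on INVALID packets."""
    by_prefix = defaultdict(Counter)     # prefix -> Counter(SRC)
    invalid_flags = Counter()            # "ACK FIN" -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, fields, flags = parsed
        src = fields.get("SRC")
        if src is None:
            continue
        by_prefix[prefix][src] += 1
        if prefix == "Invalid packet" and fields.get("PROTO") == "TCP":
            invalid_flags[" ".join(sorted(flags))] += 1
    invalid = set(by_prefix.get("Invalid packet", {}))
    not_syn = set(by_prefix.get("New not syn", {}))
    return {
        "per_prefix": {p: dict(c) for p, c in by_prefix.items()},
        "both_rules": sorted(invalid & not_syn),
        "invalid_flag_combos": dict(invalid_flags),
    }


# Constructed sample (RFC 5737 addresses); 192.0.2.10 trips both rules,
# 198.51.100.7 trips only the INVALID rule, last line is unrelated noise.
SAMPLE_LOG = """\
Jan 26 03:39:49 olivia kernel: Invalid packet: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=62431 PROTO=TCP SPT=64852 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jan 26 03:42:05 olivia kernel: New not syn: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=4270 PROTO=TCP SPT=25275 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 26 03:42:07 olivia kernel: New not syn: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=44529 PROTO=TCP SPT=25557 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 26 04:10:11 olivia kernel: Invalid packet: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 ACK RST URGP=0
Jan 26 04:11:00 olivia kernel: Invalid packet: IN=eth0 OUT= MAC=00:20:ed:82:c6:f5:00:30:f2:10:b0:00:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=10 PROTO=UDP SPT=53 DPT=33434 LEN=1480
Jan 26 04:12:00 olivia sshd[1234]: Accepted publickey for alex from 192.0.2.99
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print("IPs hitting both rules:", report["both_rules"])
    print("INVALID TCP flag combos:", report["invalid_flag_combos"])
    for prefix, counts in report["per_prefix"].items():
        print(prefix, counts)
```

Run it against `/var/log/messages` (or wherever `klogd` writes) with `summarize(open(path))` instead of the constructed sample. The flag tally is the useful part: conntrack marks a packet INVALID when it matches no tracked connection, so a pile of lone `ACK FIN` or `ACK RST` packets points at tail ends of connections the tracker has already forgotten (timed out, or started before the firewall was loaded), which is a different problem from genuinely malformed traffic and worth separating before deciding between DROP and REJECT.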