ACKs from 84.93.230.186 port 44340 dropped?

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

ACKs from 84.93.230.186 port 44340 dropped?

While browsing these forums over https, my router firewall ends up with log messages like this:
IN=ppp0 OUT= MAC= SRC=84.93.230.186 DST=91.125.my.ip LEN=67 TOS=0x00 PREC=0xA0 TTL=53 ID=32360 DF PROTO=TCP SPT=44340 DPT=9061 WINDOW=108 RES=0x00 ACK PSH URGP=0
I add a log rule to the end of the INPUT iptables chain to show what would otherwise just get silently dropped.
The particularly strange thing is that I don't see any connection to 84.93.230.186:44340, nor even that IP address at all, if I monitor traffic with wireshark on my computer. Nor can I connect to 84.93.230.186 port 44340, 443 or 80 from my computer (icmp type 3 code 13 Destination unreachable - Communication administratively filtered response from 84.93.224.48).
community03.servers.plus.net = 84.93.230.186
I'm guessing the source IP and port of these packets should have been translated to something else before leaving plusnet, but somehow that's not always happening?
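The log lines above come from the netfilter LOG target; a trailing rule such as `iptables -A INPUT -j LOG --log-prefix "INPUT-drop: "` records whatever reached the end of the chain without matching an accept rule. The parser below is an added example written for this thread (not code from the post): it splits those lines into `key=value` fields and bare flag tokens, and counts segments that carry ACK without SYN per source IP and port, which is exactly the "stray ACK from 84.93.x.x:44340" pattern described. The sample lines are constructed from the thread's logs with the masked destination replaced by a documentation address.

```python
"""Parse netfilter LOG lines (as emitted by a trailing `-j LOG` rule on INPUT)
and count stray TCP ACK segments per (source IP, source port).

Added illustration for this thread, not code from the original post."""
from dataclasses import dataclass

# Bare tokens that the LOG target prints without a "key=" prefix.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
IP_FLAGS = {"DF", "MF", "CE"}

# Constructed sample input modelled on the lines in the thread. DST uses an
# RFC 5737 documentation address instead of the poster's masked address; the
# third line carries a syslog prefix and a --log-prefix to show that such
# text is ignored by the parser.
SAMPLE_LOG = """\
IN=ppp0 OUT= MAC= SRC=84.93.230.186 DST=192.0.2.10 LEN=67 TOS=0x00 PREC=0xA0 TTL=53 ID=32360 DF PROTO=TCP SPT=44340 DPT=9061 WINDOW=108 RES=0x00 ACK PSH URGP=0
IN=ppp0 OUT= MAC= SRC=84.93.235.210 DST=192.0.2.10 LEN=67 TOS=0x00 PREC=0x80 TTL=55 ID=24547 DF PROTO=TCP SPT=44340 DPT=11232 WINDOW=108 RES=0x00 ACK PSH URGP=0
Feb 27 06:42:34 router kernel: INPUT-drop: IN=ppp0 OUT= MAC= SRC=84.93.230.186 DST=192.0.2.10 LEN=67 TOS=0x00 PREC=0x80 TTL=54 ID=3526 DF PROTO=TCP SPT=44340 DPT=4087 WINDOW=108 RES=0x00 ACK PSH URGP=0
IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=UDP SPT=53 DPT=40000 LEN=44
"""


@dataclass
class Packet:
    fields: dict      # key=value tokens (IN, SRC, DST, PROTO, SPT, DPT, ...)
    tcp_flags: set    # bare TCP flag tokens
    ip_flags: set     # bare IP header bits (DF, MF, CE)


def parse_log_line(line):
    """Split one LOG line into key=value fields and bare flag tokens."""
    fields, tcp_flags, ip_flags = {}, set(), set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines print LEN twice (IP total length, then UDP length);
            # keep the first, which is the IP one.
            fields.setdefault(key, value)
        elif tok in TCP_FLAGS:
            tcp_flags.add(tok)
        elif tok in IP_FLAGS:
            ip_flags.add(tok)
        # anything else (timestamp, "kernel:", a --log-prefix) is ignored
    return Packet(fields, tcp_flags, ip_flags)


def is_stray_ack(pkt):
    """True for a TCP segment with ACK set and SYN clear. Logged by a rule at
    the end of INPUT, such a segment matched no earlier accept rule, i.e. it
    belongs to no connection this host knows about."""
    return (pkt.fields.get("PROTO") == "TCP"
            and "ACK" in pkt.tcp_flags
            and "SYN" not in pkt.tcp_flags)


def summarize(log_text):
    """Count stray ACK segments per (SRC, SPT) so a persistent sender stands out."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_log_line(line)
        if is_stray_ack(pkt):
            key = (pkt.fields["SRC"], pkt.fields["SPT"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (src, spt), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}:{spt}  stray ACK segments: {n}")
```

Run on a real `dmesg` or `/var/log/kern.log` extract, the summary shows whether the stray segments all share one source port (44340 in this thread), which is what points at a load balancer or NAT device upstream rather than at the web server itself.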
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: ACKs from 84.93.230.186 port 44340 dropped?

Quote
IN=ppp0 OUT= MAC= SRC=84.93.235.210 DST=146.90.my.ip LEN=67 TOS=0x00 PREC=0x80 TTL=55 ID=24547 DF PROTO=TCP SPT=44340 DPT=11232 WINDOW=108 RES=0x00 ACK PSH URGP=0

The packets from port 44340 can be from any of the 4 IPs: 84.93.235.210, 84.93.235.226, 84.93.230.186, 84.93.230.178 - community0{1,2,3,4}.servers.plus.net
# traceroute -q 1 -N 1 -I 84.93.235.210
traceroute to 84.93.235.210 (84.93.235.210), 30 hops max, 60 byte packets
1  192.168.0.1 (192.168.0.1)  3.090 ms
2  lo0-central10.ptw-ag03.plus.net (195.166.128.197)  21.737 ms
3  link-a-central10.ptw-gw01.plus.net (212.159.2.152)  21.208 ms
4  xe-4-3-0.ptw-cr01.plus.net (212.159.0.244)  23.259 ms
5  te9-4.ptn-gw01.plus.net (195.166.129.33)  28.489 ms
6  gi5-1.peh-cr02.plus.net (84.93.232.61)  31.798 ms
7  po5.peh-cr01.plus.net (84.93.232.16)  28.032 ms
8  vlan2657.peh-elb01.plus.net (84.93.232.44)  32.569 ms
9  vl2844.peh-cr01.plus.net (84.93.235.145)  30.192 ms
10  vl2840.peh-asr01.plus.net (84.93.235.137)  30.600 ms
11  84.93.235.210.broadband.plus.dyn.plus.net (84.93.235.210)  28.558 ms (actually community01.servers.plus.net)
Kelly
Hero
Posts: 5,497
Thanks: 380
Fixes: 9
Registered: ‎04-04-2007

Re: ACKs from 84.93.230.186 port 44340 dropped?

Still seeing these?
Kelly Dorset
Ex-Broadband Service Manager
Anonymous
Not applicable

Re: ACKs from 84.93.230.186 port 44340 dropped?

Constantly!
Just checked my firewall logs a few minutes ago and it was full of this -
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: ACKs from 84.93.230.186 port 44340 dropped?

This issue still hasn't been fixed, as of early this morning at least.
# *** 2014/02/27 06:42:34 ***
dmesg -c
IN=ppp0 OUT= MAC= SRC=84.93.230.186 DST=87.112.my.ip LEN=67 TOS=0x00 PREC=0x80 TTL=54 ID=3526 DF PROTO=TCP SPT=44340 DPT=4087 WINDOW=108 RES=0x00 ACK PSH URGP=0
IN=ppp0 OUT= MAC= SRC=84.93.230.186 DST=87.112.my.ip LEN=67 TOS=0x00 PREC=0x80 TTL=54 ID=18823 DF PROTO=TCP SPT=44340 DPT=6759 WINDOW=108 RES=0x00 ACK PSH URGP=0
IN=ppp0 OUT= MAC= SRC=84.93.230.186 DST=87.112.my.ip LEN=67 TOS=0x00 PREC=0x80 TTL=54 ID=18824 DF PROTO=TCP SPT=44340 DPT=6759 WINDOW=108 RES=0x00 ACK PSH URGP=0
IN=ppp0 OUT= MAC= SRC=84.93.230.186 DST=87.112.my.ip LEN=67 TOS=0x00 PREC=0x80 TTL=54 ID=18825 DF PROTO=TCP SPT=44340 DPT=6759 WINDOW=108 RES=0x00 ACK PSH URGP=0

Which IP addresses you end up with in the logs depends on whether you visit 212.159.8.110 or 212.159.9.110. It's 84.93.230.186 if community.plus.net resolves to 212.159.9.110, so it's probably the 84.93.235.x ones for .8.110 and the 84.93.230.x ones for .9.110.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: ACKs from 84.93.230.186 port 44340 dropped?

Seems to have finally been fixed this morning.
Edit: the post with 4 images attached spent many seconds at "waiting for..." but took probably less than a minute.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: ACKs from 84.93.230.186 port 44340 dropped?

This thread is now one year old.
Although the spurious packet issue did appear to be fixed by some load balancer configuration change, this was reverted shortly afterwards due to it causing other issues, and now plusnet seem to be looking elsewhere for the fix.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: ACKs from 84.93.230.186 port 44340 dropped?

I have been attempting to get a 582n to log these packets for the past few days. I have not exactly succeeded but have discovered something else which I think indicates that the 582n's firewall isn't particularly "stealthy".
The first step of the configuration is to create an expression which represents all 4 of those IP addresses.
:expr add name=pncommunitylog type=ip addr=84.93.230.178
:expr add name=pncommunitylog type=ip addr=84.93.230.186
:expr add name=pncommunitylog type=ip addr=84.93.235.210
:expr add name=pncommunitylog type=ip addr=84.93.235.226

I added these firewall rules which I expected to match and log incoming packets from those 4 IPs, but these rules never got any hits, nothing was ever logged.
:firewall rule add chain=sink index=1 srcip=pncommunitylog log=enabled state=enabled action=accept
:firewall rule add chain=forward_custom index=1 srcip=pncommunitylog log=enabled state=enabled action=accept
:firewall rule add chain=source index=1 srcip=pncommunitylog log=enabled state=enabled action=accept

Just now I tried adding rules which log outbound packets going to those 4 IP addresses:
:firewall rule add chain=sink index=1 dstip=pncommunitylog log=enabled state=enabled action=accept
:firewall rule add chain=forward_custom index=1 dstip=pncommunitylog log=enabled state=enabled action=accept
:firewall rule add chain=source index=1 dstip=pncommunitylog log=enabled state=enabled action=accept

By default all outbound traffic is allowed, so the action=accept shouldn't make any difference.
I was surprised to see outbound ICMP packets being logged to these 4 IP addresses:
Quote
<84> Nov 15 12:35:20 FIREWALL rule (1 of 6) : Protocol: ICMP  Src ip: 87.115.my.ip Dst ip: 84.93.235.210 Type: Destination Unreachable Code: Port Unreacheable Chain: source Rule Id: 1 Action: accept

I'm pretty sure my computer isn't replying to these spurious packets from 84.93.235.210, since these packets never reach my computer. That implies it must be the 582n that is sending ICMP packets to the spurious packets from 84.93.235.210. I would have expected it to silently drop the packets, not respond to them.
Furthermore, I also tried telnetting to 84.93.235.210:44340:
Quote
<84> Nov 15 12:44:59 FIREWALL rule (1 of 1) : Protocol: TCP  Src ip: 192.168.1.101 Src port: 50915 Dst ip: 84.93.230.178 Dst port: 44340 Chain: forward_custom Rule Id: 1 Action: accept
<81> Nov 15 12:46:09 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 84.93.232.16 Dst ip: 87.115.my.ip Type: Destination Unreachable Code: Communication Administratively Prohibited

The first log entry is the outgoing packet from my computer being logged, as expected. However, the second log entry seems to be the response being blocked by the 582n firewall, which should have been forwarded to my computer. As I said in an earlier post in this thread, you can't connect to tcp port 44340 on any of those 4 IP addresses, you get an ICMP packet containing the error message from an intermediate router.
So, in summary:
1. I did not succeed in getting the 582n to log these spurious ACK packets it receives.
2. The 582n appears to be sending out ICMP response packets to these spurious packets, indicating its firewall isn't "stealthy" (doesn't silently drop them).
3. The 582n firewall incorrectly blocked an ICMP response that should have reached my computer, although that could have been because it hit the 582n 70 seconds after the outgoing packet, and 70 seconds may be longer than some timeout value after which the 582n forgets about the outgoing connection attempt.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: ACKs from 84.93.230.186 port 44340 dropped?

It appears to be possible to block and log the spurious ACK packets by turning on the "tcpchecks" of the firewall config.
:firewall config tcpchecks=exact

I tried the exact setting because I didn't like the idea of the "fast" checks with the arbitrary fixed TCP window value. So after browsing these forums for a bit over https:
{admin}=>:syslog msgbuf show
<81> Nov 17 05:34:52 FIREWALL exact tcp state check (1 of 1): Protocol: TCP  Src ip: 212.159.8.110 Src port: 443 Dst ip: 87.115.my.ip Dst port: 61508
<81> Nov 17 05:38:39 FIREWALL exact tcp state check (1 of 3): Protocol: TCP  Src ip: 84.93.235.210 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 12569
<81> Nov 17 05:39:43 FIREWALL exact tcp state check (1 of 15): Protocol: TCP  Src ip: 84.93.235.210 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 12569
<81> Nov 17 05:41:37 FIREWALL exact tcp state check (1 of 2): Protocol: TCP  Src ip: 84.93.230.186 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 9247
<81> Nov 17 05:42:42 FIREWALL exact tcp state check (1 of 28): Protocol: TCP  Src ip: 84.93.230.186 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 15826
<81> Nov 17 05:54:09 FIREWALL exact tcp state check (1 of 4): Protocol: TCP  Src ip: 84.93.235.210 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 14032
<81> Nov 17 05:55:45 FIREWALL exact tcp state check (1 of 2): Protocol: TCP  Src ip: 84.93.235.210 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 11667
<81> Nov 17 05:57:21 FIREWALL exact tcp state check (1 of 28): Protocol: TCP  Src ip: 84.93.235.210 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 11667
<81> Nov 17 05:59:46 FIREWALL exact tcp state check (1 of 4): Protocol: TCP  Src ip: 84.93.235.210 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 6308
<81> Nov 17 06:00:47 FIREWALL exact tcp state check (1 of 7): Protocol: TCP  Src ip: 84.93.235.210 Src port: 44340 Dst ip: 87.115.my.ip Dst port: 6308
{admin}=>:firewall debug stats
Statistics
==========
Used rule contexts : 3
Total rule contexts : 256
Total packets parsed : 3099625
Packets parsed in hook sink : 979803
Packets parsed in hook forward : 1160246
Packets parsed in hook source : 951800
Packets dropped in hook sink : 18
Packets dropped in hook forward : 0
Packets dropped in hook source : 0
TCP flag errors detected : 102
TCP seq/ack/win errors detected : 0
TCP header errors detected : 0
UDP header errors detected : 0
ICMP header errors detected : 0
ICMP errors with partial info : 1
ICMP errors without cause : 237
ICMP replies without request : 0
Packet replay errors : 0

The "TCP flag errors detected" count increases. Also the tcpchecks have got rid of the outbound ICMP packets in reply to these ACK packets.
However, the default setting (in 10.2.2.B and 10.2.5.2) is tcpchecks=none, perhaps for performance reasons; I don't know how much processing power the extra checks require, or whether the 582n would be able to cope with them at a fast FTTC speed. The tcpchecks=none setting makes the 582n visible to ACK scans/probes.
Changing back to the default of tcpchecks=none, the outbound ICMP packets resume:
{admin}=>:firewall config tcpchecks=none

{admin}=>:syslog msgbuf show
<84> Nov 17 06:08:55 FIREWALL rule (1 of 7) : Protocol: ICMP  Src ip: 87.115.my.ip Dst ip: 84.93.235.210 Type: Destination Unreachable Code: Port Unreacheable Chain: source Rule Id: 1 Action: accept
<84> Nov 17 06:10:02 FIREWALL rule (1 of 5) : Protocol: ICMP  Src ip: 87.115.my.ip Dst ip: 84.93.235.210 Type: Destination Unreachable Code: Port Unreacheable Chain: source Rule Id: 1 Action: accept
<84> Nov 17 06:11:05 FIREWALL rule (1 of 5) : Protocol: ICMP  Src ip: 87.115.my.ip Dst ip: 84.93.235.210 Type: Destination Unreachable Code: Port Unreacheable Chain: source Rule Id: 1 Action: accept
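The two posts above describe three stateful-firewall behaviours: an unsolicited ACK/PSH segment being answered with an ICMP Destination Unreachable when tcpchecks=none, the same segment being counted as a "TCP flag error" and dropped silently when tcpchecks=exact, and an ICMP error for an earlier outbound connection attempt being blocked once the firewall has forgotten that attempt. The model below is an added illustration written for this thread, not the 582n firmware: the flow table, its 60-second state timeout, and the default-deny handling of unsolicited SYNs are assumptions chosen to reproduce the observations; the community server IPs and port 44340 are taken from the thread, and the WAN address is a constructed documentation address.

```python
"""Toy model of a stateful home-router firewall's treatment of unsolicited TCP
ACK segments and of ICMP errors related to an earlier outbound connection.

Added illustration written for this thread; it is not the TG582n firmware.
The state_timeout default is an assumption used to reproduce the 70-second
case described in the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # e.g. frozenset({"ACK", "PSH"})
    direction: str            # "in" (WAN -> router) or "out" (LAN -> WAN)


class StatefulFirewall:
    def __init__(self, tcpchecks="none", state_timeout=60):
        self.tcpchecks = tcpchecks          # "none" (default) or "exact"
        self.timeout = state_timeout        # seconds a flow stays known (assumption)
        self.table = {}                     # (remote_ip, remote_port, local_port) -> last seen
        self.stats = {"accepted": 0, "tcp_flag_errors": 0,
                      "icmp_sent": 0, "dropped": 0}

    @staticmethod
    def _key(seg):
        # Normalise both directions to (remote ip, remote port, local port).
        if seg.direction == "out":
            return (seg.dst, seg.dport, seg.sport)
        return (seg.src, seg.sport, seg.dport)

    def _expire(self, now):
        for key, seen in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[key]

    def handle(self, seg, now):
        """Return the verdict for one TCP segment seen at time `now` (seconds)."""
        self._expire(now)
        key = self._key(seg)
        if seg.direction == "out" or key in self.table:
            # Outbound traffic is allowed by default and creates state; inbound
            # traffic matching existing state is the reply to it.
            self.table[key] = now
            self.stats["accepted"] += 1
            return "accept"
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            # Unsolicited connection attempt: default deny (assumed behaviour).
            self.stats["dropped"] += 1
            return "drop"
        if self.tcpchecks == "exact":
            # A mid-stream ACK/PSH for a flow the firewall has never seen fails
            # the flag/state check: counted and dropped with no reply.
            self.stats["tcp_flag_errors"] += 1
            return "drop"
        # tcpchecks=none: the segment gets as far as the NAT stage, finds no
        # mapping for its destination port and is answered with an ICMP error,
        # which is what the source-chain log in the thread shows.
        self.stats["icmp_sent"] += 1
        return "icmp-port-unreachable"

    def handle_icmp_error(self, related, now):
        """Verdict for an inbound ICMP Destination Unreachable quoting the
        outbound segment `related`: forwarded only while that flow's state lives."""
        self._expire(now)
        if self._key(related) in self.table:
            return "forward"
        self.stats["dropped"] += 1
        return "drop"


def scenario(tcpchecks, icmp_delay, state_timeout=60):
    """Replay the two observations from the thread and return the verdicts."""
    fw = StatefulFirewall(tcpchecks, state_timeout)
    # 1. Stray ACK/PSH from a community server, source port 44340 (constructed
    #    from the thread's logs; 192.0.2.10 stands in for the masked WAN address).
    stray = Segment("84.93.235.210", 44340, "192.0.2.10", 12569,
                    frozenset({"ACK", "PSH"}), "in")
    stray_verdict = fw.handle(stray, now=0)
    # 2. Outbound connection attempt to port 44340, then an ICMP error for it
    #    arriving icmp_delay seconds later.
    attempt = Segment("192.0.2.10", 50915, "84.93.230.178", 44340,
                      frozenset({"SYN"}), "out")
    fw.handle(attempt, now=100)
    icmp_verdict = fw.handle_icmp_error(attempt, now=100 + icmp_delay)
    return stray_verdict, icmp_verdict, fw.stats


if __name__ == "__main__":
    for checks, delay in (("none", 70), ("exact", 10)):
        print(checks, delay, scenario(checks, delay))
```

With tcpchecks=none and a 70-second delay the model reproduces both complaints at once: the stray segment is answered (icmp_sent goes up) and the late ICMP error is dropped because the outbound attempt has already aged out of the table. With tcpchecks=exact the stray segment only increments the flag-error counter and nothing leaves the router, which is the "stealthy" behaviour the thread was looking for.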
Kelly
Hero
Posts: 5,497
Thanks: 380
Fixes: 9
Registered: ‎04-04-2007

Re: ACKs from 84.93.230.186 port 44340 dropped?

Just checking, you're getting these when browsing via https right?  And they have disappeared via http?
Kelly Dorset
Ex-Broadband Service Manager
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: ACKs from 84.93.230.186 port 44340 dropped?

Yes, when browsing these forums over https. It got fixed for plain http access a while ago.
I was more interested in the implications of the 582n replying to the packets actually. And the fact that it did not appear to be possible to configure the firewall to log the inbound packets.
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

Re: ACKs from 84.93.230.186 port 44340 dropped?

Has anybody looked into this at all? No change so far.