
Re: netstat shows strange output

From: Noah Meyerhans <noahm(at)debian.org>
Date: Sun Jan 06 2008 - 14:56:15 EST


On Sun, Jan 06, 2008 at 01:36:26PM -0600, William Twomey wrote:
>
> I also disabled ipv6, which I was seeing a lot of from this host.

Probably not, unless you've knowingly configured IPv6 routing and all that; you were probably seeing a lot of IPv4 mapped v6 addresses, which look (in netstat) like ::ffff:66.116.125.131. [1] Disabling v6 is an entirely reasonable thing to do if you don't use it, but is probably not going to do anything about the actual traffic.

> tcp 0 0 192.168.1.240:www ba.2c.5646.static:55674 FIN_WAIT2
> tcp 1 0 192.168.1.240:www ba.2c.5646.static:44413 CLOSE_WAIT
> tcp 0 0 192.168.1.240:www ba.2c.5646.static:59517 ESTABLISHED
> tcp 1 0 192.168.1.240:www ba.2c.5646.static:44401 CLOSE_WAIT
>
> I've blocked this IP (resolves to 18255.com) on this machine using
> iptables -I INPUT -s 66.116.125.131 -j DROP
>
> This doesn't work, so perhaps it's a spoofed IP? *shrugs*
>
> Any help would be appreciated, this is causing a bit of strain on my web
> server. :/

Dropping packets from a host won't magically make all open connections from that host go away. These connections will eventually time out and go away. Until then, unless your web server is *really* resource-starved, these connections aren't causing any significant strain.

You should probably read the netstat man page and RFC 793 [2] for info about what those various states mean. For example, a connection in FIN_WAIT2 state is waiting for a packet from the remote host, which you've explicitly forbidden.

noah

[1] http://en.wikipedia.org/wiki/IPv4_mapped_address
[2] http://nwww.faqs.org/rfcs/rfc793.html

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Sun Jan 6 15:23:50 2008
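
An added example, not part of the original message: a small parser for `netstat -tn` style output that unwraps IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`) and tallies TCP states per remote peer, so mapped entries are counted with the IPv4 host they really are. The sample text is constructed, the function names are hypothetical, and the `2001:db8::` addresses are documentation placeholders.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in `netstat -tn` layout; not output from the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.240:80        66.116.125.131:55674    FIN_WAIT2
tcp        1      0 192.168.1.240:80        66.116.125.131:44413    CLOSE_WAIT
tcp6       0      0 ::ffff:192.168.1.240:80 ::ffff:66.116.125.131:59517 ESTABLISHED
tcp6       1      0 ::ffff:192.168.1.240:80 ::ffff:66.116.125.131:44401 CLOSE_WAIT
tcp6       0      0 2001:db8::1:22          2001:db8::50:40022      ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

def peer_ip(endpoint):
    """Split 'addr:port' on the last colon and unwrap IPv4-mapped IPv6."""
    host, _, _port = endpoint.rpartition(":")
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped        # ::ffff:a.b.c.d is really IPv4 traffic
    return ip

def states_by_peer(netstat_text):
    """Return {peer address: Counter of TCP states}, skipping listeners."""
    table = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue                 # header or non-TCP line
        if fields[5] == "LISTEN":
            continue                 # no remote peer on a listening socket
        table[str(peer_ip(fields[4]))][fields[5]] += 1
    return dict(table)

def real_ipv6_peers(netstat_text):
    """Peers that are genuine IPv6, i.e. not IPv4-mapped."""
    return sorted(p for p in states_by_peer(netstat_text)
                  if ipaddress.ip_address(p).version == 6)

if __name__ == "__main__":
    for peer, states in states_by_peer(SAMPLE).items():
        print(peer, dict(states))
```

Entries that stay in CLOSE_WAIT are waiting on the local application to close its socket, while FIN_WAIT2 entries are waiting on the remote host, so the per-state counts show which side each lingering connection depends on.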

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:01 EDT

