Large number of invalid packets detected
rtibmx at yahoo.com
Sun May 18 11:11:35 MSD 2008
Hi all - I'm using the latest version of nginx 6 and recently put iptables in place.
I am seeing a significant number of matches for the following iptables rule:
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix INPUT-BAD-PACKET:
iptables -A INPUT -m state --state INVALID -j DROP
Before it is suggested that perhaps the server is under attack, I am fairly well certain it is not. A great summary of the problem I am seeing is here: http://www.webmasterworld.com/forum40/1642.htm .
My situation is very much the same as described in that article, including the original poster's view that there is no way that was happening as the result of an attack. Also like the original poster, my rate is very high relatively speaking. Seems like about nearly 1 out of every 100 visitors triggers this bad state issue.
If you scroll to near the bottom of that page you will find some conclusions that the invalid state of the packet was likely coming from bad checksums.
Occasionally (but a lot less than the INPUT rule) I see the same type of issue with OUTPUT, specifically from this rule:
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix OUTPUT-BAD-PACKET:
iptables -A OUTPUT -m state --state INVALID -j DROP
Also like the original poster, the problem seems to occur a few minutes AFTER successfully serving them a web page. For instance if I take the IP from a failed bad state log on the INPUT rule and look through the nginx log files, I will see a successful 200 status code in the logs where the page was served a couple minutes BEFORE the bad state occurred. In case it matters I am using nginx with proxy_pass to serve content.
A few questions please:
1) Is it possible something with nginx is contributing to this?
2) Am I correct to assume that I might as well DROP the packets anyway? For now I changed my config to just log the error but not drop the packet, just out of fear that perhaps this rule is dropping packets that there is nothing wrong with and causing more harm than good. But it seems that if the packets are indeed bad I might as well drop them... ?
3) If the answer to #2 is that I might as well drop them, should I use REJECT instead of DROP? In case it matters this is only affecting http traffic on port 80.
4) How worried should I be about this issue? Is it just a matter of the Internet that there are going to be errored packets and that "out of sight, out of mind" is better (before installing iptables of course I had no way to know of this problem, yet everything still seems to be working ok).
5) Any tips on how I can go about tracking this down further?
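The manual check described in the post (take the IP from an INPUT-BAD-PACKET log line, find the matching 200 in the nginx access log, note how long before the drop it was served) can be automated so the whole log can be characterised at once. The script below is an added example, not code from the original post or from nginx: it parses the syslog lines that the iptables LOG target writes with the prefixes used above, parses combined-format nginx access log entries, and for every logged INVALID packet reports the TCP flags, the destination port, and the gap in seconds since that remote address was last served a page. The sample log lines, the hostname "web1", the RFC 5737 addresses and the year 2008 (syslog timestamps carry no year) are all constructed assumptions; both logs are assumed to use the same local clock.

```python
import re
from collections import Counter
from datetime import datetime

ASSUMED_YEAR = 2008  # syslog timestamps have no year; assumed for the sample data

# Constructed sample syslog lines in the format the iptables LOG target emits.
KERN_LOG = """\
May 18 10:42:17 web1 kernel: INPUT-BAD-PACKET:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
May 18 10:42:18 web1 kernel: OUTPUT-BAD-PACKET:IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
May 18 10:44:05 web1 kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=3319 DF PROTO=TCP SPT=3055 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
May 18 10:45:30 web1 kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Constructed sample nginx access log lines (combined format).
ACCESS_LOG = """\
203.0.113.7 - - [18/May/2008:10:40:02 +0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [18/May/2008:10:41:20 +0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

KERN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<prefix>[\w-]+):(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_iptables_log(text, year=ASSUMED_YEAR):
    """Return one dict per LOG line: timestamp, prefix, addresses, ports, TCP flags."""
    drops = []
    for line in text.splitlines():
        m = KERN_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        kv = dict(KV_RE.findall(rest))
        # Flag names appear as bare tokens (e.g. "ACK RST") between RES= and URGP=.
        flags = [tok for tok in rest.split() if tok in TCP_FLAGS]
        drops.append({
            "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
            "prefix": m.group("prefix"),
            "src": kv.get("SRC", ""), "dst": kv.get("DST", ""),
            "proto": kv.get("PROTO", ""),
            "spt": int(kv.get("SPT", 0)), "dpt": int(kv.get("DPT", 0)),
            "flags": flags,
        })
    return drops


def parse_nginx_access(text):
    """Return one dict per access log line: client ip, timestamp, request, status."""
    hits = []
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if not m:
            continue
        stamp = m.group("ts").split()[0]  # drop the +0400 zone; both logs share a clock
        hits.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S"),
            "req": m.group("req"), "status": int(m.group("status")),
        })
    return hits


def correlate(drops, hits, window_s=600):
    """For each dropped packet, find the most recent page served to that remote
    address within window_s seconds before the drop (None if there was none)."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h)
    results = []
    for d in drops:
        # On the OUTPUT chain the remote peer is the destination, not the source.
        remote = d["dst"] if d["prefix"].startswith("OUTPUT") else d["src"]
        prior = [h for h in by_ip.get(remote, [])
                 if 0 <= (d["ts"] - h["ts"]).total_seconds() <= window_s]
        best = max(prior, key=lambda h: h["ts"]) if prior else None
        results.append({
            "prefix": d["prefix"], "remote": remote, "dpt": d["dpt"],
            "flags": " ".join(d["flags"]),
            "gap_s": int((d["ts"] - best["ts"]).total_seconds()) if best else None,
            "status": best["status"] if best else None,
        })
    return results


def summarize(results):
    """Count how many INVALID packets followed a served page, and the flag mix."""
    return {
        "total": len(results),
        "after_served_page": sum(1 for r in results if r["gap_s"] is not None),
        "flags": dict(Counter(r["flags"] for r in results)),
    }


if __name__ == "__main__":
    res = correlate(parse_iptables_log(KERN_LOG), parse_nginx_access(ACCESS_LOG))
    for r in res:
        print(f"{r['prefix']:18} {r['remote']:15} dpt={r['dpt']:<5} flags={r['flags']:8} "
              f"gap={r['gap_s']} last_status={r['status']}")
    print(summarize(res))
```

On a live box the same functions take the contents of the kernel log and the nginx access log instead of the embedded samples. The two numbers worth looking at are the share of drops that follow a served page by a minute or two (packets of an already-closed connection, such as late FIN/ACK or RST segments, which conntrack no longer recognises) and the flag mix; drops from addresses that were never served anything, like the last sample line, are the ones that deserve a closer look.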