Large number of invalid packets detected

Rt Ibmer rtibmx at yahoo.com
Mon May 19 00:11:42 MSD 2008 

>You didn't show us what was important: the log that was produced.

I included various samples from the different types of invalid state errors at the end of this message.

> If the rejected packet was a ACK/FIN, then it is harmless.

About 25% of the invalid packets are of this type. Should I drop them using DROP or using RESET?  How about for the other types?  I take it there is no harm in dropping or rejecting these - as they are obviously bad packets anyway?

I should note that in EVERY case it appears that nginx served the content successfully and that browser got it just fine (no obvious errors), and these bad packet log messages are showing up anywhere from 2-5 minutes after the user hits the page and not part of a new request.  So it seems there is some packet activity that occurs minutes after the user has left the site.

>On busy servers conntrack removes the connection from its table as soon as
>it gets the FIN packet. When the ACK/FIN then comes, the connection is not
>known and this is not a SYN. It logs it as invalid.

My server is not very busy (yet). It is handling about 500-1500 requests per hour and no more than a 2 or 3 concurrently at times.

>This could also have been a scan (nmap can trigger invalid packets too).

I really don't think this could be a scan. I took the site live for the first time and immediately started seeing these invalid packets.

> What kernel version are you running?

uname -a returns the following:
2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:39:36 EST 2008 i686 athlon i386 GNU/Linux

Here are some log samples. Thank you and I look forward to hearing your thoughts on this. I really appreciate your help!!
==========
Out of 436 log entries here is the break down (these are not exact counts but will give you an idea of what % are for what type of bad packet):

218 are type "ACK RST" on the INPUT chain. None of this type are for the OUTPUT chain. Examples:
--------
May 18 15:21:44 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=13770 DF PROTO=TCP SPT=1391 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0

May 18 15:17:25 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=17970 DF PROTO=TCP SPT=49671 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
--------

110 are of type "ACK FIN". Out of this group 82 are on the INPUT chain and 28 are on the OUTPUT chain. Examples:
-------- (OUTPUT)
May 18 15:14:13 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=31199 DF PROTO=TCP SPT=80 DPT=3055 WINDOW=6432 RES=0x00 ACK FIN URGP=0

May 18 13:39:17 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=299 DF PROTO=TCP SPT=80 DPT=1157 WINDOW=6432 RES=0x00 ACK FIN URGP=0
-------- (INPUT)
May 18 15:24:08 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC==x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=25196 DF PROTO=TCP SPT=57214 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

May 18 12:58:10 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=52221 DF PROTO=TCP SPT=55817 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

99 are for type "RST", out of those 22 are for the INPUT chain and 77 are for the OUTPUT chain. Examples:
-------- (OUTPUT)
May 18 10:49:15 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=19144 WINDOW=0 RES=0x00 RST URGP=0

May 18 15:35:40 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=62353 WINDOW=0 RES=0x00 RST URGP=0
-------- (INPUT)
May 18 13:54:58 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC==x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=9943 PROTO=TCP SPT=4361 DPT=80 WINDOW=0 RES=0x00 RST URGP=0


May 18 12:31:37 domU kernel: PCK-INP-BADSTATE-DROP:IN=eth0 OUT= MAC=12:....:ff:08:00 SRC=x.y.z.a DST=10.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=65259 PROTO=TCP SPT=12568 DPT=80 WINDOW=6432 RES=0x00 RST URGP=0


9 are for type "ACK PSH FIN". Example:
--------
May 18 02:00:03 domU kernel: PCK-OUT-BADSTATE-DROP:IN= OUT=eth0 SRC=10.x.x.x DST=x.y.z.a LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=29585 DF PROTO=TCP SPT=80 DPT=5178 WINDOW=54 RES=0x00 ACK PSH FIN URGP=0

-- end of message --

More information about the nginx mailing list