Sign in with
Sign up | Sign in
Your question

[kerio] "TCP ack packet attack"

Last response: in Networking
Share
July 8, 2004 11:19:34 AM

Archived from groups: comp.security.firewalls (More info?)

Does anyone know what this entry in the log means? My guess is it's just
due to a misconfigured rule or something, but the word "attack" concerns
me. Thanks in advance.

"Rule 'TCP ack packet attack': Blocked: In TCP,
127.0.0.1:80->localhost:1476, Owner: no owner"
Anonymous
a b 8 Security
July 8, 2004 6:58:59 PM

Archived from groups: comp.security.firewalls (More info?)

Its garbage, just go back into the administration, and the on the
miscellaneous tab uncheck 'log sucpicious packets'. Its not an attack, and
whoever called it an attack at Kerio was a moron.

"anon" <anon@anonn.com> wrote in message news:2l4as6F88qn0U1@uni-berlin.de...
> Does anyone know what this entry in the log means? My guess is it's just
> due to a misconfigured rule or something, but the word "attack" concerns
> me. Thanks in advance.
>
> "Rule 'TCP ack packet attack': Blocked: In TCP,
> 127.0.0.1:80->localhost:1476, Owner: no owner"
Anonymous
a b 8 Security
July 8, 2004 7:11:47 PM

Archived from groups: comp.security.firewalls (More info?)

I remembered they were logging garbage, here is comment someone else posted on
a web forum

"A 'ack packet attack' is not an attack. Ack packets ACKnowledge something was
received, and are a part of normal traffic. However they have been used as
part of stealth tests.

Now the reason your firewall is showing them is these packets have been timed
out, basically the service stopped listening for some reason, and its still
receiving these acknowledgement packets.

So open your Administration, click advanced, misc tab, uncheck 'log suspicious
packets', and get on with your day as that setting logs 95% garbage, not so
called 'attacks'."

"anon" <anon@anonn.com> wrote in message news:2l4as6F88qn0U1@uni-berlin.de...
> Does anyone know what this entry in the log means? My guess is it's just
> due to a misconfigured rule or something, but the word "attack" concerns
> me. Thanks in advance.
>
> "Rule 'TCP ack packet attack': Blocked: In TCP,
> 127.0.0.1:80->localhost:1476, Owner: no owner"
!