dslreports logo
    All Forums Hot Topics Gallery


Search Topic:
share rss forum feed

Mobile, AL

TCP ack packet attack

Click for full size
My firewall has logged 43 of these entries since about 8 AM this morning. All from the same IP. What makes it worse is that I have a hardware firewall (netgear FR-314)and they are getting though the router and being picked up by the software firewall(Kerio). I've never had anything like this happen before and don't know if I should be concerned or not? Is this something that should be reported? and would it do any good if if was?

New York, NY
See these two links for more information:

»Kerio not allowing multiple connections...

»TCP 'ACK' Packet Attack

You can avoid seeing these messages by unchecking "Log Suspicious Packets" on the Advanced-->Miscellaneous tab if you're running an up to date version of Kerio.
Pinky: I think so Brain, but shouldn't the bat boy be wearing a cape?

Mobile, AL
Thanks Zupe. Next time I'll search a little more before posting.

Just Firewall It
Venice, CA

In addition to these discussions, you should be clear about the NAT function in the FR-314, because it identifies the culprit as local. Nothing is attacking you!

A typical reason these ACK packets can reach your computer is the fact that a dynamic NAT mapping still exists on the router, created earlier by an outgoing request to a web site. This is needed so that the return packets can be directed back to the requesting machine.

Unless you have a NAT server defined on your router for port 1512, the appearance of these packet on the LAN proves they are returns! So, the blame lies on some unfortunate event on your PC, maybe the browser or computer crashed, leaving these packets dangling and confusing the firewall. I bet you had a web session open to the 166.90... IP prior to these events.

Note that also here, your firewall throws sand into the gears. Without the firewall, the PC would probably answer with a RST to properly notify the originator that you are no longer listening and immediately stopping any further probes.
[text was edited by author 2002-05-05 15:46:52]