ACK PSH

Hi guys,

For the past 2 days we have seen lots of connection drops where the source is our Sophos WAN IP, the source port is 80, and the destination is an IP in China.

In the WAF logs I can see the same Chinese IP harvesting images from one of our websites that is hosted behind the Sophos.

The logs show this:

2019:05:28-00:42:17 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="1480" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="16832" tcpflags="ACK PSH"

2019:05:28-00:17:01 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="2944" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="14126" tcpflags="ACK"

Can I assume that we see this because our IP tries to acknowledge the sync on the same port that the website accepts connections from, and the destination is dropping these requests?

Thanks
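
To see how many such drops there are per destination and which TCP flags they carry, the packetfilter lines can be parsed and grouped. This is an added example, not part of the original post and not Sophos code; the sample embeds the two log lines from the post plus one constructed line, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# First two lines are copied from the post above; the third is constructed for contrast.
SAMPLE_LOG = """\
2019:05:28-00:42:17 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="1480" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="16832" tcpflags="ACK PSH"
2019:05:28-00:17:01 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="42.203.129.232" proto="6" length="2944" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="14126" tcpflags="ACK"
2019:05:28-00:50:00 securitysrv1-2 ulogd[10734]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:f0:0f:a1" srcip="62.XX.XX.184" dstip="203.0.113.10" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="51000" dstport="443" tcpflags="SYN"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the timestamp and key="value" fields of one ulogd line, or None."""
    stamp, _, rest = line.partition(" ")
    if "ulogd[" not in rest:
        return None
    fields = dict(FIELD.findall(rest))
    fields["timestamp"] = stamp
    return fields

def drops_by_peer(text, service_port="80"):
    """Summarize dropped TCP packets sent from service_port, per destination IP."""
    peers = defaultdict(lambda: {"count": 0, "bytes": 0, "syn": 0,
                                 "flags": Counter(), "first": None, "last": None})
    for line in text.splitlines():
        f = parse_line(line)
        if not f or f.get("action") != "drop" or f.get("proto") != "6":
            continue
        if f.get("srcport") != service_port:
            continue  # not traffic leaving the published web port
        p = peers[f.get("dstip", "?")]
        p["count"] += 1
        p["bytes"] += int(f.get("length", 0))
        flags = f.get("tcpflags", "")
        p["flags"][flags] += 1
        p["syn"] += "SYN" in flags.split()  # packets that try to open a connection
        ts = f["timestamp"]  # fixed-width stamp, so string order is time order
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return dict(peers)

if __name__ == "__main__":
    for ip, s in drops_by_peer(SAMPLE_LOG).items():
        print(ip, s["count"], "packets,", s["bytes"], "bytes,",
              dict(s["flags"]), "SYN:", s["syn"], s["first"], "to", s["last"])
```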


