
Top blocked services

Hi All

For the last couple of days I have been getting, in the top blocked services, HTTP traffic as the highest blocked service:

TOP10 dropped services
Total dropped packets: 25 315

Top  Service Name    Protocol  Service  Packets  % of total
1    HTTP            TCP       80       16 693   65.94 %
2    NETBIOS-DGM     UDP       138      318      1.26 %
3    T8C0            ICMP      t8c0     271      1.07 %
4    EPMAP           TCP       135      271      1.07 %
5    T11C0           ICMP      t11c0    220      0.87 %
6    MICROSOFT-DS    TCP       445      197      0.78 %
7                    UDP       5351     128      0.51 %
8    REMOTE-WINSOCK  TCP       1745     127      0.50 %
9    H263-VIDEO      UDP       2979     105      0.41 %
10   IRDMI           TCP       8000     96       0.38 %


I think that HTTP is blocked because the handshake is not correct. I have multiple entries in the packet filter where the start of the handshake is [ACK FIN] and it is therefore dropped. I remember a user complaining about the same issue not long ago. (I've attached the pf logs for the previous days.)

Can you advise on anything to look for, as I don't think that's normal. The following are enabled:

Enable TCP Window scaling        YES
Use strict TCP session handling  NO
Validate packet length           YES
Spoof protection:                Normal



Thanks


packetfilter-2009-11-07.zip
  • Are you learning Greek? hehehe

    I am just having a concern as to why I have so much https traffic blocked.

    21:21:47 Default DROP TCP 192.168.2.11:60073 -> 216.239.59.118:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
    21:21:48 Default DROP TCP 192.168.2.11:56302 -> 95.154.193.105:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
    21:21:50 Default DROP TCP 192.168.2.11:60076 -> 85.115.22.3:80 [ACK FIN] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
    21:21:51 Default DROP TCP 192.168.2.11:56316 -> 74.125.47.133:80 [ACK FIN] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
    21:22:00 Default DROP TCP 192.168.2.11:60076 -> 85.115.22.3:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
    21:22:01 Default DROP TCP 192.168.2.11:56316 -> 74.125.47.133:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
    21:22:06 Default DROP TCP 67.215.65.130:80 -> 86.156.25.3:41757 [ACK] len=52 ttl=44 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:b0:c2:02:e3:c7
    21:22:13 Default DROP TCP 67.215.65.130:80 -> 86.156.25.3:41757 [ACK] len=52 ttl=44 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:b0:c2:02:e3:c7
    21:22:23 Default DROP TCP 67.215.65.130:80 -> 86.156.25.3:41757 [ACK] len=52 ttl=44 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:b0:c2:02:e3:c7
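The reading given in the original post, that the filter is dropping the tail end of sessions it has already closed rather than blocking HTTP as such, can be checked by bucketing the drops by flag pattern and direction instead of by service. The script below is an added example and is not code from this thread or from the firewall vendor. Its input is the reply's own entries re-joined one per line (constructed input in that format); the bucket names, the private/public direction heuristic and the "len=40 means no payload" rule are this example's assumptions.

```python
"""Triage packet-filter DROP entries by TCP flags and direction.

Added example: re-joins the entries quoted in the reply above into one
line each, parses them, and sorts them into buckets so that the tail of
already-closed sessions can be told apart from new or unsolicited traffic.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed input: the reply's entries, one per line, same field layout.
SAMPLE_LOG = """\
21:21:47 Default DROP TCP 192.168.2.11:60073 216.239.59.118:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
21:21:48 Default DROP TCP 192.168.2.11:56302 95.154.193.105:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
21:21:50 Default DROP TCP 192.168.2.11:60076 85.115.22.3:80 [ACK FIN] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
21:21:51 Default DROP TCP 192.168.2.11:56316 74.125.47.133:80 [ACK FIN] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
21:22:00 Default DROP TCP 192.168.2.11:60076 85.115.22.3:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
21:22:01 Default DROP TCP 192.168.2.11:56316 74.125.47.133:80 [ACK RST] len=40 ttl=127 tos=0x00 srcmac=00:b0:c2:02:e3:c7 dstmac=00:b0:c2:02:e4:4f
21:22:06 Default DROP TCP 67.215.65.130:80 86.156.25.3:41757 [ACK] len=52 ttl=44 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:b0:c2:02:e3:c7
21:22:13 Default DROP TCP 67.215.65.130:80 86.156.25.3:41757 [ACK] len=52 ttl=44 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:b0:c2:02:e3:c7
21:22:23 Default DROP TCP 67.215.65.130:80 86.156.25.3:41757 [ACK] len=52 ttl=44 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:b0:c2:02:e3:c7
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<rule>.+?) (?P<action>DROP|ACCEPT) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z ]*)\] "
    r"len=(?P<len>\d+) ttl=(?P<ttl>\d+)"
)


@dataclass(frozen=True)
class Drop:
    time: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    length: int
    ttl: int

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def parse_log(text):
    """Parse every line that matches the layout above; silently skip the rest."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        drops.append(Drop(m["time"], m["proto"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]),
                          frozenset(m["flags"].split()), int(m["len"]), int(m["ttl"])))
    return drops


def classify(d):
    """Bucket one drop. The rules are this example's heuristics, not a vendor rule set."""
    if d.proto != "TCP":
        return "non-tcp"
    outbound = ip_address(d.src).is_private and not ip_address(d.dst).is_private
    if "SYN" in d.flags and "ACK" not in d.flags:
        return "blocked-connect"   # a genuine connection attempt hit a DROP rule
    # Assumption: len=40 is a bare IPv4 + TCP header, i.e. no payload. A FIN or
    # RST from an inside host towards a server, with no session state left to
    # match, is the tail end of a connection the stateful filter already forgot.
    if outbound and d.flags & {"FIN", "RST"} and d.length == 40:
        return "late-teardown"
    # Inbound ACK without SYN: a reply to a session the filter no longer
    # tracks, or unsolicited; either way it matched no state entry.
    if not outbound and "ACK" in d.flags and "SYN" not in d.flags:
        return "stray-inbound-ack"
    return "other"


def summarize(text):
    return dict(Counter(classify(d) for d in parse_log(text)))


def flow_history(drops):
    """Flag sequence per 4-tuple in log order, e.g. a FIN followed by a RST on the same port."""
    hist = defaultdict(list)
    for d in drops:
        hist[d.flow].append(" ".join(sorted(d.flags)))
    return dict(hist)


if __name__ == "__main__":
    drops = parse_log(SAMPLE_LOG)
    for bucket, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{bucket:18} {n}")
    for flow, seq in flow_history(drops).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {', '.join(seq)}")
```

On the nine entries above this yields six "late-teardown" drops and three "stray-inbound-ack" drops and no "blocked-connect" at all, which is the pattern the original post describes: nothing in this sample is a refused HTTP connection. The flow history also shows why the counts are high: source ports 60076 and 56316 each log an [ACK FIN] and, about ten seconds later, an [ACK RST] to the same server, i.e. the client's close was dropped and it then reset the connection. Run the same classification over the full attached log before concluding the HTTP number is harmless; any "blocked-connect" or non-zero-payload entries deserve a look.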