Thursday, January 17, 2019

Why so much Invalid State traffic outside my firewall?

I'm trying to learn more about networking and watching the inbound traffic to my network. I know various villains are pounding on my router, but I'm curious what leads to so much Invalid State traffic from "reputable" sources, specifically companies like Apple, Google, Microsoft, and Amazon. I see a lot of this being dropped by my firewall rule for invalid state.

For example, these log excerpts include the above companies' IPs.

SRC=18.204.32.98 DST=69.143.98.96 LEN=291 TOS=0x00 PREC=0x20 TTL=236 ID=38022 DF PROTO=TCP SPT=443 DPT=61865 WINDOW=770 RES=0x00 ACK PSH FIN URGP=0

SRC=17.167.195.42 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=63083 DF PROTO=TCP SPT=443 DPT=65133 WINDOW=8201 RES=0x00 RST URGP=0

SRC=216.239.36.21 DST=69.143.98.96 LEN=115 TOS=0x00 PREC=0x20 TTL=120 ID=4214 PROTO=TCP SPT=443 DPT=65364 WINDOW=244 RES=0x00 ACK PSH FIN URGP=0

SRC=216.239.36.21 DST=69.143.98.96 LEN=115 TOS=0x00 PREC=0x20 TTL=120 ID=11769 PROTO=TCP SPT=443 DPT=65364 WINDOW=244 RES=0x00 ACK PSH FIN URGP=0

SRC=172.217.3.35 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=121 ID=62627 PROTO=TCP SPT=443 DPT=49675 WINDOW=0 RES=0x00 RST URGP=0

SRC=172.217.15.110 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=121 ID=26225 PROTO=TCP SPT=443 DPT=49669 WINDOW=0 RES=0x00 RST URGP=0

SRC=172.217.15.110 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=120 ID=52978 PROTO=TCP SPT=443 DPT=49670 WINDOW=0 RES=0x00 RST URGP=0

SRC=13.59.223.206 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=44 ID=52732 DF PROTO=TCP SPT=443 DPT=58190 WINDOW=0 RES=0x00 RST URGP=0

SRC=52.3.34.252 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=238 ID=48058 DF PROTO=TCP SPT=443 DPT=62040 WINDOW=0 RES=0x00 RST URGP=0

SRC=52.3.34.252 DST=69.143.98.96 LEN=40 TOS=0x00 PREC=0x20 TTL=238 ID=48059 DF PROTO=TCP SPT=443 DPT=62040 WINDOW=0 RES=0x00 RST URGP=0

SRC=52.200.223.135 DST=69.143.98.96 LEN=83 TOS=0x00 PREC=0x20 TTL=238 ID=18159 DF PROTO=TCP SPT=443 DPT=62065 WINDOW=123 RES=0x00 ACK PSH FIN URGP=0

SRC=40.97.124.194 DST=PUBLIC-IP LEN=40 TOS=0x00 PREC=0x20 TTL=113 ID=96 DF PROTO=TCP SPT=443 DPT=50271 WINDOW=0 RES=0x00 ACK RST URGP=0

Is it that a device on my LAN has already closed the connection, but answering packets are already on the way? I'd appreciate any help understanding this.
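A way to check that hypothesis against the log itself: the added Python example below (not from the original post) parses the iptables LOG format shown above and labels each dropped packet by what its TCP flags and ports say about the connection's lifecycle. The sample lines are constructed in the same format with RFC 5737 documentation addresses, and the "server side" heuristic (source port below 1024, destination port in the ephemeral range) is an assumption of the example, not something stated in the post.

```python
import re
from collections import Counter

# Constructed sample in the iptables LOG format shown in the post (RFC 5737 addresses,
# not the post's real IPs). The last line is an unsolicited SYN, added for contrast.
SAMPLE_LOG = """\
SRC=198.51.100.7 DST=192.0.2.10 LEN=291 TOS=0x00 PREC=0x20 TTL=236 ID=38022 DF PROTO=TCP SPT=443 DPT=61865 WINDOW=770 RES=0x00 ACK PSH FIN URGP=0
SRC=198.51.100.8 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=63083 DF PROTO=TCP SPT=443 DPT=65133 WINDOW=8201 RES=0x00 RST URGP=0
SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=113 ID=96 DF PROTO=TCP SPT=443 DPT=50271 WINDOW=0 RES=0x00 ACK RST URGP=0
SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one iptables LOG line into a dict of KEY=VALUE fields plus a 'FLAGS' set."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # Bare tokens such as ACK, PSH, FIN, RST are the TCP flags; URGP=0 is a field, not a flag.
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def classify(entry):
    """Label an INVALID-state drop by what the flags say about the connection's lifecycle."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags, spt, dpt = entry["FLAGS"], int(entry["SPT"]), int(entry["DPT"])
    from_server = spt < 1024 and dpt >= 1024   # assumed heuristic: well-known port -> ephemeral port
    if from_server and "SYN" not in flags and (flags & {"FIN", "RST"}):
        # Teardown from a server for a session conntrack no longer holds: the LAN side already
        # closed it (or the entry timed out), so the reply arrives with no state to match.
        return "late-teardown"
    if flags == {"SYN"}:
        return "unsolicited-syn"   # inbound connection attempt, not a reply to anything we sent
    if from_server and "SYN" in flags and "ACK" in flags:
        return "late-syn-ack"      # answer to a SYN whose conntrack state is already gone
    return "other"

def triage(log_text):
    """Return (per-category counts, [(category, SRC, SPT, DPT, flags), ...]) for a log blob."""
    rows = []
    for line in log_text.splitlines():
        if not line.startswith("SRC="):
            continue
        e = parse_line(line)
        rows.append((classify(e), e["SRC"], e["SPT"], e["DPT"], " ".join(sorted(e["FLAGS"]))))
    return Counter(r[0] for r in rows), rows

if __name__ == "__main__":
    counts, rows = triage(SAMPLE_LOG)
    for row in rows:
        print(row)
    print(dict(counts))
```

Run against the real log, the "late-teardown" bucket is the benign noise from servers the LAN actually talked to, while "unsolicited-syn" entries are the inbound attempts worth keeping an eye on.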
