established connection but webserver had no entry

Hello,

Today I saw that there was a connection established for about 4 hours, but in my webserver log file I had no entry for any request from the IP “128.232.110.28”.

An outgoing connection to this IP is also not allowed - how can it be that this connection was established over such a long time, and how could this connection get the flag “C”?
If no data is transferred, the TCP timeout should be reached after 5 minutes. But this connection remained for about 4 hours.

This cannot be a confirmed connection, can it?

Can anyone explain this behavior?
tcp-connection.png

My web server doesn’t log connections where a client doesn’t send enough information to actually initiate a request, so I wouldn’t be too surprised to see nothing logged for this kind of connection. Where do you get 5 minutes from? If the state of the connection is Established, then 24h is what applies, and is confirmed by your screenshot.

In Windows the value is dynamic for established connections, though the default for initial connections is 72 seconds. The Registry settings are defined in this article:

http://technet.microsoft.com/en-us/library/cc739819(WS.10).aspx

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

TcpInitialRTT: Defines what the initial time-out settings are for new connections. This number in seconds is doubled each time it retransmits before timing a connection out. Defaults to 3.

TcpMaxConnectRetransmissions: Defines the number of retransmissions before timing a connection out. Defaults to 5.

So I thought that this timeout is the same on Linux-based machines.

Today happened the same thing.

Request from tor-limits-scanning.cl.cam.ac.uk (128.232.110.28) to port 80, but no data was transferred. The connection stayed established.

Would it be possible to put the IP addresses from such incoming requests to port 80 on a list which is automatically removed after a timeout when no data is transferred (a kind of port-knocking security)?

Why not just reduce the timeout? 24h is a little generous.

Yes, I also thought of this solution:

  1. add all IP addresses from incoming dst-nat requests to a list
  2. set the timeout for this list to 60 seconds

Is this possible with MikroTik?

In the dst-nat settings I can only set a limit on the max. connections per time, but no timeout for this connection.
The setting Dst. Limit does not help - when I set the expire value to 60 seconds, I saw a connection from tor-limits-scanning.cl.cam.ac.uk (128.232.110.28) again which had a timeout of about 24h. :frowning:
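As an added example (not from any poster in this thread), here is how the two steps proposed above and the earlier suggestion to reduce the timeout map onto RouterOS v6 commands. The list name web-clients and the 1h value are assumptions chosen for illustration; the IP is the one reported in the thread.

```routeros
# Added example, not posted by the thread participants. Assumed names: web-clients.

# Global connection-tracking knob. The default for idle ESTABLISHED TCP
# entries is 1d, which is the 24h seen in the screenshot. This applies to
# every tracked TCP connection through the router (SSH, VPN, ...), not only
# port 80, so keep it longer than your longest legitimate idle session.
/ip firewall connection tracking set tcp-established-timeout=1h

# Step 1+2 of the proposal: record the source of every new, dst-natted
# port-80 connection on an address list whose entries expire after 60s.
# add-src-to-address-list is a non-terminating action, so the packet
# continues down the chain and the dst-nat forward still works.
/ip firewall filter add chain=forward protocol=tcp dst-port=80 connection-nat-state=dstnat connection-state=new action=add-src-to-address-list address-list=web-clients address-list-timeout=1m comment="assumed list name: web-clients"

# Inspect the result: what the list holds right now, and what the tracker
# still has for the scanner's source address.
/ip firewall address-list print where list=web-clients
/ip firewall connection print where protocol=tcp src-address~"^128.232.110.28"
```

Caveat a practitioner would want: the address-list timeout only removes the list entry; it does not drop the tracked connection. An idle handshake-only connection stays in the connection table until tcp-established-timeout expires (or the peer sends FIN/RST), so the first command is the one that actually shortens the 24h lifetime. The address list is only useful if you reference it in a further rule (for example, a drop rule for sources not on the list).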