External IP locking port 80 Tachyon web server - can you help?

Peter Jakacki

I've been using my Tachyon servers for months, making constant little improvements and everything has been working well, but today I have a problem with port 80. It's not a problem with the web server software itself as the web ports work fine but it's only when I connect to the WAN that it locks up on port 80, but only just today. Wireshark wasn't picking anything suspicious up although that is probably the switch's doing but I did interact with the server and stopped the process so I could issue commands directly to the WIZnet chip.

The IP is originating from Montreal but even though I've blocked that address in the router it is still playing up, time to bridge the interfaces so Wireshark can take a look. Destination port is 80 which is odd.

Here's a capture from my Tachyon console while I access a page successfully on port 81.
Any ideas?

[FONT=courier new]************ W5200 STATUS ************ 
LINK *UP*
CHIP VER  0003[/FONT]
[FONT=courier new]SRC IP    192.168.016.150.
MASK      255.255.255.000.
GATEWAY   192.168.016.001.
MAC       02.FF.62.F3.95.AE.
*** SOCKETS *** 
#0 13:44:24 MODE= CLSD PORT#             TXRW=    .    .RXRW=    .    .RXSZ=    .IR=00 ST=00 CLOSED      
#1 13:44:24 MODE= TCP  PORT#   21        TXRW=    .    .RXRW=    .    .RXSZ=    .IR=00 ST=14 LISTEN      
#2 13:44:24 MODE= CLSD PORT#             TXRW=    .    .RXRW=    .    .RXSZ=    .IR=00 ST=00 CLOSED      
#3 13:44:24 MODE= TCP  PORT#10001        TXRW=    .    .RXRW=    .    .RXSZ=    .IR=00 ST=14 LISTEN      
#4 13:44:24 MODE= TCP  PORT#   80    80  TXRW=7ACF.    .RXRW=    .    .RXSZ=    .IR=00 ST=16 SYNRECV        069.165.095.246.
#5 13:44:24 MODE= TCP  PORT#   81 34084  TXRW= 888. 888.RXRW=    . 133.RXSZ= 133.IR=05 ST=17 ESTABLISHED    192.168.016.019.
#6 13:44:24 MODE= TCP  PORT#   82        TXRW=    .    .RXRW=    .    .RXSZ=    .IR=00 ST=14 LISTEN      
#7 13:44:24 MODE= TCP  PORT#   83        TXRW=    .    .RXRW=    .    .RXSZ=    .IR=00 ST=14 LISTEN      
[/FONT]

msrobots

Destination port is 80 which is odd

why? It is the most obvious port, isn't it?

I just see a SYNCRECV. What is the actual request?

more input

Mike

Peter Jakacki

msrobots wrote: »

why? It is the most obvious port, isn't it?

I just see a SYNCRECV. What is the actual request?

more input

Mike

Not odd if it's the destination as in client destination since the server source port is 80 of course. Anyway by the time I setup a laptop as a bridge so that I could capture all traffic to the Prop server it had pretty much stopped. There was no actual request that I could see. I will sort through the capture files later but I want to be able to shrug off this sort of nuisance in the future.

D.P

Peter Jakacki wrote: »

Not odd if it's the destination as in client destination since the server source port is 80 of course. Anyway by the time I setup a laptop as a bridge so that I could capture all traffic to the Prop server it had pretty much stopped. There was no actual request that I could see. I will sort through the capture files later but I want to be able to shrug off this sort of nuisance in the future.

If you post the capture files I would be happy to look through them. I do this allot on our stackless IP security device.

Peter Jakacki

The IP looks spoofed as these change geographically but the pattern is the same and all it does is continually (every 100ms or so) send SYN packets while ignoring ACKs. This is called a SYN flood and is a form of a denial-of-service attack, but I don't know why.