schoch@ames.UUCP (Steve Schoch) (07/25/87)
A while back, out of curiosity, I added a line to our kernel on ames.arpa that logs a message when a host tries to connect to a TCP port on ames on which no process is listening (i.e. when ames sends back a packet with the reset bit set in response to a SYN). Since we run most of the common servers on ames, I expected to get a few messages if someone played around trying random ports on our machine. I log the foreign address and the destination port, i.e. the port on ames to which a connection is attempted. What surprised me is how many messages I got. Here are a couple of pages of log messages:

----
Jul 24 00:06:26 ames vmunix: conn refused ucbarpa.berkeley.edu port 3944
Jul 24 00:09:11 ames vmunix: conn refused rutgers.edu port 3836
Jul 24 00:09:17 ames vmunix: conn refused rutgers.edu port 3836
Jul 24 00:17:55 ames vmunix: conn refused hao.ucar.edu port 3958
Jul 24 00:20:48 ames vmunix: conn refused hao.ucar.edu port 3968
Jul 24 00:21:05 ames vmunix: conn refused ucbarpa.berkeley.edu port 3965
Jul 24 00:24:11 ames vmunix: conn refused ucbarpa.berkeley.edu port 3972
Jul 24 00:49:35 ames vmunix: conn refused xn.ll.mit.edu port 3990
Jul 24 00:49:37 ames vmunix: conn refused xn.ll.mit.edu port 3990
Jul 24 00:49:38 ames vmunix: conn refused xn.ll.mit.edu port 3990
Jul 24 00:49:38 ames vmunix: conn refused xn.ll.mit.edu port 3990
Jul 24 01:03:20 ames vmunix: conn refused hao.ucar.edu port 4001
Jul 24 01:06:06 ames vmunix: conn refused cad.berkeley.edu port 4005
Jul 24 01:06:10 ames vmunix: conn refused cad.berkeley.edu port 4005
Jul 24 01:15:45 ames vmunix: conn refused seismo.css.gov port 4026
Jul 24 01:15:50 ames vmunix: conn refused seismo.css.gov port 4026
Jul 24 01:16:23 ames vmunix: conn refused im4u.utexas.edu port 4014
Jul 24 01:24:39 ames vmunix: conn refused think.com port 4034
Jul 24 01:34:13 ames vmunix: conn refused cs.ucla.edu port 4040
Jul 24 01:34:14 ames last message repeated 5 times
Jul 24 01:38:04 ames vmunix: conn refused hao.ucar.edu port 4047
Jul 24 01:46:36 ames vmunix: conn refused cad.berkeley.edu port 4051
Jul 24 02:06:10 ames vmunix: conn refused hao.ucar.edu port 4069
Jul 24 02:09:58 ames vmunix: conn refused scubed.arpa port 3797
Jul 24 02:19:11 ames vmunix: conn refused think.com port 4083
Jul 24 03:00:57 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:02:27 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:05:27 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:07:42 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:08:27 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:12:12 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:12:57 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:14:27 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:15:12 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:18:15 ames vmunix: conn refused think.com port 4119
Jul 24 03:19:42 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:21:12 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:22:28 ames vmunix: conn refused hao.ucar.edu port 4125
Jul 24 03:22:40 ames vmunix: conn refused hao.ucar.edu port 4127
Jul 24 03:22:42 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:24:12 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:24:57 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:27:12 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
----

My question is: "Why are all these hosts trying to connect to these ports on ames?" Note that the port numbers are the ports to which they are trying to connect, i.e. someone on ucbarpa could have typed "telnet ames.arpa 4105" to generate that last message, but I kind of doubt someone did this that many times at 3 in the morning. I think all the hosts in this log file run 4BSD UNIX. Does BSD send random SYN packets to sites?

Steve
Mills@UDEL.EDU (07/29/87)
Steve,

Your observations are consistent with the scenario that you try to initiate a TCP connection, give up after too short a time, then receive a SYN/ACK from your destination, who might not have given up yet. The clue is the port number, which is outside the range assigned to most defined services.

Dave
louie@TRANTOR.UMD.EDU (Louis A. Mamakos) (07/30/87)
You might also want to log both port numbers; it may be possible that you are seeing broken FTP data connections.

louie
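Added example, not part of the thread: a small parser for the "conn refused" syslog lines from Steve's post that expands syslogd's "last message repeated N times" collapsing, tallies refusals per remote host and port, and separates ports in the classic 4BSD ephemeral client range (1024 up to 5000) from service ports, which is the distinction Dave's explanation rests on. The sample lines are copied from the post, except the host.example line, which is constructed to exercise the service-port branch.

```python
import re
from collections import Counter

# Constructed sample: lines from the post plus one made-up service-port line.
SAMPLE_LOG = """\
Jul 24 00:49:35 ames vmunix: conn refused xn.ll.mit.edu port 3990
Jul 24 00:49:37 ames vmunix: conn refused xn.ll.mit.edu port 3990
Jul 24 01:34:13 ames vmunix: conn refused cs.ucla.edu port 4040
Jul 24 01:34:14 ames last message repeated 5 times
Jul 24 03:00:57 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:02:27 ames vmunix: conn refused ucbarpa.berkeley.edu port 4105
Jul 24 03:30:00 ames vmunix: conn refused host.example port 513
"""

TS = r"\w{3} +\d+ \d\d:\d\d:\d\d"
REFUSED_RE = re.compile(
    rf"^{TS} \S+ vmunix: conn refused (?P<host>\S+) port (?P<port>\d+)$")
REPEAT_RE = re.compile(rf"^{TS} \S+ last message repeated (?P<n>\d+) times$")

# Classic 4BSD ephemeral range for locally chosen client ports.  A RST sent
# for a SYN/ACK arriving here fits "we gave up on our own connect() first".
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 5000

def parse_refusals(text):
    """Count refusals per (remote host, local port), expanding repeat lines."""
    counts = Counter()
    last = None  # key of the most recent refusal, for "last message repeated"
    for line in text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            last = (m["host"], int(m["port"]))
            counts[last] += 1
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            counts[last] += int(m["n"])
    return counts

def classify(counts):
    """Split tallies into ephemeral-range ports and service ports."""
    ephemeral, service = {}, {}
    for key, n in counts.items():
        bucket = ephemeral if EPHEMERAL_LOW <= key[1] < EPHEMERAL_HIGH else service
        bucket[key] = n
    return ephemeral, service

if __name__ == "__main__":
    eph, svc = classify(parse_refusals(SAMPLE_LOG))
    for (host, port), n in sorted(eph.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} refused {host}:{port}  (ephemeral: likely our abandoned SYN)")
    for (host, port), n in svc.items():
        print(f"{n:3d} refused {host}:{port}  (service port: worth a closer look)")
```

Logging the source port too, as Louie suggests, would let the same tally distinguish a stray SYN/ACK from an FTP server dialling back from port 20.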