Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[wmh]

Can anyone please explain the following "Blocked incoming TCP Packets" from my log. Does this indicate a problem or is there a normal explanation for this? This seems to be going on all the time. From my perspective, the router is working fine but would just like to know what this means.

Thanks.


[INFO]   Mon Feb 01 08:19:11 2010   UPnP renew entry 255.255.255.255 <-> 172.27.35.49:62850 <-> 192.168.0.197:62850 UDP timeout:0 'Teredo'
[INFO]   Mon Feb 01 08:19:05 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63477 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:49 2010   Above message repeated 6 times
[INFO]   Mon Feb 01 08:18:29 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63430 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:29 2010   UPnP renew entry 255.255.255.255 <-> 172.27.35.49:62850 <-> 192.168.0.197:62850 UDP timeout:0 'Teredo'
[INFO]   Mon Feb 01 08:18:28 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63428 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:27 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63424 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:27 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63423 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:27 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63421 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:13 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63430 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:12 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63428 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:11 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63424 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:11 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63423 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:11 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63421 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:05 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63430 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:04 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63428 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:03 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63424 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:03 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63423 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:03 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63421 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:01 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63430 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:00 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63428 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:18:00 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63424 as FIN:ACK received but there is no active connection
[INFO]   Mon Feb 01 08:17:59 2010   Blocked incoming TCP packet from 74.125.45.149:80 to 172.27.35.49:63430 as FIN:ACK received but there is no active connection

[sideloaded1]

It means the router has no record of your network requesting those packets so it drops them. Its a security feature.

[xli]

To add some color to the above response - the FIN/ACK's (also known as Maimon scan) is frequently  used as a fingerprinting (discovery) technique.  Per IP protocol standards, the scanned system should send a RST (reset) packet to the originator of the FIN/ACK regardless of whether the scanned port is open or closed when there is no active session.  The sender of the FIN/ACK logs the ip adderss of the system responding with a RST as a valid ip address for later additional exploration and exploitation.  As indicated above your router blocks your outgoing response as a security feature.