Question about ack attack and Kerio Firewall

I'm using Kerio v2.1.5 and not the newer Sunbelt version. Looking at the log in Kerio I frequently see the following (abbreviated version):

[Date/Time] Rule 'TCP ack packet attack': Blocked in TCP, (null) [IP address:80]->localhost:various ports, Owner: no owner

I looked up ack attack and I'm thinking maybe Kerio is misinterpreting the traffic, or I am. It's always coming from TCP port 80, so is it just web traffic that is being blocked? I have a boatload of adservers etc. blocked in my Hosts file; could that be it?

Reply to
Half_Light

I get the same messages from my Check Point 500W UTM appliance. It was explained on Check Point's discussion group that information may be purged from the state table, prematurely, and this is why it occurs. Here is the broken English response, direct from Sofaware:

"Packets coming from the internal network should be indeed allowed (depending on the security policy) however, they must stand certain criteria like getting TCP ACKs within a certain time interval. If this condition is not fulfilled, the appliance will send a RESET packet, erase the connection from the state table and log the connection as Syn attack. If for some reason the client or server behind the box did not comply with this scenario, then you'll see the log. BTW, the Safe@Office appliances behaved like that forever, only without logging..."

This may be what's happening in your case, as well. Sounds like something not to be too concerned with.

Reply to
optikl
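
A small model of the mechanism described in the reply above, added here as an illustration and not code from Kerio, Check Point or the thread's posters: a stateful filter that purges idle connection entries, so a late packet from a web server's port 80 no longer matches any state and is logged as an "ack packet attack". The idle timeout, the addresses and the exact log wording are assumptions.

```python
from dataclasses import dataclass

# Constructed model of a stateful packet filter (assumed behaviour, not Kerio's
# real implementation): an outbound SYN creates a state-table entry, inbound
# packets are accepted only while a matching entry is alive, and idle entries
# are purged after IDLE_TIMEOUT.  An inbound ACK with no entry left to match
# is what the firewall then reports as an "ack packet attack".
IDLE_TIMEOUT = 60.0  # seconds; assumed value for the model

@dataclass(frozen=True)
class Packet:
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "SA", "A"
    inbound: bool   # True when the packet arrives from the Internet side

class StatefulFilter:
    def __init__(self):
        self.table = {}  # (local_ip, local_port, remote_ip, remote_port) -> last seen
        self.log = []

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if now - t <= IDLE_TIMEOUT}

    def handle(self, p):
        self._expire(p.time)
        # Normalise both directions to the same local/remote key.
        key = (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)
        if not p.inbound and "S" in p.flags and "A" not in p.flags:
            self.table[key] = p.time  # new outbound connection
            return "allow"
        if key in self.table:
            self.table[key] = p.time  # refresh the idle timer
            return "allow"
        if p.inbound and "A" in p.flags:
            self.log.append(f"Rule 'TCP ack packet attack': Blocked in TCP, "
                            f"[{p.src}:{p.sport}]->localhost:{p.dport}")
        return "block"

def late_ack_scenario():
    """Browse a web server, go idle past the timeout, then receive one late ACK."""
    f = StatefulFilter()
    me, web = "192.168.1.2", "203.0.113.10"  # constructed addresses (TEST-NET-3)
    verdicts = [
        f.handle(Packet(0.0, me, 50123, web, 80, "S", False)),
        f.handle(Packet(0.1, web, 80, me, 50123, "SA", True)),
        f.handle(Packet(0.2, me, 50123, web, 80, "A", False)),
        f.handle(Packet(0.5, web, 80, me, 50123, "A", True)),    # data while in state
        f.handle(Packet(120.0, web, 80, me, 50123, "A", True)),  # arrives after purge
    ]
    return verdicts, f.log
```

Only the final packet is blocked; it is the same benign server traffic, just arriving after the filter forgot the connection, which is why these entries are worth checking but not alarming.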

I have heard that it's just nonsense and you should ignore it. Turn that option off (log suspicious packets) and you won't see it anymore.

Reply to
Kerodo

OK, thanks. I've been monitoring the ports and there's nothing suspicious going on so I think you are right.

Reply to
Half_Light

OK, thank you.

Reply to
Half_Light

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.