I'm having this in my logs

  • Hi there,

    Do you have an idea what kind of attack this is and how to prevent it?


    After having this, I'm unable to browse the Internet. Email works fine, ping works fine, but the browsing doesn't work.

  • LAYER 8 Global Moderator

    Not sure I would call that an attack - you're getting a RST telling you to close that connection. Would have to assume you're trying to create the connection, and being told no.

    Firewalls can sometimes be set up to send RST on ports that are blocked or not allowed, etc. But odd that pfSense would block it, if there was a state that you had made a connection. So it is a bit odd that pfSense is blocking it - unless it was out of state.

    So is the pfSense eastern interface behind a firewall, ISP-based maybe, blocking your attempt to talk to 8080, which is a common proxy port?

    I would sniff to see if you're actually in fact trying to open those connections with a SYN. Maybe from a different WAN connection, and the RST is coming back in the wrong interface. An asynchronous routing condition.

    Those first 3 are Microsoft, XO and then some China network?

  • If he gets a RST packet before the TCP connection is fully established, will PF drop it because it's not an "existing" state? If that's the case, then sending a SYN and getting back a RST would cause the RST to be blocked. A non-blackholing server would then cause this situation.

    Classic "Connection Refused" TCP error?

  • LAYER 8 Global Moderator

    Once a SYN is sent, the state would be there waiting for a response. With a name like eastern for the interface, thinking maybe there is a western interface as well, for example. So the SYN and state exist on that interface; if the RST comes in on the other interface, it would be blocked.
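
An added example, not part of the thread: one way to run the check suggested in the replies, matching each inbound RST against the outbound SYNs seen on each WAN interface. The packet records are constructed sample data as they might be reduced from per-interface captures; the `western` interface is the hypothetical second WAN from the last reply, and `classify_rsts` is an illustrative name.

```python
from collections import namedtuple

# One record per captured packet, as seen on the WAN side of the firewall.
Pkt = namedtuple("Pkt", "ts iface direction src sport dst dport flags")

# Constructed sample data (documentation address ranges, not from the poster's logs).
SAMPLE = [
    Pkt(1.00, "eastern", "out", "198.51.100.10", 50001, "203.0.113.5", 8080, "S"),
    Pkt(1.05, "eastern", "in", "203.0.113.5", 8080, "198.51.100.10", 50001, "R"),
    Pkt(2.00, "western", "out", "198.51.100.20", 50002, "203.0.113.6", 8080, "S"),
    Pkt(2.04, "eastern", "in", "203.0.113.6", 8080, "198.51.100.20", 50002, "R"),
    Pkt(3.00, "eastern", "in", "203.0.113.7", 8080, "198.51.100.10", 50003, "R"),
]


def classify_rsts(packets, window=30.0):
    """Label each inbound RST by where, if anywhere, its outbound SYN was seen.

    refused         - SYN left on the same interface: ordinary connection refused
    wrong-interface - SYN left on another interface: reply took a different path
    no-syn          - no recent SYN for this flow: unsolicited or stale RST
    """
    syns = {}  # (local ip, local port, remote ip, remote port) -> (iface, ts)
    results = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out" and "S" in p.flags and "A" not in p.flags:
            syns[(p.src, p.sport, p.dst, p.dport)] = (p.iface, p.ts)
        elif p.direction == "in" and "R" in p.flags:
            # Reverse the tuple so the RST is looked up from the local side.
            seen = syns.get((p.dst, p.dport, p.src, p.sport))
            if seen is None or p.ts - seen[1] > window:
                verdict = "no-syn"
            elif seen[0] == p.iface:
                verdict = "refused"
            else:
                verdict = "wrong-interface"
            results.append((p.src, p.sport, p.iface, verdict))
    return results


if __name__ == "__main__":
    for src, sport, iface, verdict in classify_rsts(SAMPLE):
        print(f"RST from {src}:{sport} on {iface}: {verdict}")
```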
