Lots of invalid headers or checksums.

Report wireless and/or network connectivity problems in this forum.

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Lots of invalid headers or checksums.

Post by CBx86 »

Hey Guys! :D

In my home network, I started to log this rule:

iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP

I'm having a lot of invalid headers/checksums.
Some sample:
https://pastebin.com/W0a9B9L7


Tue Sep 11 11:46:56 2018 kern.warn kernel: [26450.270000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:aa:aa:aa:aa:aa:aa:08:00 SRC=10.0.0.7 DST=172.217.29.138 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8018 DF PROTO=TCP SPT=42604 DPT=443 WINDOW=1550 RES=0x00 ACK FIN URGP=0 
Tue Sep 11 11:47:57 2018 kern.warn kernel: [26511.760000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:aa:aa:aa:aa:aa:aa:08:00 SRC=10.0.0.7 DST=172.217.29.106 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46026 DF PROTO=TCP SPT=47570 DPT=443 WINDOW=409 RES=0x00 ACK FIN URGP=0 
Tue Sep 11 11:47:58 2018 kern.warn kernel: [26512.140000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:aa:aa:aa:aa:aa:aa:08:00 SRC=10.0.0.7 DST=172.217.29.106 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=46027 DF PROTO=TCP SPT=47570 DPT=443 WINDOW=409 RES=0x00 ACK PSH FIN URGP=0 
Tue Sep 11 11:48:03 2018 kern.warn kernel: [26516.930000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:aa:aa:aa:aa:aa:aa:08:00 SRC=10.0.0.7 DST=172.217.29.106 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=46028 DF PROTO=TCP SPT=47570 DPT=443 WINDOW=409 RES=0x00 ACK PSH FIN URGP=0 
Tue Sep 11 11:48:12 2018 kern.warn kernel: [26526.800000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:tt:tt:tt:tt:tt:tt:08:00 SRC=10.0.0.4 DST=157.240.12.32 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=9302 DF PROTO=TCP SPT=50437 DPT=443 WINDOW=262 RES=0x00 ACK PSH FIN URGP=0 

Tue Sep 11 14:52:16 2018 kern.warn kernel: [37570.050000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:dd:dd:dd:dd:dd:dd:08:00 SRC=10.0.0.2 DST=162.125.33.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26662 DF PROTO=TCP SPT=1634 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 
Tue Sep 11 14:52:39 2018 kern.warn kernel: [37593.000000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:dd:dd:dd:dd:dd:dd:08:00 SRC=10.0.0.2 DST=162.125.5.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26780 DF PROTO=TCP SPT=1782 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 
Tue Sep 11 14:52:39 2018 kern.warn kernel: [37593.020000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:dd:dd:dd:dd:dd:dd:08:00 SRC=10.0.0.2 DST=162.125.5.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26781 DF PROTO=TCP SPT=1780 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 

rr:rr:rr:rr:rr:rr - router mac
aa:aa:aa:aa:aa:aa - cel android mac
tt:tt:tt:tt:tt:tt - tablet mac
dd:dd:dd:dd:dd:dd - desktop windows 7 mac
:08:00 - WTF?!

Do I need help, or should I leave it alone? :o

Many thanks!
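The kernel lines quoted above are standard netfilter LOG output, and much of what the post asks about can be read straight out of them. The script below is an added example, not code from the post or from Gargoyle: it parses lines in that format, splits the 14-byte MAC= field into destination MAC, source MAC and EtherType (the trailing 08:00 is EtherType 0x0800, i.e. IPv4), collects the bare TCP flag words (ACK FIN RST ...) and tallies the dropped packets per LAN host. The classify() labels (stray-fin, stray-rst) are a triage heuristic written for this example, not a conntrack internal. The sample input is four of the log lines copied from the post (MACs already anonymised there).

```python
from collections import Counter

# Sample input: four lines copied from the post above, used as test data here.
SAMPLE_LOG = """\
Tue Sep 11 11:46:56 2018 kern.warn kernel: [26450.270000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:aa:aa:aa:aa:aa:aa:08:00 SRC=10.0.0.7 DST=172.217.29.138 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8018 DF PROTO=TCP SPT=42604 DPT=443 WINDOW=1550 RES=0x00 ACK FIN URGP=0
Tue Sep 11 11:47:58 2018 kern.warn kernel: [26512.140000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:aa:aa:aa:aa:aa:aa:08:00 SRC=10.0.0.7 DST=172.217.29.106 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=46027 DF PROTO=TCP SPT=47570 DPT=443 WINDOW=409 RES=0x00 ACK PSH FIN URGP=0
Tue Sep 11 11:48:12 2018 kern.warn kernel: [26526.800000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:tt:tt:tt:tt:tt:tt:08:00 SRC=10.0.0.4 DST=157.240.12.32 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=9302 DF PROTO=TCP SPT=50437 DPT=443 WINDOW=262 RES=0x00 ACK PSH FIN URGP=0
Tue Sep 11 14:52:16 2018 kern.warn kernel: [37570.050000] CTInvalid: IN=br-lan OUT= MAC=rr:rr:rr:rr:rr:rr:dd:dd:dd:dd:dd:dd:08:00 SRC=10.0.0.2 DST=162.125.33.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=26662 DF PROTO=TCP SPT=1634 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# EtherType values as they appear in the last two bytes of the MAC= field.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_mac_field(mac):
    """Split the 14-byte MAC= field into (dst MAC, src MAC, EtherType).

    The LOG target dumps the raw Ethernet header: destination MAC, source
    MAC, then the 2-byte EtherType. That is why every line in the post ends
    in ':08:00' (0x0800 = IPv4); it is not part of either MAC address.
    """
    parts = mac.split(":")
    if len(parts) != 14:
        raise ValueError("expected 14 colon-separated bytes, got %d" % len(parts))
    dst = ":".join(parts[:6])
    src = ":".join(parts[6:12])
    ethertype = int(parts[12] + parts[13], 16)
    return dst, src, ethertype


def parse_log_line(line, prefix="CTInvalid: "):
    """Parse one netfilter LOG line into a dict; None if the prefix is absent."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields, bare = {}, []
    for tok in line[idx + len(prefix):].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val        # OUT= is legitimately empty in PREROUTING
        else:
            bare.append(tok)         # DF, plus TCP flag names such as ACK FIN RST
    dst_mac, src_mac, ethertype = parse_mac_field(fields["MAC"])
    return {
        "src_mac": src_mac,
        "dst_mac": dst_mac,
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "tcp_flags": frozenset(t for t in bare if t in TCP_FLAGS),
        "df": "DF" in bare,
    }


def parse_log(text):
    """Parse every matching line of a log dump, skipping unrelated lines."""
    recs = [parse_log_line(line) for line in text.splitlines()]
    return [r for r in recs if r is not None]


def classify(rec):
    """Heuristic label for triage (this example's rule, not a conntrack internal).

    FIN or RST segments carrying no SYN are typically late teardown segments
    for a flow whose conntrack entry has already been removed.
    """
    flags = rec["tcp_flags"]
    if rec["proto"] != "TCP":
        return "non-tcp"
    if "SYN" in flags:
        return "syn"
    if "RST" in flags:
        return "stray-rst"
    if "FIN" in flags:
        return "stray-fin"
    return "other"


def summarize(text):
    """Count INVALID packets per (source IP, heuristic class)."""
    return Counter((r["src"], classify(r)) for r in parse_log(text))


if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-10s %-10s %d" % (src, kind, n))
```

One practical note: the DROP rule quoted in the post writes nothing to the kernel log by itself. Lines with a "CTInvalid: " prefix come from a LOG target with `--log-prefix "CTInvalid: "`, which has to match the same packets ahead of the DROP for there to be anything to parse. The LEN=40 lines with ACK RST are a 20-byte IP header plus a 20-byte TCP header and no payload, consistent with a bare reset.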

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Lots of invalid headers or checksums.

Post by Lantis »

For any particular reason?
I don’t know enough about firewalls to tell you whether to worry or not. If you logged it for a reason, you probably know more than I do.

Conntrack didn’t find a valid status for the packet so it is INVALID.
They all seem to be 443 traffic, some RST and ACK.

08:00 is the marker for an Ethernet frame.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Re: Lots of invalid headers or checksums.

Post by CBx86 »

Humm!!

Sometimes the connection drops randomly, even with the router (SSH). That's why I decided to investigate and found this.

I bought another router, thinking my old one was bad. :lol:

CBx86
Posts: 157
Joined: Sun Jan 05, 2014 5:43 pm
Location: Brazil

Re: Lots of invalid headers or checksums.

Post by CBx86 »

After reading a lot:

My conclusion (I may be wrong):

Some packets aren't set with a real header. It was just set to 000, to let a router set it later.

Dropping these packets in PREROUTING isn't a good policy.