Re: Question about ack attack and Kerio Firewall
comp.security.firewalls archive

From: optikl <optikl@optikl.net>
Date: Wed Mar 29 2006 - 14:57:08 CEST

Half_Light wrote:
> I'm using Kerio v2.1.5 and not the newer Sunbelt version. Looking at
> the log in Kerio I frequently see the following (abbreviated version):
>
> [Date/Time] Rule 'TCP ack packet attack': Blocked in TCP, (null) [IP
> address:80]->localhost:various ports, Owner: no owner
>
> I looked up ack attack and I'm thinking maybe Kerio is misinterpreting
> the traffic, or I am. It's always coming from TCP port 80 so is it
> just web traffic that is being blocked? I have a boatload of
> adservers etc. blocked in my Hosts file, could that be it?

I get the same messages from my Check Point 500W UTM appliance. It was
explained on Check Point's discussion group that information may be
purged from the state table prematurely, and this is why it occurs.
Here is the broken English response, direct from Sofaware:

"Packets coming from the internal network should be indeed allowed
(depending on the security policy) however, they must stand certain
criterias like getting TCP ACKs within a certain time interval. If this
condition is not fulfilled, the appliance will send a RESET packet,
erase the connection from the state table and log the connection as Syn
attack. If for some reason the client or server behind the box did not
comply to this scenario, then you'll the log. BTW, the Safe@Office
appliances behaved like that forever, only without logging..."

This may be what's happening in your case, as well. Sounds like
something not to be too concerned with.
Received on Mon May 1 01:03:16 2006
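The mechanism described in this thread, as an added illustration that is not part of the original post and is not Kerio's or Check Point's code: a toy stateful packet filter with an idle timeout on its state table. A browsing session to a web server is tracked normally; once the entry is purged, a late ACK from port 80 no longer matches any connection and is blocked and logged as a "TCP ack packet attack". The filter also records recently purged entries so the log can tell a stale-state ACK (a server replying to a connection the firewall has already forgotten) apart from an ACK from a host the client never contacted, which is the triage question a reader of these log lines actually wants answered. The timeout values, addresses and packet timings are all constructed sample data.

```python
"""Toy stateful filter showing why purged state produces 'TCP ack packet
attack' log lines. Added example; timeouts and traffic below are assumed."""
from dataclasses import dataclass

IDLE_TIMEOUT = 60.0     # seconds of inactivity before an entry is purged (assumed)
HISTORY_WINDOW = 600.0  # how long purged entries are remembered for triage (assumed)


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags, e.g. "S", "SA", "A", "PA", "R"
    outbound: bool  # True when sent by the protected host


class StatefulFilter:
    def __init__(self):
        self.table = {}   # (local_ip, local_port, remote_ip, remote_port) -> last seen
        self.purged = {}  # same key -> time the entry was purged (for triage only)
        self.log = []     # blocked packets, in the spirit of the Kerio log line

    @staticmethod
    def key(p):
        """Normalise both directions of a flow to one (local, remote) tuple."""
        if p.outbound:
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        """Purge idle entries; remember them briefly so late ACKs can be triaged."""
        for k, last in list(self.table.items()):
            if now - last > IDLE_TIMEOUT:
                del self.table[k]
                self.purged[k] = now
        for k, t in list(self.purged.items()):
            if now - t > HISTORY_WINDOW:
                del self.purged[k]

    def process(self, p):
        """Return 'allow' or 'block' for one packet, updating the state table."""
        self._expire(p.t)
        k = self.key(p)
        if k in self.table:
            if "R" in p.flags:
                del self.table[k]    # RST tears the connection down
            else:
                self.table[k] = p.t  # any matching packet refreshes the entry
            return "allow"
        if p.outbound and p.flags == "S":
            self.table[k] = p.t      # outbound SYN opens a new entry
            return "allow"
        # No matching state: classify the packet for the log, then block it.
        if not p.outbound and "A" in p.flags and "S" not in p.flags:
            rule = "TCP ack packet attack"
        else:
            rule = "unsolicited packet"
        triage = "stale-state" if k in self.purged else "never-seen"
        self.log.append({"t": p.t, "rule": rule, "from": f"{p.src}:{p.sport}",
                         "to": f"{p.dst}:{p.dport}", "triage": triage})
        return "block"


def run_scenario():
    """Replay a constructed HTTP session followed by two late inbound ACKs."""
    client, web, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    packets = [
        Packet(0.0, client, 40000, web, 80, "S", True),      # client opens connection
        Packet(0.1, web, 80, client, 40000, "SA", False),    # server answers
        Packet(0.2, client, 40000, web, 80, "A", True),      # handshake completes
        Packet(0.3, client, 40000, web, 80, "PA", True),     # HTTP request
        Packet(0.4, web, 80, client, 40000, "PA", False),    # HTTP response
        Packet(90.0, web, 80, client, 40000, "A", False),    # late ACK after idle purge
        Packet(95.0, other, 80, client, 40000, "A", False),  # ACK from a host never contacted
    ]
    fw = StatefulFilter()
    verdicts = [fw.process(p) for p in packets]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_scenario()
    for entry in fw.log:
        print(f"[t={entry['t']:.1f}] Rule '{entry['rule']}': Blocked in TCP, "
              f"{entry['from']}->{entry['to']} ({entry['triage']})")
```

Running the script blocks exactly the two late ACKs: the one from the web server is tagged stale-state, because the firewall had a matching entry until its idle timer expired, while the one from the never-contacted host is tagged never-seen. In a real log the first kind is the benign noise discussed in this thread; only repeated never-seen ACKs from many remote ports would deserve a closer look.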