Attack or probe src 80/tcp to dst 80/tcp

Hi all,

does anybody have a clue as to what kind of probe or attack has been going on for days, coming from source port 80/tcp to dst port 80/tcp? My firewall log is full of this kind of message:


whois gives a hosting provider for both IPs. Both IPs are registered to a Swedish company.
Do you own a web server in your LAN, which is contacted by these IPs? Can you find them in the server logs?
nmap reports port 80 of as tcpwrapped.

I own a web server running on port 80 but nothing got written to the logs; the packet length is only 44 bytes.

Mar 25 14:51:07 ipfire kernel: DNAT IN=red0 OUT= MAC=aa:bb:cc:b5:ff:38:xx:yy:c4:8b:33:eb:08:00 SRC= LEN=44 TOS=0x00 PREC=0x00 TTL=117 ID=60787 PROTO=TCP SPT=80 DPT=80 WINDOW=65125 RES=0x00 ECE SYN URGP=0 MARK=0xcc


I thought of the logs of your web server.
But you could capture these packets with tcpdump -i red0 host

Right, I have analysed them and there was nothing in it referring to the traffic logged in the firewall.

[EDIT:] What I can see is that the traffic stops at the firewall and is not being handled by the web server further downstream, but maybe these non-http “requests” are just not logged per configuration of the web server (nginx).

Three lines of output from tcpdump:

16:01:15.563994 IP (tos 0x0, ttl 180, id 47953, offset 0, flags [none], proto TCP (6), length 44) > Flags [SE], cksum 0xa274 (correct), seq 0, win 65535, options [mss 1460], length 0
16:01:15.627064 IP (tos 0x0, ttl 36, id 47971, offset 0, flags [none], proto TCP (6), length 44) > Flags [SE], cksum 0x91e1 (correct), seq 0, win 16666, options [mss 1460], length 0
16:01:17.630664 IP (tos 0x0, ttl 8, id 41197, offset 0, flags [none], proto TCP (6), length 44) > Flags [SE], cksum 0xa897 (correct), seq 0, win 65340, options [mss 1460], length 0
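An added example, not from any poster in this thread: a small parser for the netfilter/IPFire kernel-log format quoted above that picks out exactly the pattern under discussion (TCP SYN, SPT=80 and DPT=80, a bare 44-byte segment) and reports per-source counts together with the spread of TTL values, which is the detail the tcpdump capture makes visible. The sample lines are constructed, with RFC 5737 documentation addresses in place of the thread's real IPs.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter/IPFire kernel-log format shown in the thread.
# The source and destination addresses are documentation addresses, not the IPs from the thread.
SAMPLE_LOG = """\
Mar 25 14:51:07 ipfire kernel: DNAT IN=red0 OUT= MAC=aa:bb:cc:b5:ff:38:xx:yy:c4:8b:33:eb:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=44 TOS=0x00 PREC=0x00 TTL=117 ID=60787 PROTO=TCP SPT=80 DPT=80 WINDOW=65125 RES=0x00 ECE SYN URGP=0 MARK=0xcc
Mar 25 14:51:09 ipfire kernel: DNAT IN=red0 OUT= MAC=aa:bb:cc:b5:ff:38:xx:yy:c4:8b:33:eb:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=60799 PROTO=TCP SPT=80 DPT=80 WINDOW=16666 RES=0x00 ECE SYN URGP=0 MARK=0xcc
Mar 25 14:51:11 ipfire kernel: DNAT IN=red0 OUT= MAC=aa:bb:cc:b5:ff:38:xx:yy:c4:8b:33:eb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xcc
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse_line(line):
    """Return a dict of KEY=value fields plus a 'FLAGS' set of the bare TCP flag tokens."""
    if "kernel:" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in FLAG_WORDS}
    return fields

def is_port80_syn_probe(fields):
    """The pattern from the thread: TCP SYN (no ACK), source port == destination port == 80,
    and a 44-byte packet, i.e. 20-byte IP header + 20-byte TCP header + 4-byte MSS option, no payload."""
    return (fields.get("PROTO") == "TCP"
            and fields.get("SPT") == "80" and fields.get("DPT") == "80"
            and "SYN" in fields["FLAGS"] and "ACK" not in fields["FLAGS"]
            and fields.get("LEN") == "44")

def summarize(log_text):
    """Count matching probes per source and collect the TTLs seen from each source.
    A real TCP stack uses a fixed initial TTL, so one source whose TTL jumps around
    (the thread's capture shows 180, 36 and 8) is not behaving like an ordinary client."""
    counts, ttls = Counter(), {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and is_port80_syn_probe(f):
            counts[f["SRC"]] += 1
            ttls.setdefault(f["SRC"], set()).add(int(f["TTL"]))
    return counts, ttls

if __name__ == "__main__":
    counts, ttls = summarize(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} probe(s), TTLs seen {sorted(ttls[src])}")
```

To run it against a live firewall, replace SAMPLE_LOG with the contents of the kernel log (or pipe `grep DNAT /var/log/messages` into it); the matching is on the field names the log already contains.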