No data from Cloudflare, only TCP handshake then FIN ACK

Hello, I have a Linux HTTPS server and I keep receiving connections but without HTTP data. It doesn’t happen every day, but when it happens I see dozens of entries in iptables.log in a matter of minutes or seconds.

When I do
tail -f /var/log/iptables.log &
and
tail -f /var/log/nginx/access.log &

I see

Oct 23 12:34:49 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.76.147 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2382 DF PROTO=TCP SPT=57107 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 23 12:34:50 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.76.147 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=37995 DF PROTO=TCP SPT=17399 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 23 12:34:50 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.76.147 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=53193 DF PROTO=TCP SPT=62447 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 23 12:34:50 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.76.147 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=20455 DF PROTO=TCP SPT=52299 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 23 12:34:50 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.76.147 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=51416 DF PROTO=TCP SPT=31791 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

but Nginx shows nothing at all.

Sometimes it happens on port 80. I wrote a simple server in C to listen on port 80 and 443 and all I get is “Connection accepted” and “Connection closed”.

I used tcpdump today (for the first time) and this is what I got multiple times

12:34:49.937897 IP (tos 0x0, ttl 52, id 2382, offset 0, flags [DF], proto TCP (6), length 52)
    172.68.76.147.57107 > 192.168.X.X.443: Flags [S], cksum 0xa526 (correct), seq 2122757403, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 13], length 0
	0x0000:  4500 0034 094e 4000 3406 82f3 ac44 4c93
	0x0010:  c0a8 xxxx df13 01bb 7e86 b51b 0000 0000
	0x0020:  8002 faf0 a526 0000 0204 05b4 0101 0402
	0x0030:  0103 030d
12:34:49.937987 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.X.X.443 > 172.68.76.147.57107: Flags [S.], cksum 0xbaa9 (incorrect -> 0x2796), seq 696800253, ack 2122757404, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
	0x0000:  4500 0034 0000 4000 4006 8041 c0a8 xxxx
	0x0010:  ac44 4c93 01bb df13 2988 53fd 7e86 b51c
	0x0020:  8012 faf0 baa9 0000 0204 05b4 0101 0402
	0x0030:  0103 0307
12:34:50.047338 IP (tos 0x0, ttl 52, id 2383, offset 0, flags [DF], proto TCP (6), length 40)
    172.68.76.147.57107 > 192.168.X.X.443: Flags [.], cksum 0x6351 (correct), ack 1, win 8, length 0
	0x0000:  4500 0028 094f 4000 3406 82fe ac44 4c93
	0x0010:  c0a8 xxxx df13 01bb 7e86 b51c 2988 53fe
	0x0020:  5010 0008 6351 0000 0000 0000 0000
12:34:50.047509 IP (tos 0x0, ttl 52, id 2384, offset 0, flags [DF], proto TCP (6), length 40)
    172.68.76.147.57107 > 192.168.X.X.443: Flags [F.], cksum 0x6350 (correct), seq 1, ack 1, win 8, length 0
	0x0000:  4500 0028 0950 4000 3406 82fd ac44 4c93
	0x0010:  c0a8 xxxx df13 01bb 7e86 b51c 2988 53fe
	0x0020:  5011 0008 6350 0000 0000 0000 0000
12:34:50.047567 IP (tos 0x0, ttl 64, id 62074, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.X.X.443 > 172.68.76.147.57107: Flags [F.], cksum 0xba9d (incorrect -> 0x6161), seq 1, ack 2, win 502, length 0
	0x0000:  4500 0028 f27a 4000 4006 8dd2 c0a8 xxxx
	0x0010:  ac44 4c93 01bb df13 2988 53fe 7e86 b51d
	0x0020:  5011 01f6 ba9d 0000

If I understand correctly, this is a SYN, SYN-ACK, ACK, FIN-ACK, FIN-ACK. But why? Is it your fault or is someone doing connect() then close()?

This is what I got today

Oct 23 13:00:21 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.197.16 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=60849 DF PROTO=TCP SPT=12683 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:00:21 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.197.16 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=49483 DF PROTO=TCP SPT=31645 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:00:21 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.197.16 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=62840 DF PROTO=TCP SPT=56315 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:00:21 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.197.16 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=48699 DF PROTO=TCP SPT=50035 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:41 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.203.79 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=38839 DF PROTO=TCP SPT=24739 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:41 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.203.79 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=37078 DF PROTO=TCP SPT=31899 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:41 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.203.79 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=16503 DF PROTO=TCP SPT=48145 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:41 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.203.79 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=34669 DF PROTO=TCP SPT=62783 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.203.79 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=53540 DF PROTO=TCP SPT=22715 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.85.13 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=45323 DF PROTO=TCP SPT=45667 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.183.91 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=10275 DF PROTO=TCP SPT=31213 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.85.13 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=60208 DF PROTO=TCP SPT=57113 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.183.91 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=31411 DF PROTO=TCP SPT=50479 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.85.13 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=14045 DF PROTO=TCP SPT=54913 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.183.91 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=22127 DF PROTO=TCP SPT=35515 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.183.91 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=15829 DF PROTO=TCP SPT=37285 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:42 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.85.13 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=26649 DF PROTO=TCP SPT=28427 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:43 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.70.183.91 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=39143 DF PROTO=TCP SPT=15577 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:01:43 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.85.13 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=32425 DF PROTO=TCP SPT=12913 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:02 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.220.153 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=60535 DF PROTO=TCP SPT=22305 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:02 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.220.153 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=47838 DF PROTO=TCP SPT=64337 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:02 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.220.153 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=60870 DF PROTO=TCP SPT=23683 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.220.153 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=45041 DF PROTO=TCP SPT=18799 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.68.220.153 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=37486 DF PROTO=TCP SPT=43195 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=162.158.29.28 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=26999 DF PROTO=TCP SPT=64131 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.69.239.73 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=30517 DF PROTO=TCP SPT=42287 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=162.158.29.28 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=36386 DF PROTO=TCP SPT=23279 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.69.239.73 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=44912 DF PROTO=TCP SPT=63853 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=162.158.29.28 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=26086 DF PROTO=TCP SPT=52289 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.69.239.73 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=47714 DF PROTO=TCP SPT=49849 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=162.158.29.28 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=63455 DF PROTO=TCP SPT=26487 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=162.158.29.28 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=51114 DF PROTO=TCP SPT=43795 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 23 13:02:03 HOSTNAME kernel: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:99:00:xx:xx:xx:xx:0f:xx:00 SRC=172.69.239.73 DST=192.168.X.X LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=63239 DF PROTO=TCP SPT=15193 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

Multiple times per second, different addresses, no output from tail -f /var/log/nginx/access.log &
What’s happening? Can it be stopped?
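
An added example, not part of the original post: a small parser that reads tcpdump text output like the capture above and counts, per source address, the flows to port 443 that sent a SYN and then a FIN or RST without any payload bytes. The sample capture is constructed from the post's trace; 192.168.0.10 and 198.51.100.7 are placeholder addresses.

```python
import re
from collections import Counter, defaultdict

# Matches the TCP line of tcpdump output; -v header lines and hex dumps do not match.
PKT = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\].*length (\d+)")

# Constructed sample: two empty flows modelled on the post, one flow carrying data.
SAMPLE = """\
12:34:49.937897 IP (tos 0x0, ttl 52, id 2382, offset 0, flags [DF], proto TCP (6), length 52)
    172.68.76.147.57107 > 192.168.0.10.443: Flags [S], seq 2122757403, win 64240, length 0
    192.168.0.10.443 > 172.68.76.147.57107: Flags [S.], seq 696800253, ack 2122757404, win 64240, length 0
    172.68.76.147.57107 > 192.168.0.10.443: Flags [.], ack 1, win 8, length 0
    172.68.76.147.57107 > 192.168.0.10.443: Flags [F.], seq 1, ack 1, win 8, length 0
    192.168.0.10.443 > 172.68.76.147.57107: Flags [F.], seq 1, ack 2, win 502, length 0
    172.68.76.147.17399 > 192.168.0.10.443: Flags [S], seq 1, win 64240, length 0
    172.68.76.147.17399 > 192.168.0.10.443: Flags [F.], seq 1, ack 1, win 8, length 0
    198.51.100.7.40000 > 192.168.0.10.443: Flags [S], seq 5, win 64240, length 0
    198.51.100.7.40000 > 192.168.0.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
    198.51.100.7.40000 > 192.168.0.10.443: Flags [F.], seq 518, ack 1, win 502, length 0
"""

def handshake_only_flows(capture, server_port=443):
    """Count, per client IP, flows that opened and closed with zero client payload."""
    flows = defaultdict(lambda: {"flags": set(), "bytes": 0})
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sport, _dst, dport, flags, length = m.groups()
        if int(dport) != server_port:       # keep only client -> server packets
            continue
        flow = flows[(src, int(sport))]
        flow["flags"].update(flags)         # flag characters: S . F R P
        flow["bytes"] += int(length)        # TCP payload length reported by tcpdump
    empty = Counter()
    for (src, _sport), flow in flows.items():
        opened = "S" in flow["flags"]
        closed = bool(flow["flags"] & {"F", "R"})
        if opened and closed and flow["bytes"] == 0:
            empty[src] += 1
    return empty

if __name__ == "__main__":
    for ip, n in handshake_only_flows(SAMPLE).most_common():
        print(f"{ip}: {n} connection(s) closed without sending data")
```
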
