Doing a reverse lookup, and trying to hit port 80.

mdelaney
Posts: 2
Joined: Mon Oct 19, 2015 5:40 pm

Post by mdelaney »

Today, my IT department came to me and mentioned that my system was "slamming" our router with requests to port 80.

It seems that NoScript is doing an IP lookup, getting my work's external address, and then trying to hit that address on port 80. Our firewall saw the constant "probe" as a potential attack. While sniffing the network traffic we saw an almost constant stream of the following (hostnames redacted):

13:38:02.119255 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301657432 ecr 0,sackOK,eol], length 0
13:38:02.369828 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301657677 ecr 0,sackOK,eol], length 0
13:38:03.136822 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301658432 ecr 0,sackOK,eol], length 0
13:38:03.382051 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301658677 ecr 0,sackOK,eol], length 0
13:38:04.146678 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301659432 ecr 0,sackOK,eol], length 0
13:38:04.396091 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301659678 ecr 0,sackOK,eol], length 0
13:38:05.150361 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301660432 ecr 0,sackOK,eol], length 0
13:38:05.396445 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301660678 ecr 0,sackOK,eol], length 0
13:38:06.150767 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301661432 ecr 0,sackOK,eol], length 0
13:38:06.399382 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301661678 ecr 0,sackOK,eol], length 0
13:38:07.169206 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301662432 ecr 0,sackOK,eol], length 0
13:38:07.416529 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301662678 ecr 0,sackOK,eol], length 0
13:38:09.181120 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301664432 ecr 0,sackOK,eol], length 0
13:38:09.428206 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301664678 ecr 0,sackOK,eol], length 0
13:38:13.211271 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301668432 ecr 0,sackOK,eol], length 0
13:38:13.461085 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301668678 ecr 0,sackOK,eol], length 0
13:38:21.267142 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301676432 ecr 0,sackOK,eol], length 0
13:38:21.513184 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301676678 ecr 0,sackOK,eol], length 0
13:38:37.305489 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301692432 ecr 0,sackOK,eol], length 0
13:38:37.553514 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301692678 ecr 0,sackOK,eol], length 0
13:39:09.399634 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,sackOK,eol], length 0
13:39:09.645775 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,sackOK,eol], length 0
13:39:17.671870 IP worklaptop.somedomain.org.49841 > firewall.somedomain.org.http: Flags [S], seq 3384371286, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301732677 ecr 0,sackOK,eol], length 0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
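
An added example, not part of the original post: grouping the captured SYNs by source port and sequence number separates retransmissions of one unanswered connection attempt from distinct attempts, which is the first thing to check when a firewall flags traffic like this as a probe. The sample lines are copied from the capture above; `summarize_syns` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Nine lines copied verbatim from the capture in the post above.
CAPTURE = """\
13:38:07.169206 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301662432 ecr 0,sackOK,eol], length 0
13:38:07.416529 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301662678 ecr 0,sackOK,eol], length 0
13:38:09.181120 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301664432 ecr 0,sackOK,eol], length 0
13:38:09.428206 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301664678 ecr 0,sackOK,eol], length 0
13:38:13.211271 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301668432 ecr 0,sackOK,eol], length 0
13:38:13.461085 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301668678 ecr 0,sackOK,eol], length 0
13:38:21.267142 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301676432 ecr 0,sackOK,eol], length 0
13:38:37.305489 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301692432 ecr 0,sackOK,eol], length 0
13:39:17.671870 IP worklaptop.somedomain.org.49841 > firewall.somedomain.org.http: Flags [S], seq 3384371286, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301732677 ecr 0,sackOK,eol], length 0
"""

# tcpdump text line for a bare SYN: time, src host.port, dst host.port, seq.
SYN_LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\w+): "
    r"Flags \[S\], seq (\d+),"
)

def summarize_syns(text):
    """Map (source port, seq) -> SYN count and whole-second gaps between copies.

    A SYN repeated with the same source port and sequence number is a
    retransmission of one attempt, not a new connection.
    """
    seen = defaultdict(list)
    for line in text.splitlines():
        m = SYN_LINE.match(line)
        if not m:
            continue  # not a bare SYN in the expected format
        hh, mm, ss, _src, sport, _dst, _dport, seq = m.groups()
        seen[(int(sport), int(seq))].append(int(hh) * 3600 + int(mm) * 60 + float(ss))
    report = {}
    for key, times in seen.items():
        times.sort()
        gaps = [round(b - a) for a, b in zip(times, times[1:])]
        report[key] = {"syns": len(times), "gaps_s": gaps}
    return report

if __name__ == "__main__":
    for (sport, seq), info in sorted(summarize_syns(CAPTURE).items()):
        print(sport, seq, info)
```

On these nine packets the result is three distinct attempts, and the gaps between copies of the same SYN double each time, the pattern of TCP retransmission backoff when nothing answers.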
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Doing a reverse lookup, and trying to hit port 80.

Post by barbaz »

It's due to NoScript fingerprinting the WAN IP so that it can protect it better. You can stop this behavior by un-checking the "WAN IP ∈ LOCAL" checkbox in NoScript Options > Advanced > ABE, but note that doing so will mean that the router's public interface will not be protected.

The point of this feature is to prevent websites tampering with routers that expose their admin controls or the like on their public interface. You might consider pointing your IT department to this thread, because only they will know A) what their router exposes on its public interface (if anything) and B) whether they care if malicious web pages mess with that stuff.

Let us know, thanks.
*Always* check the changelogs BEFORE updating that important software!
-
mdelaney
Posts: 2
Joined: Mon Oct 19, 2015 5:40 pm

Re: Doing a reverse lookup, and trying to hit port 80.

Post by mdelaney »

Awesome. That fixed it. Thanks barbaz
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Doing a reverse lookup, and trying to hit port 80.

Post by barbaz »

You're welcome
*Always* check the changelogs BEFORE updating that important software!
-
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Doing a reverse lookup, and trying to hit port 80.

Post by Thrawn »

I'm not sure why NoScript would actually be contacting that address, though. It should just be resolving it.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Doing a reverse lookup, and trying to hit port 80.

Post by barbaz »

No, this is normal and expected behavior. It contacts it to fingerprint it to help protect it better; among other things, it uses the fingerprint to help check if the WAN IP has changed. https://hackademix.net/2010/07/28/abe-p ... r-routers/ (& comment 9)
*Always* check the changelogs BEFORE updating that important software!
-