Explain URGP - Firewall log

sync · October 28, 2024, 2:56am

Using OpenWrt 23.05.5
Noted something today in logs: URGP=1280? I have never seen this before.

SRC=bad DST=HIDDEN LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=14139 PROTO=TCP SPT=9987 DPT=31837 WINDOW=0 RES=0x00 ACK SYN URGP=1280

patrakov · October 28, 2024, 3:51am

It is an obsolete TCP feature called the "urgent pointer." It was used in the past by telnet.

However, in a SYN ACK packet, it serves no purpose besides trying to confuse (i.e., attacking) some vulnerable systems (not your router).

brada4 · October 28, 2024, 5:41am

Can you provide start of log line?
And ubus call system board
By flag combo alone it is invalid for conntrack.

github.com

torvalds/linux/blob/c964ced7726294d40913f2127c3f185a92cb4a41/net/netfilter/nf_conntrack_proto_tcp.c#L780


      
          
          			WRITE_ONCE(ct->timeout, timeout + nfct_time_stamp);
          		}
          	} else {
          		ct->proto.tcp.last_index = index;
          		ct->proto.tcp.last_dir = dir;
          	}
          }
          
          /* table of valid flag combinations - PUSH, ECE and CWR are always valid */
          static const u8 tcp_valid_flags[(TCPHDR_FIN|TCPHDR_SYN|TCPHDR_RST|TCPHDR_ACK|
          				 TCPHDR_URG) + 1] =
          {
          	[TCPHDR_SYN]				= 1,
          	[TCPHDR_SYN|TCPHDR_URG]			= 1,
          	[TCPHDR_SYN|TCPHDR_ACK]			= 1,
          	[TCPHDR_RST]				= 1,
          	[TCPHDR_RST|TCPHDR_ACK]			= 1,
          	[TCPHDR_FIN|TCPHDR_ACK]			= 1,
          	[TCPHDR_FIN|TCPHDR_ACK|TCPHDR_URG]	= 1,
          	[TCPHDR_ACK]				= 1,

system · November 27, 2024, 2:21am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.