Re: [fw-wiz] Random and strange RST,ACKs



Yup, there is a firewall. But the connection is not idle. Those
RST,ACKs appear during the session.

On 3/2/07, Phil Hunter <1860ph@xxxxxxxxx> wrote:
Eduardo Tongson wrote:
---------- Forwarded message ----------
From: Eduardo Tongson <propolice@xxxxxxxxx>
Date: Feb 28, 2007 6:07 PM
Subject: Random and strange RST,ACKs
To: pf@xxxxxxxxxxxxx
Hi folks,
I have this peculiar problem where the client over HTTP is having
intermittent resets and timeouts. Doing a dump on the session, I see
strange and random RST,ACKs. Here is a snip:

No.  Time       Source  Destination  Protocol  Info
54   15.291306  CLIENT  SERVER       TCP       4813 > 88 [ACK] Seq=2857 Ack=7738 Win=64512 Len=0
55   15.303536  CLIENT  SERVER       TCP       4813 > 88 [ACK] Seq=2857 Ack=9040 Win=64512 Len=0
56   15.393751  CLIENT  SERVER       KRB5      Continuation[Unreassembled Packet]
57   15.394190  SERVER  CLIENT       KRB5      Continuation[Unreassembled Packet]
58   15.482484  CLIENT  SERVER       TCP       4814 > 88 [ACK] Seq=2117 Ack=8350 Win=64042 Len=0
59   15.583039  CLIENT  SERVER       TCP       4813 > 88 [ACK] Seq=3337 Ack=9275 Win=64277 Len=0
60   17.114978  CLIENT  SERVER       KRB5      Continuation[Unreassembled Packet]
61   17.116075  CLIENT  SERVER       TCP       4814 > 88 [RST, ACK] Seq=2446 Ack=8350 Win=0 Len=0
62   17.116481  SERVER  CLIENT       KRB5      Continuation[Unreassembled Packet]
63   17.116585  SERVER  CLIENT       KRB5      Continuation[Unreassembled Packet]
64   17.116694  SERVER  CLIENT       KRB5      Continuation[Unreassembled Packet]
65   17.116703  SERVER  CLIENT       TCP       [TCP segment of a reassembled PDU]
66   17.214855  CLIENT  SERVER       TCP       4815 > 88 [SYN] Seq=0 Len=0 MSS=1260
67   17.215060  SERVER  CLIENT       TCP       88 > 4815 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460

On 61 there is that sudden RST,ACK.

What might cause this?
By a long shot could it be a RST attack like the one described in
"Slipping the Window"?

TIA
- ed
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Is there a firewall between these? If so, it will reset the connection
every two hours if not used.


