Re: [fw-wiz] Random and strange RST,ACKs
- From: Chris Myers <clmmacunix@xxxxxxxxxxx>
- Date: Wed, 4 Apr 2007 12:41:02 -0500
The peculiar part is your dst port is 88. Are you port forwarding
your http to 88, if so, there is no real need for this as it is not
more secure. Are there other clients using port 88 that are working?
If not, then the backend machine is doing its job.
clmmacunix
On Mar 1, 2007, at 1:15 PM, Phil Hunter wrote:
Eduardo Tongson wrote:
---------- Forwarded message ----------Is there a firewall between these. If so it will reset the connection
From: Eduardo Tongson <propolice@xxxxxxxxx>
Date: Feb 28, 2007 6:07 PM
Subject: Random and strange RST,ACKs
To: pf@xxxxxxxxxxxxx
Hi folks,
I have this peculiar problem where the client over http is having
intermittent reset and timeouts. Doing a dump on the session I see
strange and random RST,ACKs. Here is a
snip:
No. Time Source Destination Protocol Info
54 15.291306 CLIENT SERVER TCP 4813 > 88
[ACK] Seq=2857 Ack=7738 Win=64512 Len=0
55 15.303536 CLIENT SERVER TCP 4813 > 88
[ACK] Seq=2857 Ack=9040 Win=64512 Len=0
56 15.393751 CLIENT SERVER KRB5
Continuation[Unreassembled Packet]
57 15.394190 SERVER CLIENT KRB5
Continuation[Unreassembled Packet]
58 15.482484 CLIENT SERVER TCP 4814 > 88
[ACK] Seq=2117 Ack=8350 Win=64042 Len=0
59 15.583039 CLIENT SERVER TCP 4813 > 88
[ACK] Seq=3337 Ack=9275 Win=64277 Len=0
60 17.114978 CLIENT SERVER KRB5
Continuation[Unreassembled Packet]
61 17.116075 CLIENT SERVER TCP 4814 > 88
[RST, ACK] Seq=2446 Ack=8350 Win=0 Len=0
62 17.116481 SERVER CLIENT KRB5
Continuation[Unreassembled Packet]
63 17.116585 SERVER CLIENT KRB5
Continuation[Unreassembled Packet]
64 17.116694 SERVER CLIENT KRB5
Continuation[Unreassembled Packet]
65 17.116703 SERVER CLIENT TCP [TCP segment
of a reassembled PDU]
66 17.214855 CLIENT SERVER TCP 4815 > 88
[SYN] Seq=0 Len=0 MSS=1260
67 17.215060 SERVER CLIENT TCP 88 > 4815
[SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
on 61 there is that sudden RST,ACK.
What might cause this?
By a long shot could it be a RST attack like the one described in
"Slipping the Window"?
TIA
- ed
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
every two hours if not used
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Prev by Date: [fw-wiz] Reporting Server
- Next by Date: Re: [fw-wiz] Reporting Server
- Previous by thread: [fw-wiz] Reporting Server
- Next by thread: [fw-wiz] LayerOne 2007 - Speaker Line up Announced
- Index(es):
Relevant Pages
|
