Re: [fw-wiz] Random and strange RST,ACKs



The peculiar part is your dst port is 88. Are you port forwarding
your http to 88? If so, there is no real need for this, as it is not
more secure. Are there other clients using port 88 that are working?
If not, then the backend machine is doing its job.

clmmacunix

On Mar 1, 2007, at 1:15 PM, Phil Hunter wrote:

Eduardo Tongson wrote:
---------- Forwarded message ----------
From: Eduardo Tongson <propolice@xxxxxxxxx>
Date: Feb 28, 2007 6:07 PM
Subject: Random and strange RST,ACKs
To: pf@xxxxxxxxxxxxx
Hi folks,
I have this peculiar problem where the client over http is having
intermittent reset and timeouts. Doing a dump on the session I see
strange and random RST,ACKs. Here is a
snip:

No. Time Source Destination Protocol Info
54 15.291306 CLIENT SERVER TCP 4813 > 88 [ACK] Seq=2857 Ack=7738 Win=64512 Len=0
55 15.303536 CLIENT SERVER TCP 4813 > 88 [ACK] Seq=2857 Ack=9040 Win=64512 Len=0
56 15.393751 CLIENT SERVER KRB5 Continuation[Unreassembled Packet]
57 15.394190 SERVER CLIENT KRB5 Continuation[Unreassembled Packet]
58 15.482484 CLIENT SERVER TCP 4814 > 88 [ACK] Seq=2117 Ack=8350 Win=64042 Len=0
59 15.583039 CLIENT SERVER TCP 4813 > 88 [ACK] Seq=3337 Ack=9275 Win=64277 Len=0
60 17.114978 CLIENT SERVER KRB5 Continuation[Unreassembled Packet]
61 17.116075 CLIENT SERVER TCP 4814 > 88 [RST, ACK] Seq=2446 Ack=8350 Win=0 Len=0
62 17.116481 SERVER CLIENT KRB5 Continuation[Unreassembled Packet]
63 17.116585 SERVER CLIENT KRB5 Continuation[Unreassembled Packet]
64 17.116694 SERVER CLIENT KRB5 Continuation[Unreassembled Packet]
65 17.116703 SERVER CLIENT TCP [TCP segment of a reassembled PDU]
66 17.214855 CLIENT SERVER TCP 4815 > 88 [SYN] Seq=0 Len=0 MSS=1260
67 17.215060 SERVER CLIENT TCP 88 > 4815 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460

on 61 there is that sudden RST,ACK.

What might cause this?
By a long shot could it be a RST attack like the one described in
"Slipping the Window"?

TIA
- ed
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Is there a firewall between these? If so, it will reset the connection
every two hours if not used.
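
Added example (not part of the original thread): one way to triage a reset like the one asked about is to compare each RST's sequence number with the next sequence number its sender was due to use, since an endpoint's own stack resets at exactly that number while a blind off-path reset has to guess a value inside the receive window. The Seg record, classify_rsts and the sample frames are constructed for illustration; the 329-byte payload on frame 60 and the 4900 flow are assumptions, not values from the capture.

```python
from collections import namedtuple

# One record per TCP segment, using relative sequence numbers as in the dump above.
Seg = namedtuple("Seg", "no src sport dst dport flags seq win length")

def classify_rsts(segments):
    """Return [(frame_no, verdict)] for each RST, judged against the sender's own stream."""
    next_seq = {}  # (src, sport, dst, dport) -> next sequence number that sender should use
    adv_win = {}   # same key -> receive window that sender last advertised
    verdicts = []
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        peer = (s.dst, s.dport, s.src, s.sport)
        if "RST" in s.flags:
            expected = next_seq.get(flow)
            window = adv_win.get(peer, 0)  # what the RST's receiver will accept
            if expected is None:
                verdict = "unknown"        # no earlier segment from this sender
            elif s.seq == expected:
                verdict = "exact"          # continues the sender's stream
            elif expected < s.seq < expected + window:
                verdict = "in-window"      # accepted by stacks without RFC 5961 checks
            else:
                verdict = "out-of-window"  # receiver should ignore it
            verdicts.append((s.no, verdict))
            continue
        # SYN and FIN each consume one sequence number in addition to payload.
        used = s.length + sum(f in s.flags for f in ("SYN", "FIN"))
        next_seq[flow] = max(next_seq.get(flow, 0), s.seq + used)
        adv_win[flow] = s.win
    return verdicts

# Constructed sample: port 4814 is modelled on frames 58-61 (payload length assumed),
# port 4900 is an invented flow showing the two non-exact outcomes.
SAMPLE = [
    Seg(57, "SERVER", 88, "CLIENT", 4814, "ACK", 8350, 16384, 0),
    Seg(58, "CLIENT", 4814, "SERVER", 88, "ACK", 2117, 64042, 0),
    Seg(60, "CLIENT", 4814, "SERVER", 88, "PSH,ACK", 2117, 64042, 329),
    Seg(61, "CLIENT", 4814, "SERVER", 88, "RST,ACK", 2446, 0, 0),
    Seg(101, "SERVER", 88, "CLIENT", 4900, "ACK", 700, 16384, 0),
    Seg(102, "CLIENT", 4900, "SERVER", 88, "ACK", 500, 64512, 0),
    Seg(103, "CLIENT", 4900, "SERVER", 88, "RST", 9000, 0, 0),
    Seg(104, "CLIENT", 4900, "SERVER", 88, "RST", 30000, 0, 0),
]

if __name__ == "__main__":
    for frame, verdict in classify_rsts(SAMPLE):
        print(frame, verdict)
```

An "exact" verdict does not rule out a device on the path, such as a firewall that tracks the connection, because it sees the real sequence numbers too.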


