Security Incidents mailing list archives
Re: Strange TCP RSTs
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Wed, 31 Jan 2001 14:59:48 -0800
Russell Fulton wrote:
On Tue, 30 Jan 2001 18:25:35 -0800 Crist Clark <crist.clark () GLOBALSTAR COM> wrote:
[snip]
I see this sort of crap all the time from a number of large sites (including Hotmail). I believe that this is some sort of fallout from the load balancing systems. These RSTs are from the server farm behind the load balancer and represent real responses to sessions initiated on your network. That is why the source port is 80.

I run argus which logs all traffic and this is what I see on close examination:

time T                     localIP:hiportnum -> www.bigname.com:80   - normal session
time T+(up to 5 minutes)   otherIP:80 -> localIP:hiportnum           - RST
I have had a chance to look at the two way conversation involved with one of these a bit more. It looks like the RST with the odd extra bit flipped is a response to what the remote HTTP server must be seeing as a surprise FIN,

10:21:28.396870 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: S 2530953764:2530953764(0) win 8760 <mss 1460> (DF) (ttl 254, id 4724)
10:21:28.486222 205.188.144.231.80 > aaa.bbb.cc2.84.38277: S 704124420:704124420(0) ack 2530953765 win 8760 <mss 1460> (DF) (ttl 240, id 7755)
10:21:28.487653 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: . 1:1(0) ack 1 win 8760 (DF) (ttl 254, id 4725)
10:21:28.494449 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: P 1:1323(1322) ack 1 win 8760 (DF) (ttl 254, id 4726)
10:21:28.597889 205.188.144.231.80 > aaa.bbb.cc2.84.38277: . 1:1(0) ack 1323 win 33580 (DF) (ttl 240, id 7756)
10:21:28.603793 205.188.144.231.80 > aaa.bbb.cc2.84.38277: P 1:681(680) ack 1323 win 33580 (DF) (ttl 240, id 7757)
10:21:28.654635 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: . 1323:1323(0) ack 681 win 8760 (DF) (ttl 254, id 4727)
10:21:58.597954 205.188.144.231.80 > aaa.bbb.cc2.84.38277: F 681:681(0) ack 1323 win 33580 (DF) (ttl 240, id 7758)
10:21:58.599507 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: . 1323:1323(0) ack 682 win 8760 (DF) (ttl 254, id 4728)
10:51:02.456094 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: F 1323:1323(0) ack 682 win 8760 (DF) (ttl 254, id 40651)
10:51:02.546232 205.188.144.231.80 > aaa.bbb.cc2.84.38277: R [CWR] 704125102:704125102(0) win 0 (DF) (ttl 49, id 24447)

We see the three-way handshake, a little data getting passed both ways, then the remote HTTP server asks to close, and my machine ACKs the FIN... and then waits a half-hour to send its own FIN back. The connection has timed out at the remote HTTP server which sends back a RST, as expected. But I'm not any closer to why it is turning on bit-8 in the reserved TCP field from RFC793 (noted erroneously in this tcpdump as the CWR flag) in that RST packet.
Looking at the TTL on the returning packets, 49 versus 240,

  255 - 240 = 15
   64 -  49 = 15

We see what is likely a difference in the initial TTL, but this is actually the expected behavior of Solaris, which is the suspected OS of the webserver. I have not, however, seen this "CWR bit" set in my experiences with Solaris. Has anyone else?

Another note, I have taken these dumps from inside my firewall, but captures on the other side show this extra bit is actually in the packets that get here.

Or does anyone have any evidence to support a load balancer theory? Perhaps a firewall that has this signature?

--
Crist J. Clark                      Network Security Engineer
crist.clark () globalstar com        Globalstar, L.P.
(408) 933-4387                      FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com
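The two checks the thread applies by hand (an RST carrying a bit beyond the six RFC 793 flags, and a TTL whose implied initial value differs from the same peer's earlier packets on the flow, plus how long after the last packet the RST arrived) can be run over tcpdump text. This is an added example, not code from the thread or from argus/tcpdump; the sample below is constructed from three of the server-side lines in the capture above, and the 64/128/255 initial-TTL inference is a common heuristic, not something the page states.

```python
import re
from datetime import datetime

# Constructed sample: the server's SYN-ACK, its FIN and the late RST from the
# capture above, in the same (old tcpdump) line format.
SAMPLE = """\
10:21:28.486222 205.188.144.231.80 > aaa.bbb.cc2.84.38277: S 704124420:704124420(0) ack 2530953765 win 8760 <mss 1460> (DF) (ttl 240, id 7755)
10:21:58.597954 205.188.144.231.80 > aaa.bbb.cc2.84.38277: F 681:681(0) ack 1323 win 33580 (DF) (ttl 240, id 7758)
10:51:02.546232 205.188.144.231.80 > aaa.bbb.cc2.84.38277: R [CWR] 704125102:704125102(0) win 0 (DF) (ttl 49, id 24447)
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFPR.]+)(?: \[(?P<extra>[A-Z ]+)\])?"
    r".*\(ttl (?P<ttl>\d+), id \d+\)$"
)

def parse(text):
    """Parse tcpdump TCP lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ttl"] = int(d["ttl"])
            d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
            pkts.append(d)
    return pkts

def initial_ttl(ttl):
    """Heuristic: the smallest common default (64, 128, 255) not below the seen TTL."""
    return next(i for i in (64, 128, 255) if ttl <= i)

def odd_rsts(pkts):
    """Flag RSTs with extra flag bits (tcpdump's [CWR]/[ECE]) or an initial TTL
    unlike the peer's earlier packets on the flow, with the delay since those."""
    seen, findings = {}, []          # flow -> (initial ttl, hops, last timestamp)
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        init = initial_ttl(p["ttl"])
        hops = init - p["ttl"]
        if "R" not in p["flags"]:    # remember the flow's first TTL view, latest time
            first = seen.get(key, (init, hops, p["ts"]))
            seen[key] = (first[0], first[1], p["ts"])
            continue
        reasons, prev = [], seen.get(key)
        if p["extra"]:
            reasons.append("extra flag bits: " + p["extra"])
        if prev and prev[0] != init:
            reasons.append(f"initial TTL {init} vs {prev[0]} earlier (hops {hops} vs {prev[1]})")
        if reasons:
            delay = (p["ts"] - prev[2]).total_seconds() if prev else None
            findings.append({"time": p["ts"].strftime("%H:%M:%S"), "src": key[0],
                             "delay_s": delay, "reasons": reasons})
    return findings
```

On the sample this reports one RST from 205.188.144.231 at 10:51:02 with the CWR bit, initial TTL 64 against 255 earlier (15 hops both ways), about 1744 seconds after the server's FIN; as the message itself notes, a TTL difference alone may be normal for the server's OS, so the finding is a prompt to look, not a verdict.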