Security Incidents mailing list archives

Re: Strange TCP RSTs


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Wed, 31 Jan 2001 14:59:48 -0800

Russell Fulton wrote:

On Tue, 30 Jan 2001 18:25:35 -0800 Crist Clark
<crist.clark () GLOBALSTAR COM> wrote:

[snip]

I see this sort of crap all the time from a number of large sites
(including Hotmail).  I believe that this is some sort of fallout from
the load balancing systems.  These RSTs are from the server farm behind
the load balancer and represent real responses to sessions initiated on
your network.  That is why the source port is 80.  I run argus which
logs all traffic and this is what I see on close examination:

time T  localIP:hiportnum -> www.bigname.com:80  - normal session
time T+(up to 5 minutes) otherIP:80 -> localIP:hiportnum  - RST

I have had a chance to look at the two way conversation involved with
one of these a bit more. It looks like the RST with the odd extra bit
flipped is a response to what the remote HTTP server must be seeing as
a surprise FIN,

10:21:28.396870 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: S 2530953764:2530953764(0) win 8760 <mss 1460> (DF) (ttl 254, id 4724)
10:21:28.486222 205.188.144.231.80 > aaa.bbb.cc2.84.38277: S 704124420:704124420(0) ack 2530953765 win 8760 <mss 1460> (DF) (ttl 240, id 7755)
10:21:28.487653 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: . 1:1(0) ack 1 win 8760 (DF) (ttl 254, id 4725)
10:21:28.494449 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: P 1:1323(1322) ack 1 win 8760 (DF) (ttl 254, id 4726)
10:21:28.597889 205.188.144.231.80 > aaa.bbb.cc2.84.38277: . 1:1(0) ack 1323 win 33580 (DF) (ttl 240, id 7756)
10:21:28.603793 205.188.144.231.80 > aaa.bbb.cc2.84.38277: P 1:681(680) ack 1323 win 33580 (DF) (ttl 240, id 7757)
10:21:28.654635 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: . 1323:1323(0) ack 681 win 8760 (DF) (ttl 254, id 4727)
10:21:58.597954 205.188.144.231.80 > aaa.bbb.cc2.84.38277: F 681:681(0) ack 1323 win 33580 (DF) (ttl 240, id 7758)
10:21:58.599507 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: . 1323:1323(0) ack 682 win 8760 (DF) (ttl 254, id 4728)
10:51:02.456094 aaa.bbb.cc2.84.38277 > 205.188.144.231.80: F 1323:1323(0) ack 682 win 8760 (DF) (ttl 254, id 40651)
10:51:02.546232 205.188.144.231.80 > aaa.bbb.cc2.84.38277: R [CWR] 704125102:704125102(0) win 0 (DF) (ttl 49, id 24447)

We see the three-way handshake, a little data getting passed both ways,
then the remote HTTP server asks to close, and my machine ACKs the FIN...
and then waits a half-hour to send its own FIN back. The connection
has timed out at the remote HTTP server which sends back a RST, as expected.
But I'm not any closer to why it is turning on bit-8 in the reserved
TCP field from RFC793 (noted erroneously in this tcpdump as the CWR flag)
in that RST packet.

Looking at the TTL on the returning packets, 49 versus 240,

  255 - 240 = 15
   64 -  49 = 15

We see what is likely a difference in the initial TTL, but this is actually
the expected behavior of Solaris, which is the suspected OS of the
webserver. I have not, however, seen this "CWR bit" set in my experiences
with Solaris. Has anyone else? Another note, I have taken these dumps from
inside my firewall, but captures on the other side show this extra bit is
actually in the packets that get here. Or does anyone have any evidence
to support a load balancer theory? Perhaps a firewall that has this
signature?
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

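As an added illustration of the TTL arithmetic and the odd reserved bit in the RST discussed in the message above (example code, not from the original poster): a small parser for tcpdump lines of the format quoted in the message that infers each packet's initial TTL and hop distance, and flags any RST that carries extra flag bits or that appears to come from a different TCP stack than the flow's SYN/ACK. The sample lines are the server-side packets quoted above; the 32/64/128/255 initial-TTL buckets are an assumption of common OS defaults.

```python
import re

# Server-side lines taken from the tcpdump output quoted in the message (anonymized client kept as-is).
SAMPLE = """\
10:21:28.486222 205.188.144.231.80 > aaa.bbb.cc2.84.38277: S 704124420:704124420(0) ack 2530953765 win 8760 <mss 1460> (DF) (ttl 240, id 7755)
10:21:28.603793 205.188.144.231.80 > aaa.bbb.cc2.84.38277: P 1:681(680) ack 1323 win 33580 (DF) (ttl 240, id 7757)
10:21:58.597954 205.188.144.231.80 > aaa.bbb.cc2.84.38277: F 681:681(0) ack 1323 win 33580 (DF) (ttl 240, id 7758)
10:51:02.546232 205.188.144.231.80 > aaa.bbb.cc2.84.38277: R [CWR] 704125102:704125102(0) win 0 (DF) (ttl 49, id 24447)
"""

# Matches the old tcpdump layout: "ts src > dst: FLAGS [EXTRA] ... (ttl N, id M)".
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: \[(?P<extra>[^\]]+)\])?.*\(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)"
)

INITIAL_TTLS = (32, 64, 128, 255)  # assumed common OS defaults

def infer_initial_ttl(ttl):
    """Smallest common initial TTL >= observed, i.e. the 255-240 / 64-49 reasoning above."""
    return next(t for t in INITIAL_TTLS if t >= ttl)

def parse(text):
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ttl"], d["ipid"] = int(d["ttl"]), int(d["ipid"])
            pkts.append(d)
    return pkts

def find_anomalous_rsts(pkts):
    """Return (ts, src, reasons) for RSTs with extra flag bits or a different inferred stack."""
    baseline = {}  # src -> (initial ttl, hops) from the first packet seen from that source
    findings = []
    for p in pkts:
        init = infer_initial_ttl(p["ttl"])
        hops = init - p["ttl"]
        base = baseline.setdefault(p["src"], (init, hops))
        if "R" not in p["flags"]:
            continue
        reasons = []
        if p["extra"]:
            reasons.append(f"extra flag bits [{p['extra']}]")
        if init != base[0]:
            reasons.append(f"initial TTL {init} vs {base[0]} earlier (hops {hops} vs {base[1]})")
        if reasons:
            findings.append((p["ts"], p["src"], reasons))
    return findings
```

Equal hop counts with a different inferred initial TTL, as in the quoted capture, point at a different stack or a stack that uses different TTLs per packet type rather than at a longer path.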
