FirewallWizards
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[fw-wiz] Random and strange RST,ACKs

from [Eduardo Tongson] [Permanent Link][Original]
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Random and strange RST,ACKs
From: "Eduardo Tongson" <propolice@gmail.com>
Date: Wed, 28 Feb 2007 18:21:56 +0800
Delivered-to: sp-com-lists@consult.net
Delivered-to: fwwizards-list2@consult.net
Delivered-to: firewall-wizards@honor.icsalabs.com
In-reply-to: <b18fbe3c0702280207id5b16bex5ab9dea955cf5473@mail.gmail.com>
List-archive: <https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help: <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id: Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post: <mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
References: <b18fbe3c0702280207id5b16bex5ab9dea955cf5473@mail.gmail.com>
Reply-to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender: firewall-wizards-bounces@listserv.icsalabs.com 
---------- Forwarded message ----------
From: Eduardo Tongson <propolice@gmail.com>
Date: Feb 28, 2007 6:07 PM
Subject: Random and strange RST,ACKs
To: pf@benzedrine.cx
Hi folks,
I have this peculiar problem where the client over http is having
intermittent reset and timeouts. Doing a dump on the session I see
strange and random RST,ACKs. Here is a
snip:

No.     Time        Source       Destination           Protocol Info
     54 15.291306   CLIENT       SERVER         TCP      4813 > 88
[ACK] Seq=2857 Ack=7738 Win=64512 Len=0
     55 15.303536   CLIENT       SERVER         TCP      4813 > 88
[ACK] Seq=2857 Ack=9040 Win=64512 Len=0
     56 15.393751   CLIENT       SERVER         KRB5
Continuation[Unreassembled Packet]
     57 15.394190   SERVER         CLIENT       KRB5
Continuation[Unreassembled Packet]
     58 15.482484   CLIENT       SERVER         TCP      4814 > 88
[ACK] Seq=2117 Ack=8350 Win=64042 Len=0
     59 15.583039   CLIENT       SERVER         TCP      4813 > 88
[ACK] Seq=3337 Ack=9275 Win=64277 Len=0
     60 17.114978   CLIENT       SERVER         KRB5
Continuation[Unreassembled Packet]
     61 17.116075   CLIENT       SERVER         TCP      4814 > 88
[RST, ACK] Seq=2446 Ack=8350 Win=0 Len=0
     62 17.116481   SERVER         CLIENT       KRB5
Continuation[Unreassembled Packet]
     63 17.116585   SERVER         CLIENT       KRB5
Continuation[Unreassembled Packet]
     64 17.116694   SERVER         CLIENT       KRB5
Continuation[Unreassembled Packet]
     65 17.116703   SERVER         CLIENT       TCP      [TCP segment
of a reassembled PDU]
     66 17.214855   CLIENT       SERVER         TCP      4815 > 88
[SYN] Seq=0 Len=0 MSS=1260
     67 17.215060   SERVER         CLIENT       TCP      88 > 4815
[SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460

on 61 there is that sudden RST,ACK.

What might cause this?
By a long shot could it be a RST attack like the one described in
"Slipping the Window"?

TIA
- ed
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [fw-wiz] LayerOne 2007 - Call for Papers and Pre-Registration, Layer One
Next by Date:  [fw-wiz] PIX 515E config - DMZ host to inside host, Chris Mitchell
Previous by Thread:  [fw-wiz] LayerOne 2007 - Call for Papers and Pre-Registration, Layer One
Next by Thread:  Re: [fw-wiz] Random and strange RST,ACKs, Phil Hunter
Indexes:  [Date] [Thread] [Top] [All Lists]