FirewallWizards
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [fw-wiz] Random and strange RST,ACKs

from [Phil Hunter] [Permanent Link][Original]
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] Random and strange RST,ACKs
From: Phil Hunter <1860ph@gmail.com>
Date: Thu, 01 Mar 2007 13:15:23 -0600
Delivered-to: sp-com-lists@consult.net
Delivered-to: fwwizards-list2@consult.net
Delivered-to: firewall-wizards@listserv.icsalabs.com
In-reply-to: <b18fbe3c0702280221m6b0dba38k73d12fc6b85a4da3@mail.gmail.com>
List-archive: <https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help: <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id: Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post: <mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
References: <b18fbe3c0702280207id5b16bex5ab9dea955cf5473@mail.gmail.com> <b18fbe3c0702280221m6b0dba38k73d12fc6b85a4da3@mail.gmail.com>
Reply-to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender: firewall-wizards-bounces@listserv.icsalabs.com
User-agent: Thunderbird 1.5.0.9 (Windows/20061207) 
Eduardo Tongson wrote:
> ---------- Forwarded message ----------
> From: Eduardo Tongson <propolice@gmail.com>
> Date: Feb 28, 2007 6:07 PM
> Subject: Random and strange RST,ACKs
> To: pf@benzedrine.cx
> Hi folks,
> I have this peculiar problem where the client over http is having
> intermittent reset and timeouts. Doing a dump on the session I see
> strange and random RST,ACKs. Here is a
> snip:
>
> No.     Time        Source       Destination           Protocol Info
>      54 15.291306   CLIENT       SERVER         TCP      4813 > 88
> [ACK] Seq=2857 Ack=7738 Win=64512 Len=0
>      55 15.303536   CLIENT       SERVER         TCP      4813 > 88
> [ACK] Seq=2857 Ack=9040 Win=64512 Len=0
>      56 15.393751   CLIENT       SERVER         KRB5
> Continuation[Unreassembled Packet]
>      57 15.394190   SERVER         CLIENT       KRB5
> Continuation[Unreassembled Packet]
>      58 15.482484   CLIENT       SERVER         TCP      4814 > 88
> [ACK] Seq=2117 Ack=8350 Win=64042 Len=0
>      59 15.583039   CLIENT       SERVER         TCP      4813 > 88
> [ACK] Seq=3337 Ack=9275 Win=64277 Len=0
>      60 17.114978   CLIENT       SERVER         KRB5
> Continuation[Unreassembled Packet]
>      61 17.116075   CLIENT       SERVER         TCP      4814 > 88
> [RST, ACK] Seq=2446 Ack=8350 Win=0 Len=0
>      62 17.116481   SERVER         CLIENT       KRB5
> Continuation[Unreassembled Packet]
>      63 17.116585   SERVER         CLIENT       KRB5
> Continuation[Unreassembled Packet]
>      64 17.116694   SERVER         CLIENT       KRB5
> Continuation[Unreassembled Packet]
>      65 17.116703   SERVER         CLIENT       TCP      [TCP segment
> of a reassembled PDU]
>      66 17.214855   CLIENT       SERVER         TCP      4815 > 88
> [SYN] Seq=0 Len=0 MSS=1260
>      67 17.215060   SERVER         CLIENT       TCP      88 > 4815
> [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
>
> on 61 there is that sudden RST,ACK.
>
> What might cause this?
> By a long shot could it be a RST attack like the one described in
> "Slipping the Window"?
>
> TIA
> - ed
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>   
Is there a firewall between these. If so it will reset the connection 
every two hours if not used
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [fw-wiz] qos pre-classify, Eagle Fire
Next by Date:  Re: [fw-wiz] PIX 515E config - DMZ host to inside host, John.Crissup
Previous by Thread:  [fw-wiz] Random and strange RST,ACKs, Eduardo Tongson
Next by Thread:  Re: [fw-wiz] Random and strange RST,ACKs, Eduardo Tongson
Indexes:  [Date] [Thread] [Top] [All Lists]