Re: [fw-wiz] Random and strange RST,ACKs

To:	"Firewall Wizards Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
Subject:	Re: [fw-wiz] Random and strange RST,ACKs
From:	"Eduardo Tongson" <propolice@gmail.com>
Date:	Mon, 5 Mar 2007 00:59:37 +0800
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	fwwizards-list2@consult.net
Delivered-to:	firewall-wizards@listserv.icsalabs.com
In-reply-to:	<45E7264B.7090809@gmail.com>
List-archive:	<https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help:	<mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id:	Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post:	<mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe:	<https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe:	<https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
References:	<b18fbe3c0702280207id5b16bex5ab9dea955cf5473@mail.gmail.com> <b18fbe3c0702280221m6b0dba38k73d12fc6b85a4da3@mail.gmail.com> <45E7264B.7090809@gmail.com>
Reply-to:	Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender:	firewall-wizards-bounces@listserv.icsalabs.com

Yup there is a firewall. But the connection is not idle. Those RST,
ACKs appear during the session.

On 3/2/07, Phil Hunter <1860ph@gmail.com> wrote:
> Eduardo Tongson wrote:
> > ---------- Forwarded message ----------
> > From: Eduardo Tongson <propolice@gmail.com>
> > Date: Feb 28, 2007 6:07 PM
> > Subject: Random and strange RST,ACKs
> > To: pf@benzedrine.cx
> > Hi folks,
> > I have this peculiar problem where the client over http is having
> > intermittent reset and timeouts. Doing a dump on the session I see
> > strange and random RST,ACKs. Here is a
> > snip:
> >
> > No.     Time        Source       Destination           Protocol Info
> >      54 15.291306   CLIENT       SERVER         TCP      4813 > 88
> > [ACK] Seq=2857 Ack=7738 Win=64512 Len=0
> >      55 15.303536   CLIENT       SERVER         TCP      4813 > 88
> > [ACK] Seq=2857 Ack=9040 Win=64512 Len=0
> >      56 15.393751   CLIENT       SERVER         KRB5
> > Continuation[Unreassembled Packet]
> >      57 15.394190   SERVER         CLIENT       KRB5
> > Continuation[Unreassembled Packet]
> >      58 15.482484   CLIENT       SERVER         TCP      4814 > 88
> > [ACK] Seq=2117 Ack=8350 Win=64042 Len=0
> >      59 15.583039   CLIENT       SERVER         TCP      4813 > 88
> > [ACK] Seq=3337 Ack=9275 Win=64277 Len=0
> >      60 17.114978   CLIENT       SERVER         KRB5
> > Continuation[Unreassembled Packet]
> >      61 17.116075   CLIENT       SERVER         TCP      4814 > 88
> > [RST, ACK] Seq=2446 Ack=8350 Win=0 Len=0
> >      62 17.116481   SERVER         CLIENT       KRB5
> > Continuation[Unreassembled Packet]
> >      63 17.116585   SERVER         CLIENT       KRB5
> > Continuation[Unreassembled Packet]
> >      64 17.116694   SERVER         CLIENT       KRB5
> > Continuation[Unreassembled Packet]
> >      65 17.116703   SERVER         CLIENT       TCP      [TCP segment
> > of a reassembled PDU]
> >      66 17.214855   CLIENT       SERVER         TCP      4815 > 88
> > [SYN] Seq=0 Len=0 MSS=1260
> >      67 17.215060   SERVER         CLIENT       TCP      88 > 4815
> > [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
> >
> > on 61 there is that sudden RST,ACK.
> >
> > What might cause this?
> > By a long shot could it be a RST attack like the one described in
> > "Slipping the Window"?
> >
> > TIA
> > - ed
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> >
> Is there a firewall between these. If so it will reset the connection
> every two hours if not used
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

<Prev in Thread]	Current Thread	[Next in Thread>
[fw-wiz] Random and strange RST,ACKs, Eduardo Tongson Re: [fw-wiz] Random and strange RST,ACKs, Phil Hunter Re: [fw-wiz] Random and strange RST,ACKs, Eduardo Tongson <=

Previous by Date:	[fw-wiz] [Administrivia] Email address change, Paul D. Robertson
Next by Date:	Re: [fw-wiz] Extreme Networks, rgolodner
Previous by Thread:	Re: [fw-wiz] Random and strange RST,ACKs, Phil Hunter
Next by Thread:	[fw-wiz] PIX 515E config - DMZ host to inside host, Chris Mitchell
Indexes:	[Date] [Thread] [Top] [All Lists]